From: JR on
Hi folks


I'm trying to solve a tough (for me) security problem. I have to set
up a series of restricted access folders in our network. The users
insist on keeping a log of all access to these folders. Fair enough, but
my problem is that the "security log" in the event viewer is already
extended to the maximum size, and it can't keep log entries older
than 7 days (no room in log...)

I'd like to know if there are tools, or settings (whatever) that would
allow me to set up extra log files just for these folders. I'd then be
able to keep them for a lot longer than those 7 days of the standard
log.
From: RCan on
Hi JR,

of course :-)

e.g. if you monitor the systems with SCOM you can collect the events
and write them into a database for history purposes.
SCOM is not a "must" criterion for this; you can also write your own
script which exports the event log to e.g. an etl/html/xml file and then
resets it after a successful export ;-)

On W2K8 systems you could also use "wevtutil.exe", but I cannot currently
remember a command line based tool for W2K3. In any case you can also use
the publicly available event log APIs, e.g. the "ClearEventLog Function" ->
http://msdn.microsoft.com/en-us/library/aa363637.aspx ;-)
http://tekktips.spaces.live.com/blog/cns!3C3690998D3204D7!463.entry

Also, in most cases and especially in the security area, you will log too much
information which is not really useful; check also whether each enabled setting
is really required, some of them can make a big difference.

PS: AND there are several 3rd party tools available which do exactly this
:-)

Hope that helps

Regards
Ramazan

"JR" <not(a)mine.mn> wrote in message
news:26c5v5d0754grado3sdcdlou2mfh28gc7m(a)4ax.com...
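The export-then-reset script Ramazan describes, as an added example that is not part of the thread. It assumes Windows Server 2008 or later (wevtutil.exe) and an archive share path that only the archiving account can write to; the share path and log name are assumptions. The live log is cleared only after the export has been verified as readable, so an export failure never costs events.

```powershell
# Added example: archive the Security log to a dated .evtx and clear the live
# log only after the export succeeded and the archive can be read back.
# Assumptions: Windows Server 2008+, PowerShell 2.0+, and an archive share
# (constructed path below) reachable by the scheduled-task account.
$ArchiveRoot = '\\fileserver\seclog-archive'   # assumed archive location
$LogName     = 'Security'
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
$Target      = Join-Path $ArchiveRoot ("$env:COMPUTERNAME-$LogName-$Stamp.evtx")

# 1. Export the whole log. wevtutil signals success only through its exit code.
& wevtutil.exe epl $LogName $Target
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Target)) {
    throw "Export of $LogName to $Target failed; live log left untouched."
}

# 2. Verify the archive is readable and contains at least one event.
try {
    $first = Get-WinEvent -Path $Target -MaxEvents 1 -ErrorAction Stop
} catch {
    throw "Archive $Target is empty or unreadable; not clearing the live log. $_"
}

# 3. Record a SHA-256 of the archive beside it so later tampering is detectable
#    (certutil -hashfile exists on 2008+; Get-FileHash needs PowerShell 4+).
& certutil.exe -hashfile $Target SHA256 | Out-File -FilePath "$Target.sha256"

# 4. Only now clear the live log so it has room for the next period.
& wevtutil.exe cl $LogName
if ($LASTEXITCODE -ne 0) { throw "Clearing $LogName failed after a good export." }

Write-Output "Archived $LogName (newest event $($first.TimeCreated)) to $Target"
```

Run it from a scheduled task more often than the live log fills (daily, given the 7-day window in the question); `wevtutil cl Security /bu:<file>` does backup-and-clear in one step if you prefer that to separate export and verify.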

From: JR on
On Tue, 18 May 2010 21:18:18 +0200, "RCan" <noospam(a)arcor.de> wrote:


If I understand you correctly, what you propose is to simply save
copies of the normal log over time, and then search it for the
relevant data?
From: RCan on
Correct, then e.g. you could also create a database and import the data.
Afterwards you can query anything in any combination .... :-)
Also Reporting Services on top of your DB could be a useful "feature" if
you want to have a long-term history of your security logs, and reports can be
generated on demand.

Note: also be careful with logging user activity as this is, in most European
countries and in some circumstances, not allowed!

Hope that helps

Regards
Ramazan
http://tekktips.spaces.live.com/default.aspx

"JR" <not(a)mine.mn> wrote in message
news:r0s5v555spf9m6qun5ghpdrca7s4c72mn4(a)4ax.com...
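The "query anything in any combination" step over the saved copies, as an added example that is not part of the thread: it walks every archived .evtx in the archive share, pulls the object-access events that name one of the restricted folders, and writes them to CSV ready for import into a database. The archive path and folder path are assumptions; 4663 is the object-access event on Vista/2008 and later, 560 its W2K3 predecessor.

```powershell
# Added example: search archived Security logs for access to a restricted folder
# and export the matches as CSV for database import.
# Assumptions: archives are .evtx files (constructed path below); object-access
# auditing (SACL) is enabled on the folder so 4663/560 events exist at all.
param(
    [string]   $ArchiveRoot = '\\fileserver\seclog-archive',   # assumed location
    [string]   $FolderPath  = 'D:\Restricted\Finance',         # assumed folder
    [datetime] $Since       = (Get-Date).AddDays(-90),
    [string]   $OutCsv      = "$env:TEMP\restricted-access.csv"
)

$archives = Get-ChildItem -Path $ArchiveRoot -Filter '*.evtx' -ErrorAction Stop
$hits = foreach ($file in $archives) {
    # Filter on event ID and time inside the provider, then on the object name
    # in the message text, which is slower but independent of property layout.
    Get-WinEvent -FilterHashtable @{ Path = $file.FullName; Id = 4663, 560;
                                     StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$FolderPath*" } |
        Select-Object @{ n = 'Archive';     e = { $file.Name } },
                      TimeCreated, Id, MachineName,
                      @{ n = 'MessageHead'; e = { ($_.Message -split "`r?`n")[0] } }
}

$hits | Sort-Object TimeCreated | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Output ("{0} matching events from {1} archive(s) written to {2}" -f `
              @($hits).Count, $archives.Count, $OutCsv)
```

Import the CSV into a table keyed on (TimeCreated, MachineName, Id) so repeated runs over the same archives do not duplicate rows.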

From: JR on
On Thu, 20 May 2010 20:54:14 +0200, "RCan" <noospam(a)arcor.de> wrote:


Ok, thanks