The security log for Windows is full of great information, but unless you know how to control, manage, and analyze the information, it is going to take you much longer to get the information that you want out of it. This article will describe some of the tips and tricks that can be used to better dig the information that you need out of the security log, making your job easier, you more efficient, and the overall security of your network better.
Setting Up What is Logged
First, you need to get information into the security log. Over time, Microsoft has configured it to where some things are logged, but that has not always been the case. Since many of you reading this might still be running Windows 2000, XP, and 2003, it is important to know where you can go to setup the security log audit trail.
All of the information logged in the security log is controlled by Auditing. Auditing is setup and managed by Group Policy. You can either manage Group Policy locally (gpedit.msc) or via Active Directory by using the Group Policy Management Console (GPMC). I highly suggest using the GPMC and manage auditing using Active Directory. This is far more efficient and 1/10th the work as managing it locally.
Within Group Policy, edit the Group Policy object, then expand the GPO down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, which can be seen in Figure 1.
Figure 1: Audit Policy settings in a Group Policy Object
Regardless of whether you use local Group Policy or a GPO from Active Directory, these settings will be the same. It is just easier to deploy the settings to multiple computers using Active Directory.
As you can see, there are nine different audit policy options. To get a better understanding of what each setting does, be sure to also read this article.
Centralizing the Security Log
Now that you have all of your computers on the network logging the key security audit trails, you need to view them. Consider the default, which is to have every computer having their own copy of the security log. This means that if you have 1000 servers and 10000 desktops, you have a total of 11000 security logs you will need to review! Until recently there was no way of centralizing these logs for efficient analysis.
However, since Windows Server 2008, Vista, and 7, Microsoft released a way for you to centralize all of your logs, including the security logs from all 11000 (or however many computers you have) computers. The solution is to use subscriptions and event log forwarding.
You do need to have at least one Windows Server 2008, Vista, or 7 computer, but the minimum is one. This becomes the centralized logging computer. All other computers running Windows XP, 2003, Vista, 2008, and 7 can send their events to this centralized computer. (Sorry, Windows 2000 is not supported!)
For more information on how to setup centralized logging, refer to this article.
Now that you have your centralized log, you can setup how you want to view the information. Consider that you might have thousands of different events logged, with hundreds of event IDs. You would not want to try and sift through all of these events just looking for those events that meet a specific event ID. You don't have to do that!
Now that your centralized log is on a Windows Server 2008, Vista, or 7 computer, you can use a custom view. Custom views allow you to create a "special log" of just the logs and event IDs that you desire to view. So, now you can create as many custom views of the existing logs, including the forwarded logs, that you desire and need.
Say for example you just want to have a view of all of the server logons that have occurred on all the servers. You can just create a custom view of Event ID 4624 (For Windows 2008, Vista, and 7) and 528 (Windows 2000, XP, 2003) so you can see all of the successful logons. Figure 2 illustrates what the custom view would look like.
Figure 2: Custom view of events 4624 and 528
Tasks Per Event
Not only can you setup special custom views of your logs, you can also setup triggers for when certain events are registered. This option referred to as attaching a task to an event or log, is available on Windows Server 2008, Vista, and 7.
The task is really nothing more than a scheduled task, but it is important to know that it is available. You can either setup these tasks within the Event Viewer or the Scheduled Tasks tool. The tasks can either be at a high level and basic, or you can get very granular with the settings that you make for the tasks.
For the basic tasks, you only need to establish the following:
- Event ID
- Action for when event is registered
You can see these options in Figure 3.
Figure 3: Basic task for the event viewer events
For a more granular task for an event, you can get very granular. You can setup specifics related to the event, time of day, thresholds, etc. Figure 4 illustrates an example of one of the tabs for setting up these detailed tasks.
Figure 4: Detailed task for an event
For the actions on both the basic and detailed tasks, you can do a few options. You can set it up so an email is sent out when a specific task is generated. You can also set the action to where a program is run if an event is tracked. This can be a script, built-in program, or virtually anything else you want the system to accomplish if an event is tracked. You can also just show a message, which will help the administrator know that an event occurred, allowing them to manually take action after seeing the event.
As you can see the new options for controlling events and specifically security log events are very powerful. What was once only available through a third party product is now available with just one new Windows computer running Windows 2008, Vista, or 7. Yes, you will need to install software on the downlevel computers so they can forward events, but that is a small task compared to the benefits that you get once the events are centralized. The ability to create custom views and even associates tasks with certain events makes the new event viewer a tool worth looking at and even upgrading computers to obtain.