Okay guys I suppose you are partially right. The need was stated to carte blanche audit everything. The built-in Windows audit *has a limit*. It can be overwritten when full. You can lose events. That doesn't fill this need. The need needs to be clarified -- maybe "audit file changes on X drive over the last Y days".
If you need to audit everything there is a chance that using Windows security log won't meet that need. That's all I was getting at.

Our file shares have auditing for file changes and we overwrite events as needed. I have used EventComb to mine our audit entries and it works for our need. Again, the need must be defined. On one box, we do get only about a week's worth of audit entries then they are overwritten. That meets our need and our owners understand this.

I deal with these off-the-cuff requests all the time. The request is made - I deliver the cost. The request is re-defined. I answer with a different cost. Reminds me of building our house. Start out at 4500 sq ft and then see the cost, then start cutting back.

Devin

On Wed, Jan 7, 2009 at 10:47 AM, David Lum <[email protected]> wrote:
> Log files don't need to be big if you know what you're looking for. It goes back to the "I *can* audit everything, but what are you looking for"? I, for example, have monitoring software and I look for application installs on all PCs for a 50-user company by simply having it look for Event ID 11707 in the Application log of each PC. Log files are set to their normal size (16MB), and whatever meets the criteria I get an e-mail about, I don't have to search a log for anything.
>
> If you know what you're looking for, you can be proactive and never have to manually dig through log files. As Durf says, log files will take care of the needs, but knowing what you're looking for saves a LOT of time.
>
> Durf is right, you can accomplish this with auditing settings and an application that can read logs.
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
> -----Original Message-----
> From: Devin Meade [mailto:[email protected]]
> Sent: Wednesday, January 07, 2009 8:32 AM
> To: NT System Admin Issues
> Subject: Re: Auditing Everything
>
> Watch out setting the server's event log bigger than 300MB. Check this out:
>
> http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Admin/MaximumsizeforEventlogs.html
>
> You are gonna have to use something other than windoze file auditing due to this limit. Something designed for $$ this $$ need $$. Like I see in other posts, you will need multiple tools. We use MS ISA's logging for web surfing history - it works well if set up right.
>
> Something tells me he wants it at no cost.
>
> hth,
> Devin
>
> On Wed, Jan 7, 2009 at 9:31 AM, Michael B. Smith <[email protected]> wrote:
>> Is he a control freak, or what?
>>
>> ISA can give you web auditing. For the rest, you'll need a third party application. (And you can also go third-party for web auditing – WebSense is probably the most popular.)
>>
>> Personally, I'm fond of NetPro's ChangeAuditor (they were recently acquired by Quest). NetWrix also has a suite of tools for this that is installed at one of my clients.
>>
>> To audit EVERYTHING, you may find it necessary to add a server that does nothing but process audit records. The volume is quite large, even in a small network.
>>
>> Regards,
>>
>> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>> My blog: http://TheEssentialExchange.com/blogs/michael
>> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>>
>> From: Alex Carroll [mailto:[email protected]]
>> Sent: Wednesday, January 07, 2009 10:25 AM
>> To: NT System Admin Issues
>> Subject: Auditing Everything
>>
>> I have a request from my CEO to audit everything that happens on our network. When users open files, when they change files, delete files, use any programs, go to any websites (we use IE7, Firefox), etc etc etc. Do any of you have a good solution you can recommend for that? I can google all I want, but I won't know the real world experience by doing that. We are a smaller company – 16 users. Right now we have 3 servers (1 SBS 03, 2 that are 2003) in production. We use XP and Vista.
>>
>> Thanks in advance!
>>
>> Alex Carroll
>> Software Support
>> Crabtree Companies, Inc.
>> 651-688-2727
>
> --
> Devin

--
Devin
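
The two checks discussed in this thread, as an added example that is not part of the thread or written by any of its participants: it measures how many days a circular event log actually covers before old entries are overwritten, then pulls Event ID 11707 from the Application log for the same window. It assumes PowerShell 3 or later with `Get-WinEvent` (Windows Vista / Server 2008 and newer, so not the XP/2003 hosts mentioned above) and an elevated session for the Security log; the parameter names, the `Get-LogRetention` helper and the 90% fullness threshold are hypothetical choices for illustration.

```powershell
# Added example (not from the thread). Run elevated; the Security log needs admin rights.
param(
    [string]$LogName        = 'Security',  # log the audit requirement depends on
    [int]   $RequiredDays   = 7,           # assumed requirement: "the last Y days"
    [int]   $InstallEventId = 11707        # event ID quoted in the thread for app installs
)

function Get-LogRetention {
    param([string]$Name)
    $cfg    = Get-WinEvent -ListLog $Name -ErrorAction Stop
    $oldest = Get-WinEvent -LogName $Name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $days   = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) } else { 0 }
    # Heuristic (assumption): a circular log at 90% of its size cap has wrapped or soon will.
    $nearFull = ($cfg.LogMode -eq 'Circular') -and ($cfg.FileSize -ge (0.9 * $cfg.MaximumSizeInBytes))
    [pscustomobject]@{
        Log         = $cfg.LogName
        Mode        = $cfg.LogMode          # Circular = oldest events overwritten when full
        MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        UsedMB      = [math]::Round($cfg.FileSize / 1MB, 1)
        Records     = $cfg.RecordCount
        OldestEvent = if ($oldest) { $oldest.TimeCreated } else { $null }
        DaysCovered = $days
        NearFull    = $nearFull
    }
}

$r = Get-LogRetention -Name $LogName
$r | Format-List

# Only a log that is already wrapping tells you its real retention window.
if ($r.NearFull -and $r.DaysCovered -lt $RequiredDays) {
    Write-Warning ("{0} covers {1} days but {2} are required; older events have been overwritten. " +
                   "Narrow the audit policy, raise the size cap, or forward events off the box.") `
                   -f $r.Log, $r.DaysCovered, $RequiredDays
}

# Targeted query instead of digging through the whole log: installs in the required window.
$filter = @{ LogName = 'Application'; Id = $InstallEventId; StartTime = (Get-Date).AddDays(-$RequiredDays) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Message |
    Format-Table -AutoSize -Wrap
```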
