EventManager from GFI is what I wrote and what we have. I think the others typo'd or something :)
> -----Original Message-----
> From: Gene Giannamore [mailto:[email protected]]
> Sent: Wednesday, January 07, 2009 1:51 PM
> To: NT System Admin Issues
> Subject: RE: Auditing Everything
>
> Can you all clarify something? I cannot find "GFI EventSentry", I can
> find "GFI EventsManager http://www.gfi.com/eventsmanager/ " and
> "netikus ltd. EventSentry http://www.eventsentry.com/ ". So I am just
> wondering which one is the product people are using?
>
> Gene Giannamore
> Abide International Inc.
> Technical Support
> 561 1st Street West
> Sonoma,Ca.95476
> (707) 935-1577 Office
> (707) 935-9387 Fax
> (707) 766-4185 Cell
> [email protected]
>
> -----Original Message-----
> From: Durf [mailto:[email protected]]
> Sent: Wednesday, January 07, 2009 9:55 AM
> To: NT System Admin Issues
> Subject: Re: Auditing Everything
>
> We aren't partially right - we are entirely right.
>
> The whole point of GFI EventSentry is to *gather the events from
> Windows and store them in SQL*. So I can safely disregard your whole
> first paragraph as frankly ignorant of the possibilities.
>
> If you have any clients who have compliance needs, such as the recent
> Massachusetts data privacy regulations, or basically any HIPAA, SARBOX,
> etc kind of requirements, this is the product that will accomplish
> these needs.
>
> Using the Windows Event Log properly and auditing for Security Events,
> you can tell who made any modifications to accounts, password changes,
> security priv elevations...and so forth.
>
> There are several products that can accomplish this - I don't want to
> evangelize GFI; they are just the product I am familiar with. I'm not
> a reseller or GFI employee. However, the fact is IT CAN DO WHAT THE OP
> REQUESTED, in combination with other products and techniques.
>
> Please, you all, stop saying different unless you have actual knowledge
> to the contrary. There are a lot of reasons why the OP *should* not do
> such a thing. But they *can* if they need to.
>
> -- Durf
>
> On Wed, Jan 7, 2009 at 12:07 PM, Devin Meade <[email protected]> wrote:
>
> Okay guys I suppose you are partially right. The need was stated to
> carte blanche audit everything. The built in windows audit *has a
> limit*. It can be overwritten when full. You can lose events. That
> doesn't fill this need. The need needs to be clarified -- maybe
> "audit file changes on X drive over the last Y days".
>
> If you need to audit everything there is a chance that using windows
> security log won't meet that need. That's all I was getting at. Our
> file shares have auditing for file changes and we overwrite events as
> needed. I have used eventcomb to mine our audit entries and it works
> for our need. Again, the need must be defined. On one box, we do
> get only about a week's worth of audit entries then they are
> overwritten. That meets our need and our owners understand this.
>
> I deal with these off-the-cuff requests all the time. The request is
> made - I deliver the cost. The request is re-defined. I answer with
> a different cost. Reminds me of building our house. Start out at
> 4500sq ft and then see the cost, then start cutting back.
>
> Devin
>
> On Wed, Jan 7, 2009 at 10:47 AM, David Lum <[email protected]> wrote:
> > Log files don't need to be big if you know what you're looking for. It goes
> > back to the "I *can* audit everything, but what are you looking for"? I, for
> > example, have monitoring software and I look for application installs on
> > all PC's for a 50-user company by simply having it look for Event ID 11707
> > in the Application log of each PC. Log files are set to their normal size
> > (16MB), and whatever meets the criteria I get an e-mail about, I don't have
> > to search a log for anything.
> >
> > If you know what you're looking for, you can be proactive and never have to
> > manually dig through log files. As Durf says, log files will take care of
> > the needs, but knowing what you're looking for saves a LOT of time.
> >
> > Durf is right, you can accomplish this with auditing settings and an
> > application that can read logs.
> > David Lum // SYSTEMS ENGINEER
> > NORTHWEST EVALUATION ASSOCIATION
> > (Desk) 971.222.1025 // (Cell) 503.267.9764
> > -----Original Message-----
> > From: Devin Meade [mailto:[email protected]]
> > Sent: Wednesday, January 07, 2009 8:32 AM
> > To: NT System Admin Issues
> > Subject: Re: Auditing Everything
> >
> > Watch out setting the server's event log bigger than 300MB. Check this out:
> >
> > http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Admin/MaximumsizeforEventlogs.html
> >
> > You are gonna have to use something other than windoze file auditing
> > due to this limit. Something designed for $$ this $$ need $$. Like I
> > see in other posts, you will need multiple tools. We use MS ISA's
> > logging for web surfing history - it works well if set up right.
> >
> > Something tells me he wants it at no cost.
> >
> > hth, Devin
> >
> > On Wed, Jan 7, 2009 at 9:31 AM, Michael B. Smith
> > <[email protected]> wrote:
> >> Is he a control freak, or what?
> >>
> >> ISA can give you web auditing. For the rest, you'll need a third party
> >> application. (And you can also go third-party for web auditing - WebSense
> >> is probably the most popular.)
> >>
> >> Personally, I'm fond of NetPro's ChangeAuditor (they were recently
> >> acquired by Quest). NetWrix also has a suite of tools for this that is
> >> installed at one of my clients.
> >>
> >> To audit EVERYTHING, you may find it necessary to add a server that does
> >> nothing but process audit records. The volume is quite large, even in a
> >> small network.
> >>
> >> Regards,
> >>
> >> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
> >>
> >> My blog: http://TheEssentialExchange.com/blogs/michael
> >>
> >> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
> >>
> >> From: Alex Carroll [mailto:[email protected]]
> >> Sent: Wednesday, January 07, 2009 10:25 AM
> >> To: NT System Admin Issues
> >> Subject: Auditing Everything
> >>
> >> I have a request from my CEO to audit everything that happens on our
> >> network. When users open files, when they change files, delete files, use
> >> any programs, go to any websites (we use ie7, firefox), etc etc etc. Do
> >> any of you have a good solution you can recommend for that? I can google
> >> all I want, but I won't know the real world experience by doing that. We
> >> are a smaller company - 16 users. Right now we have 3 servers (1 SBS 03,
> >> 2 that are 2003) in production. We use XP and Vista.
> >>
> >> Thanks in advance!
> >>
> >> Alex Carroll
> >>
> >> Software Support
> >>
> >> Crabtree Companies, Inc.
> >>
> >> 651-688-2727
> >
> > --
> > Devin
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> --
> Devin
>
> --
> --------------
> Give a man a fish, and he'll eat for a day.
> Give a fish a man, and he'll eat for weeks!
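
The two points raised in the thread, filtering the Application log for Event ID 11707 and audit entries being overwritten once a log fills, checked together in PowerShell. This is an added example, not code from any poster; it assumes Get-WinEvent (Windows Vista/Server 2008 or later), the MsiInstaller provider name for 11707, and a hypothetical `$RequiredDays` retention target.

```powershell
# Added example, not from the thread. Run elevated so the Security log is readable.

function Get-LogCoverage {
    # Reports how far back each log currently reaches and whether that meets
    # the retention target ($RequiredDays is a hypothetical policy value).
    param(
        [string[]]$LogName = @('Application', 'Security'),
        [int]$RequiredDays = 7
    )
    foreach ($name in $LogName) {
        $cfg = Get-WinEvent -ListLog $name
        # -Oldest sorts ascending, so the first event is the oldest one still retained.
        $first = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $days = if ($first) { ((Get-Date) - $first.TimeCreated).TotalDays } else { 0 }
        [pscustomobject]@{
            Log         = $name
            MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
            UsedMB      = [math]::Round($cfg.FileSize / 1MB, 1)
            Mode        = $cfg.LogMode          # Circular = oldest events overwritten when full
            DaysCovered = [math]::Round($days, 1)
            MeetsTarget = ($days -ge $RequiredDays)
        }
    }
}

function Get-RecentInstall {
    # Event ID 11707 in the Application log: MSI "installation completed successfully".
    # The provider name MsiInstaller is an assumption added here, not stated in the thread.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

Get-LogCoverage | Format-Table -AutoSize
Get-RecentInstall | Format-List
```

A log that was recently cleared or has not yet filled also reports a low `DaysCovered`, so read `MeetsTarget` together with `UsedMB` against `MaxSizeMB`.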
