All, I'm a long-time OSSEC user, but I rarely use OSSEC with Windows machines. Recently I had the "opportunity" to monitor a significant number of Windows machines, and I've been learning where security-relevant logs are stored on the system.
In addition to the standard Application/Security/System logs I'm monitoring the following Event Channels, but wanted to see if others had suggestions on additions:

- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
- Microsoft-TaskScheduler/Operational

Does anyone have any recommendations that I should add to my configuration? Of course the function of the machine will drive which channels are valuable. I'm currently considering the following:

- WinRM
- WinNAT
- Exchange
- SMBServer
- PrintService
- NTLM
- IIS_Logging

What do you use in your configuration?

Thanks,
Chris
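For readers following the thread, here is an added example of how the channels named above are wired into an OSSEC Windows agent configuration. It is not Chris's configuration and not code from the OSSEC project; it uses OSSEC's `eventchannel` log format, which reads a channel by the name shown under "Log Name" in Event Viewer. The Task Scheduler channel is written under its registered name `Microsoft-Windows-TaskScheduler/Operational`. The entries for WinRM, SMBServer, PrintService and NTLM are assumed channel names for the candidates in the post and should be checked on the host before deployment; the IIS path is likewise an assumed default.

```xml
<!-- Added example (not from the post or the OSSEC project): OSSEC agent
     configuration collecting Windows Event Channels. Place inside the
     agent's ossec.conf, or inside <agent_config os="Windows"> in the
     manager's shared agent.conf. Requires an agent that supports the
     eventchannel log format (OSSEC 2.7 or later on Vista/2008 or later). -->
<ossec_config>

  <!-- Channels already monitored in the post -->
  <localfile>
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <!-- Registered channel name for the Task Scheduler operational log.
       This channel is disabled by default on many Windows builds; enable it
       first (see the note after this block) or the agent collects nothing. -->
  <localfile>
    <location>Microsoft-Windows-TaskScheduler/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Candidates from the post. Channel names below are assumptions:
       confirm each with  Get-WinEvent -ListLog "<name>"  before relying on it. -->
  <localfile>
    <location>Microsoft-Windows-WinRM/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-SMBServer/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-NTLM/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- IIS is not an Event Channel: its request logs are W3C text files.
       OSSEC reads them with the iis log format and a strftime-style path.
       Site ID (W3SVC1) and log root are assumed defaults; adjust per server. -->
  <localfile>
    <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>

</ossec_config>
```

Two checks are worth doing before trusting the output. First, a channel that exists but is disabled produces no events at all, and OSSEC gives no warning; the Task Scheduler operational log is the usual surprise. Confirm the state with `Get-WinEvent -ListLog "Microsoft-Windows-TaskScheduler/Operational" | Select-Object LogName, IsEnabled, MaximumSizeInBytes` and enable it with `wevtutil sl "Microsoft-Windows-TaskScheduler/Operational" /e:true`. Second, operational channels default to small maximum sizes and wrap quickly on busy hosts, so raise `MaximumSizeInBytes` (or `wevtutil sl <name> /ms:<bytes>`) on the channels you depend on, or the agent can miss events between polls.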
