OT - Windows Event Log Monitoring/Analysis

stevewood
Honored Contributor II

This is totally not a Casper-related question, but I trust there are a few
Windows admins out there in hiding.

I need to audit file create/delete/access/write for my Macintosh
users. We've recently installed Group Logic's ExtremeZ-IP to host the
Windows shares, and I know how to turn on auditing for the folders I need to
watch, but I'm buried with the amount of data that is being logged.

So, I have two questions:

1) Does anyone have a good Windows event log monitor/analyzer that can help
sift through this data?

2) Does anyone know of a product that runs on OS X that will provide this
same type of auditing?

Again, I need to track the user names of individuals accessing these
files/folders and what they are doing.

Thanks!

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

1 REPLY

aamjohns
Contributor II

I'm pretty sure this will be of no help to you but we are looking for something like this for our Windows realm, which we are moving towards http://www.varonis.com/. Or maybe http://www.splunk.com/?

I've been responsible for some similar tasks here; I've even posted a question on here in this regard, to which I have received no replies.

One thing I might suggest is Googling and finding some documents that discuss the whole concept of auditing, filtering, finding what is important, and leaving the rest behind. I found some great reads through SANS - which describe avoiding the 'let's just collect it all and then figure out what to do with it' approach for a designed approach where in the end all that is left is what you need to be paying attention to...

I've not been able to convince my peers on this necessity so ATM we are just gathering, gigs and gigs of data to meet security requirements. One thing I did though is parse the data and write it to SQL so we can at least query it for anomalies should we desire.

Right now I need to figure out how to log Mac user logon/logoff events to SQL. I'm not making much headway on this. I've got the Windows part done.

To sum, although I cannot point you to a product and say 'get this' I can say that there are some readings that will lead you to other readings, or pages, which might ultimately help you find what you are looking for.

These are some links I had on hand, may be of no use to you but anyway...
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
http://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstatio...
http://chuvakin.blogspot.com/2011/03/updated-free-log-management-tools.html
http://www.sans.org/reading-room/whitepapers/logging/
http://blogs.splunk.com/2014/02/03/forwarding-windows-event-logs-to-another-host/
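As an added example (not code from either poster), here is the "parse the data and write it to SQL" step the reply describes, in Python: it reads constructed sample records in the XML shape Windows exports for security event ID 4663 (an attempt was made to access an object), keeps only write/append/delete actions so the read-access noise the question complains about drops out, loads the rest into SQLite and runs one per-user query. The sample XML, the table name and the access-mask subset are assumptions made for the example.

```python
"""Filter Windows object-access audit events (ID 4663) and load them into SQLite."""
import sqlite3
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Subset of the AccessMask bits logged in event 4663 (assumption: only these four matter here).
ACCESS_BITS = {0x1: "read", 0x2: "write", 0x4: "append", 0x10000: "delete"}

# Constructed sample export (not real logs); same shape as a wevtutil / Get-WinEvent XML export.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2014-03-01T10:00:00Z"/></System>
<EventData><Data Name="SubjectUserName">alice</Data><Data Name="ObjectName">D:\\Share\\budget.xlsx</Data><Data Name="AccessMask">0x1</Data></EventData></Event>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2014-03-01T10:05:00Z"/></System>
<EventData><Data Name="SubjectUserName">alice</Data><Data Name="ObjectName">D:\\Share\\budget.xlsx</Data><Data Name="AccessMask">0x2</Data></EventData></Event>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2014-03-01T10:07:00Z"/></System>
<EventData><Data Name="SubjectUserName">bob</Data><Data Name="ObjectName">D:\\Share\\old.doc</Data><Data Name="AccessMask">0x10000</Data></EventData></Event>
<Event><System><EventID>4656</EventID><TimeCreated SystemTime="2014-03-01T10:08:00Z"/></System>
<EventData><Data Name="SubjectUserName">bob</Data><Data Name="ObjectName">D:\\Share\\old.doc</Data><Data Name="AccessMask">0x80</Data></EventData></Event>
</Events>"""


def parse_events(xml_text, keep=("write", "append", "delete")):
    """Return (time, user, path, action) rows for 4663 events whose mask matches `keep`."""
    rows = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "4663":
            continue  # handle-open events (4656) add volume without saying what was done
        time = ev.find(f"{NS}System/{NS}TimeCreated").get("SystemTime")
        data = {d.get("Name"): d.text for d in ev.iter(NS + "Data")}
        mask = int(data.get("AccessMask", "0"), 16)
        for bit, action in ACCESS_BITS.items():
            if mask & bit and action in keep:
                rows.append((time, data.get("SubjectUserName"), data.get("ObjectName"), action))
    return rows


def load_events(rows):
    """Write the filtered rows into an in-memory SQLite table (assumed name: file_audit)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE file_audit (ts TEXT, user TEXT, path TEXT, action TEXT)")
    conn.executemany("INSERT INTO file_audit VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def changes_per_user(conn):
    """One anomaly query: who modified or deleted files, and how often."""
    return conn.execute(
        "SELECT user, action, COUNT(*) FROM file_audit "
        "GROUP BY user, action ORDER BY user, action").fetchall()
```

Pointing `parse_events` at a real export (for example the XML written by `wevtutil qe Security /f:xml`) and `load_events` at an on-disk database gives the queryable store the reply describes.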