5.7. Configuring the auditing policy on Windows

This section describes how to configure the logging and auditing policy on various versions of Microsoft Windows. The syslog-ng agent can only forward events that Windows actually writes to its event logs, so the audit policy must be configured to log the events you want to collect; an event category that is not audited never reaches the Security log, and therefore never reaches syslog-ng.

Microsoft Windows operating systems can record a range of event types, from a system-wide event such as a user logging on, to an attempt by a particular user to read a specific file. Both successful and unsuccessful attempts to perform an action can be recorded. The audit policy specifies the types of events to be audited. When such an event occurs, an entry is added to the computer's log files.

The following is a brief overview of how to configure the audit policy on various versions of Microsoft Windows. For details, consult the documentation of your operating system, or visit Microsoft TechNet at http://technet.microsoft.com/. For details on configuring the auditing and logging of various applications, like the IIS Server or the ISA Server, consult your product documentation.

5.7.1. Turning on security logging on Windows XP and Windows 2000

The following procedure describes how to enable security logging on Windows XP Professional and Windows 2000 hosts.

Procedure 5.4. Turning on security logging on Windows XP and Windows 2000

  1. Login as an administrator.

  2. Click Start, click Run, and type mmc /a.

  3. On the File menu, click Add/Remove Snap-in, and click Add.

  4. Under Snap-in, click Group Policy, and click Add.

  5. In Select Group Policy Object, select Local Computer, then click Finish, click Close, and click OK.

  6. In Console Root, expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and Local Policies, then click Audit Policy.

  7. In the details pane, double-click the event category you want to audit (for example Audit logon events), or right-click it and click Properties.

  8. Select Success, Failure, or both, then click OK.

  9. Repeat Steps 7-8 for every other event you want to audit.

[Note] Note

To enable security logging centrally through Group Policy instead of on each host (for domain controllers, and, by editing a Group Policy Object linked to the domain or to the appropriate organizational unit, for workstations and member servers), see Section 5.7.2, “Turning on security logging for domain controllers”.

5.7.2. Turning on security logging for domain controllers

The following procedure describes how to enable security logging on a Windows 2000 Server domain controller by editing the Group Policy Object linked to the Domain Controllers organizational unit. (Windows XP Professional cannot act as a domain controller. The same steps work on Windows Server 2003 unless the Group Policy Management Console is installed, which replaces the Group Policy tab used below.)

Procedure 5.5. Turning on security logging for domain controllers

  1. Login as an administrator.

  2. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.

  3. In the console tree, click Domain Controllers.

  4. Click Action, then click Properties.

  5. On the Group Policy tab, select the Group Policy Object you want to change (by default, Default Domain Controllers Policy), and click Edit.

  6. In the Group Policy window, expand Computer Configuration, Windows Settings, Security Settings and Local Policies, then click Audit Policy.

  7. In the details pane, double-click the event category you want to audit (for example Audit logon events), or right-click it and click Properties.

  8. Select Define these policy settings, then select Success, Failure, or both, and click OK.

  9. Repeat Steps 7-8 for every other event you want to audit.

5.7.3. Turning on auditing on Windows 2003 Server

The following procedure describes how to configure auditing on a Windows 2003 Server host.

Procedure 5.6. Turning on auditing on Windows 2003 Server

  1. Login as an administrator.

  2. Click Start, point to Programs, point to Administrative Tools, and click Domain Security Policy. This edits the Default Domain Policy, which applies to every computer in the domain. To change the settings of the domain controllers themselves, use Domain Controller Security Policy instead, because the Default Domain Controllers Policy takes precedence on them; on a stand-alone server that is not a domain member, use Local Security Policy.

  3. In the console tree, click Local Policies, then Audit Policy.

  4. Double-click a policy (for example Audit logon events) and select the Define these policy settings option.

  5. Select Success, Failure, or both, and click OK.

  6. Repeat Steps 4-5 for every other event you want to audit.
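All three procedures above (Sections 5.7.1 to 5.7.3) set the same nine Windows audit categories through the Group Policy or Local Security Policy user interface. The script below is an added example, not part of the syslog-ng agent documentation and not a BalaBit tool: it does the same job non-interactively with secedit.exe, which ships with Windows 2000, Windows XP and Windows Server 2003, and then re-exports the policy to verify what actually took effect, which is the check worth doing before relying on the agent to forward logon or account-management events. It assumes a PowerShell session running as an administrator on the host whose policy is being changed; the baseline values in $Desired, the function names and the working directory under %TEMP% are the example's own choices, not settings recommended by the page.

```powershell
# Added example, not from the syslog-ng agent documentation: set the Windows
# audit policy from a script instead of the MMC click-paths, then verify it.
# secedit.exe reads "security templates"; in the [Event Audit] section
#   0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
# Assumption: run as an administrator on the host whose policy you are changing.

# Baseline to enforce (author's choice of values, not a recommendation from the page).
$Desired = @{
    'AuditSystemEvents'    = 3   # startup/shutdown, clearing of the Security log
    'AuditLogonEvents'     = 3   # interactive and network logon/logoff
    'AuditAccountLogon'    = 3   # credential validation, mainly on domain controllers
    'AuditAccountManage'   = 3   # user/group changes, password resets
    'AuditPolicyChange'    = 3   # changes to the audit policy itself
    'AuditPrivilegeUse'    = 2   # failures only; successes are very noisy
    'AuditObjectAccess'    = 2   # failures only; successes also need SACLs on objects
    'AuditDSAccess'        = 0   # directory service access; enable on DCs if needed
    'AuditProcessTracking' = 0   # process creation; very noisy on busy hosts
}

$Work = Join-Path $env:TEMP 'auditpolicy'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Write the baseline as a security template and apply only its audit settings.
function Set-AuditBaseline([hashtable]$Baseline, [string]$Dir) {
    $Inf = Join-Path $Dir 'audit.inf'
    $Db  = Join-Path $Dir 'audit.sdb'
    $Lines = @('[Unicode]', 'Unicode=yes',
               '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
               '[Event Audit]')
    foreach ($Name in $Baseline.Keys) {
        $Lines += ('{0} = {1}' -f $Name, $Baseline[$Name])
    }
    Set-Content -Path $Inf -Value $Lines -Encoding Unicode
    # /areas SECURITYPOLICY limits the change to local policy settings (which
    # include the audit policy); user rights, registry and file ACL areas are untouched.
    secedit.exe /configure /db $Db /cfg $Inf /areas SECURITYPOLICY /quiet | Out-Null
}

# Export the policy secedit currently holds and return the [Event Audit] values.
function Get-EffectiveAuditPolicy([string]$Dir) {
    $Export = Join-Path $Dir 'effective.inf'
    secedit.exe /export /cfg $Export /areas SECURITYPOLICY /quiet | Out-Null
    $Result = @{}
    $InSection = $false
    foreach ($Line in Get-Content $Export) {
        if ($Line -match '^\[(.+)\]$') { $InSection = ($Matches[1] -eq 'Event Audit'); continue }
        if ($InSection -and $Line -match '^\s*(Audit\w+)\s*=\s*(\d+)') {
            $Result[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $Result
}

Set-AuditBaseline $Desired $Work
$Effective = Get-EffectiveAuditPolicy $Work

# Compare what we asked for with what is in force; a missing key counts as a mismatch.
$Mismatch = 0
foreach ($Name in $Desired.Keys) {
    if ($Effective[$Name] -ne $Desired[$Name]) {
        Write-Warning ('{0}: wanted {1}, effective {2}' -f $Name, $Desired[$Name], $Effective[$Name])
        $Mismatch++
    }
}
if ($Mismatch -eq 0) { 'Audit policy matches the baseline.' }
else { "$Mismatch setting(s) differ; a domain GPO may be overriding the local setting." }
```

Two caveats when using this. On a domain member, audit settings delivered by a domain or organizational-unit GPO are re-applied over the local policy at the next policy refresh, so the lasting place to set them is the GPO edited in Section 5.7.2 or 5.7.3; after changing a GPO, run gpupdate /force (Windows XP and Server 2003) or secedit /refreshpolicy machine_policy (Windows 2000) on the target host instead of waiting for the refresh interval. And on Windows Vista, Server 2008 and later, the nine categories are subdivided into subcategories managed with auditpol.exe; the template above still works there, but auditpol /get /category:* shows the finer-grained policy that is actually in force.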


© 2007 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com