
A colleague and I have been discussing an IS audit demo on Windows.

One point we'd like to cover is that an administrative/high-privilege user should view the security log within X hours of a failure event. Something like the following:

  1. Read the ID of a failure event
  2. Apply a filter on the privilege use by an admin/privy user constrained to the ID of the failure event/security event log

Basically I'd like to know whether it is possible to verify when the security log was last viewed, and by whom. Can this be done?

Everyone
  • I can't even remember if viewing the logs is an auditable event in Windows. But I'd respectfully suggest this is a meaningless metric - even if you can measure if someone viewed a log, you can't tell if they actually *read* the log and thought about what it said vs. just clicking on the log and skimming through it at high speed just to conform to your metric. It's the same as read receipts on email - just because I clicked and generated a receipt, that doesn't mean I took any notice of it. – Rob Moir Feb 25 '12 at 10:06
  • Agreed on the noise-factor mentioned by both Rob Moir and uSlackr – Everyone Feb 26 '12 at 23:02
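An added example, not from the question or the answers, that implements the two-step check proposed in the question in PowerShell. It assumes that a read of the Security log is represented by a 4673 (sensitive privilege use) event carrying SeSecurityPrivilege, that "Audit Sensitive Privilege Use" is enabled so those events exist, and that the reviewer accounts (the CONTOSO\auditor value is a constructed placeholder) are supplied by the caller.

```powershell
# Added example (not from the question or the answer): the two-step check the
# question describes. Assumptions: a read of the Security log shows up as event
# 4673 (sensitive privilege use) carrying SeSecurityPrivilege, which requires
# "Audit Sensitive Privilege Use" to be enabled; reviewer accounts are supplied
# by the caller. Must run elevated, since reading the Security log needs the
# same privilege.
param(
    [int]$WindowHours = 4,
    [string[]]$Reviewers = @('CONTOSO\auditor'),   # constructed placeholder
    [int]$LookbackDays = 7
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Step 1: every failure audit in the window (StandardEventKeywords.AuditFailure)
$failures = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Keywords = 4503599627370496; StartTime = $since
} -ErrorAction SilentlyContinue

# Step 2: privilege-use events where a reviewer exercised SeSecurityPrivilege
$views = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4673; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data['PrivilegeList'] -match 'SeSecurityPrivilege') {
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
} | Where-Object { $Reviewers -contains $_.User }

# Pair each failure with the first reviewer log access inside the X-hour window
foreach ($f in $failures) {
    $deadline = $f.TimeCreated.AddHours($WindowHours)
    $view = $views | Where-Object { $_.Time -ge $f.TimeCreated -and $_.Time -le $deadline } |
        Sort-Object Time | Select-Object -First 1
    [pscustomobject]@{
        FailureId   = $f.Id
        FailureTime = $f.TimeCreated
        ReviewedBy  = $(if ($view) { $view.User } else { $null })
        ReviewedAt  = $(if ($view) { $view.Time } else { $null })
        WithinSla   = [bool]$view
    }
}
```

Event 4673 is written for every sensitive privilege call, so on a busy server the second query is slow and the results are dominated by exactly the noise the answer warns about; treat a match as "the log was opened", not "the log was read".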

1 Answer


I would take a different approach. A centralized log mgmt program that generates its own events from specific server events that either 1) create help desk tickets or 2) allow events to be acknowledged with the mgmt tool.

Keep in mind, your job is to cook down the number of events that need to be reviewed to an absolute minimum or else you are just generating noise and adding useless workload. Server logs generate a lot of noise because there is little intelligence behind them.

uSlackr