
The security logs of the two domain controllers of my network are flooded by security event IDs 4624 and 4634 and, to a lesser extent, 4672. Reading on the internet, such behavior is quite common and does not necessarily mean an underlying issue / problem.

However, such a flood undermines the usefulness of a log: too much information, no information.

I'd like to tell Windows Server: do not write event IDs 4624 and 4634 to the security log but, instead, write them to a new log file used for those events only. In this way I would not lower the security (audit abilities) of the system, but I would improve the information carried by the modified security log.

Is this possible? Is this advisable?

Thanks,

Diego

Diego A
  • Do a search for windows log filtering. It's certainly not advisable. You can make a subscription for those events but they do go to the sec. log. – Jim B May 25 '16 at 20:33
  • Unfortunately filtering would not be useful. I'd like to redirect from logbook A to logbook B some selected event id – Diego A May 26 '16 at 08:26
  • that would defeat the purpose of logging at all, that's the exact point of standard log locations so I can't prevent logging from occurring by sending the log events to an immediately rotating log or a null device log. Filtering is the solution you are looking for since only the events you want to see actually show. (and not for nothing but if you are seeing lots of 4624 and 4672 events you should look really hard at your DCs) – Jim B May 26 '16 at 23:42
  • Jim, I agree with you about the default location and the "tampering prevention". However, what do you mean by "filtering"? If filtering is the filter given in windows event viewer mmc, is not useful to me. It would be only visual, the security log would continue to be huge. – Diego A May 31 '16 at 07:50
  • which is bigger, 2 100gb files or a single 200gb files? – Jim B May 31 '16 at 12:57
  • In this case, despite the math, the 200gb file would be heavier (not bigger) than two 100gb: with a file with just one event id (or a bunch, 2 or 3 of them), and the other file with all the others (issued much slower), this last one would rotate much slower and would be far more explicative, not to mention that the growth rate would be much slower too. The first file would be consulted only at specific need :-) – Diego A Jun 01 '16 at 21:02
  • umm heavier?? that's a new one. windows log rotation times are usually instantaneous, but again what you've essentially asked for is a filter and you want a second log to keep "rotating" which would be done via subscription (if you really really want a second log file) but I can't see any actual benefit since if you ever do have an incident, you'll get to explain as to why you couldn't keep the actual security log in place. – Jim B Jun 02 '16 at 01:54

1 Answer


While Windows allows filtering, you cannot divert certain events based on ID to a different log. It is to some extent possible to divert certain event sources to their own event log (e.g. you can create a specific log for a software product and redirect its events to that log), but the security log is pretty much immutable.

If this is really bothersome to you, then you will probably need to invest in some sort of log monitoring solution, which would allow you to store events in a database, a remote syslog server or even a text file. Of course these products often offer additional capabilities such as alerting, normalizing, correlation, archiving and more.

One such product which focuses on Windows is EventSentry, but there are many more - including free & open source ones. For example, with EventSentry you could review events while easily / automatically filtering out noise from these events, or even store 4624 in a separate database altogether.

Lucky Luke
  • Luke, I feared that this was the answer... So, I could further investigate if this high number of events does not hide a problem or a misconfiguration. However, if current behavior would be just correct (and I am pretty sure it is, I already sorted and searched the log events for something suspect, there isn't), I would have only two options: disable auditing for those events or, as you said, invest in a compliance management software. Am I right? Just a confirmation. – Diego A May 31 '16 at 08:00
  • Yes, that would be correct unfortunately. If you are concerned about security then investing into a real-time monitoring solution is your best bet at this point. Depending on the # of servers you have, the cost may be much less than you think and well worth the investment. – Lucky Luke May 31 '16 at 14:26
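The "filtering" Jim B refers to, plus a quick check of what is actually behind the 4624 volume, as an added PowerShell example that is not from the question, the answer or any product mentioned above. It assumes it is run with administrative rights on one of the domain controllers; the one-hour window and the 200-event limit are arbitrary choices.

```powershell
# Added example (not from the question or answer). "Filtering" in the sense used
# in the comments is an XPath query over the Security log: the <Suppress> element
# hides the noisy IDs in a view while the log itself is left untouched, so the
# audit trail is unchanged and only what you look at gets quieter.
$quietQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4672)]]</Suppress>
  </Query>
</QueryList>
'@

# The same XML can be pasted into Event Viewer > Create Custom View > XML tab.
# Here it drives Get-WinEvent, so the quiet view is scriptable as well.
$quietEvents = Get-WinEvent -FilterXml ([xml]$quietQuery) -MaxEvents 200
$quietEvents | Format-Table TimeCreated, Id, ProviderName -AutoSize

# Before hiding the noise, confirm it is noise: on a domain controller a flood
# of 4624 is expected, but the mix of logon types and the accounts behind it is
# what shows whether it is healthy. Logon type and target account live in
# EventData, so each record's XML is parsed rather than its message text.
function Get-LogonTypeSummary {
    param([int]$Hours = 1)   # window size is an arbitrary choice
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            LogonType = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
            Account   = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        }
    } | Group-Object LogonType, Account | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Top (logon type, account) pairs of the last hour; a few machine accounts with
# logon type 3 dominating is the normal picture, anything else deserves a look.
Get-LogonTypeSummary -Hours 1 | Select-Object -First 20
```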