How are object access events generated?

I wrote this as an answer for Tom, who emailed me, but I thought I’d share it with everyone.  There are 7 events associated with object access auditing in Windows:  560 is the “open handle” event.  It is logged when an app asks for access to an object (via a call like CreateFile).  An…


Trustworthiness of Information in Audit Records

I get asked quite often “why is the Workstation name missing from some events?”  I’ve explained that elsewhere.  But this raises another issue that many of you might not have considered, and I want to take a few minutes to explain. The Windows Security event log is designed to be as trustworthy as possible, and…


Auditing and the Payment Card Industry (PCI) Data Security Standard

Here is a link to an interesting blog article interpreting the audit requirement of the PCI standard.  For reference, here is a link (pdf) to the PCI 1.1 Data Security Standard itself.  The high-level PCI requirements are listed below.  Requirement 10 is the requirement pertaining to audit.  Build and Maintain a Secure…


Logs and the US Department of Justice Cybercrime Manual

Source: Here is the most relevant excerpt; highlighting is mine. Records of regularly conducted activity. A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a…


Logs and the Canadian Rules for Electronic Evidence

Source:, 8/31/2006 Here are two excerpts from the Canadian national laws pertaining to the introduction of business records and electronic records as evidence in courts of law.  Business Records  Inference where information not in business record 30. (1) Where oral evidence in respect of a matter would be admissible in a legal proceeding,…


ISV Writing Reports for Operations Manager Audit Collector (formerly ACS)

Those of you who know the long and sordid history of ACS (Audit Collection Services, which I blogged about once before) will be pleased to hear that we’re not vaporware (again). System Center Operations Manager 2007 beta 2 released two weeks ago, and included ACS.  To make amends for not having shipped yet, we also…


Sharepoint Portal Services Auditing Tool

While searching for something else, I stumbled across this post. Disclaimer: I have never used Syntergy’s product, so I cannot recommend for or against it; I’m just letting you know that it’s available for those of you who need it.


LogLogic posts open-source Windows log collection tool

I just became aware that LogLogic has posted an open-source log collection system called Lasso that supports Windows clients.  I haven’t had a chance to use it yet but it looks like a collection engine that you’d build analysis apps on. As always, I have to disclaim: this is not an endorsement, just me letting you…


Quick Overview of Object Access Auditing in Windows

A lot of people are unhappy with object access auditing on Windows, because what they want to know is “who touched the object and what did that person do”, but what Windows auditing tells you is actually “who touched the object and what did they ask for permission to do”.  The distinction is subtle, but…