Where do I get my information on Windows auditing?

You might want to know where I go to get my information on audit events and so forth. Mostly I go to the source code or one of our developers. For continuity-of-employment reasons I won’t be posting a link to that here 😉 We have some old specs and some new specs but sometimes the…

Default ACLs on Windows Event Logs

A question I get asked frequently: what are the default ACLs on Windows event logs? Here’s the answer, straight from the source code with only a little formatting help from me, and in more detail than you probably care to know. Windows 2000: Application Event Log and custom event logs (ACE Type | Principal | Accesses: *Deny …)

What is up with Audit Collection Services?

A lot of you have been asking me to write about Audit Collection Services (ACS, which some of you might know as MACS). For those of you unfamiliar with ACS, it’s a client-server application to collect, normalize and store large volumes of security event log data from large numbers of machines, and to make the…

Managed Code Developers: You no longer have an excuse!

One of my former teammates, Mark, designed and built a set of managed classes for generating audit from .NET applications (for example, consider a web service). His work is published in the latest issue of MSDN magazine. A lot of people aren’t aware of this, but in Windows Server 2003 we added an API set…

Yay! A fix for EventQuery

Those of us “in the know” 🙂 use eventquery.vbs to export events to a delimited file, and then use Excel to analyze the log; autofiltering rocks. Unfortunately, if you have a large log, this doesn’t work! Well, I finally used MSN Search to see if there was a KB article on this, and I found…