Event Log Auditing

My company has had a policy for checking all server event logs at least weekly for as long as I can remember. Honestly I’m happy to review server logs on a regular basis, as I’ve caught a variety of small problems before they’ve become big problems by doing it. The bigger issue is creating a trail of some sort that proves it was done, to make our auditors happy.

Last fall I went looking for some software that would help with the whole process. We’d settled on NetPro’s LogAdmin because we were purchasing some of their other products and LogAdmin seemed like it would do the trick. A combination of factors led to us not getting it installed properly or in a timely manner – my time being pulled by a variety of “more pressing” projects, the purchase of NetPro by Quest Software, my lack of experience with SQL installations, misinformation about what IIS requirements were needed to support the software, and then the subsequent “end of life” announcement for LogAdmin by Quest.

I feel like I spent a lifetime on the phone and sending emails, but we got our LogAdmin licenses converted to the equivalent Quest product, InTrust. So finally, after 2 days of scheduled phone support, some growing pains installing SQL 2005 on Server 2008, and the software requirement of disabling UAC, the InTrust product is installed and I’ve had some basic training on configuration.

Since we didn’t originally look at this product, I feel like I’ve been flying blind. The support tech I was working with was great but concentrated his demos on the security logs, where I need reports and alerts for ALL the logs in Windows. I’m hoping I’ll have some time next week to RTFM and concentrate on setting up the agent, filters and reports on a server or two to get more comfortable.
