#1 k-strider

    Audit logging and incident handling

    Having just seen all the Becta bombshell of best/good practice, I have also realised I need to encrypt USB sticks and any laptops that go off site...


    My question is more on this guide... http://schools.becta.org.uk/upload-d...it_logging.pdf

    Firstly, what do we need to log in reality? It looks to me from reading it that I basically need all the security logs from my DCs. I script a log in and out to a SQL DB, so this too would be useful (though I currently use a stored procedure to remove records older than 32 days so the DB didn't grow massive, but it holds enough to follow queries up).

    It looks like I need to keep all my externally available IIS server logs.

    It looks like the MIS (in our case CMIS) logs too...

    Now the more important question is: can we automate this process? The Windows security logs just overwrite themselves after so long and don't "archive" themselves off.

    The other thing that looked manual-ish and time-consuming is the moving of the logs onto read-only media. The Becta report seemed to imply this should be done regularly, implying that once a week was poor/high risk.

    Has anyone started to look at this yet?
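
One way to automate the archiving asked about above, as an added example that is not from the thread, from Becta's guidance or from any product mentioned here: a scheduled PowerShell script that exports a DC's Security log with wevtutil before the live log wraps, records a SHA-256 hash of the export in a per-server manifest, ships it to a share that the DC's own account cannot delete from, and provides a separate integrity check to run from elsewhere. It assumes Windows Server 2008 or later (wevtutil.exe) and PowerShell 2.0; the share path, retention period, staging directory and file-name scheme are hypothetical.

```powershell
# Added example, not code from the thread: scheduled export of a DC's Security
# log with a SHA-256 manifest, plus an integrity check and retention pruning.
# Run the export from Task Scheduler well inside the log's wrap interval.
# Assumes Windows Server 2008+ and PowerShell 2.0+. Paths, retention period and
# file-name scheme are hypothetical and must be replaced with your own.

$ArchiveRoot   = '\\logvault\security-archive'   # hypothetical share; deny Delete/Modify to the DC's account
$LocalStaging  = Join-Path $env:TEMP 'evtx-export'   # hypothetical staging directory
$RetentionDays = 400                                 # hypothetical; take it from your own retention decision
$Computer      = $env:COMPUTERNAME
$Stamp         = Get-Date -Format 'yyyyMMdd-HHmmss'
$FileName      = '{0}-Security-{1}.evtx' -f $Computer, $Stamp

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash only arrived in PowerShell 4.0, so hash via .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Export-SecurityLog([string]$Dest) {
    # 'epl' copies the live log without clearing it, so the DC keeps its own
    # copy and nothing is lost if the copy to the share fails. Use
    # 'wevtutil cl Security /bu:<file>' only if your plan makes the archive the
    # master copy, and never before the hash and copy below have succeeded.
    & wevtutil.exe epl Security $Dest
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }
}

function Test-ArchiveIntegrity([string]$Manifest, [string]$Root) {
    # Re-hash every file the manifest lists. Run this from a different account
    # or host than the one that writes the archive: a mismatch means an export
    # was altered after its hash was recorded.
    $bad = 0
    foreach ($line in (Get-Content $Manifest)) {
        $hash, $name = ($line -split '\s+', 3)[0..1]
        $file = Join-Path $Root $name
        if (-not (Test-Path $file)) { continue }        # already pruned by retention
        if ((Get-Sha256Hex $file) -ne $hash) { Write-Warning "hash mismatch: $file"; $bad++ }
    }
    return ($bad -eq 0)
}

function Remove-ExpiredArchives([string]$Root, [string]$Server, [int]$Days) {
    # Run this on the vault host with an account that may delete; the DC's own
    # account should not be able to. The number is your written-down answer to
    # "how long would an outsider reasonably expect us to keep this?".
    Get-ChildItem -Path $Root -Filter "$Server-Security-*.evtx" |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$Days) } |
        Remove-Item -Force
}

# 1. Export locally first: the Event Log service performs the write and may not
#    have rights to a UNC path.
if (-not (Test-Path $LocalStaging)) { New-Item -ItemType Directory -Path $LocalStaging | Out-Null }
$Local = Join-Path $LocalStaging $FileName
Export-SecurityLog $Local

# 2. Hash before the file leaves the box, then ship the export and the manifest line.
$Hash = Get-Sha256Hex $Local
Copy-Item -Path $Local -Destination (Join-Path $ArchiveRoot $FileName)
$ManifestLine = '{0}  {1}  {2}' -f $Hash, $FileName, (Get-Date -Format 'u')
Add-Content -Path (Join-Path $ArchiveRoot "$Computer-manifest.sha256") -Value $ManifestLine
Remove-Item $Local
```

The read-only media step then becomes a periodic copy of the share contents together with the manifest files; running Test-ArchiveIntegrity against that copy, from an account that cannot write to the share, is what turns "we moved the logs" into something an auditor can check.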

#2 sahmeepee
    You've made the fatal mistake of assuming Becta know anything. Extra homework for you.

#3
    Have a search for data protection and Becta on the forums; it comes up a lot.

    Initial thread: Becta Information security guidance for schools published

    We have a working group sorting this out: me (NM), two governors, the deputy head and the head of ICT.

    Some of it is merely an extension of what we already do, some of it has an attached time/money/hardware cost.

    Two things to remember:

    1) Don't panic.
    2) The advice hinges on "reasonableness". When looking at a log ask yourself: "As an outside person, how long would I reasonably expect the school to retain this log?"

    Windows servers can be configured to log to an external syslog server with minimal effort. Your main issue is getting the logs (or rather a copy of them) into something that can provide decent search functionality so the data is usable.

    For each device's / application's individual logs:

    What does the log hold?
    Where does it hold it?
    In what format? (.txt, .evt, binary, gzipped plain text etc)
    How long is data kept for before it overwrites? Is this sufficient?
    Who has access to the log?
    Do we need to retain this log for auditing purposes?

    Once you have the above info, you can work out the scale of the task.
    Last edited by pete; 11th March 2009 at 11:19 AM.

#4 gshaw
    Looked at this a while back; it now seems to run on Windows, so worth a test.

    Splunk > IT Search Company | It's not just Log Management anymore

    Edit: just downloaded and installed it on the test network. Added the Windows WMI app onto it and just need to edit the conf file to get it to pull the logs from other servers; something to try tomorrow.
    Last edited by gshaw; 11th March 2009 at 05:02 PM.

#5
    Just had a meeting with Splunk's VP for EMEA. One of our technicians is rolling it out for a huge retailer in the UK at the minute and it is a fantastic product.

    You can use the full version for free with a few caveats, but I would definitely recommend it to anyone who doesn't want to trawl through endless management/log consoles trying to find things, when you can have a search engine akin to how Google searches the web, for free!

    You can download it here: Splunk : Download Splunk 3.4.6

    It is available for Linux, Mac and Windows (2000 -> Vista).
