11th March 2009, 01:15 AM #1
Audit logging and incident handling
Having just seen all the Becta bombshell of best/good practice... I have also realised I need to encrypt USB sticks and any laptops that go off site...
My question is more on this guide... http://schools.becta.org.uk/upload-d...it_logging.pdf
Firstly, what do we need to log in reality? It looks to me from reading it... I basically need all the security logs from my DCs. I script a log in and out to a SQL DB, so this too would be useful (though I currently use a stored procedure to remove records older than 32 days so the DB didn't grow massive, but it holds enough to follow queries up).
It looks like I need to keep all my externally available IIS server logs...
It looks like the MIS (in our case CMIS) logs too...
Now the more important question is: can we automate this process? The Windows security logs just overwrite themselves after so long... and don't "archive" themselves off...
The other thing that looked manual-ish and time consuming is the moving of the logs onto read-only media... the Becta report seemed to imply this should be done regularly, implying that once a week was poor / high risk.
Has anyone started to look at this yet?
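One way to take the "overwrite themselves" and "move to read-only media" points out of the manual routine, as an added example that is not from the thread or from the Becta guide: export the Security log from each DC on a schedule into a dated folder, and write a SHA-256 manifest next to the exports so the copy that later goes onto read-only media can be checked for tampering. The DC names, the staging folder and Windows Server 2008 or later on the targets are assumptions.

```powershell
# Added example, not from the thread: scheduled export of the Security log from each DC
# plus a SHA-256 manifest, so the copy that goes onto read-only media can be verified later.
# Assumptions: Windows Server 2008 or later on the targets, run as an account with
# rights to read the remote Security log, and a staging folder on the archive host.
param(
    [string[]]$Servers = @('DC1', 'DC2'),      # hypothetical DC names
    [string]$ArchiveRoot = 'D:\LogArchive'     # hypothetical staging folder
)

function Export-SecurityLogs {
    param([string[]]$Computers, [string]$Root)

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    foreach ($server in $Computers) {
        # Grow the live log so it cannot wrap around between two archive runs
        # (1 GB here; size it from how many events per day your DCs actually produce).
        & wevtutil sl Security /ms:1073741824 /r:$server

        # epl exports the log without clearing it, so the DC keeps its own copy as well.
        $file = Join-Path $dest ("{0}-Security-{1}.evtx" -f $server, $stamp)
        & wevtutil epl Security $file /r:$server
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export from $server failed"; continue }
    }

    # One hash per exported file; the manifest travels with the logs to the read-only copy.
    Get-ChildItem -Path $dest -Filter '*.evtx' | ForEach-Object {
        '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $_.Name
    } | Set-Content -Path (Join-Path $dest 'SHA256SUMS.txt')

    return $dest
}

function Test-LogArchive {
    # Re-hash every file listed in the manifest; returns $true only if nothing has changed.
    param([string]$Folder)
    $ok = $true
    foreach ($line in Get-Content (Join-Path $Folder 'SHA256SUMS.txt')) {
        $expected, $name = $line -split '\s+', 2
        $actual = (Get-FileHash -Path (Join-Path $Folder $name) -Algorithm SHA256).Hash
        if ($actual -ne $expected) { Write-Warning "Hash mismatch: $name"; $ok = $false }
    }
    return $ok
}

$folder = Export-SecurityLogs -Computers $Servers -Root $ArchiveRoot
if (Test-LogArchive -Folder $folder) { Write-Output "Archive written and verified: $folder" }
```

Run it from Task Scheduler (daily is a sensible starting point given the guide's view of weekly); each run produces a dated folder that can be burned or copied to the read-only medium as a unit, and `Test-LogArchive` run against that copy later confirms the files still match the manifest. The IIS and MIS logs the post mentions are plain files and can be dropped into the same dated folder before the manifest is written.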
11th March 2009, 09:06 AM #2
You've made the fatal mistake of assuming Becta know anything. Extra homework for you.
11th March 2009, 10:57 AM #3
Have a search for data protection and Becta on the forums - it comes up a lot.
Initial thread: Becta Information security guidance for schools published
We have a working group sorting this out - me (NM), two governors, deputy head and head of ict.
Some of it is merely an extension of what we already do, some of it has an attached time/money/hardware cost.
Two things to remember:
1) Don't panic.
2) The advice hinges on "reasonableness". When looking at a log ask yourself: "As an outside person, how long would I reasonably expect the school to retain this log?"
Windows servers can be configured to log to an external syslog server with minimal effort. Your main issue is getting the logs (or rather a copy of them) into something that can provide decent search functionality so the data is usable.
For each device's / app's individual logs:
What does the log hold?
Where does it hold it?
In what format? (.txt, .evt, binary, gzipped plain text etc)
How long is data kept for before it overwrites? Is this sufficient?
Who has access to the log?
Do we need to retain this log for auditing purposes?
Once you have the above info, you can work out the scale of the task.
Last edited by pete; 11th March 2009 at 12:19 PM.
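For the Windows boxes, most of the checklist above (where is the log held, in what format, how much does it hold and how far back does it currently reach) can be answered in one pass rather than by opening Event Viewer on each server. The following is an added example, not code from pete's post or from the Becta guide; the server names are hypothetical and it assumes Windows Server 2008 or later with an account that can read the remote logs. The "who has access" and "do we need to retain it" questions still need a person.

```powershell
# Added example, not from the thread: answers "where is it held, how big is it, how far back
# does it reach" for the Windows event logs on each server.
# Assumptions: Windows Server 2008 or later, and an account with read rights on the remote logs.
param(
    [string[]]$Servers = @('DC1', 'FILESERVER1'),        # hypothetical server names
    [string[]]$Logs    = @('Security', 'System', 'Application')
)

function Get-LogInventory {
    param([string]$Computer, [string[]]$LogNames)
    foreach ($name in $LogNames) {
        $cfg = Get-WinEvent -ListLog $name -ComputerName $Computer -ErrorAction SilentlyContinue
        if (-not $cfg) { Write-Warning "$Computer has no log named $name"; continue }

        # The oldest surviving record shows how far back the log reaches today, i.e. how
        # long you have before Circular mode overwrites entries.
        $oldest = Get-WinEvent -LogName $name -ComputerName $Computer -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
        $days   = $null
        if ($oldest) { $days = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) }

        [pscustomobject]@{
            Computer    = $Computer
            Log         = $name
            Path        = $cfg.LogFilePath         # held as binary .evtx on the server itself
            Mode        = $cfg.LogMode             # Circular overwrites; Retain / AutoBackup do not
            MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            Records     = $cfg.RecordCount
            DaysCovered = $days
        }
    }
}

# Flag anything that does not currently hold a sensible window (30 days here; pick your own
# figure from the "reasonableness" test above).
$Servers | ForEach-Object { Get-LogInventory -Computer $_ -LogNames $Logs } |
    Select-Object *, @{ Name = 'Sufficient'; Expression = { $_.DaysCovered -ge 30 } } |
    Format-Table -AutoSize
```

A log that shows `Circular` with only a few days covered is the one that needs either a bigger maximum size or a more frequent archive run; the same table, exported with `Export-Csv`, is a reasonable starting document for the working group.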
11th March 2009, 11:54 AM #4
Looked at this a while back; it now seems to run on Windows, so worth a test:
Splunk > IT Search Company | It's not just Log Management anymore
Edit: just downloaded and installed it on the test network. Added the Windows WMI app to it and just need to edit the conf file to get it to pull the logs from other servers, something to try tomorrow.
Last edited by gshaw; 11th March 2009 at 06:02 PM.
20th March 2009, 01:13 PM #5
Just had a meeting with Splunk's VP for EMEA. One of our technicians is rolling it out for a huge retailer in the UK at the minute and it is a fantastic product.
You can use the full version for free with a few caveats, but I would definitely recommend it to anyone who doesn't want to trawl through endless management / log consoles trying to find things when you can have a search engine akin to how Google searches the web, for free!
You can download it here: Splunk : Download Splunk 3.4.6
It is available for Linux, Mac, Windows (2000-> Vista).