Audit logging and incident handling
Having just seen all the Becta bombshell of best/good practice.. i have also realised i need to encrypt USB sticks and any laptops that go off site...
my question is more on this guide... http://schools.becta.org.uk/upload-d...it_logging.pdf
firstly what do we need to log in reality? it looks to me from reading it.. i basically need all the security logs from my DCs.. i script a log in and out to a SQL DB so this too would be useful (though i currently use a stored procedure to remove records older than 32 days so the DB didn't grow massive, but it holds enough to follow queries up).
it looks like i need to keep all my externally available IIS server logs..
it looks like the MIS (in our case CMIS) logs too...
now the more important question is can we automate this process... the Windows security logs just overwrite themselves after so long... and don't "archive" themselves off..
the other thing that looked manual-ish and time consuming is the moving of the logs on to read-only media.. the Becta report seemed to imply this should be done regularly, implying that once a week was poor / high risk.
has anyone started to look at this yet?
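One way to automate the two points raised above (the Security log overwriting itself, and the regular hand-off to read-only media), as an added example that is not from the original post or from the Becta guide. It is a PowerShell script for a DC that switches the Security log to archive-when-full, exports and clears the current log with `wevtutil`, records a SHA-256 of the export, copies it to the read-only target and verifies the copy. The folder paths and the `AuditArchive` event source are assumptions for illustration; change them to suit the site.

```powershell
# Added example: archive the Windows Security log instead of letting it overwrite itself,
# then hash and copy the export to read-only media. Not from the original post.
# Assumed paths: $ArchiveRoot (local staging) and $ReadOnlyMedia (write-once target).
# Run from an elevated PowerShell session on each DC; schedule with Task Scheduler.
param(
    [string]$LogName       = 'Security',
    [string]$ArchiveRoot   = 'D:\AuditArchive',   # assumed staging folder
    [string]$ReadOnlyMedia = 'E:\'                # assumed read-only / write-once media
)

$ErrorActionPreference = 'Stop'

# 1. Stop the log overwriting itself: retention on + auto-backup when the log fills.
#    Equivalent to "Archive the log when full, do not overwrite events" in Event Viewer.
#    /ab:true requires /rt:true; /ms is the maximum log size in bytes (1 GB here).
wevtutil.exe sl $LogName /rt:true /ab:true /ms:1073741824
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for $LogName (exit $LASTEXITCODE)" }

# 2. Export the current log to a timestamped .evtx and clear it in one step.
#    'wevtutil cl /bu:' writes the backup before clearing, so no events are lost.
New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$evtx  = Join-Path $ArchiveRoot "$($env:COMPUTERNAME)-$LogName-$stamp.evtx"
wevtutil.exe cl $LogName /bu:$evtx
if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed for $LogName (exit $LASTEXITCODE)" }

# 3. Record a SHA-256 of the export so later tampering with the archive can be spotted.
$sha     = (Get-FileHash -Path $evtx -Algorithm SHA256).Hash
$sumFile = Join-Path $ArchiveRoot 'SHA256SUMS.txt'
"$sha  $(Split-Path $evtx -Leaf)" | Add-Content -Path $sumFile

# 4. Copy to the read-only media and verify the copy against the recorded hash.
$dest = Join-Path $ReadOnlyMedia (Split-Path $evtx -Leaf)
Copy-Item -Path $evtx -Destination $dest
$copySha = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
if ($copySha -ne $sha) { throw "Hash mismatch after copy to $dest" }

# 5. Leave a record of the run in the Application log (assumed source name 'AuditArchive').
$source = 'AuditArchive'
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
    -Message "Archived $LogName to $dest (SHA256 $sha)"

Write-Output "Archived $LogName -> $dest"
Write-Output "SHA256: $sha"
```

Scheduling this daily (or more often on a busy DC) via Task Scheduler gives the regular, unattended transfer the guide asks for; the `SHA256SUMS.txt` file kept beside the exports lets you later prove that an archived log still matches what was written at the time. Step 1 is also worth applying on its own, since with auto-backup enabled Windows will write an archive copy itself when the log fills rather than discarding old events.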