Windows Auditing and Monitoring Overview
Microsoft Windows event logs provide historical information that can help you track down the operation and security of your Windows-based network. The event-logging service controls whether events are tracked on Windows-based systems. When this service is started, you can track user actions and system resource usage events with the following event logs:
- Application Log—records events logged by applications, such as the failure of MS SQL to access a database.
- Security Log—records events set for auditing with local or global group policies, providing information about logon activity, account management, and file and object access events.
- System Log—records events logged by the operating system or its components, such as the failure of a service to start at boot-up.
- Directory Service Log—records events logged by Active Directory and its related services.
- DNS Server Log—records DNS queries, responses, and other DNS activities.
- The DFS Replication log (File Replication Service log in pre-Windows 2008 systems) contains events logged by the DFS Replication service that enables you to synchronize folders on multiple servers across local or wide area network (WAN) network connections.
- User session events—although these events are not contained in a traditional Windows event log (they are not written to any *.evt files and are not viewable in Event Viewer), these custom events are treated exactly like true Windows events by InTrust and are important for Windows security auditing.
The following two sections provide you with more details on Windows Security log events and user session events:
This data can help you detect suspicious activity and audit major administrative tasks.
Windows Security Log
Event records contained in the security log can be grouped according to the audit policy categories they are tracked with. Some events are generated by all versions of the Windows operating system; others are version-specific (for example, generated by Windows Server 2008). The common security event categories common to all versions are described below.
Logon Events
Logon events are generated on the computer to which the logon attempt was made, whether the attempt was an interactive or a remote logon. Events related to this category allow you to track user logons to network computers and discover suspicious activity that might lead to security incidents (such as logon failures due to bad passwords or logons during non-business hours).
Account Logon Events
Account logon events are generated when user tries to logon on the computer or domain:
- Logon attempts with domain accounts
These events are recorded in the security log on the domain controller irrespectively where authentication was taken place. - Logon attempts with local accounts that are stored on the local computer.
These logon events are recorded in the security log on the computer where user tries to log in.
Account Management
These events are related to users account management, and to group and group membership management tasks. These tasks should be performed by administrators. If the administrator fails to carry out these tasks, this may lead to account misrule and security violations. The following events are included:
- User account management—events related to the creation, deletion, enabling, or disabling of user accounts
- Group management—events related to the creation, deletion, enabling, or disabling of groups
- Group membership management—events related to adding or removing user accounts from groups
System Events
The security log contains records on the important system events, allowing you to monitor for your system operation: system startup/shutdown, system time change, and other events. For example, the “Audit log was cleared” event in this category helps you discover potential intruder activity and attempts to cover the tracks.
Object Access
These events help you to find out whether an object of a certain type (printer, server, file, registry key, etc.) was accessed by a user, and what operations were performed on the object (for example, an attempt to delete).
Note, that Active Directory objects are not included in this category (for more information see Directory Service Access section below).
Policy Change
Policy change events include security event messages involving trust relationships, IPSec policy, and user rights assignments.
Privilege Use
These events help you investigate changes to a user's privileges or attempts to use privileges in an unauthorized manner.
Process Tracking
These events help you to find out what software is running on the work stations and on the servers. Information about processed tasks and object access data allow you to stay informed on users’ activity in whole.
|
|
Note: In Event Viewer terminology the Detailed Tracking events category is the same as Process Tracking events. |
Directory Service Access
Directory Service Access events allow you to monitor for AD objects access. These events are also recorded in the Windows security log.
|
|
Note: Since Windows Server 2008, the Audit directory service access policy is divided into the following categories:
To learn more about directory service audit in Windows 2008, search Microsoft TechNet (http://technet.microsoft.com) for “AD DS Auditing Step-by-Step Guide”. |
User Session Events
InTrust lets you extend the auditing of logon activity on any Windows computer where an InTrust agent is installed. In addition to the generic logon and logoff information from the Security log, you get details about the following:
- When and how long the computer was actually in use between logon and logoff
- What caused periods of inactivity between logon and logoff (user switching, screensaver, computer lock)
- Concurrent user activity on the computer
On computers where these events are tracked, you do not have to look at the generic Security log logon and logoff events. InTrust-provided user-session auditing is more complete and (especially in the case of logoff auditing) more dependable.
These events are generated by the Quest InTrust User Session Monitor service, which is installed together with the InTrust agent. This service makes the events available to the agent through the agent cache, and the agent works with them as with any Windows events.
From the agent's perspective, these events come from the “InTrust User Session Tracking” event log, for which the InTrust User Session Tracking data source is provided. Gathering, real-time monitoring, reporting, browsing in Repository Viewer and other operations work for these events without limitations.
This table lists the events logged by the Quest InTrust User Session Monitor service.
| Event ID | Description |
Insertion Strings |
|---|---|---|
| 100 | A user session by user %IS1% took place on computer %Where%, starting at %IS13%, ending at %IS15% and lasting %IS16%. The session was started from computer %IS7% (IP address %IS8%). Reason for session start: %IS23%. Reason for session end: %IS24%. |
|
| 101 | A user session was started on computer %Where% by user %IS1% logging on at %IS13% with the %IS10% logon type. |
|
| 102 | A user session was ended on computer %Where% by user %IS1% logging off at %IS15%. The user session lasted %IS16%. |
|
| 103 | A user session was ended on computer %Where% by user %IS1% locking the computer at %IS15%. The user session lasted %IS16%. |
|
| 104 | A user session was started on computer %Where% by user %IS1% unlocking the computer at %IS13%. |
|
| 105 | A user session was started on computer %Where% by user %IS1% due to user switch at %IS13%. |
|
| 106 | A user session was ended on computer %Where% by user %IS1% at %IS15%, because a user switch was performed. The user session lasted %IS16%. |
|
| 107 | A user session was started on computer %Where% by user %IS1% making a terminal services connection from computer %IS17% (IP address %IS18%) at %IS13. |
|
| 108 | A user session was ended on computer %Where% by user %IS1% logging off at %IS15% and stopping a terminal services connection from computer %IS17% (IP address %IS18%). The user session lasted %IS16%. |
|
| 110 | An incorrectly finished user session by user %IS1% was found on computer %Where% while the user session monitoring service was starting. The session started at %IS13%, lasted %IS16% and ended at %IS15%. |
|
| 111 | A user session was started on computer %Where% by user %IS1% before the start of the user session monitoring service. This session was detected at %IS13%. |
|
| 120 | The user session monitoring service was started on computer %Where% at %Time%. |
|
| 121 | The user session monitoring service was stopped on computer %Where% at %Time%. |
|
| 130 | A user session of user %IS1% was ended on computer %Where% by the screensaver turning on at %IS15%. The user session lasted %IS16%. |
|
| 131 | A user session was started on computer %Where% by user %IS1% exiting screensaver mode at %IS13%. |
|
How to Gather Event Log Data
For a list of Windows versions from which InTrust can collect audit data, see Microsoft Windows Events.
For more details, see the following topics:
- セルフ・サービス・ツール
- ナレッジベース
- 通知および警告
- 製品別サポート
- ソフトウェアのダウンロード
- 技術文書
- ユーザーフォーラム
- ビデオチュートリアル
- RSSフィード