The Security Event Log: The Unofficial Guide (May 4, 2005)
Published: May 5, 2005
Please note: Portions of this transcript have been edited for clarity
Introduction
James Z (Moderator):
We are pleased to welcome Randy Franklin Smith, contributing editor and author of Windows 2003 Security Log (http://windowsitpro.com/Windows/Article/ArticleID/45269/45269.html).
Randy Franklin Smith (Expert):
Hi! I’m Randy Franklin Smith. I’m an information security consultant, an SSCP, a CISA, and a Security MVP. I write extensively about Windows security for Windows IT Pro magazine including many articles on the Windows security log. I’ve also recently compiled my research on the security log into a free, online resource called the Windows Security Log encyclopedia at www.ultimatewindowssecurity.com where you can also learn about my 2-day Security Log Secrets course.
James Z (Moderator):
Let’s begin the chat. We welcome you to begin submitting your questions for Randy.
Start of Chat
Randy Franklin Smith (Expert):
Q: I run an I.T. consulting firm. The security event log is very confusing. Often I'm asked to monitor if someone is accessing files or applications they shouldn't be. What is the best way to monitor this and extract that info from the security event log?
A: You can monitor either successful or failed accesses of specified files using the "Audit object access" audit policy. Typically you enable auditing on just important, critical folders. Then, to find instances of someone trying to access the file who isn't authorized, you configure the folder's audit policy for failed read attempts. To get an audit trail of who is modifying data, change the folder's audit policy to trap successful Write and Append events.
Randy Franklin Smith (Expert):
Q: Suggested software for getting a handle on the event logs from a dozen or more servers and finding the important events.
A: I get asked this question a lot. There are, as you may know, many products out there for merging, archiving, reporting and alerting on the security log. I've only worked with a few. You can read about the solutions I have experience with at http://www.ultimatewindowssecurity.com/logTools.html . You can also look at a comparative I did for the magazine at http://www.windowsitpro.com/Windows/Article/ArticleID/44093/44093.html which gives you some good evaluation criteria. That being said, I can't make a recommendation without knowing more about your specific needs. However, make sure you get a tool that allows you to filter based on the fields within the event's description, since this is where most of the important information is found and all indications are that this trend will continue with Longhorn. Also, check out the free LogParser tool from MS and Audit Collection Services, which is in beta at MS.
Randy Franklin Smith (Expert):
Q: Is there a Microsoft version of the Unix syslog server functionality?
A: Yes, search Google on EventReporter if I am not mistaken. Also check out Audit Collection Services which is in beta currently at Microsoft.
Randy Franklin Smith (Expert):
Q: Why am I getting these? They're from a DC. Category: Account Logon; Type: Failure Audit; Event ID: 673; it's a service ticket request from a server on the network with the word host in front of it, e.g. host/fs1.domain.com, ticket options: 0x40830000, Failure 0xD.
A: That is very common and you can ignore them. Every computer on the network frequently chats with the DC for a variety of reasons, including the refresh of group policy. To facilitate this computer-to-DC communication the computer maintains Kerberos tickets, which eventually expire, causing the failures you see. Nothing to worry about.
Randy Franklin Smith (Expert):
Q: Is there any way to get a stand-alone server (such as a co-located web server) to email a daily report of all event logs, or better yet, just any warnings or non-standard informational events?
A: There are plenty of programs you can buy, but you might also look at writing a couple of logparser queries that produce the information you want and then use blat to email the results to you. Combine that in a batch file and create a scheduled task. logparser is part of the IIS resource kit from MS and you can find blat on the Internet.
Randy Franklin Smith (Expert):
Q: On a machine that generates logs on a minute by minute basis, there is a 6 hour gap. What are some of the programs/hacker tools that could edit or suspend event logs?
A: Interesting. First I would check the events immediately preceding and following the gap. Look for events that indicate a reboot or audit policy change. See events 512, 513 and 612 at my encyclopedia at http://www.ultimatewindowssecurity.com/encyclopedia.html. Both phenomena could be the source of the gap. Otherwise, the only other tool I'm aware of that will allow an admin to delete events is winzapper. For more info on winzapper see my article at http://www.windowsitpro.com/Article/ArticleID/15674/15674.html.
Randy Franklin Smith (Expert):
Q: Suggestions for using logon/off events to create a billing process for a shared machine ?
A: Unfortunately, Windows does a horrible job of logging logoff events. So there is no good way at all to get a good record of when users log off.
Randy Franklin Smith (Expert):
Q: Would that be the same advice for a Failure event on an Exchange 2003 server, Event IDs 680 & 529? These are valid users; they get into their email fine, but I see failures all the time of this type....
A: What are the failure/error codes? I have them documented at http://www.ultimatewindowssecurity.com/ntlmerrors.html and http://www.ultimatewindowssecurity.com/kerberrors.html
Randy Franklin Smith (Expert):
Q: On the topic of collecting logs, could the logs from all servers be sent to a SQL server for collection, assuming the right tables, etc. were already built? How would I send them automatically to SQL 2000 without going to every server and doing manual exports?
A: This is exactly what ACS does. I don't know how much ACS will cost, if anything. But ACS puts an agent on each server which sends security events (not other event logs) in near real time to the ACS server, which has the tables already built as you described.
Randy Franklin Smith (Expert):
Q: I get a single Event ID 565 each time a workstation is turned on. The source is Security and the category is Directory Service Access. Is there something I should adjust to get rid of these or should I just ignore them?
A: There is no end to the events you just need to ignore, which really illustrates why I say you absolutely need some kind of tool, whether a free one like logparser or something you pay for like Dorian's or Engagent's tools, which give you the ability to filter out what you don't care about.
Randy Franklin Smith (Expert):
Q: Do you work with or recommend the use of templates that will set the appropriate audit log values for DC's?
A: Well, there are only 9 audit policies that you have to configure, so a template helps but it's not a big deal to just manually configure them in the correct group policy object. The most important categories to enable for auditing on DCs are Account Management, Account Logon, Directory Service Access, Policy Change and System events.
Randy Franklin Smith (Expert):
Q: Suggestions for immediate notification of important events/failures? Email/pager/phone?
A: You are in luck! Here is an article I wrote showing how to use WMI filters for specific event IDs and then email them to you. http://www.windowsitpro.com/Article/ArticleID/15674/15674.html
The code is at http://www.windowsitpro.com/Web/Articles/ArticleID/25235/pg/2/2.html
Randy Franklin Smith (Expert):
Q: This is exactly what ACS does. ACS ???
A: Audit Collection Services is a new thing coming from MS that merges all your security events into a DB. I guess there isn't much about it right now on the public sites. If you aren't part of the beta you won't be able to get much information on it. I thought there was more information available, but I just did a search and see why no one knows about it. Subscribe to my newsletter at ultimatewindowssecurity.com and I'll keep you posted.
Randy Franklin Smith (Expert):
Q: Hey Randy, I've done what you suggested, but the event log seems to fill up with a LOT of stuff. Is there an easy way just to extract the info related to something like "who has been accessing c:\secret_docs"??? Thanks!!!
A: Logparser, logparser, logparser
Randy Franklin Smith (Expert):
Q: MACS Beta looks like it's been production ready for ages - any idea when they'll finally release this and under what conditions (purchase/free/free SMB version/cost Enterprise version)??
A: Your questions are so relevant. I wish I had some answers for you. I can't get anything from MS on this so I figure they haven't decided yet.
Randy Franklin Smith (Expert):
Q: One of our servers intermittently logs on to the other as "anonymous" with the event IDs 538 and 540. Is this something I should change?
A: This is normal. Recommend ignoring.
Randy Franklin Smith (Expert):
Q: We have some clustered Win/Exchange 2003 servers that are getting access denied via OWA. The only event ID is 537 (Logon Failure: Reason: An error occurred during logon).
A: Interesting. That is a pretty rare event. Perhaps you can provide more information on this offline via email. rsmith@montereytechgroup.com
Randy Franklin Smith (Expert):
Q: Is there a list of events that you can safely ignore?
A: Good question. I don't have a list per se, but the best generalization I can make is that it is usually safe to ignore any generated by computers, which you can distinguish because computer accounts always end with a $ sign.
Randy Franklin Smith (Expert):
I've noticed that, understandably, there's a lot of interest in tools to merge, report and alert on the security log. It is a HUGE problem. You have 3 options: 1) roll your own solution with utilities and scripts you write or collect from the Internet, 2) buy a solution, 3) wait on ACS from MS. Unfortunately, all 3 options still require you to understand the security log and write your own reports and alerts. 3rd-party ISV solutions are good at the merge, alert and report functions, but all of them that I've seen are pretty lean as far as the "canned" reports and alerts that come with the tool. As far as I've seen with ACS from MS, it just gets everything into a well-structured DB, but it seems it will be up to you to write your own reports.
Randy Franklin Smith (Expert):
Q: On a number of plain 2003sp1 servers - "A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. ... will be run using the LocalSystem account. ..." Can you give more info?
A: What's the event ID? Is this in the security log or a different log?
Randy Franklin Smith (Expert):
Q: Throughout this chat I've heard a LOT of answers that go something like "you can just ignore them". Then WHY are they there? And there must be a way to PROPERLY fix something..... "Ignore them" just does NOT seem like an acceptable answer from Microsoft!!
A: First of all, let me make clear I am NOT part of MS. I am an independent consultant. I don't waste time therefore trying to figure out why or explain why MS code does what it does. :-)
Randy Franklin Smith (Expert):
Q: Other than the "executive reporting" items (like # account lockout, # admin changes, etc), what do you think are the top X reports that I should generate? I definitely have any/all changes to Admin group(s), but what else should be on my top list?
A: I have a security log quick reference available as a free download in which I list what I consider the most important events to monitor. You can get it at http://www.ultimatewindowssecurity.com/codesheet.asp
Randy Franklin Smith (Expert):
Q: Other than the "executive reporting" items (like # account lockout, # admin changes, etc), what do you think are the top X reports that I should generate? I definitely have any/all changes to Admin group(s), but what else should be on my top list?
A: In addition to the events in the quick reference chart I just mentioned I would monitor for changes to GPOs and OUs for change control purposes. You could also set up file auditing to alert you whenever file permissions are changed without also bugging you every time a file is opened.
Randy Franklin Smith (Expert):
Q: Event IDs 560 and 576: do you know what benefit monitoring these has? I tried to get an understanding from the web but could not really find out exactly what use in protection or accountability they provide.
A: 576 isn't that useful. It just tells you what user rights a user had at the time he/she logged on. Windows uses this event for user rights which get used so frequently it would be bad to log each use. See http://www.ultimatewindowssecurity.com/events/com212.html. As far as 560, 560 tells you when a file, registry key or other object is accessed. Unless you turn on auditing for specific folders or keys you shouldn't be getting many 560s. You will get some useless 560s for SAM-related events. The point with 560 and many other events is that the event ID alone is not enough to base monitoring on. You have to look at the fields within the event's description.
Randy Franklin Smith (Expert):
Q: Blackberry Enterprise Server is generating 565 errors on our Exchange server. I've discussed it with RIM with no luck. The BES works fine but the errors fill up the log. They reference "Unknown Specific Access (bit 8)". How do I interpret that?
A: I need to see the entire event with any sensitive information obfuscated.
Randy Franklin Smith (Expert):
Q: How can I determine what happened when I see an event like this?
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 1/14/2004
Time: 1:24:15 AM
User: S-1-5-21-420350432-1808818903-1233803906-1004
Computer: {edited}
Description: Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0xF6CD317) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/
A: All this means is that someone (SID S-1-5-21-420350432-1808818903-1233803906-1004) logged on with the 4 rights listed under Privileges. See http://www.ultimatewindowssecurity.com/rights.html for an explanation of those rights.
Randy Franklin Smith (Expert):
Q: We get the following in the event log of our Windows 2003 SQL 2000 server: Event ID 40961; Category SPNEGO - The security system could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.
A: That is not a security log event, but I recognize it. Your computer is trying to update its DNS record against the indicated DNS server, if I'm right.
Randy Franklin Smith (Expert):
Q: Third party services that do log aggregation and analysis for a (large?) fee ?
A: My firm, Monterey Technology Group, Inc. :-) Feel free to email or call me. www.montereytechgroup.com
Randy Franklin Smith (Expert):
Q: Suggestions for getting a "baseline" of normal events to ignore ?
A: These chats are so valuable because I learn what you folks in the trenches really need. This is the 2nd or 3rd time such a request has come up in this chat. I don't have anything now, but I'll try to put a list together in the near future at www.ultimatewindowsecurity.com. (I know - vaporware :-) Anyway, everyone is welcome to submit what they have found to be very common in the log and safe to ignore. I'll compile the feedback and my own thoughts on the subject.
Randy Franklin Smith (Expert):
Q: Randy, concerning the event for the BES, can I send that to you via email? Chat truncates the text.
A: Sure.
Randy Franklin Smith (Expert):
Q: How about the opposite of what to ignore - what events usually indicate a problem and need attention?
A: 675, 676 (or failed 672 on Win2003), 642, 632, 636, 660, 624, 644, 617. See http://www.ultimatewindowssecurity.com/codesheet.asp for why I say these events. BTW, the security log won't tell you when there is an attack or intrusion. It just tells you what is happening on the system that has security relevance. With any event, you have to evaluate whether it is innocent or not. For instance, 675, failed authentication. It usually indicates a bad password. But is it a legit user who fat-fingered it or a bad guy? You or your reporting tool have to consider things like the quantity of 675s for the same user as well as the IP address of the client in the event's description. Again I stress the need to understand and use the info in each event's description.
Randy Franklin Smith (Expert):
Q: Randy - I tried clicking on one of the links to your site and got a DNS error. So I added an 's' to the link - "www.ultimatewindowSSecurity.com" - and the link worked. Thought I would mention it in case anyone else was flummoxed by the error.
A: Thanks! I'm a bad typer.
Randy Franklin Smith (Expert):
Q: Randy, I know you can't make excuses for MS code, but does MS have any plans to put correct links in the event logs in the future? (i.e. http://go.microsoft.com/fwlink/ in the log entry above is broken.) Maybe they could link to your site. :)
A: That would be fine with me :-). In fact at least one log monitoring company (Dorian) links to my site from their reports.
Randy Franklin Smith (Expert):
Q: From source "RegSrvc" "The description for Event ID ( 0 ) in Source ( RegSrvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started."
A: You are looking at an event log created on a different computer with a different version of Windows, which means your local computer doesn't have the static text description for the event.
Randy Franklin Smith (Expert):
Q: Any way to identify a workstation trying to log on that is not in your domain, from the info provided in the event log?
A: Yes, you need "account logon" auditing enabled (not to be confused with the logon/logoff category) on your DCs. Then look for failed events from the Account Logon category. The events should list the client IP address and/or client workstation, depending on the authentication protocol and version of Windows.
Randy Franklin Smith (Expert):
Q: Suggestions for learning the basics of Event Log analysis ?
A: Basics: check out my articles at http://www.ultimatewindowssecurity.com/articles_seclog.html. For advanced: (shameless plug) come to my Security Log Secrets course in DC next month. http://www.ultimatewindowssecurity.com/SLS.html
Randy Franklin Smith (Expert):
Q: Suggestions for including logs from IIS, firewalls, IDS, etc. in a log aggregation service? (OK, spelling is not my best event.)
A: I know I've talked about logparser a lot, but it is truly an amazing tool. It is free and allows you to query all of those log formats using SQL SELECT commands, just like what Access queries use. Other than that, the only tool I'm aware of that monitors many different log formats (and even allows you to train it) is Intruder Alert. When I last looked at IA it was owned by Axent Technologies, which was subsequently bought out by Symantec, and I haven't looked at it since...
Randy Franklin Smith (Expert):
Q: Randy, which security logs on my network need to be monitored? Domain controllers, servers, workstations?
A: Domain controllers, definitely. But there is still a lot of security activity that only gets logged on the local server itself, such as attacks on local accounts (as opposed to domain accounts, which get logged on the DCs) or access events for the files on that server. As far as workstations, it's a good idea to turn on auditing for logon/logoff and process tracking even if (like most companies) you don't/can't monitor the logs. It helps to have the information if you suddenly have to investigate a user.
Randy Franklin Smith (Expert):
Q: How would you track whether a user attempted to access the registry on their workstation?
A: Well, you have to understand that from the operating system's point of view, the user is accessing the registry all the time, whenever they run an application that accesses their preferences or the app's own configuration settings. However, if you mean a user trying to access the registry using the Registry Editor, for instance, you could turn on the Process Tracking category and look for event 592 where the executable name is regedit or regedt32. Bear in mind that this would not catch other programs trying to access the registry or scripts the user may write.
Randy Franklin Smith (Expert):
I've mentioned logparser a lot. You can learn more about it at http://www.ultimatewindowssecurity.com/SLS.html and you can download it from http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en. If you haven't already checked out logparser you really must. It is one of the coolest tools to come out in a long time.
Randy Franklin Smith (Expert):
Q: How easy is it for an attacker to tamper with the security log?
A: Not very. You either need physical access to the server or admin authority. If you are an admin you can find winzapper on the Internet which allows you to delete events from the log. There is no way to protect the log from admins except for very frequently shipping the events out of the security log and to a secure, isolated server which tools like the ones I mention at my web site accomplish as well as upcoming ACS from Microsoft.
Randy Franklin Smith (Expert):
Q: Is there any chance that MS will release a Security MP for MOM 2005 that scours the security logs for basic audit events? So, for example, real-time notification of someone adding themselves to the Domain Admins security group.
A: I doubt it. MOM is operations focused and not designed with security requirements of audit log integrity built into it. My understanding is that Microsoft's feeling is that ACS is for the security log and MOM for everything else.
Randy Franklin Smith (Expert):
Q: Are workstation events logged on the DC security events normally when a user logs on? Is this info replicated to all DC's or just logged on the DC the user happened to authenticate to?
A: No and no. Each system has its own security log and there is NO replication of security events - even between DCs.
Randy Franklin Smith (Expert):
Q: Are workstation events logged on the DC security events normally when a user logs on? Is this info replicated to all DC's or just logged on the DC the user happened to authenticate to?
A: So authentication events are logged as you described - just on the DC that happens to service the request.
Adam Carheden (Expert):
Q: what is the best way to script the log to alert me via mail or whatever, when there is an alert of qualifying criteria?
A: You are in luck! Here is an article Randy wrote showing how to use WMI filters for specific event IDs and then email them to you. http://www.windowsitpro.com/Article/ArticleID/15674/15674.html
The code is at http://www.windowsitpro.com/Web/Articles/ArticleID/25235/pg/2/2.html
Randy Franklin Smith (Expert):
Q: If we want to be careful about security and want to track security on several files and folders, DCs, whatever, do you recommend another server or will the same box normally do?
A: The only reason you need to push security events off one computer to another is if you want to protect those events from tampering by either the admins or a hacker that gets admin authority - admin authority and/or the "manage auditing and security log" user right.
Randy Franklin Smith (Expert):
Q: Is there any way to get DCOM-related security events in the event log? (I.e.: a web app tries to launch Excel through DCOM to output a report through ASP and the IUSR_machinename gets denied; nothing is logged.)
A: Unfortunately, no. Just a few components of the Windows OS report the majority of the events to the security log, so unless the problem you are describing is a security event from the standpoint of the Security Reference Monitor, a logon process, Active Directory, etc., you won't get an event. This means that there is some security activity best monitored outside the security log. :-(
Randy Franklin Smith (Expert):
Q: OK I'm going to admit not knowing what ACS is. Can someone give me the 20 sec pitch?
A: Please see my earlier posts regarding ACS where I describe its agent architecture and central DB.
Randy Franklin Smith (Expert):
Q: OK I'm going to admit not knowing what ACS is. Can someone give me the 20 sec pitch?
A: Audit Collection Services is a new thing coming from MS that merges all your security events into a DB. I guess there isn't much about it right now on the public sites. If you aren't part of the beta you won't be able to get much information on it. I thought there was more information available, but I just did a search and see why no one knows about it. Subscribe to my newsletter at ultimatewindowssecurity.com and I'll keep you posted.
Randy Franklin Smith (Expert):
In case anyone just came into the chat, I've got lots of free information on the security log at www.ultimatewindowssecurity.com where you can also learn about my course. I appreciate all your questions and I'll be working on that "Events Safe to Ignore" list later this week, so stay tuned...
Randy Franklin Smith (Expert):
Q: Outside of the event log, what are the best places to monitor for security-related information? (C:\windows\system32\logfiles, ...)
A: The IAS log is useful but other than that you really have to think about the services and applications installed on a given server. Then find out where they log their information. I wish it were simpler but it really depends on each developer.
Randy Franklin Smith (Expert):
Q: With auditing turned on in Exchange and AD, getting meaningful real-time data out of the logs can be like drinking from a fire hose. What tool (right now) would you recommend that users use to get data out of the audit logs?
A: Logparser, which is free, or else check my posts earlier on this subject.
Randy Franklin Smith (Expert):
OK folks. Thanks again for attending. Goodbye.
James Z (Moderator):
Thanks Randy and everyone else for coming. This concludes today's chat on The Security Event Log: The Unofficial Guide.