What program or tool would you recommend for analysis of Windows security logs? For example, I want Windows security...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
log tools that enable me to see all successful and unsuccessful logins.
Ask a question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: email@example.com.
Microsoft Windows security log analysis records an audit event whenever users perform certain specified actions, such as login and logout activity, and other security-related events specified by the system's audit policy. For example, the modification of a file or a policy can trigger an event that shows the action that was performed, the associated user account, and the date and time of the action. Recording and monitoring the creation or modification of system objects offers a way to track potential security problems, ensures user accountability and provides important information in the event of a security breach as to how it occurred and what systems were affected.
This makes the security log one of the primary means of detecting both attempted and successful unauthorized activity as well as being an essential aid in investigating and troubleshooting various system problems. An organization should identify those actions in its audit policy that need to be logged in order to hold users accountable for their actions when using organizational resources. In many cases, setting an organization’s policy to record failure events is more informative than recording successful events, because failures typically indicate errors or problems. It also reduces the number of log entries which, even on a small network, mount surprisingly quickly. Although the security log can be viewed using the Windows Event Viewer, organizations need a more specialized tool for in-depth analysis. There is little value in large volumes of audit data if there is no means of using it.
While Windows can capture a wide range of security events, it provides little in the way of analysis, and the often-cryptic event descriptions do not help matters. Microsoft does offer a Active Directory services. Depending on organizational preferences, another available option is the free Log Parser Lizard, which is a GUI interface to Microsoft’s log parser that provides an easier way to query logs and export the results to Excel.
For real-time log-based intrusion detection and analysis, an organization should look at products that can track audited events across all its networked machines, with GFI EventsManager being one option. If an organization prefers open source tools, OSSEC is a host-based intrusion detection system providing log analysis, file-integrity checking, policy monitoring, rootkit detection and real-time alerting. Another tool that can handle different operating systems is EventLog Analyzer, which offers real-time log file analysis for Windows, Linux and Unix systems, along with routers and switches.
Dig Deeper on Monitoring Network Traffic and Network Forensics
Related Q&A from Michael Cobb
A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held ...continue reading
A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks ...continue reading
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.