What program or tool would you recommend for analysis of Windows security logs? For example, I want Windows security...
log tools that enable me to see all successful and unsuccessful logins.
Ask a question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: firstname.lastname@example.org.
Microsoft Windows security log analysis records an audit event whenever users perform certain specified actions, such as login and logout activity, and other security-related events specified by the system's audit policy. For example, the modification of a file or a policy can trigger an event that shows the action that was performed, the associated user account, and the date and time of the action. Recording and monitoring the creation or modification of system objects offers a way to track potential security problems, ensures user accountability and provides important information in the event of a security breach as to how it occurred and what systems were affected.
This makes the security log one of the primary means of detecting both attempted and successful unauthorized activity as well as being an essential aid in investigating and troubleshooting various system problems. An organization should identify those actions in its audit policy that need to be logged in order to hold users accountable for their actions when using organizational resources. In many cases, setting an organization’s policy to record failure events is more informative than recording successful events, because failures typically indicate errors or problems. It also reduces the number of log entries which, even on a small network, mount surprisingly quickly. Although the security log can be viewed using the Windows Event Viewer, organizations need a more specialized tool for in-depth analysis. There is little value in large volumes of audit data if there is no means of using it.
While Windows can capture a wide range of security events, it provides little in the way of analysis, and the often-cryptic event descriptions do not help matters. Microsoft does offer a Active Directory services. Depending on organizational preferences, another available option is the free Log Parser Lizard, which is a GUI interface to Microsoft’s log parser that provides an easier way to query logs and export the results to Excel.
For real-time log-based intrusion detection and analysis, an organization should look at products that can track audited events across all its networked machines, with GFI EventsManager being one option. If an organization prefers open source tools, OSSEC is a host-based intrusion detection system providing log analysis, file-integrity checking, policy monitoring, rootkit detection and real-time alerting. Another tool that can handle different operating systems is EventLog Analyzer, which offers real-time log file analysis for Windows, Linux and Unix systems, along with routers and switches.
Dig Deeper on Real-time network monitoring and forensics
Related Q&A from Michael Cobb
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work ... Continue Reading
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking ... Continue Reading
Compared to TLS 1.2, TLS 1.3 saw improvements in security, performance and privacy. Learn how TLS 1.3 eliminated vulnerabilities using cryptographic ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.