Youngquist, Jason R. | 22 Sep 2010 16:54

Windows event logs to filter/ignore

We are sending logs from Windows servers to a centralized collector.  The Windows servers are consistently
sending all kinds of events to the collector.  I'm seeing a bunch of Security:538 and Security:576 events. 
For example, one particular server is sending Security:538 events and Security:576 events several
times a minute.  Over a period of time that I was looking at, these two events accounted for 92% of the events
being sent from the server.  When I looked at the events they basically said the same thing over and
over...Security:576 - "Special privileges assigned to new login, username: administrator...."  And
Security:538 - "User Logoff:  User name: administrator...."

I'd like to filter out these events before they hit the collector, but I'm afraid of filtering out too much
and potentially missing a log entry that could help with an incident, while at the same time I don't want to
send and store logs that aren't useful.

Thoughts? 

Thanks. 
Jason Youngquist

diciccone | 22 Sep 2010 17:21

Re: Windows event logs to filter/ignore

Hi, you may consider changing your policy to no longer audit the success of privilege use. See
http://support.microsoft.com/kb/264769 .
Event 576 logs the exercise of rights, which is nice to have to track some administrative logons. The event is the
same no matter what the object is (user or computer accounts).
You may keep your policy and:
- filter out event 576 when the last character of the user name is $ (SeSecurityPrivilege)
- filter out computer-related events: filter event 576 when the user is SYSTEM (all other Se....Privilege)
christophe
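
A small filter that applies the two rules from this reply before events reach the collector, added here as an example (it is not code from the reply or from any collector product). It assumes each event has already been parsed into an event ID and an account name; the sample events are constructed.

```python
from typing import List, Tuple

# Pre-Vista security event IDs discussed in this thread.
SPECIAL_PRIVILEGES = 576   # "Special privileges assigned to new logon"
USER_LOGOFF = 538          # "User Logoff"

Event = Tuple[int, str]    # (event ID, account name as logged)


def should_forward(event_id: int, user: str) -> bool:
    """Return True if the event should be sent to the collector.

    Applies only the two rules given in the reply:
      - drop 576 when the account name ends in '$' (computer accounts)
      - drop 576 when the account is SYSTEM
    Everything else is kept, so 576 for a real user such as
    'administrator' still reaches the collector and can be reviewed.
    """
    if event_id != SPECIAL_PRIVILEGES:
        return True
    name = user.split("\\")[-1]        # strip a DOMAIN\ or NT AUTHORITY\ prefix
    if name.endswith("$"):
        return False
    if name.upper() == "SYSTEM":
        return False
    return True


def filter_stream(events: List[Event]) -> Tuple[List[Event], List[Event]]:
    """Split a stream into (kept, dropped) so the drop rate can be checked
    before the rule is deployed on a forwarder."""
    kept = [e for e in events if should_forward(*e)]
    dropped = [e for e in events if not should_forward(*e)]
    return kept, dropped


# Constructed sample stream (hypothetical host and account names).
SAMPLE_EVENTS: List[Event] = [
    (576, "SRV01$"),
    (576, "SYSTEM"),
    (576, "CORP\\administrator"),
    (538, "administrator"),
    (576, "NT AUTHORITY\\SYSTEM"),
    (528, "jdoe"),
    (576, "svc-backup"),
]

if __name__ == "__main__":
    kept, dropped = filter_stream(SAMPLE_EVENTS)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for ev in dropped:
        print("dropped:", ev)
```

Running the filter over a day of real events and comparing the kept and dropped lists is a cheap way to confirm the rule removes only the noise before it is applied at the source.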

Allan Jones | 22 Sep 2010 17:09

RE: Windows event logs to filter/ignore

Jason,

   Have you tried GPOs for the filtering?

   Regards,
   Damien 

-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] On
Behalf Of Youngquist, Jason R.
Sent: Wednesday, 22 September 2010 11:54
To: 'focus-ms <at> securityfocus.com'
Subject: Windows event logs to filter/ignore

