SIEM auditing settings with Microsoft Servers

Recently we have implemented McAfee Enterprise Security Manager SIEM to collect all events and logs from all network devices, servers, Event Viewer and other logs.

I'm looking for what exact configurations should be made on Microsoft servers to enable audit, logging to be collected by SIEM.

Does Microsoft have a standard on that, or a recommendation for each application: if I monitor this application and need to get the maximum logs, what configurations should be made in this app to get that?

I did some research but I didn't get a clear or complete answer for that.

Server list I have:

  • Exchange 2010 highly available
  • Active directory 2008 / 2012
  • SQL server 2008 / 2012
  • Hyper-V Servers 2010 / 2012
  • SharePoint Server 2010
  • DNS servers 2008
  • DHCP servers 2008

Please, I don't know if some settings should be enabled or not, just to confirm!

I appreciate your support.

2 Replies
Reliable Contributor
Message 2 of 3

Re: SIEM auditing settings with Microsoft Servers

Moved from Consumer Products to SIEM for better assistance By Moderator

Cliff
McAfee Volunteer
Level 10
Message 3 of 3

Re: SIEM auditing settings with Microsoft Servers

Hello massivele,

I will answer for both DNS and DHCP servers as you don't have so many things to configure.

[DNS Servers]

  1. Open the DNS Management console
  2. From the DNS Server list, right-click the server and select Properties
  3. Select Debug Logging tab and the Log packets debugging check box
  4. Ensure that the Incoming, UDP & TCP, Queries/Transfers and Requests check boxes are selected.
  5. The default file location is %systemroot%\System32\Dns\Dns.log
  6. Configure the agent to tail this log file


[DHCP Servers]

  1. Open the DHCP Management console
  2. From the DHCP server list, right-click the server and select Properties
  3. On the General tab, select the option Enable DHCP audit logging
  4. The default file location is %systemroot%\System32\Dhcp
  5. Configure the agent to tail the log files

Note:

The two mentioned paths can be moved to another location if needed.

DHCP rotates the file daily, at 12:00 AM by default (DhcpSrvLog-Mon, DhcpSrvLog-Tue, ...).

Microsoft does not have any standards about logging. However, you can compile yourself a list of useful events that you would like to collect based on the following links:

http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1...https://www.google.ch/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http...

https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Poli...

https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf


Hope this helps

Regards
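The two procedures above are described as console (GUI) steps. The following script, added here as an illustration and not part of the reply or of any McAfee documentation, applies the same DNS debug-logging and DHCP audit-logging settings with the DnsServer and DhcpServer PowerShell modules (available on Windows Server 2012 and in the matching RSAT; Windows Server 2008 hosts need the GUI steps above or the dnscmd utility instead), then reads the effective settings back so you can verify them before pointing the SIEM agent at the files. Server names, the parameter defaults and the verification function are assumptions made for the example; the log paths are the defaults named in the reply.

```powershell
# Added example (not from the original post). Mirrors the Debug Logging tab of the
# DNS console and the "Enable DHCP audit logging" option of the DHCP console.
# Requires the DnsServer and DhcpServer modules (Windows Server 2012 / RSAT).
#Requires -Modules DnsServer, DhcpServer

param(
    # Assumed server names: replace with your own.
    [string[]]$DnsServers  = @('dns01.example.local', 'dns02.example.local'),
    [string[]]$DhcpServers = @('dhcp01.example.local'),
    # Default locations from the reply (%systemroot%\System32\Dns\Dns.log and
    # %systemroot%\System32\Dhcp); both may be moved elsewhere if needed.
    [string]$DnsLogPath  = 'C:\Windows\System32\Dns\Dns.log',
    [string]$DhcpLogPath = 'C:\Windows\System32\Dhcp'
)

foreach ($srv in $DnsServers) {
    # Debug Logging tab equivalents:
    #   Incoming           -> -ReceivePackets
    #   UDP & TCP          -> -UdpPackets / -TcpPackets
    #   Queries/Transfers  -> -Queries
    #   Requests           -> -QuestionTransactions
    # Outgoing packets and responses are left off to keep the log volume manageable.
    Set-DnsServerDiagnostics -ComputerName $srv `
        -ReceivePackets $true -SendPackets $false `
        -UdpPackets $true -TcpPackets $true `
        -Queries $true -QuestionTransactions $true `
        -EnableLoggingToFile $true -LogFilePath $DnsLogPath
}

foreach ($srv in $DhcpServers) {
    # General tab equivalent: "Enable DHCP audit logging". A changed -Path only
    # takes effect after the DHCP Server service is restarted on that host.
    Set-DhcpServerAuditLog -ComputerName $srv -Enable $true -Path $DhcpLogPath
}

function Test-SiemAuditLogging {
    # Assumed helper: returns one object per server stating whether the settings
    # the SIEM agent depends on are actually in force, so a failed change is caught
    # before the agent is configured to tail a file that will never be written.
    param([string[]]$DnsServers, [string[]]$DhcpServers)

    foreach ($srv in $DnsServers) {
        $d = Get-DnsServerDiagnostics -ComputerName $srv
        [pscustomobject]@{
            Server  = $srv
            Role    = 'DNS'
            Enabled = [bool]($d.EnableLoggingToFile -and $d.ReceivePackets -and
                              $d.UdpPackets -and $d.TcpPackets -and $d.Queries)
            LogPath = $d.LogFilePath
        }
    }
    foreach ($srv in $DhcpServers) {
        $a = Get-DhcpServerAuditLog -ComputerName $srv
        [pscustomobject]@{
            Server  = $srv
            Role    = 'DHCP'
            Enabled = [bool]$a.Enable
            LogPath = $a.Path
        }
    }
}

Test-SiemAuditLogging -DnsServers $DnsServers -DhcpServers $DhcpServers |
    Format-Table -AutoSize
```

Two points for the agent configuration that follow from the reply's note: because the DHCP service writes a separate file per weekday (DhcpSrvLog-Mon.log, DhcpSrvLog-Tue.log, ...), the agent should tail a wildcard such as DhcpSrvLog-*.log under the DHCP path rather than a single file name, and the DNS debug log is overwritten when it reaches its maximum size, so the agent needs to handle the file being truncated rather than only appended to.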
