SIEM auditing settings with Microsoft Servers

Recently we have implemented McAfee Enterprise Security Manager SIEM

to collect all events and logs from the network, servers, event viewer and other logs.

I'm looking for the exact configurations that should be made on Microsoft servers to enable auditing and logging to be collected by the SIEM.

Does Microsoft have a standard for that, or a recommendation for each application? If I monitor an application and need to get the maximum logs, what configurations should be made in that app to get them?

I did some research but I didn't get a clear or complete answer for that.

The servers I have:

  • Exchange 2010 highly available
  • Active directory 2008 / 2012
  • SQL server 2008 / 2012
  • Hyper-V Servers 2010 / 2012
  • SharePoint Server 2010
  • DNS servers 2008
  • DHCP servers 2008

Please, I don't know if some settings should be enabled or not, just to confirm!

Appreciate support.

2 Replies

Re: SIEM auditing settings with Microsoft Servers

Moved from Consumer Products to SIEM for better assistance. By Moderator

Cliff
McAfee Volunteer
ksudki
Level 10

Re: SIEM auditing settings with Microsoft Servers

Hello massivele,

I will answer for both DNS and DHCP servers, as there are not many things to configure.

[DNS Servers]

  1. Open the DNS Management console
  2. From the DNS Server list, right-click the server and select Properties
  3. Select Debug Logging tab and the Log packets debugging check box
  4. Ensure that the Incoming, UDP & TCP, Queries/Transfers and Requests check boxes are selected.
  5. Default file location is in %systemroot%\System32\Dns\Dns.log
  6. Configure the agent to tail this log file


[DHCP Servers]

  1. Open the DHCP Management console
  2. From the DHCP server list, right-click the server and select Properties
  3. On the General tab select the option Enable DHCP audit logging
  4. Default files location %systemroot%\System32\Dhcp
  5. Configure the agent to tail the log files

Note:

The two mentioned paths can be moved to another location if needed.

DHCP rotates the file based on days, every day at 12:00 AM by default (DhcpSrvLog-Mon, DhcpSrvLog-Tue, ...).

Microsoft does not have any standards about logging. However, you can compile your own list of useful events that you would like to collect, based on the following links:

http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1...

https://www.google.ch/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http...

https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Poli...

https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf


Hope this helps

Regards
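The DNS debug-logging and DHCP audit-logging steps from the reply above as PowerShell, followed by a verification pass that confirms the settings persisted and the files the agent will tail actually exist. This is an added example, not code from the reply or from McAfee; it assumes Windows Server 2012 or later (the DnsServer and DhcpServer modules do not exist on 2008), an elevated session on the server itself, and Test-SiemLogSources is a hypothetical helper name.

```powershell
# Added example: scripted equivalent of the GUI steps in the reply, plus a check.
# Assumes Windows Server 2012+ (DnsServer/DhcpServer modules) and an elevated session.
Import-Module DnsServer
Import-Module DhcpServer

# DNS: Properties > Debug Logging > "Log packets for debugging" with
# Incoming (ReceivePackets), UDP & TCP, Queries/Transfers (Queries), Requests (QuestionTransactions).
$dnsLog = "$env:SystemRoot\System32\Dns\Dns.log"   # default location named in the reply
Set-DnsServerDiagnostics -ReceivePackets $true -SendPackets $false `
    -UdpPackets $true -TcpPackets $true `
    -Queries $true -QuestionTransactions $true `
    -EnableLoggingToFile $true -LogFilePath $dnsLog -EnableLogFileRollover $true

# DHCP: Properties > General > "Enable DHCP audit logging", default folder from the reply.
$dhcpDir = "$env:SystemRoot\System32\Dhcp"
Set-DhcpServerAuditLog -Enable $true -Path $dhcpDir

# Hypothetical helper: returns a list of problems (empty list = both sources ready to tail).
function Test-SiemLogSources {
    $issues = @()

    $dns = Get-DnsServerDiagnostics
    $dnsOk = $dns.EnableLoggingToFile -and $dns.ReceivePackets -and `
             $dns.Queries -and $dns.UdpPackets -and $dns.TcpPackets
    if (-not $dnsOk) {
        $issues += "DNS debug logging incomplete (file=$($dns.EnableLoggingToFile) incoming=$($dns.ReceivePackets) queries=$($dns.Queries))"
    }
    # The log is created on first logged packet, so a missing file right after enabling is expected.
    if (-not (Test-Path $dns.LogFilePath)) {
        $issues += "DNS log file not present yet: $($dns.LogFilePath)"
    }

    $dhcp = Get-DhcpServerAuditLog
    if (-not $dhcp.Enable) { $issues += "DHCP audit logging is disabled" }
    # One file per weekday (DhcpSrvLog-Mon.log ...), rotated daily at midnight as the reply notes.
    $day   = (Get-Date).ToString('ddd', [Globalization.CultureInfo]::InvariantCulture)
    $today = Join-Path $dhcp.Path ("DhcpSrvLog-{0}.log" -f $day)
    if (-not (Test-Path $today)) { $issues += "Today's DHCP audit log not found: $today" }

    return $issues
}

$problems = Test-SiemLogSources
if ($problems.Count -eq 0) { "Both log sources are enabled and present; point the agent at $dnsLog and $dhcpDir" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Re-run Test-SiemLogSources after some DNS and DHCP traffic, since both files appear only once the first event is written.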