Recently we have implemented McAfee Enterprise Security Manager SIEM
to collect all events and logs from all network devices, servers, Event Viewer and other logs.
I'm looking for what exact configurations should be made on Microsoft servers to enable audit logging to be collected by the SIEM.
Does Microsoft have a standard on that, or a recommendation for each application: if I monitor this application and need to get the maximum logs, what configurations should be made in this app to get that?
I did some research but I didn't get a clear or complete answer for that.
Server list I have:
Please, I don't know if some settings should be enabled or not, just to confirm!
I appreciate your support.
Moved from Consumer Products to SIEM for better assistance by Moderator
Hello massivele,
I will answer for both DNS and DHCP servers, as there are not so many things to configure.
[DNS Servers]
[DHCP Servers]
Note:
The two mentioned paths can be moved to another location if needed.
DHCP rotates the file based on days, every day at 12:00 AM by default (DhcpSrvLog-Mon, DhcpSrvLog-Tue, ...).
Microsoft does not have any standards about logging. However, you can compile a list of useful events that you would like to collect yourself, based on the following links:
http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1...https://www.google.ch/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http...
https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
Hope this helps
Regards
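The answer above names the two things a SIEM collector needs on a DNS/DHCP server but leaves the actual switches to the reader. The following PowerShell is an added example, not code from the thread or from McAfee/Microsoft documentation: it turns on the Advanced Audit Policy subcategories most SIEM guides ask for, enables DNS server diagnostics plus the DNS analytic event channel, enables the DHCP audit log, and then prints what the collector will actually see. It assumes Windows Server 2012 R2 or later with the DnsServer and DhcpServer PowerShell modules, run elevated on the server itself; the analytic channel name, log size values and subcategory selection are the example's own choices, not settings the original post specifies. File paths are left at their defaults so nothing on disk is moved.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original thread): enable the Windows-side logging a SIEM
# collector can pick up on a DNS/DHCP server, then show the resulting settings.
# Assumes Server 2012 R2+, DnsServer/DhcpServer modules present, run locally and elevated.

# --- Security log: Advanced Audit Policy subcategories (example selection) -------------
# auditpol is the supported way to set these outside Group Policy; at scale, put the same
# subcategories in a GPO so they survive a local reset.
$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
    'Process Creation', 'Security Group Management', 'User Account Management',
    'Audit Policy Change', 'Sensitive Privilege Use', 'Other Object Access Events'
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Include the command line in event 4688 so process-creation events are worth collecting.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Value 1 -Type DWord -Force

# Raise the Security log cap (1 GiB here, an assumed value) so events are not overwritten
# before the collector has read them.
wevtutil.exe sl Security /ms:1073741824

# --- DNS server: diagnostics to the DNS event/debug log plus the analytic channel ------
if (Get-Command Set-DnsServerDiagnostics -ErrorAction SilentlyContinue) {
    # -All enables every diagnostic category (high volume; trim after a baseline period).
    Set-DnsServerDiagnostics -All $true
    # Per-query ETW analytic channel (assumed name, Server 2012 R2+); lower overhead than
    # file-based debug logging. /q:true suppresses the confirmation prompt.
    wevtutil.exe sl 'Microsoft-Windows-DNSServer/Analytical' /e:true /q:true
    Get-DnsServerDiagnostics | Select-Object EnableLoggingToFile, LogFilePath, MaxMBFileSize
}

# --- DHCP server: audit log (DhcpSrvLog-<Day>.log, rotated daily by the service) --------
if (Get-Command Set-DhcpServerAuditLog -ErrorAction SilentlyContinue) {
    # Size and free-space thresholds are example values; the path stays at its default.
    Set-DhcpServerAuditLog -Enable $true -MaxMBFileSize 70 -MinMBDiskSpace 20
    Get-DhcpServerAuditLog | Select-Object Enable, Path, MaxMBFileSize
}

# --- Verify what the collector will actually see --------------------------------------
auditpol.exe /get /category:* | Select-String 'Success and Failure|No Auditing'
wevtutil.exe gl Security | Select-String 'maxSize|enabled'
```

Point the SIEM's Windows collector at the Security, System and DNS Server event logs (and the analytic channel if it supports ETW channels), and at the DHCP audit log directory reported by `Get-DhcpServerAuditLog`; because the DHCP file name changes with the weekday, the collector must watch the directory rather than a single file name.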