SIEM auditing settings with Microsoft Servers

Recently we have implemented McAfee Enterprise Security Manager SIEM

to collect all events and logs from the network, servers, Event Viewer and other logs.

I'm looking for the exact configurations that should be made on Microsoft servers to enable audit logging to be collected by the SIEM.

Does Microsoft have a standard or recommendation for this, per application? If I monitor an application and need to get the maximum logs, what configurations should be made in that app to get them?

I did some research but didn't get a clear or complete answer on that.

Servers list I have:

  • Exchange 2010 highly available
  • Active directory 2008 / 2012
  • SQL server 2008 / 2012
  • Hyper-V Servers 2010 / 2012
  • SharePoint Server 2010
  • DNS servers 2008
  • DHCP servers 2008

Please, I don't know if some settings should be enabled or not; just to confirm!

Appreciate support.

2 Replies
Reliable Contributor catdaddy
Message 2 of 3

Re: SIEM auditing settings with Microsoft Servers

Moved from Consumer Products to SIEM for better assistance. (By Moderator)

Cliff
McAfee Volunteer
ksudki
Level 10
Message 3 of 3

Re: SIEM auditing settings with Microsoft Servers

Hello massivele,

I will answer for both DNS and DHCP servers, as you don't have so many things to configure.

[DNS Servers]

  1. Open the DNS Management console
  2. From the DNS server list, right-click the server and select Properties
  3. Select the Debug Logging tab and tick the Log packets for debugging check box
  4. Ensure that the Incoming, UDP & TCP, Queries/Transfers and Requests check boxes are selected.
  5. The default file location is %systemroot%\System32\Dns\Dns.log
  6. Configure the agent to tail this log file

[DHCP Servers]

  1. Open the DHCP Management console
  2. From the DHCP server list, right-click the server and select Properties
  3. On the General tab, select the option Enable DHCP audit logging
  4. The default file location is %systemroot%\System32\Dhcp
  5. Configure the agent to tail the log files

Note:

The two mentioned paths can be moved to another location if needed.

DHCP rotates the file based on days, every day at 12:00 AM by default (DhcpSrvLog-Mon, DhcpSrvLog-Tue, ...).

Microsoft does not have any standards about logging. However, you can compile your own list of useful events that you would like to collect, based on the following links:

http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1...

https://www.google.ch/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http...

https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Poli...

https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf


Hope this helps

Regards
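The same DNS and DHCP settings from the answer above, applied from PowerShell so they can be scripted across the 2008/2012 estate and verified after the fact. This is an added example, not code posted in the thread or shipped by McAfee; it assumes Windows Server 2012 or later with the DnsServer and DhcpServer modules available (role installed or RSAT), that it runs locally on the server with administrative rights, and that the log paths are the defaults quoted in the answer. The `$DnsLogMaxMB` value is a constructed default, not a Microsoft recommendation.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the thread): enables the DNS debug logging and DHCP
  audit logging options listed in the answer and reads the settings back, so
  the resulting log paths can be handed to the SIEM collector that tails them.
  Assumptions: Windows Server 2012 or later with the DnsServer and DhcpServer
  modules (role installed or RSAT), run locally on the server.
#>
param(
    # Defaults are the paths quoted in the answer; override them if the logs were relocated.
    [string]$DnsLogPath = "$env:SystemRoot\System32\Dns\Dns.log",
    [string]$DhcpLogDir = "$env:SystemRoot\System32\Dhcp",
    # Constructed value: size the DNS log so it does not wrap before the collector reads it.
    [int]$DnsLogMaxMB   = 500
)

Import-Module DnsServer  -ErrorAction Stop
Import-Module DhcpServer -ErrorAction Stop

# --- DNS: Debug Logging tab -> "Log packets for debugging" ---------------------
$dnsSettings = @{
    ReceivePackets       = $true              # Packet direction: Incoming
    UdpPackets           = $true              # Transport: UDP
    TcpPackets           = $true              # Transport: TCP
    Queries              = $true              # Packet contents: Queries/Transfers
    QuestionTransactions = $true              # Packet type: Request
    EnableLoggingToFile  = $true
    LogFilePath          = $DnsLogPath
    MaxMBFileSize        = $DnsLogMaxMB * 1MB # despite the name the value is bytes (default 500000000)
}
Set-DnsServerDiagnostics @dnsSettings

# --- DHCP: General tab -> "Enable DHCP audit logging" --------------------------
$before = Get-DhcpServerAuditLog
Set-DhcpServerAuditLog -Enable $true -Path $DhcpLogDir
if ($before.Path -ne $DhcpLogDir) {
    # A changed audit log directory only takes effect after the service restarts.
    Restart-Service -Name DHCPServer
}

# --- Read back and build the collector's file list -----------------------------
$dns  = Get-DnsServerDiagnostics
$dhcp = Get-DhcpServerAuditLog

if (-not ($dns.EnableLoggingToFile -and $dns.ReceivePackets -and $dns.Queries)) {
    throw "DNS debug logging did not apply as expected:`n$($dns | Out-String)"
}
if (-not $dhcp.Enable) {
    throw "DHCP audit logging is still disabled"
}

# DHCP writes one file per weekday (DhcpSrvLog-Mon.log ... DhcpSrvLog-Sun.log),
# so the agent must tail a wildcard rather than a single file name.
$collectorPaths = [ordered]@{
    'DNS debug log'   = $dns.LogFilePath
    'DHCP audit logs' = Join-Path $dhcp.Path 'DhcpSrvLog-*.log'
}

$collectorPaths.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Source  = $_.Key
        Path    = $_.Value
        # Files appear only after the first logged event, so the DNS file
        # may legitimately be absent right after enabling.
        Present = [bool](Get-Item -Path $_.Value -ErrorAction SilentlyContinue)
    }
} | Format-Table -AutoSize
```

Two points a collector deployment should account for: DNS packet debug logging is a diagnostic feature with measurable overhead on busy resolvers, and the file wraps once it reaches the configured size, so the collector's tail interval must keep up with the write rate; and because both logs are flat files rather than Event Log channels, the SIEM agent needs a file-tail data source with a matching parser, not the Windows event source it uses for the domain controllers.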
