NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > ISS> 2004-q1

AW: [ISSForum] Server Sensor7.0 and Windows auditing.

From: Mohr James (james.mohrelaxy.com)
Date: Tue Feb 10 2004 - 11:36:04 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Andy!

When you right-click the sensor and select "edit properties", click the "Servor Sensor" tab. There is a setting labled "Enforce audit policy". If this is selected, then the sensor wíll change the system auditing to do what it needs to. I had the same problem (mine was unsuccessful logins, but the idea is the same). Uncheck that option and you should be good to go.

Regards,

Jim Mohr

-----Ursprüngliche Nachricht-----
Von: Dryburgh, Andrew [mailto:ADryburghscotborders.gov.uk]
Gesendet: Montag, 9. Februar 2004 15:46
An: issforumiss.net
Betreff: [ISSForum] Server Sensor7.0 and Windows auditing.

***** THIS EMAIL WAS SENT VIA THE INTERNET *****

Hi All,
I have found that our security event logs are filling up rapidly due to logging Successful Object Access - making them hard to manage. I want to change the Windows audit policy to only log failed object accesses, according to NSA guidelines, but when I do server sensor seems to overwrite the setting putting it back to success, failure. I know there is an audit.policy file on the sensor but I can't find anywhere to administer it from. Does server sensor require a certain auditing configuration to function properly? Does it need to have successful object accesses audited?

Any help would be much appreciated.

Andy

**********************************************************************
This email is privileged, confidential and subject to copyright. Any unauthorised use or disclosure of its content is prohibited. The views expressed in this communication may not necessarily be the views held by Scottish Borders Council
**********************************************************************

_______________________________________________
ISSForum mailing list
ISSForumiss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo

_______________________________________________
ISSForum mailing list
ISSForumiss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]