Guest Column | April 7, 2014

Windows Event Logs: Things Every Solutions Provider Should Know


By John McCann, Co-Founder of Visual Click Software

Windows Event Logs (WELs) for Active Directory provide information that helps reduce unwanted events — or that signals a cyberattack. Effective usage of WELs requires two important ingredients.

  1. Implementation

There are multiple methods to implement WELs. System access control lists (SACLs) must be created for the objects (and child objects) to be monitored, and there are numerous categories of refinements to aid in reducing unwanted or even benign events. Alerts can be defined, but doing so requires the user to know the specific event code(s) and event sources to alert on.

  2. Analysis

Once collected, logged events must be analyzed. The WEL native “event viewer” includes the ability to perform ad-hoc analysis of recorded events, but requires users to be versed in what data they want to extract. Many organizations do not have employees well versed in either implementation or analysis of WELs. Further, many consider log analysis to be a reactive process, something to be accomplished once a concern has been discovered, usually via other means. Without processes designed to routinely or actively monitor event logs, their effectiveness is greatly diminished, and they become more of a method to document historical evidence for later use.
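The two ingredients above, routine analysis and alerting on known event codes, can be demonstrated in a single scheduled pass over the Security log. The following is an added example, not code from the column or from Visual Click Software. It assumes a domain controller or member server with PowerShell 5.1 or later and rights to read the Security log; the one-hour look-back window, the ten-failure threshold, the task name and the notification script path are all assumptions. The event IDs used (4625, 4720, 4728, 4732, 5136) are the documented Windows Security event IDs for failed logon, user created, member added to a global or local security group, and directory object modified.

```powershell
# Added example: a routine monitoring pass over the Security log plus an event-driven alert.
# Assumptions: PowerShell 5.1+, read access to the Security log, the values below are placeholders.
$LookbackHours   = 1
$FailedThreshold = 10
$Since           = (Get-Date).AddHours(-$LookbackHours)

# The event codes the alerting depends on knowing (documented Windows Security IDs):
# 4625 failed logon, 4720 user created, 4728/4732 member added to a global/local security group,
# 5136 directory service object modified (only emitted for objects whose SACL requests it).
$WatchIds = 4625, 4720, 4728, 4732, 5136

# Filter by ID and time window inside the query so the whole log is never read into memory.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $WatchIds; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Read a named EventData field from the XML rendering; more robust than positional Properties[] indexes.
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Volume summary: what kinds of events occurred in the window.
$Events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 2. Threshold rule: repeated failed logons against a single account.
$Events | Where-Object Id -eq 4625 |
    ForEach-Object { Get-EventDataValue -Event $_ -Name 'TargetUserName' } |
    Group-Object | Where-Object Count -ge $FailedThreshold |
    ForEach-Object { Write-Warning ("{0} failed logons for account '{1}' since {2}" -f $_.Count, $_.Name, $Since) }

# 3. Always-report rule: account creation and security group membership changes are rare
#    enough that every occurrence is listed with the actor. For 4728/4732 TargetUserName is the group.
$Events | Where-Object { $_.Id -in 4720, 4728, 4732 } | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Actor   = Get-EventDataValue -Event $_ -Name 'SubjectUserName'
        Target  = Get-EventDataValue -Event $_ -Name 'TargetUserName'
    }
} | Format-Table -AutoSize

# 4. Near-real-time alert without a SIEM: a scheduled task that fires on each 4720 written to
#    the Security channel. The notification script path is a placeholder.
schtasks /Create /TN "Alert-UserCreated" /SC ONEVENT /EC Security `
         /MO "*[System[EventID=4720]]" `
         /TR "powershell.exe -NoProfile -File C:\Scripts\Notify-UserCreated.ps1" /RU SYSTEM /F
```

Run the first three sections from a scheduled task every hour (or whatever `$LookbackHours` is set to) and route the output to a ticket or mailbox; the point is that the review happens on a schedule rather than after a concern is raised by other means. The event-triggered task in section 4 covers the cases where waiting for the next scheduled pass is too slow.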

Microsoft does not include a native out-of-the-box solution to seamlessly implement and analyze WELs. Even its paid option, the System Center product line, relies on third parties that create tools to further assist in analyzing WELs.

Risks To Security

Security is imperative, and organizations of all sizes do their best with the tools they have. Many do not employ experts on Active Directory or even on Windows. Many of those who administer systems are doing their best, but do not have the skills or time to handle the complexity of planning and implementing WELs. Thus, WEL technology is largely rendered useless to most organizations that need breach awareness and must also comply with regulatory requirements.

“Events to be logged” must be defined, and improper definition of those events can easily occur. As a result, either important security-related actions/events are not logged at all, or everything is audited and there are far too many events for a human to review.
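The implementation step described earlier (audit policy and SACLs) and the two failure modes in this paragraph (auditing nothing useful, or auditing everything) can be shown side by side. The following is an added example, not code from the column or from Visual Click Software. It assumes a domain controller with the ActiveDirectory PowerShell module and the privilege to read and write SACLs; the OU distinguished name is a placeholder, and the choice of subcategories and rights is one defensible scoping, not the only one.

```powershell
# Added example: defining "events to be logged" deliberately instead of all-or-nothing.
# Assumptions: domain controller, ActiveDirectory module available, SeSecurityPrivilege held.

# --- The "everything is audited" mistake. Commented out on purpose: it floods the Security log
#     with benign events and buries the ones worth reading.
# auditpol /set /category:* /success:enable /failure:enable

# --- Scoped policy instead: only the subcategories that produce reviewable events.
auditpol /set /subcategory:"Logon"                      /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management"    /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes"  /success:enable /failure:enable

# Confirm the effective setting; what a GPO says and what is in force are not always the same.
auditpol /get /category:"Account Management"
auditpol /get /category:"DS Access"

# --- The SACL half. "Directory Service Changes" only emits 5136/5137/5141 for objects whose
#     SACL asks for it, so enabling the subcategory alone logs nothing. Audit successful writes,
#     DACL changes and deletions by anyone on one sensitive OU and everything beneath it.
Import-Module ActiveDirectory
$OuDn = "OU=Admin Accounts,DC=example,DC=com"   # placeholder distinguished name
$Path = "AD:\$OuDn"

$Acl      = Get-Acl -Path $Path -Audit
$Everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$Rule     = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $Everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Delete',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Show the audit entries now applied, so the scope can be reviewed before events start flowing.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

The SACL is deliberately placed on one OU rather than the domain root: the same rule at the root would reproduce the "too many events" problem through a different mechanism, since every attribute write anywhere in the directory would become a 5136.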

Many computer security compromises could be discovered early in the event if the victims enacted appropriate event log monitoring and alerting. Independent reports have long supported this conclusion. For example, the 2009 Verizon Data Breach Report states: “The apparent ineffectiveness of event monitoring and log analysis continues to be somewhat of an enigma. The opportunity for detection is there; investigators noted that 66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources.”

This lack of monitoring event logs remains a consistent weakness in many companies’ security defense plans. The 2012 Verizon Data Breach report found that even though 85 percent of breaches took several weeks to be noticed, 84 percent of victims had evidence of the breach in their event logs.

VARs and managed services providers can make sure their clients’ WELs are providing the most benefit. They can find commercial solutions that simplify the monitoring and auditing of important Active Directory events. These benefit you and your customers by being the “expert” and providing relevant real-time information to aid in breach discovery and compliance with regulatory requirements.

About The Author

John McCann has more than 33 years’ experience in the software industry. Since 1986, he has developed an array of network management and reporting tools for Novell's NetWare and Windows NT networks. In 1987, he helped create the software metering industry, being called the father of software metering by the New York Times (August 21, 1994) and others. In the summer of 1989 he helped Novell create the NLM Developer's Toolkit. In the fall of 1989 he wrote the NetWare Supervisor's Guide, which enjoyed 7 reprints through 1995. In late 1989 he worked closely with Novell to develop the NetWare Name Service (NNS), which became Novell's NDS/eDirectory. Throughout the period 1988-1990 he served as the lead SysOp (System Operator) for Novell's forums (i.e. newsgroups) on The Source and on CompuServe. In October of 1993 Mr. McCann released SofTrack, which has provided Software Metering solutions for more than 14,000 customers worldwide. In late 1996, Mr. McCann first envisioned Visual Click Software's first product, DSRAZOR.