
Tracking Requirements


All compliance tracking features work by intercepting Audit Success and Audit Failure events from the Security event log. The corresponding audit categories therefore need to be enabled in the security policy of every computer being monitored. For example, in order to track the creation of new user accounts, the "Audit account management" policy needs to be enabled.

 

All tracking features can be configured to turn on the required auditing automatically if it is not already enabled. We still recommend enabling auditing at the domain level through Group Policy where possible, since a domain policy is applied consistently and cannot be undone by a local change.

 

Please see the list below to identify which auditing options are required by the respective tracking features:

 

Compliance Tracking Feature, followed by the Windows Auditing Category required on Windows 2000 to Windows 2003 and on Windows Vista to Windows 2008 R2:

Process Tracking
   Windows 2000 to Windows 2003:      Audit process tracking (Success)
   Windows Vista to Windows 2008 R2:  Detailed Tracking
      - Audit Process Creation
      - Audit Process Termination

Logon Tracking (Console Sessions)
   Windows 2000 to Windows 2003:      Audit logon events
   Windows Vista to Windows 2008 R2:  Logon and Logoff
      - Logon
      - Logoff

Logon Tracking (Network Logons)
   Windows 2000 to Windows 2003:      (none listed)
   Windows Vista to Windows 2008 R2:  Account Logon
      - Credential Validation
      - Kerberos Authentication Service
      - Kerberos Service Ticket Operations
      - Other Account Logon Events

File Access Tracking
   Windows 2000 to Windows 2003:      Audit object access
   Windows Vista to Windows 2008 R2:  Object Access
      - File System

Account Management Tracking
   Windows 2000 to Windows 2003:      Audit account management
   Windows Vista to Windows 2008 R2:  Account Management
      - all subcategories

Policy Change Tracking
   Windows 2000 to Windows 2003:      Audit policy change
   Windows Vista to Windows 2008 R2:  Policy Change
      - Audit Policy Change
      - Authentication Policy Change
      - Authorization Policy Change

Print Tracking
   Windows 2000 to Windows 2003:      Log spooler information events
   Windows Vista to Windows 2008 R2:  Enable the "Microsoft-Windows-PrintService/Operational" event log

 

Once you have determined which auditing option a tracking feature needs, use one of the following options to enable it; item 3 describes a Security event log requirement that applies regardless of how auditing is enabled. The required setting from the Windows Auditing Category column is referred to below as [Auditing Option].

 

1. You can have the EventSentry agent enable the required auditing setting automatically when the service starts by selecting "Auditing On" from the Requested Audit Policy. In this case, make sure that no domain or higher-level Group Policy object overrides the settings made by the EventSentry agent, as Group Policy is re-applied periodically and would revert them.

 

(Screenshot) Using the EventSentry agent to automatically enable "Process Tracking"

 

2. If you would rather enable [Auditing Option] yourself, you have several options depending on the operating system:

 

Windows NT 4

From the "Administrative Tools" open "User Manager" or "User Manager for domains" and select Policies -> Audit from the menu. Then, check the "Success" checkbox next to [Auditing Option].

 

Windows 2000 (and higher) without Active Directory

Open "Local Security Policy" in the "Administrative Tools". Navigate to "Security Settings" -> "Local Policies" -> "Audit Policy". Double-click [Auditing Option] and check the "Success" checkbox. It may take several minutes for this change to become effective.

 

Windows 2000 (and higher) with Active Directory

Open the appropriate Group Policy object or the "Domain Security Policy". Navigate to "Audit Policy" and set [Auditing Option] to "Success". Depending on your Active Directory setup you might need to edit a Group Policy object other than the Domain Security Policy, for example one linked to the organizational unit that contains the monitored computers.

 

3. The Security event log must be configured to "Overwrite events as needed", and a maximum log size of at least 2048 KB is recommended. If the event log is not configured correctly, the EventSentry agent writes an error message to the Application event log on startup.

 

You can change the log settings by opening "Event Viewer" (from Administrative Tools) and right-clicking the "Security" log. Select "Properties" from the menu and verify that the log is set to "Overwrite events as needed" and that the "Maximum log size" is sufficiently large for the volume of audit events the machine generates.
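The manual steps in items 2 and 3 use the Group Policy and Event Viewer dialogs. As an added example (not part of the EventSentry documentation or product), the following PowerShell script does the same from an elevated prompt on Windows Vista / Server 2008 R2 and later: it enables Success auditing for the subcategories listed in the table above using auditpol.exe, turns on the PrintService operational log needed by Print Tracking, and configures the Security log to overwrite events as needed with a size well above the 2048 KB minimum. The subcategory names are the ones auditpol expects, which differ slightly from the "Audit ..." labels shown in the Group Policy editor. The script assumes the computer is not subject to a Group Policy audit setting that would override the local policy; the Invoke-Checked helper and the 64 MB log size are choices made for this example.

```powershell
# Added example, not from the EventSentry documentation or product.
# Enables the audit subcategories from the table above with auditpol.exe,
# enables the PrintService operational log for Print Tracking, and applies
# the Security log retention and size requirement from item 3.
# Run from an elevated PowerShell prompt on Windows Vista / Server 2008 R2 or later.
# Assumption: no Group Policy object overrides local audit policy; if one does,
# these settings are reverted at the next policy refresh.

$ErrorActionPreference = 'Stop'

function Invoke-Checked {
    # Runs an external command and fails loudly on a non-zero exit code,
    # so a mistyped subcategory name does not silently leave auditing off.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Subcategory names exactly as auditpol expects them, grouped by tracking feature.
$Subcategories = [ordered]@{
    'Process Tracking'                  = @('Process Creation', 'Process Termination')
    'Logon Tracking (Console Sessions)' = @('Logon', 'Logoff')
    'Logon Tracking (Network Logons)'   = @('Credential Validation',
                                            'Kerberos Authentication Service',
                                            'Kerberos Service Ticket Operations',
                                            'Other Account Logon Events')
    'File Access Tracking'              = @('File System')
    'Policy Change Tracking'            = @('Audit Policy Change',
                                            'Authentication Policy Change',
                                            'Authorization Policy Change')
}

foreach ($feature in $Subcategories.Keys) {
    foreach ($sub in $Subcategories[$feature]) {
        Write-Host "Enabling success auditing for '$sub' ($feature)"
        # Only /success is touched; any existing failure auditing is left unchanged.
        Invoke-Checked 'auditpol.exe' @('/set', "/subcategory:$sub", '/success:enable')
    }
}

# Account Management Tracking needs every subcategory of the category,
# so the whole category is set at once.
Invoke-Checked 'auditpol.exe' @('/set', '/category:Account Management', '/success:enable')

# Print Tracking reads the PrintService operational log, which is disabled by default.
Invoke-Checked 'wevtutil.exe' @('sl', 'Microsoft-Windows-PrintService/Operational', '/e:true')

# Item 3: the Security log must overwrite events as needed (/rt:false) and be
# large enough. 2048 KB is the documented minimum; 64 MB is used here as a more
# practical value for a server that generates process and logon events.
$SecurityLogBytes = 64MB
Invoke-Checked 'wevtutil.exe' @('sl', 'Security', '/rt:false', "/ms:$SecurityLogBytes")

# Verification: auditpol prints "Success", "Success and Failure" or "No Auditing"
# per subcategory; LogMode must read Circular (= overwrite events as needed).
auditpol.exe /get /category:*
Get-WinEvent -ListLog Security | Format-List LogName, LogMode, MaximumSizeInBytes
```

Two caveats a practitioner should keep in mind. Object Access auditing only produces events for files and folders that carry a matching SACL, so File Access Tracking additionally needs auditing entries on the paths to be monitored. On domain members, a Group Policy object that sets the legacy "Audit Policy" categories overwrites these subcategory settings at the next policy refresh unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled; putting the settings into a GPO, as recommended above, avoids the conflict.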

 

Note: To turn off an audit category that the agent previously enabled (for example process tracking), set the Requested Audit Policy to "Auditing Off". Again, make sure that no domain policies undo the policy changes performed by the EventSentry agent.