
All Security & Compliance features work by intercepting Audit Failure and Audit Success events from the Security event log. As such, the respective audit features need to be enabled in the security policy of the computers being monitored. For example, in order to track the creation of new user accounts, the Account Management audit policy needs to be enabled.

 

All features can be configured to automatically turn on auditing for you if it is not already enabled; however, we still recommend enabling auditing at the domain level using group policies when possible.

 

Please see the list below to identify which auditing options are required by the respective features:

 

Required Audit Configuration for Security & Compliance

| Security & Compliance Feature | Auditing Category / Subcategory (Windows Vista and later) | Legacy Audit Category |
|---|---|---|
| Process Tracking | Detailed Tracking: Audit Process Creation, Audit Process Termination | Audit process tracking (Success) |
| Logon Tracking (Console Sessions) | Logon and Logoff: Logon, Logoff | Audit logon events |
| Logon Tracking (Network Logons) | Account Logon: Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events | |
| File Access Tracking | Object Access: File System | Audit object access |
| Account Management Tracking | Account Management: all subcategories | Audit account management |
| Policy Change Tracking | Policy Change: Audit Policy Change, Authentication Policy Change, Authorization Policy Change | Audit policy change |
| Print Tracking | Enable "Microsoft-Windows-PrintService/Operational" event log | Log spooler information events |
| Registry Change Tracking | Object Access: Registry | n/a |
| Permission Inventory | n/a | n/a |


Once the required auditing options have been determined, one of the following three options can be used to enable auditing. The required auditing setting from the Required Auditing column of the table above will be referred to as [Auditing Option].

 

1. You can have the EventSentry agent automatically enable the required auditing setting when the service starts by selecting "Auditing On" from the Requested Audit Policy. In this case, make sure that no top-level policies overwrite the policy settings set by the EventSentry agent.

 

[Screenshot: Using the EventSentry agent to automatically enable "Process Tracking"]

 

2. There are multiple ways to enable auditing outside of EventSentry:

 

Windows 2008 (and higher) with "Force audit policy subcategory settings" enabled

Open the appropriate group policy or open the "Domain Security Policy". Navigate to "Advanced Audit Policy Configuration" and expand the appropriate category (refer to the table "Required Audit Configuration for Security & Compliance" above). There, configure the required settings to "Audit Success".

 

Windows 2008 (and higher) without "Force audit policy subcategory settings" enabled (not recommended)

Open the appropriate group policy or open the "Domain Security Policy". Navigate to "Audit Policy" and select the appropriate legacy audit policy (refer to the table "Required Audit Configuration for Security & Compliance" above). There, configure the required settings to "Audit Success".

 

 

3. The security event log "Log Size" needs to be configured to "Overwrite events as needed"; it is also recommended to specify a size of at least 2048 KB. The EventSentry agent will write an error message to the application event log upon startup if the event log is not correctly configured.

 

You can change the "Log size" settings by opening "Event Viewer" (from Administrative Tools) and right-clicking "Security Log". Select "Properties" from the menu and verify that the "Log size" is correctly set to "Overwrite events as needed". Also verify that the "Maximum log size" is sufficiently large.
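The following PowerShell script is an added example for verifying steps 2 and 3 on a single computer; it is not part of EventSentry or of this documentation. It maps each feature from the table above to the auditpol subcategories that must log Success, reports which ones are missing, checks that the PrintService/Operational channel is enabled and that the Security log is set to overwrite as needed with at least 2048 KB, and with -Fix applies the missing settings using auditpol and wevtutil. It assumes administrative rights and the English subcategory names that auditpol prints; the feature-to-subcategory mapping is taken from the table, with "all subcategories" of Account Management spelled out.

```powershell
#Requires -RunAsAdministrator
# Added example (not EventSentry code): audit a computer against the
# "Required Audit Configuration for Security & Compliance" table.
param(
    [switch]$Fix   # apply missing settings instead of only reporting them
)

# Feature -> auditpol subcategories that must log Success (English names assumed)
$Required = [ordered]@{
    'Process Tracking'                  = @('Process Creation', 'Process Termination')
    'Logon Tracking (Console Sessions)' = @('Logon', 'Logoff')
    'Logon Tracking (Network Logons)'   = @('Credential Validation',
                                            'Kerberos Authentication Service',
                                            'Kerberos Service Ticket Operations',
                                            'Other Account Logon Events')
    'File Access Tracking'              = @('File System')
    'Account Management Tracking'       = @('User Account Management',
                                            'Computer Account Management',
                                            'Security Group Management',
                                            'Distribution Group Management',
                                            'Application Group Management',
                                            'Other Account Management Events')
    'Policy Change Tracking'            = @('Audit Policy Change',
                                            'Authentication Policy Change',
                                            'Authorization Policy Change')
    'Registry Change Tracking'          = @('Registry')
}

function Get-AuditSetting {
    param([string]$Subcategory)
    # "auditpol /get ... /r" prints CSV; the "Inclusion Setting" column reads
    # "Success", "Failure", "Success and Failure" or "No Auditing".
    $row = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv | Select-Object -First 1
    return $row.'Inclusion Setting'
}

$missing = @()
foreach ($feature in $Required.Keys) {
    foreach ($sub in $Required[$feature]) {
        $setting = Get-AuditSetting -Subcategory $sub
        if ($setting -match 'Success') {
            Write-Host ("[OK]      {0,-35} {1,-36} {2}" -f $feature, $sub, $setting)
        } else {
            Write-Host ("[MISSING] {0,-35} {1,-36} {2}" -f $feature, $sub, $setting)
            $missing += $sub
        }
    }
}

if ($Fix) {
    foreach ($sub in $missing) {
        # Enable Success auditing only; Failure auditing is left as configured.
        auditpol /set /subcategory:"$sub" /success:enable | Out-Null
    }
}

# Print Tracking: the PrintService/Operational channel must be enabled.
$print = Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational'
if ($print.IsEnabled) {
    Write-Host '[OK]      Print Tracking: PrintService/Operational log is enabled'
} else {
    Write-Host '[MISSING] Print Tracking: PrintService/Operational log is disabled'
    if ($Fix) { wevtutil sl 'Microsoft-Windows-PrintService/Operational' /e:true }
}

# Security log: "Overwrite events as needed" is LogMode Circular; size >= 2048 KB.
$sec      = Get-WinEvent -ListLog Security
$minBytes = 2048KB
if ($sec.LogMode -eq 'Circular' -and $sec.MaximumSizeInBytes -ge $minBytes) {
    Write-Host ("[OK]      Security log: mode={0} size={1} KB" -f $sec.LogMode, ($sec.MaximumSizeInBytes / 1KB))
} else {
    Write-Host ("[MISSING] Security log: mode={0} size={1} KB" -f $sec.LogMode, ($sec.MaximumSizeInBytes / 1KB))
    # /rt:false = overwrite as needed; /ms = maximum size in bytes
    if ($Fix) { wevtutil sl Security /rt:false /ms:$minBytes }
}
```

Run it without parameters to get a report, and with -Fix to apply the missing settings. As with the EventSentry agent's "Auditing On" option, settings applied locally with auditpol are overwritten at the next group policy refresh if a domain policy defines audit policy, so on domain members the group policy route described above remains the durable choice; the report mode is still useful for confirming that the policy has actually arrived on the computer.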

 


To disable previously enabled auditing of the operating system, set the Requested Audit Policy to "Auditing Off". Make sure that no domain policies overwrite or conflict with the policy settings in EventSentry.

 
