Score:3

Windows Server Audit Logs


I have a Windows Server 2012 R2 domain controller and file server. I enabled auditing for a specific folder I want to monitor. I am collecting logs on a centralized Graylog server. I am getting the audit logs correctly; the problem is I am also getting a ton of logs of the files being accessed by the AV software (Bitdefender) and by the cloud sync software I use to sync my files to the cloud. My Graylog server is getting overloaded with messages I don't want. I can filter the messages I want in Graylog, but as I said, I don't want to receive them as audit logs.

Is there any way I can exclude the AV program and sync program from being logged in Windows Event Viewer?

Thanks in advance.

Alex:
I would also suggest moving this question to Information Security forum (https://security.stackexchange.com/), you can do it by flagging your question for review (https://meta.stackexchange.com/questions/184657/how-do-i-transfer-this-question-asked-on-stack-overflow-to-the-math-stack-exchan)
Score:0

I've never heard of such a possibility in Windows audit, and I'm pretty much convinced this cannot be achieved. Maybe you can mitigate the issue, if any of the below would work for you:

  1. Exclude this folder from AV scans, or tune the scan policy for this folder so that low-risk files (e.g. TXT etc.) are excluded.
  2. Enable auditing for critical files only.
  3. Enable auditing for specific operations only (e.g. write) - ideally, the antivirus will not edit your files, and neither will the cloud sync app.
  4. Dump Windows audit logs in favour of a specialized file integrity monitoring (FIM) or data leakage prevention (DLP) solution that has these capabilities.

I must state that I'm talking about the audit option itself. I don't know specifically how you collect logs from Event Viewer. Maybe there's a way to filter them before they leave the Windows machine for the Graylog server; maybe there's a way to force Graylog to send a specific query with these logs filtered. But that would be more a question about Graylog itself, not Windows Security logs.

P.S. A semi-related question, also unanswered: Excluding specific file types from a security audit in windows server 2008
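Option 3 above (audit only the operations that matter) is done on the folder's SACL, not in the audit policy. The PowerShell below is an added example, not code from the answer or from the asker: it replaces the audit entries for Everyone on an assumed folder `D:\Shares\Sensitive` with a single Success entry covering only file creation/write, append and delete, and deliberately lists individual rights instead of the composite `Write` right, because `Write` also includes `WriteAttributes` and `WriteExtendedAttributes`, which scanners and sync clients routinely touch. It needs an elevated session (reading a SACL requires SeSecurityPrivilege) and the "File System" object-access subcategory enabled.

```powershell
# Added example (not from the original answer). Run elevated on the file server.
# Assumption: the audited share lives at D:\Shares\Sensitive; change as needed.
$folder = 'D:\Shares\Sensitive'

# Make sure the Object Access > File System subcategory produces events at all.
# Success only: failed accesses are a separate (often noisier) stream.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# Rights that change content or remove files. CreateFiles shares the bit with
# WriteData and CreateDirectories with AppendData, so listing both is harmless.
$rights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

$identity = [System.Security.Principal.NTAccount]'Everyone'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$audit    = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $identity, $rights, $inherit, $prop, $audit)

# -Audit is required or Get-Acl returns the DACL only and Set-Acl will not touch the SACL.
$acl = Get-Acl -Path $folder -Audit
# Drop whatever broad "Full control"/"Read" audit entries were set earlier for Everyone,
# then add the narrow rule.
$acl.PurgeAuditRules($identity)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: only one entry, and its rights are the four listed above.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

After this change, a plain read or an attribute change by the scanner generates no 4663 event for the folder, while a user overwriting or deleting a file still does. If the sync client rewrites files it downloads, those writes are legitimately audited; filter them downstream by the `SubjectUserName` or `ProcessName` field of the 4663 event rather than widening the SACL again.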

Teo B:
Thank you Alex. The answer seems legit. I will monitor only deletions and edits/writes. I will try that tomorrow morning at work and post the results.
Teo B:
It's working, auditing only for create, edit/write and deletion. No more tons of log entries from AV and sync. Now I can filter and extract the info I want in Graylog. Thanks again.
Alex:
Glad to hear that. If it helps, please mark it as the answer. Also, give the approach proposed by Greg in the second answer a try - maybe there's a way to filter at the OS level using WEF.
Score:0

It isn't possible to select with granularity which events for a subcategory are logged. What you could do is set up Windows Event Forwarding, specify a filter for the subscription that suppresses the events you don't want, then have that server ship its log to your SIEM.

You may also want to review what you are auditing. If read is required, there may not be flexibility. If you're only interested in modifications, you could exclude the various read auditing checkboxes, and that may help with the volume.
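The subscription filter this answer refers to is an XPath query in the subscription's `Query` element, and the Windows event-log XPath subset allows a `<Suppress>` clause next to `<Select>`. The block below is an added example, not part of the answer: it builds a query that selects the object-access events (4663, 4660) and suppresses those whose `ProcessName` is one of the known noisy binaries, tests it locally with `Get-WinEvent -FilterXml` on the file server, then writes a source-initiated subscription for `wecutil`. The two process paths are placeholders; take the real ones from the `ProcessName` field of the events you want gone. The event-log XPath dialect has no `contains()`, so the comparison must be an exact path match.

```powershell
# Added example (not from the original answer). Placeholder paths: replace with the
# exact ProcessName values shown in your noisy 4663 events.
$noisyProcesses = @(
    'C:\PLACEHOLDER\av-scanner.exe',
    'C:\PLACEHOLDER\cloud-sync.exe'
)

# One equality test per process, OR-ed together. Exact match only: the Windows
# event-log XPath subset does not implement contains() or starts-with().
$suppressClause = ($noisyProcesses | ForEach-Object {
    "*[EventData[Data[@Name='ProcessName']='$_']]"
}) -join ' or '

$queryList = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4663 or EventID=4660)]]</Select>
    <Suppress Path="Security">$suppressClause</Suppress>
  </Query>
</QueryList>
"@

# 1. Dry run on the file server itself: these are the events that WOULD be forwarded.
#    If a scanner event still shows up, the ProcessName string does not match exactly.
Get-WinEvent -FilterXml ([xml]$queryList) -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 2. Wrap the same query in a source-initiated subscription for the collector.
#    The SDDL grants the Domain Computers group (DC) the right to push events.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/events/subscription">
  <SubscriptionId>FileServer-ObjectAccess</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>File-server object access minus AV and sync noise</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
$queryList
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

# On the collector (elevated): create the subscription from the file.
$path = Join-Path $env:TEMP 'FileServer-ObjectAccess.xml'
$subscription | Set-Content -Path $path -Encoding UTF8
wecutil cs $path
wecutil gs FileServer-ObjectAccess   # print the stored subscription to confirm the query
```

Two caveats a log pipeline owner should keep in mind. First, suppression by `ProcessName` hides everything that binary does, including a genuine deletion by a compromised or misbehaving sync client, so keep the narrow SACL (write/delete only) as the primary control and use the suppress clause only for the residual noise. Second, the suppressed events still land in the local Security log on the file server, so its retention and size still need to accommodate them; only the forwarded stream gets smaller.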

Teo B:
I forward logs with NXLog CE at the moment. I will test some other tools later. Thanks Greg.