03. 12. 2015 MarinovMihail Log Management, NetEye

Trace Windows Administrators Login Activities with Safed

Sometimes it is required to trace the login/logoff activities of administrators, either to comply with legal guidelines or simply for security reasons (see also our article “What to do with all those logs“). The Safed agent for Windows can easily be configured to collect administrator login/logoff events. The agent ships with a set of administrator discovery commands that it can execute to obtain the list of domain administrators and then build a filtering objective from that list. All events concerning administrator login/logoff are captured, formatted and sent to the log server.

This simple solution has its drawbacks. When Safed monitors a domain controller, for example, Kerberos authentication generates a very high number of login/logoff events, creating fast-growing log files on the Safed side as well as on the collector server. Some tuning is needed here. First of all, set the administrator filter as the last objective to be evaluated (see picture below). Then define some filtering objectives with “Exclude General Search Type” enabled, so that the noisy events are dropped before the administrator filter ever sees them.

Safed Agent System Administrator Logging Configuration

Fill the regexp-enabled General Search Term field of each exclusion objective with a pattern matching what you want excluded from processing and forwarding (see picture below). This way only the administrator login/logoff events you really want reach the last filter and are forwarded to the log server. Test each exclusion pattern against sample events before enabling it: a pattern that is too broad silently suppresses the very administrator events you set out to collect.

Safed Agent Filtering Objective Configuration
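To make the evaluation order concrete, here is an added example (written for this page, not Safed's own code) that models a chain of filtering objectives as described above: exclusion objectives with a regex General Search Term are evaluated first and drop matching events, and the administrator objective, built from a discovered admin list, is evaluated last. The record layout, the account names, the set of Windows event IDs and the sample events are all constructed for the example and are not Safed's actual output format.

```python
"""Model of ordered Safed-style filtering objectives (added example, not Safed code).

Each record is a constructed, simplified Windows Security event laid out as
    <log>\t<event id>\t<DOMAIN\\account>\t<detail>
Real Safed records carry more fields; the ordering logic is the point here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the list the agent's admin discovery command returns.
ADMIN_ACCOUNTS = ["CORP\\Administrator", "CORP\\jdoe"]

# Assumed set of Security event IDs that describe logon/logoff activity
# (the post does not list IDs; these are the usual logon, logoff,
# special-privilege and Kerberos ticket events).
LOGON_LOGOFF_IDS = {4624, 4634, 4647, 4672, 4768, 4769}


@dataclass
class Objective:
    """One filtering objective: a regex 'General Search Term' plus the
    'Exclude General Search Type' flag."""
    name: str
    search_term: str
    exclude: bool = False

    def matches(self, record: str) -> bool:
        return re.search(self.search_term, record) is not None


def admin_search_term(admins: List[str]) -> str:
    """Build the regex for the final, admin-only objective from the discovered
    account list. re.escape keeps the backslash in DOMAIN\\user literal."""
    names = "|".join(re.escape(a) for a in admins)
    ids = "|".join(str(i) for i in sorted(LOGON_LOGOFF_IDS))
    return rf"^Security\t({ids})\t({names})\t"


def evaluate(record: str, objectives: List[Objective]) -> Optional[str]:
    """Walk the objectives in configured order. The first objective whose
    term matches decides: an exclude objective drops the record, an include
    objective forwards it. Returns the forwarding objective's name, or None
    when the record is dropped or matches nothing."""
    for obj in objectives:
        if obj.matches(record):
            return None if obj.exclude else obj.name
    return None


def forward(records: List[str], objectives: List[Objective]) -> List[str]:
    """Return only the records that would be sent to the log server."""
    return [r for r in records if evaluate(r, objectives) is not None]


# Objectives in evaluation order: exclusions first, admin objective last.
OBJECTIVES = [
    Objective("drop machine accounts", r"\t[^\t]+\$\t", exclude=True),
    Objective("drop Kerberos service tickets", r"\t4769\t", exclude=True),
    Objective("drop network logons", r"Logon Type: 3\b", exclude=True),
    Objective("admin logon/logoff", admin_search_term(ADMIN_ACCOUNTS)),
]

# Constructed sample records (not real Safed output).
SAMPLE_RECORDS = [
    "Security\t4624\tCORP\\jdoe\tLogon Type: 10 An account was successfully logged on",
    "Security\t4624\tCORP\\jdoe\tLogon Type: 3 An account was successfully logged on",
    "Security\t4769\tCORP\\Administrator\tA Kerberos service ticket was requested",
    "Security\t4768\tCORP\\Administrator\tA Kerberos authentication ticket (TGT) was requested",
    "Security\t4624\tCORP\\WS01$\tLogon Type: 3 An account was successfully logged on",
    "Security\t4634\tCORP\\alice\tLogon Type: 2 An account was logged off",
    "Security\t4672\tCORP\\Administrator\tSpecial privileges assigned to new logon",
]

if __name__ == "__main__":
    print("correct order (exclusions first, admin filter last):")
    for r in forward(SAMPLE_RECORDS, OBJECTIVES):
        print("  ", r)
    print("admin filter evaluated first (the noise is forwarded):")
    for r in forward(SAMPLE_RECORDS, [OBJECTIVES[-1]] + OBJECTIVES[:-1]):
        print("  ", r)
```

With the exclusions in front, only the interactive jdoe logon, the Administrator TGT request and the Administrator privilege assignment are forwarded; the service-ticket churn, the machine account and the non-admin user never reach the collector. Moving the admin objective to the front forwards every Kerberos service ticket requested by an administrator, which is exactly the fast-growing log problem described above.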

MarinovMihail

Developer at Würth Phoenix
“Hi guys! I’m Mihail and since my university years I have been fascinated by distributed systems and measurements on them. Now that I have joined the NetEye project I get the possibility to continue with this passion, and this is great. My free time is completely dedicated to my wife and my daughters; I simply love them.”

