03. 12. 2015 MarinovMihail Log Auditing, NetEye, Syslog

Trace Windows Administrators Login Activities with Safed

Sometimes it is required to trace login/logoff activities of the administrator in order to be compliant with legal guidelines or simply for security reasons (see also our article “What to do with all those logs“). The Safed agent for Windows can be easily configured to collect administrator’s login/logoff. The agent is deployed with some administrator discovery commands, which it can execute in order to obtain the list of the admin of the domain and then to create a filtering objective. All events that concern with administrator’s login/logoff will be captured, formatted and then sent to the log server.

This simple solution may have its drawbacks. For example when Safed monitors a domain controller with Kerberos login/logoff authentications, the number of the captured events can become really high, creating fast growing log files  on Safed, as well as on the collector server sides.  Here some tuning has to be done. First of all, you have to set the administrator’s filter as the last evaluated one (see picture below). Then you can define some filtering objectives with the “Exclude General Search Type” enabled.

Safed Agent System Administrator Logging Configuration

Fill the regexp enabled General Search Term field with what you need to be excluded from elaboration and forwarding (see picture below). So only what really is desired from the Administrator’s login/logoff will be processed by the last filter and forwarded to the log server.

Safed Agent Filtering Objective Configuration

MarinovMihail

MarinovMihail

Developer at Würth Phoenix
“Hi guys! I’m Mihail and since the university years I has been fascinated by distributed systems and measurements on them. Now when I join the Neteye project I get the possibility to continue with this passion and this is great. My free time is completely dedicated to my wife and my daughters, I simply love them.”

Author

MarinovMihail

“Hi guys! I’m Mihail and since the university years I has been fascinated by distributed systems and measurements on them. Now when I join the Neteye project I get the possibility to continue with this passion and this is great. My free time is completely dedicated to my wife and my daughters, I simply love them.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Archive