The System Auditing Conundrum
Windows event logs are crucial to understand because they are still the most reliable source of auditing within the enterprise. These event logs are needed to identify insider threats as well as threats that originate from outside the firewall. Event logs are also an invaluable source for detecting data breaches, increasing system uptime, and debugging application problems. Without the ability to determine what the events mean, security teams are greatly hindered in identifying and responding to attacks. This also limits the ability of administrators to troubleshoot system and network issues.
Below are the underlying flaws of the Windows logs which cause them to be more inconsistent than any other log source.
Understanding the Windows Event Log Flaws
- Redundant Event – Contains the same information as another event that is generated within a different event category (i.e. account management, directory service)
- Duplicate Event – Exact copies of events that are already recorded
- Incomplete Event – Contains partial information but is missing elements that are relevant to deciphering the event
- Missing Detail Event – Valid event which requires correlation with other events to complete the recorded action
- Internal Use Event – An internal event for Microsoft’s use. These events do not contain any data related to user, group, computer, GPO, system or application activity
- Erroneous Event – Event is deemed invalid by Log Fidelity
- Retired Event – Microsoft has retired the event and replaced it with another event ID
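
The taxonomy above can be applied mechanically to three of the flaw classes that need no cross-event correlation: duplicate, incomplete and retired events. The following Python is an added example, not code from the page or from the Log Fidelity product. It runs over a constructed list of event records (dicts shaped loosely like the fields of an EVTX record) and tags each record with the flaws it exhibits; the small retired-ID map (legacy pre-Vista logon IDs 528/529/538/540 and their 4624/4625/4634 successors) and the per-ID required-field table are assumptions chosen for illustration, and a deployment would load maintained tables instead. Redundant and missing-detail events need correlation across categories and are not covered here.

```python
from collections import Counter

# Assumption: illustrative map of retired legacy event IDs -> replacement ID.
# A real pipeline would load a maintained table rather than this sample.
RETIRED_EVENT_IDS = {528: 4624, 540: 4624, 529: 4625, 538: 4634}

# Assumption: fields an event of a given ID must carry to be actionable.
# Without these, the record is an "incomplete event" in the page's taxonomy.
REQUIRED_FIELDS = {
    4624: {"TargetUserName", "LogonType", "IpAddress"},
    4625: {"TargetUserName", "LogonType", "IpAddress"},
}


def event_key(ev):
    """Identity of a record for exact-copy detection: ID, time, host and all data fields."""
    return (
        ev["EventID"],
        ev["TimeCreated"],
        ev["Computer"],
        tuple(sorted(ev.get("Data", {}).items())),
    )


def classify_events(events):
    """Return (flags, kept).

    flags maps the index of each flawed record to a list of flaw labels
    ("duplicate", "incomplete", "retired"); kept holds the records with no flaw,
    in original order, which is what downstream detection logic should consume.
    """
    seen = set()
    flags = {}
    kept = []
    for i, ev in enumerate(events):
        labels = []
        key = event_key(ev)
        if key in seen:
            labels.append("duplicate")      # exact copy of an earlier record
        else:
            seen.add(key)
        if ev["EventID"] in RETIRED_EVENT_IDS:
            labels.append("retired")        # superseded ID still being emitted
        missing = REQUIRED_FIELDS.get(ev["EventID"], set()) - set(ev.get("Data", {}))
        if missing:
            labels.append("incomplete")     # lacks fields needed to interpret it
        if labels:
            flags[i] = labels
        else:
            kept.append(ev)
    return flags, kept


def flaw_counts(events):
    """Count how many records carry each flaw label (one record may carry several)."""
    flags, _ = classify_events(events)
    return dict(Counter(label for labels in flags.values() for label in labels))


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-01-01T10:00:00Z", "Computer": "WS01",
     "Data": {"TargetUserName": "alice", "LogonType": "2", "IpAddress": "10.0.0.5"}},
    # Exact copy of the record above -> duplicate
    {"EventID": 4624, "TimeCreated": "2024-01-01T10:00:00Z", "Computer": "WS01",
     "Data": {"TargetUserName": "alice", "LogonType": "2", "IpAddress": "10.0.0.5"}},
    # Logon record missing LogonType and IpAddress -> incomplete
    {"EventID": 4624, "TimeCreated": "2024-01-01T10:01:00Z", "Computer": "WS02",
     "Data": {"TargetUserName": "bob"}},
    # Legacy logon ID that Microsoft replaced with 4624 -> retired
    {"EventID": 528, "TimeCreated": "2024-01-01T10:02:00Z", "Computer": "SRV03",
     "Data": {"TargetUserName": "carol", "LogonType": "2", "IpAddress": "10.0.0.7"}},
    # Logoff with no required-field rule defined -> kept as-is
    {"EventID": 4634, "TimeCreated": "2024-01-01T10:03:00Z", "Computer": "WS01",
     "Data": {"TargetUserName": "alice"}},
]

if __name__ == "__main__":
    flags, kept = classify_events(SAMPLE_EVENTS)
    for idx, labels in flags.items():
        print(f"record {idx}: EventID {SAMPLE_EVENTS[idx]['EventID']} -> {', '.join(labels)}")
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} records kept; counts: {flaw_counts(SAMPLE_EVENTS)}")
```

Running the block tags record 1 as a duplicate, record 2 as incomplete and record 3 as retired, leaving two clean records. The duplicate key deliberately includes every data field, so two genuinely distinct logons in the same second on the same host are not collapsed; a looser key (ID and time only) would discard real activity, which is the worse failure for a detection pipeline.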
