This week's NIST TechTidbit is: Maintenance, Monitoring and Analysis of Audit Logs / DETECT: Activate Audit Logging
This is a simple and a complex topic all at once. I have been advocating for a good two years that all of you should have an auditing server. Honestly, that really is now two audit servers: one for the Windows environment and one for your firewall environment.
Microsoft Windows has a basic auditing GPO setting and an enhanced (advanced audit policy) setting. I generally turn the enhanced setting on to get meaningful details. Reading a raw Microsoft audit log is quite painful if you are looking for anything of substance. There is a lot of good information there, but it is hard to manipulate manually. The solution is to install an auditing server. These servers are fairly easy to add to your network. They do a great job of taking that fire hose of a data stream and distilling it down to meaningful and actionable information. All of you should plan to add a Windows audit server to your network in the 21/22 school year to meet this requirement. You really need this.
For the non-Windows devices that need logging, such as firewalls, all roads generally lead to some sort of SYSLOG server. We point the monitored devices at the syslog server and it simply consumes the logs. SYSLOG data streams tend to be huge. All of you should plan to add a SYSLOG server in the 21/22 school year to meet this requirement. Again, you really need this.
Setting up those servers is the simple part. On the Windows side, an auditing server's reports will make the Windows logs understandable. On the Syslog side, having captured a log and knowing what to do with it are two different things. Forensically, having the log allows a backwards look if something bad happens.
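To make the "knowing what to do with it" point concrete, here is an added example (not part of this newsletter, and not CSI's tooling) of the kind of distillation a syslog consumer does: it parses RFC 3164-style syslog lines of the shape most firewalls emit, counts denied connections per source address, and flags sources that cross a threshold. The log lines are constructed for illustration, and the key=value message format after the tag is an assumption; real firewalls vary, so the message parser is the part you would adapt.

```python
"""Distil a raw syslog feed into actionable findings.

Added example, not from the original newsletter. Parses RFC 3164-style
lines (<PRI>Mon DD HH:MM:SS host tag: message), extracts key=value
fields from the message (an assumed firewall format), and aggregates
denied connections per source so repeated probing stands out.
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog stream (not captured from a real device).
SAMPLE_SYSLOG = """\
<134>Mar 14 09:12:01 fw01 kernel: action=deny src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
<134>Mar 14 09:12:02 fw01 kernel: action=deny src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
<134>Mar 14 09:12:03 fw01 kernel: action=deny src=203.0.113.7 dst=198.51.100.11 dport=22 proto=tcp
<134>Mar 14 09:12:04 fw01 kernel: action=deny src=203.0.113.7 dst=198.51.100.12 dport=3389 proto=tcp
<134>Mar 14 09:12:05 fw01 kernel: action=allow src=192.0.2.25 dst=198.51.100.10 dport=443 proto=tcp
<134>Mar 14 09:12:06 fw01 kernel: action=deny src=192.0.2.25 dst=198.51.100.10 dport=445 proto=tcp
<13>Mar 14 09:12:07 fw01 sshd: Failed password for admin from 203.0.113.7 port 51234 ssh2
this line is not syslog at all
"""

# <PRI>Mon DD HH:MM:SS host tag: message  (RFC 3164 shape)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): ?"
    r"(?P<msg>.*)$"
)
# key=value pairs inside the message body (assumed firewall format)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    # PRI encodes facility*8 + severity per RFC 3164
    rec["facility"], rec["severity"] = pri // 8, pri % 8
    rec["fields"] = dict(KV_RE.findall(rec["msg"]))
    return rec


def summarise(text, deny_threshold=3):
    """Reduce raw lines to per-source deny counts and a list worth a look.

    Lines that do not parse are counted rather than silently dropped, so
    a broken feed (wrong format, truncated lines) is visible in the report.
    """
    denies = Counter()
    ports_by_src = defaultdict(set)
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        fields = rec["fields"]
        if fields.get("action") == "deny" and "src" in fields:
            denies[fields["src"]] += 1
            ports_by_src[fields["src"]].add(fields.get("dport", "?"))
    flagged = sorted(src for src, n in denies.items() if n >= deny_threshold)
    return {
        "denies": dict(denies),
        "ports_by_src": {s: sorted(p) for s, p in ports_by_src.items()},
        "flagged": flagged,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_SYSLOG)
    for src in report["flagged"]:
        print(f"{src}: {report['denies'][src]} denies on ports "
              f"{report['ports_by_src'][src]}")
    print(f"unparsed lines: {report['unparsed']}")
```

Run as-is it reports the one source that was denied repeatedly across several ports, and notes the one line it could not parse. The threshold and the key names (`action`, `src`, `dport`) are the knobs you would set to match your own firewall's message format.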
However, we like to be more proactive. CSI has a "Done for you Managed Firewall service" to set up and manage the firewall side. There are specific requirements as to which firewalls we can offer this service on. We can also install and configure a Windows audit server to report on the Windows side of the network.
If you are interested in discussing how to move forward on this NIST requirement and get audit logging running on your network, please give us a call to talk further.