Determining Which Events to Audit

The first step in creating a strategy for auditing the operating system is to determine the type of actions or operations to record. Which operating system events should you audit? The easy answer to this question is all of them. Unfortunately, auditing all operating system events would require enormous system resources and could noticeably degrade system performance. Bear in mind that the more you audit, the more events you generate, and the harder it becomes to spot the critical ones among the routine ones.
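The following PowerShell session shows one way to put this advice into practice by starting from a small, high-signal set of audit subcategories rather than everything. It is an added example, not code from the Resource Kit, and it assumes a Windows release that ships auditpol.exe (Windows Vista / Server 2008 and later; the subcategory names below are the ones those releases use) and an elevated session. The chosen subcategories and the success/failure split are a starting point, not a recommendation from the book:

```powershell
# Added example: apply a focused local audit baseline with auditpol.exe.
# Assumes an elevated PowerShell prompt on Windows Vista / Server 2008 or later.
# Caveat: on a domain-joined machine, an Advanced Audit Policy set by Group
# Policy overrides these local settings, so configure the same subcategories
# in the GPO instead.

$backupFile = Join-Path $env:TEMP "auditpol-before.csv"

# 1. Capture the current policy so the change can be reverted, and show it.
auditpol /backup /file:$backupFile
auditpol /get /category:*

# 2. A deliberately small set of subcategories. Where successes are numerous
#    and low value (e.g. every credential validation), audit failures only.
$baseline = @(
    @{ Sub = "Credential Validation";     Success = "disable"; Failure = "enable"  },
    @{ Sub = "Logon";                     Success = "enable";  Failure = "enable"  },
    @{ Sub = "Special Logon";             Success = "enable";  Failure = "disable" },
    @{ Sub = "User Account Management";   Success = "enable";  Failure = "enable"  },
    @{ Sub = "Security Group Management"; Success = "enable";  Failure = "enable"  },
    @{ Sub = "Audit Policy Change";       Success = "enable";  Failure = "enable"  },
    @{ Sub = "Process Creation";          Success = "enable";  Failure = "disable" }
)

foreach ($entry in $baseline) {
    # Build the argument list explicitly so subcategory names with spaces
    # are passed to auditpol as a single argument.
    $auditArgs = @(
        "/set",
        "/subcategory:$($entry.Sub)",
        "/success:$($entry.Success)",
        "/failure:$($entry.Failure)"
    )
    & auditpol @auditArgs
}

# 3. Verify the result. Watch the Security log's event rate for a few days
#    before enabling further subcategories; grow the policy from evidence,
#    not from the assumption that more is better.
auditpol /get /category:*
Write-Host "To revert: auditpol /restore /file:$backupFile"
```

The backup-then-verify bracket around the change is the part worth keeping even if you choose different subcategories: it makes the policy change reversible and gives you a before/after record you can compare against the resulting event volume.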

If you plan to monitor the audited events manually, or if you do not have a clear understanding of how to read audit logs, it can be extremely difficult to isolate potentially malicious events from harmless ones. You will need ...