NOTE: I am running Windows XP Professional with "Simple File Sharing" disabled.
Here is the issue I encountered with Retina when attempting to fix the following:
"Windows Microsoft Windows Security Event Preservation - Application"
Description: Informational check to ensure that security events are properly preserved.
How To Fix: Ensure that event logs are properly preserved for 14 days.
Risk 3
Below is the ticket I submitted:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Communication History
On 11/21/2007 10:33:05 PM you wrote:
After scanning my Windows XP Professional machine I receive the following Retina Scan result:
---------------------------------------------
"Windows Microsoft Windows Security Event Preservation - Application"
Description: Informational check to ensure that security events are properly preserved.
How To Fix: Ensure that event logs are properly preserved for 14 days.
Risk 3
---------------------------------------------
If I go into Administrative Tools >>> Event Viewer, then select the "Application" log and try to set it to save alerts for 14 days, I correct the Retina Scan result I have listed above; however, I receive a new one in its place, which is this:
---------------------------------------------
"Miscellaneous Windows Application Events Logs Overwritten"
Description: Retina has detected that the system allows Application Event logs to be overwritten when the logs are full.
How To Fix: To not allow the system to overwrite log files, please follow these steps:
1. Go to Administrative Tools, then select Event Viewer.
2. From Event Viewer, right click on Application Log and select Properties.
3. Within the Application Log Properties box, select Do Not Overwrite Events.
Links Microsoft TechNet: Event Log security tips
Risk 3
---------------------------------------------
I can fix this alert by doing what it says, but then I get the first one, as I pointed out. Is there a conflict here, or is there another location I am unaware of to set how long my computer retains log files?
I have attached my Retina Scan results from: C:\Program Files\eEye Digital Security\Blink\Scanner\Logs
NOTE:
The log named "2280_Retina Scanner.Log" contains the first alert; the log named "3148_Retina Scanner.Log" is from after I attempted to fix it and received the second alert posted above.
On 11/26/2007 4:57:40 PM eEye Digital Security wrote:
Hello Jeffrey,
I am looking into these audits. I will get back to you shortly.
Thank you, regards,
Alex.
On 11/27/2007 12:12:25 AM eEye Digital Security wrote:
Hello Jeffrey,
The audits "Windows Microsoft Windows Security Event Preservation - Application, Security, System" are not enabled by default, but "Windows Application Events Logs Overwritten" is enabled by default. We recommend you set your settings so that logs cannot be overwritten.
Thank you, regards,
Alex.
On 11/27/2007 11:45:16 AM you wrote:
Yes, I have changed that to allow the log files to be 2048 in size and to have to be manually deleted. However, when I change it to allow that, I get this alert in Retina instead:
"Windows Microsoft Windows Security Event Preservation - Application"
Description: Informational check to ensure that security events are properly preserved.
How To Fix: Ensure that event logs are properly preserved for 14 days.
Risk 3
---------------------------------------
If I attempt to fix this one, I get the alert I got before: "Miscellaneous Windows Application Events Logs Overwritten"
This is why to me these are conflicting. Is there a way to fix both?
Jeffrey
On 11/27/2007 9:05:33 PM eEye Digital Security wrote:
Hello Jeffrey,
These two audits conflict with each other. You cannot meet both requirements. This is why we do not have them both enabled by default. We suggest you set it so that logs cannot be overwritten.
If you do not want your scans to continue to flag the "...preserve logs for 14 days..." audit, please uncheck this audit from the audit group.
Thank you, regards,
Alex.
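An added example, not from the ticket or from eEye: the radio buttons in the Event Viewer log Properties dialog ("Overwrite events as needed", "Overwrite events older than N days", "Do not overwrite events") all write one registry value, Retention, under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>, with the log size in MaxSize. The function below reads that value for each classic log and reports which of the two audits from the thread would still fire; the audit mapping is taken from the behaviour the ticket describes, not from Retina's own check logic, and the function name is my own.

```powershell
# Reads the retention policy Event Viewer stores for a classic event log
# (Application, Security, System) straight from the registry.
function Get-EventLogRetentionPolicy {
    param([string]$LogName = 'Application')

    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
    $props = Get-ItemProperty -Path $key        # fails loudly if the log key is missing

    # Retention is a REG_DWORD; PowerShell hands it back as a signed Int32, so
    # 0xFFFFFFFF ("Do not overwrite events") arrives as -1. Normalise it first.
    $retention = [int64]$props.Retention
    if ($retention -lt 0) { $retention += 4294967296 }

    switch ($retention) {
        0          { $mode = 'OverwriteAsNeeded';  $days = 0 }                 # overwrite as needed
        4294967295 { $mode = 'DoNotOverwrite';     $days = $null }             # clear log manually
        default    { $mode = 'OverwriteOlderThan'; $days = [math]::Round($retention / 86400, 1) }
    }

    # Which of the two audits from the thread would still fire for this setting.
    # Mapping inferred from the ticket: a 14-day window satisfies "Preservation"
    # but trips "Overwritten"; "Do not overwrite" does the reverse.
    $flaggedBy = @()
    if ($mode -ne 'OverwriteOlderThan' -or $days -lt 14) {
        $flaggedBy += 'Security Event Preservation (14 days)'
    }
    if ($mode -ne 'DoNotOverwrite') {
        $flaggedBy += 'Event Logs Overwritten'
    }

    New-Object PSObject -Property @{
        Log        = $LogName
        MaxSizeKB  = [int64]$props.MaxSize / 1KB
        Mode       = $mode
        RetainDays = $days
        FlaggedBy  = $flaggedBy
    }
}

# Report all three classic logs; every row will list at least one audit,
# which is the conflict eEye describes above.
'Application', 'Security', 'System' |
    ForEach-Object { Get-EventLogRetentionPolicy -LogName $_ } |
    Format-Table Log, MaxSizeKB, Mode, RetainDays, FlaggedBy -AutoSize
```

Run it from an elevated prompt; the Security log key is readable only by administrators on most systems.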