Event ID: 5 Source: GFIEventsManager

Level
Description
<?xml version="1.0" encoding="utf-16"?>
<CheckResults xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <checkID>1</checkID>
  <setID>0</setID>
  <checkResult>0</checkResult>
  <computer>W2K8DC01</computer>
  <resultDetails>
    <string>System events SUCCESS AUDIT not enabled
Object Access events SUCCESS AUDIT not enabled
Privilege use events SUCCESS AUDIT not enabled
Process tracking events SUCCESS AUDIT not enabled
Directory service access events SUCCESS AUDIT not enabled
</string>
  </resultDetails>
</CheckResults>
Comments
 
These events are recorded by GFI EventsManager on the target machine when a configured audit fails. These audits can be turned off in the Event Sources Groups by right-clicking a computer group or a particular computer, and selecting Properties -> Audit tab. In this particular case you're looking for "Check audit policy". Uncheck it and you're done.
This type of event is recorded by GFI EventsManager log monitoring software and it notifies the administrator that certain audit policies that EventsManager considers important are not enabled on that computer. This event is usually followed by event id 7 and event id 1 also from EventsManager. If the computer monitored is part of a "Real-time" schedule scanning (such as the one configured for domain controllers) then these events will be recorded every 5 seconds.

For example, for the information recorded in the sample event description above, the following information is meaningful (the rest is just XML formatting):

Computer: W2K8DC01
The audit of "Success Audit" events is NOT enabled for the following type of security events:
System, Object Access, Privilege use, Process tracking and Directory service.

In our case, we set the scheduled scanning interval to 59 minutes as we did not want to enable all the "Success Audit" events as these can really fill the logs with events that are not always useful and should be used mostly for troubleshooting when applicable.
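
The following Python parser is an added example, not part of the original comments and not GFI EventsManager code. It extracts the meaningful fields described above (the computer name and the audit categories reported as not enabled) from the event description. The function name `parse_check_results` and the line pattern, including the FAILURE variant, are assumptions inferred from the sample event.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the event description quoted on this page.
SAMPLE = """<?xml version="1.0" encoding="utf-16"?>
<CheckResults xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <checkID>1</checkID>
  <setID>0</setID>
  <checkResult>0</checkResult>
  <computer>W2K8DC01</computer>
  <resultDetails>
    <string>System events SUCCESS AUDIT not enabled
Object Access events SUCCESS AUDIT not enabled
Privilege use events SUCCESS AUDIT not enabled
Process tracking events SUCCESS AUDIT not enabled
Directory service access events SUCCESS AUDIT not enabled
</string>
  </resultDetails>
</CheckResults>"""

# Assumption: line wording inferred from the sample; FAILURE is a guess.
LINE_RE = re.compile(r"^(.+?) events (SUCCESS|FAILURE) AUDIT not enabled$")

def parse_check_results(description):
    """Return (computer, [(category, audit_type)], unparsed_lines)."""
    # Event text is not trusted input: refuse DTDs (entity expansion).
    if "<!DOCTYPE" in description:
        raise ValueError("DOCTYPE not allowed in event description")
    # Text is already decoded, so the utf-16 declaration is dropped.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", description)
    root = ET.fromstring(body)
    if root.tag != "CheckResults":
        raise ValueError("not a CheckResults document")
    computer = (root.findtext("computer") or "").strip()
    gaps, unparsed = [], []
    for node in root.iterfind("./resultDetails/string"):
        for line in (node.text or "").splitlines():
            line = line.strip()
            match = LINE_RE.match(line)
            if match:
                gaps.append((match.group(1), match.group(2)))
            elif line:
                unparsed.append(line)  # keep wording we do not recognise
    return computer, gaps, unparsed

if __name__ == "__main__":
    host, gaps, other = parse_check_results(SAMPLE)
    for category, audit in gaps:
        print(f"{host}: {audit} AUDIT disabled for {category}")
```

Lines that do not match the assumed wording are returned in the third element rather than dropped, so a change in the message format shows up instead of silently hiding an audit gap.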
