Hello,
I've been asked to audit access to the Windows Event logs themselves... this might be more of a Windows Server question, but it is still Splunk relevant.
To access Windows Events, I have identified that a user has several options:
1. Use Event Viewer
2. Use the PowerShell cmdlet ***Get-EventLog***
3. Open the files in ***%SystemRoot%\System32\winevt\Logs*** directly with some tool (like Event Viewer)
So, I would think all of these use cases trigger a read from the file system, and I set up file system auditing for the whole ***%SystemRoot%\System32\winevt\Logs*** folder in Windows Server group policy for the Everyone group. I managed to capture events from the 3rd use case using Explorer, Event Viewer (double-clicking the file from Explorer), and from a CMD console using the ***type*** command. But for use cases 1 (Event Viewer, clicking on any of the Windows Logs) and 2, I don't get any events in the Security log.
Am I missing something? From where is Event Viewer reading the logs if it's not from the files in ***%SystemRoot%\System32\winevt\Logs***?
Thanks,
Igor
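As an added reproduction (example code, not part of the original post), the PowerShell below sets an explicit audit SACL on the Logs folder instead of the group-policy route described above, exercises the access paths from the post, and then lists the resulting Security 4663 events that name files under that folder. It assumes an elevated session on the audited server and uses the Application log; the variable names (`$logDir`, `$evtx`, `$start`) are the example's own.

```powershell
# Added example, not code from the original post. Run elevated on the audited server.
# Sets an audit SACL on the Event Log store, exercises the access paths from the
# post, then lists Security 4663 events that name files under that folder.

$logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$evtx   = Join-Path $logDir 'Application.evtx'

# 1. The "File System" audit subcategory must be enabled or SACLs generate nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Audit Everyone for ReadData on the folder and everything below it.
$acl  = Get-Acl -Path $logDir -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $logDir -AclObject $acl

# 3. Exercise the access paths from the post (use case 1, Event Viewer, is done by hand).
$start = Get-Date
Get-EventLog -LogName Application -Newest 1 | Out-Null               # use case 2: Get-EventLog cmdlet
Get-WinEvent -Path $evtx -MaxEvents 1 | Out-Null                     # use case 3: open the .evtx by path
$fs  = [System.IO.File]::Open($evtx, 'Open', 'Read', 'ReadWrite')    # use case 3: raw read, like "type"
$buf = New-Object byte[] 8
$null = $fs.Read($buf, 0, 8)
$fs.Dispose()
Start-Sleep -Seconds 2

# 4. Pull 4663 (object access) events since $start and keep those under $logDir.
#    The Process column tells you which process actually touched the file.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Process = $d.ProcessName
            Object  = $d.ObjectName
            Access  = $d.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$logDir*" } |
    Format-Table -AutoSize
```

The Process column is the useful part when comparing the three use cases: it shows whether the file handle was opened by the calling tool (powershell.exe, cmd.exe, explorer.exe) or by the Event Log service's svchost.exe, which is the distinction the question turns on. The SACL added in step 2 stays in place after the test, so remove it (or use the Global Object Access Auditing policy under Advanced Audit Policy Configuration, which is the group-policy equivalent of this SACL) once the audit is finished.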