Kaseya Community

Security Event log reporting

  • We have the need to report on Successful Security Events such as Event ID 624 (User account created) & 630 (User account deleted). These reports are required by auditors for some of our financial clients. Kaseya has a global blacklist in place that stops all successful security events from being recorded back into the Kaseya server. We cannot modify this blacklist, which I feel is horrible.

    Does anyone have the requirements to report on these events and if so how are you handling the reports?

    Legacy Forum Name: Security Event log reporting,
    Legacy Posted By Username: akoop
  • A global blacklist?? where did that information come from?
    While we've not specifically reported on such success events, we have seen a number of things that we thought were not coming through simply being that they were not turned on.
    Do you have the logging turned on for the security logs (Agent->Event Log Settings)?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: rhayes@expertnetsolutions.com
Yes, all logging is enabled. Kaseya support has informed me that there are two blacklist files: one that they maintain and cannot be edited, and one we have control over. They told me that they felt if all successful security events were allowed to be recorded on the Kaseya server it could be too much for it.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: akoop
Ah... good to know. I thought it might have been direct from Kaseya the way you stated it, but wanted to be sure. I can understand the overflow of success events on the server from their point of view.
    Sounds like a short-term fix would be to run a script on some frequency to gather those events from the log and report back.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: rhayes@expertnetsolutions.com
  • Here is a link to the relevant section of the help regarding the blacklists and flood detection, which protect against heavy loads of events degrading performance - http://help.kaseya.com/WebHelp/en-US/5010000/index.htm?toc.htm?238.htm

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: dwalsh
  • It looks like I may have to use the Log Parser to get the data, has anyone used it to pull data out of the Security Event Logs? If so can you provide an example?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: akoop
  • The log parser is for monitoring of text log files. Could you clarify the issue you are having with the Sec event logs, are you trying to alert on an event which is blacklisted?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: dwalsh
I would just put together a script that gets that information from the log based on the event you are looking for.
    Look at the script repository for examples.
    http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/lgevvb14.mspx?mfr=true will give you a good one on looking for a specific event in a specific log.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: rhayes@expertnetsolutions.com
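As an added illustration of the workaround suggested above (a script that pulls the audit events straight from the Windows Security log and hands the result to whatever collector you use), here is a PowerShell version. This is example code written for this page, not the original poster's script, not Kaseya's, and not the Microsoft Script Center sample linked above. It assumes it runs as an account allowed to read the Security log, that the hypothetical output folder C:\Reports is acceptable, and that the agent procedure or report job picks up the CSV afterwards. Event IDs 624 and 630 are the Windows 2000/XP/2003 IDs for account creation and deletion; on Vista/2008 and later the same events are 4720 and 4726, so both sets are queried.

```powershell
# Added example (not from the original thread): collect successful
# account-creation and account-deletion audit events from the Security log
# and write them to a CSV for the auditors, bypassing the Kaseya blacklist.
# Assumes: run with rights to read the Security log; C:\Reports is a
# hypothetical output location; 624/630 are the pre-Vista IDs, 4720/4726
# the Vista/2008+ equivalents for "user account created/deleted".
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$DaysBack = 7,
    [string]$OutFile = "C:\Reports\AccountChanges_$env:COMPUTERNAME_$(Get-Date -Format yyyyMMdd).csv"
)

# Map each event ID to the action it represents (both ID generations).
$Actions = @{
    624  = 'created'
    4720 = 'created'
    630  = 'deleted'
    4726 = 'deleted'
}
$Since = (Get-Date).AddDays(-$DaysBack)

# Only successful audits are wanted; failed attempts are not part of the
# auditor's requirement here, and filtering by EntryType keeps the query small.
$events = Get-EventLog -LogName Security -ComputerName $ComputerName `
                       -After $Since -EntryType SuccessAudit |
    Where-Object { $Actions.ContainsKey([int]$_.EventID) }

$report = foreach ($e in $events) {
    [PSCustomObject]@{
        Time     = $e.TimeGenerated
        Computer = $e.MachineName
        EventID  = $e.EventID
        Action   = $Actions[[int]$e.EventID]
        # Collapse the multi-line message so one event stays on one CSV row;
        # the message carries the new/target account and the caller account.
        Message  = ($e.Message -replace '\s+', ' ').Trim()
    }
}

$null = New-Item -ItemType Directory -Force -Path (Split-Path $OutFile)

if ($report) {
    $report | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation
} else {
    # Write a record anyway so the auditor can see the check ran and found nothing.
    [PSCustomObject]@{
        Time = Get-Date; Computer = $ComputerName; EventID = ''
        Action = 'none'; Message = "No account creation/deletion events since $Since"
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

Write-Output "Wrote $(@($report).Count) event(s) to $OutFile"
```

Run it on a schedule from the agent (for example daily with -DaysBack 1) so the window between runs is covered with overlap, and collect the CSV with an agent procedure; nothing here depends on the Kaseya event-log collector, so the global blacklist does not apply. Because Get-EventLog reads the live log, keep the Security log large enough that the events are not overwritten between runs.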
  • dwalsh
    The log parser is for monitoring of text log files. Could you clarify the issue you are having with the Sec event logs, are you trying to alert on an event which is blacklisted?

    Kaseya tech support has told me that all successful Security Events are blacklisted in the global blacklist file that they maintain. Unfortunately some of our clients are under regulations that require them to report on such events as user account creations & deletions which are successful events.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: akoop
I find it odd that Kaseya would not allow you to modify the blacklist.

    I think they should allow you to collect whatever you want, albeit with a stern warning about overloading the server.

    Have you made an official request to your sales rep etc?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: XeviouS
XeviouS
    I find it odd that Kaseya would not allow you to modify the blacklist.

    I think they should allow you to collect whatever you want, albeit with a stern warning about overloading the server.

    Have you made an official request to your sales rep etc?


    I thought you could. It's evLogBlkList.xml in the agent's installation directory (not temp directory).

    Michael

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: RCS-Michael