Before I tackle this issue, it’s important to first state that this isn’t going to be another “event viewer sucks” bashing blog. That kind of article is one-sided and unhelpful in the face of an IT Pro like you trying to find real answers.
But it is a fair question, and it needs to be addressed by looking at native auditing from a few angles. The question isn’t just about the tool used, or the viability of the audit data, or how quickly you can find an answer. It’s really about putting all three issues together in the face of an audit and seeing whether you have what you need, whether you can find what you need, and whether you can find it in a reasonable time frame.
Do you have what you need?
The value of native auditing is really based on the data generated by the services, applications, and systems you utilize. Generally speaking, you probably either have too much or too little detail, making the value of your auditing data questionable at best. It really depends on the application or service in question. Some can be overly verbose, like simple file system access. Others, like SQL Server, can be rather uncommunicative when it comes to generating an audit trail of access and changes.
Therefore, it’s important that you do your homework on the systems you plan on auditing now, well before it is actually time to audit what you have. A simple review of what data each system provides, matched against your known auditing requirements and any specifics those requirements call for, would be prudent.
But even if you’re using a system that provides ample data, you still need to know whether you have the ability to utilize that data to find the answers auditors are asking for.
Can you find what you need?
Sometimes, any kind of auditing seems a bit like the old “needle in a haystack” analogy. But in more recent years, in the era of big data, you’re probably feeling more like you want the mounds of data you have to provide better, more concise information that helps to answer the audit questions being posed to IT.
Native tools can definitely find the answers in audit log data – that is, if you know what you’re looking for. Since most of you are in the “can we stop with all the log data, please?” category, part of the challenge may not be so much whether the answer is in there, but whether it’s in there in an intelligent format. Oftentimes applications will log even the most minute action, so a single task made up of several actions takes up as many log entries. The result? You’ll never find that one task as a single entry; instead you need to logically conclude that the task occurred, rather than seeing it in front of your face.
With all this extra work being placed on you, the question becomes how long will it take?
What’s a reasonable time frame?
Whoever it is that comes asking for details from the audit logs (like from Active Directory change audit logs) isn’t going to wait forever. While there’s no magic “it should take this long” answer, it’s evident that you can’t take days or weeks to find the answer. While native auditing will likely have the answer, you’re going to need to proactively figure out a way to speed up the process in order to retrieve that answer in a timely manner.
Given the logs sometimes require you to do the detective work and deduce the audit answers, you know it’s going to take longer than a simple text-based search. Instead, when using native auditing, you should think about working to know ahead of time what kinds of questions will be asked, so you can simply focus on pulling the answers when the time comes. This may include doing research on specific event IDs, saved filters, etc. – all in an effort to build up your arsenal of auditing definitions and searches to keep retrieval time to a minimum.
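One way to prepare that kind of saved search ahead of time, as an added example rather than code from the original post: the script below pulls the Windows Security-log account-management events for a recent period and collapses the several entries one “create a user” task leaves behind into a single line per task. It assumes account-management auditing is enabled on the host, and the five-minute correlation window is an assumption about how close together the steps of one task fall.

```powershell
# Added example (not from the original post). Event IDs are the Windows built-ins:
# 4720 account created, 4722 account enabled, 4724 password reset attempt.
param(
    [int]$Days = 7,
    [int]$WindowMinutes = 5   # assumption: actions this close together are one task
)

# Saved-filter equivalent: only the IDs we care about, only the recent period.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4722, 4724
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# Read a named EventData field out of one entry's XML body.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Flatten each entry to the four fields the correlation needs.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Actor   = Get-EventField $e 'SubjectUserName'   # who performed the action
        Account = Get-EventField $e 'TargetUserName'    # the account acted upon
    }
}

# A 4720 starts a task; later entries for the same account inside the window belong to it.
$rows | Where-Object Id -eq 4720 | ForEach-Object {
    $start = $_
    $related = @($rows | Where-Object {
        $_.Account -eq $start.Account -and $_.Id -ne 4720 -and
        $_.Time -ge $start.Time -and
        $_.Time -le $start.Time.AddMinutes($WindowMinutes)
    })
    [pscustomobject]@{
        When    = $start.Time
        Actor   = $start.Actor
        Account = $start.Account
        Steps   = ($related.Id | Sort-Object -Unique) -join ','  # follow-on event IDs seen
        Entries = 1 + $related.Count                             # raw log lines this task used
    }
} | Sort-Object When | Format-Table -AutoSize
```

Run it from an elevated prompt on the domain controller or host whose Security log you are auditing; the Entries column shows how many raw log lines each single task consumed, which is the deduction work the text describes.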
Answering the question
As you can see, the question around native auditing’s viability really isn’t so much about application bells and whistles, but about whether you have the information needed and can find it quickly. By taking a proactive stance and determining whether you can perform the task of auditing adequately well before it’s ever needed, you’ll have your answer to whether native auditing is really enough.