
Cisco Security Agent - CSA Logging features

secureboy
Level 1

Please, I need your help.

I have some questions which must be answered ASAP.

Is it possible

Logging - File copy from local drive to removable storage

Logging - File copy from network drive to removable disk

Logging – System parameters change

Logging – Connection to share on computer???

jan.nielsen
Level 7

Logging - File copy from local drive to removable storage

Yes

Logging - File copy from network drive to removable disk

Yes

Logging – System parameters change

Don't know what you are referring to... registry changes?

Logging – Connection to share on computer???

What do you mean, just the actual attempt to connect to the machine, or the accessing of data on the share?

Thank you for the quick reply.

Logging – System parameters change

I am referring to:

  - registry changes

  - changing or replacing important system files

  or any system changes which may lead to instability of the operating system's normal functionality.

Logging – Connection to share on computer???

Sorry, it was incorrect.

Logging – Connection to share folder on agent's computer?

Logging – System parameters change

  - registry changes

Yes

  - changing or replacing important system files

Yes

  or any system changes which may lead to instability of the operating system's normal functionality.

Much harder, since there are a million different ways an o/s could become unstable, but looking at certain system registry keys and system/system32 directories will give you a lot of the information you are looking for.

Logging – Connection to share on computer???

Sorry, it was incorrect.

Logging – Connection to share folder on agent's computer?

Yes, you can log read/write access to a local folder which is shared, and with source @network in your rules, the actual attempt to connect to the share is probably a bit more difficult.

You could monitor connections on port 445 from @network; that would tell you if they're connected to a Windows share, but not *which* Windows share.

Actually, you can monitor... if an event is logged into the Windows event logger, CSA can log that event as well.

We used the event logger to pull specific event log information into our CSA logs, like login and logout and disk errors.

I hope that helps,

-dt
