
Archiving Windows AD Audit Data with ADAudit Plus

Archiving is the process of storing large volumes of event data in an organized and reproducible manner. ADAudit Plus helps administrators archive Windows Active Directory audit data effectively. It provides a comprehensive solution to audit data archival requirements and has an edge over native and other methods of Active Directory audit data archiving. In addition, you can view reports on the data archived through ADAudit Plus.

But why is archiving of Windows event log changes so important and where do other methods fall short in achieving it effectively?

The Importance of Archiving:

Archived data is very important for organizations to achieve one or more goals.

  1. Meet compliance and regulatory requirements like SOX, HIPAA, PCI, etc.
  2. Identify and retrieve event data of a security breach, if any.
  3. Make informed decisions by comparing archived and present data with reports.

Limitations of Native Archiving:

  • The limited size of the security log prevents it from holding large volumes of data. This limitation forces
    1. Older event data to be overwritten when the threshold limit is reached, or
    2. Fresh event data to be dropped if the older logs were not cleared manually. This is the case when the "Do not overwrite" option is enabled.
  • Speed of operation and management declines with every increase in native event log size.
  • Logs are dispersed across servers, domain controllers and local machines in the domain. A method is needed to consolidate the scattered data to a single point for querying and analysis.
  • There is no replication of event log data between domain controllers. Manually verifying multiple systems is a pain.
  • The format in which native archiving methods store event log data impedes complete recreation of an event over a period of time.
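
To see how the first limitation applies to a given host, the following added example (not part of ADAudit Plus or of the original page) reports the Security log's size limit, how full it is, its retention mode, and the timestamp of the oldest event still present. The function name `Get-SecurityLogExposure`, the 90 percent warning threshold and the default host list are assumptions for illustration; reading the Security log requires administrative rights.

```powershell
# Added example: report how exposed each host's native Security log is to data loss.
# Get-SecurityLogExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-SecurityLogExposure {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),  # placeholder: list your DCs and servers
        [int]$WarnPercent = 90                           # assumed warning threshold
    )

    foreach ($computer in $ComputerName) {
        try {
            # Log configuration: size limit, current file size, retention mode
            $log = Get-WinEvent -ListLog Security -ComputerName $computer -ErrorAction Stop

            # Oldest surviving record shows how far back native data really goes
            $oldest = Get-WinEvent -LogName Security -ComputerName $computer `
                          -Oldest -MaxEvents 1 -ErrorAction Stop

            $percentFull = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

            # Map the retention mode to what happens when the log fills up
            $whenFull = switch ($log.LogMode) {
                'Circular'   { 'Oldest events are overwritten' }
                'Retain'     { 'New events are dropped until the log is cleared' }  # "Do not overwrite"
                'AutoBackup' { 'Log is saved to a file on the host and restarted' }
            }

            [pscustomobject]@{
                Computer    = $computer
                MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
                PercentFull = $percentFull
                LogMode     = $log.LogMode
                WhenFull    = $whenFull
                OldestEvent = $oldest.TimeCreated
                DaysCovered = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)
                Warning     = ($percentFull -ge $WarnPercent)
            }
        }
        catch {
            # Unreachable host or insufficient rights: report it instead of skipping silently
            [pscustomobject]@{ Computer = $computer; Error = $_.Exception.Message }
        }
    }
}

Get-SecurityLogExposure | Format-List
```

A small `DaysCovered` value on a busy domain controller means the native log alone cannot answer questions about events older than that window.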

The ADAudit Plus Advantage:

Overcomes consolidation and replication challenges of the native event log:

ADAudit Plus is designed to overcome the native event log collection and archiving limitations highlighted above. It does this by automating the collection of audit data from various systems and storing it in a single in-built database. Since the data from the various systems is collected at a single point, the consolidation and replication challenges are easily met.

Allows for organized archiving by categorization:

When log change data is transferred to archives, ADAudit Plus applies sufficient intelligence to store it in an organized way and retrieve it later. ADAudit Plus places User management, Group management, Computer management, OU management, GPO management and Logon into unique categories. It allows a user to define category-based data holding periods (the data holding period of the ADAudit Plus database). Event data is automatically archived to a user-defined "Archive Folder" once this scheduled time is reached. The archived data is then compressed and stored for ready retrieval.

Reporting on archived data in quick time:

The organized storage of data in the ADAudit Plus archive folder facilitates event recreation to track any date in the past. The data archived through ADAudit Plus is stored in a user-defined location and can be reproduced at convenience with a well-defined, time-based retrieval / reload process. Reports on archived data for any custom period can then be viewed from the reloaded archived data in the web browser. More on reporting from archived data and real-time audit reporting.
