Unable to get auditing of network traffic turned on, on Windows Server 2008 RRS feed

  • Question

  • I use a SIEM tool to manage various security events on various systems. However, as a part of the concept of "separation of duties", I do not do any sysadmin work. I only perform security functions.

    I need for our Windows Server 2008 systems (DC's and member servers) to audit all inbound and outbound network traffic. Based on a TechNet article, it appears that one of the things necessary to get this auto take place is to enable the "Audit Filtering Platform Connection" audit setting.

    I've requested our Windows sysadmin to do this and, according to him, he has done it via Group Policy. But when I check the Windows Event Logs (System, Application, Security, WFP/Operational, WFP/Microsoft-Windows-IKE/Operational, or Windows Firewall with Advanced Security, nothing is showing up in the way of audit events for network traffic (events in the 5000's).

    So, I'm wondering if there is more to it than just enabling that one audit setting. Can someone please provide the step-by-step procedure for getting Windows Server 2008 to audit all network traffic (both inbound and outbound connection attempts, both successful and unsuccessful (I'm interested in the events that are in the 5000's not the ones that are in the 2000's).

    Wednesday, November 17, 2010 6:09 PM