06. 12. 2013 MarinovMihail NetEye

Windows process tracking with Safed

The Safed agent for Windows collects events from the Windows event log, filters them and forwards the matching records to a centralized syslog server. It ships with a preconfigured set of objectives covering the basic activities that typically have to be tracked.

The first, and probably the best known because of legal compliance requirements, is the tracking of logon and logoff on the system. The second, which deserves to be pointed out here, is the tracking of process start and stop on Windows.

Setting up a rule that collects and filters events for all processes of interest is straightforward. From the left-hand menu select “EventLog Objectives Configuration”, add a new rule, select the “Start or stop a process” option and fill the “General Search Term” field with the regular expression that best matches the processes you want to track (Img. 1). Safed takes care of the rest: enabling the audit setting, collecting the events, filtering them and forwarding them to the server. Since process creation auditing produces a large volume of events on a busy system, keep the search term as specific as your objective allows.

Img. 1

On the server side all collected records (Img. 2) can be further filtered and correlated to extract useful information about software use on Windows systems, for example how many instances of a licensed application are running concurrently, and to detect the execution of undesired or prohibited processes.
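As an added example, not part of the original post and not code from Safed or NetEye, the following Python script sketches the server-side correlation just described: it parses forwarded process start/stop records, computes the peak number of concurrently running instances of an application selected by an image-name regex (the same idea as the “General Search Term” on the agent), and lists executions whose image path matches a prohibited-process regex. The tab-separated record layout, the field names, the sample records and the prohibited-pattern list are all assumptions constructed for the example; only the message fragments follow the text of Windows Security events 4688 and 4689.

```python
import re
from datetime import datetime

# Layout of one forwarded record. This is an ASSUMED tab-separated, Snare-style
# "MSWinEventLog" layout used only for this example; check the real field order
# produced by your Safed version before relying on it.
RECORD_FIELDS = (
    "host", "tag", "criticality", "log", "counter", "timestamp", "event_id",
    "source", "user", "sid_type", "type", "computer", "category", "message",
)

# Windows Security log IDs for process start/stop (Vista and later).
# The legacy IDs 592/593 use a different message text and are not parsed here.
START_ID, STOP_ID = 4688, 4689

# Fragments of the message text written by event 4688 and 4689 respectively.
START_RE = re.compile(r"New Process ID:\s*(0x[0-9a-f]+).*?New Process Name:\s*(.+?)\s*$", re.I)
STOP_RE = re.compile(r"Process ID:\s*(0x[0-9a-f]+).*?Process Name:\s*(.+?)\s*$", re.I)


def parse_record(line):
    """Split one forwarded line into a dict keyed by RECORD_FIELDS (message last)."""
    parts = line.rstrip("\r\n").split("\t", len(RECORD_FIELDS) - 1)
    if len(parts) != len(RECORD_FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    rec = dict(zip(RECORD_FIELDS, parts))
    rec["event_id"] = int(rec["event_id"])
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rec


def process_events(lines):
    """Normalize forwarded records into start/stop events; other events are skipped."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec["event_id"] == START_ID:
            action, m = "start", START_RE.search(rec["message"])
        elif rec["event_id"] == STOP_ID:
            action, m = "stop", STOP_RE.search(rec["message"])
        else:
            continue
        if m is None:
            continue  # unexpected message text: do not guess a process name
        events.append({"timestamp": rec["timestamp"], "host": rec["host"],
                       "user": rec["user"], "action": action,
                       "pid": m.group(1).lower(), "image": m.group(2)})
    return events


def peak_concurrency(events, image_pattern):
    """Highest number of simultaneously running instances of images matching the regex."""
    pat = re.compile(image_pattern, re.I)
    running, peak = set(), 0
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not pat.search(ev["image"]):
            continue
        key = (ev["host"], ev["pid"])  # a PID is only unique within one host
        if ev["action"] == "start":
            running.add(key)
            peak = max(peak, len(running))
        else:
            running.discard(key)
    return peak


def prohibited_runs(events, patterns):
    """Start events whose image path matches any of the prohibited regexes."""
    pats = [re.compile(p, re.I) for p in patterns]
    return [ev for ev in events
            if ev["action"] == "start" and any(p.search(ev["image"]) for p in pats)]


def _rec(host, counter, ts, event_id, user, message):
    """Build one CONSTRUCTED record in the assumed layout above (sample data only)."""
    category = "Process Creation" if event_id == START_ID else "Process Termination"
    return "\t".join([host, "MSWinEventLog", "1", "Security", str(counter), ts,
                      str(event_id), "Microsoft-Windows-Security-Auditing", user,
                      "N/A", "Success Audit", host, category, message])


CAD = r"C:\Program Files\Vendor\cad.exe"                 # hypothetical licensed application
TOR = r"C:\Users\bob\AppData\Local\Temp\tor.exe"         # hypothetical prohibited binary
SAMPLE_RECORDS = [  # constructed sample input, not captured data
    _rec("ws01", 101, "2013-12-06 09:00:01", START_ID, "CORP\\alice",
         "A new process has been created. New Process ID: 0x1a4 New Process Name: " + CAD),
    _rec("ws02", 207, "2013-12-06 09:02:15", START_ID, "CORP\\bob",
         "A new process has been created. New Process ID: 0x2b0 New Process Name: " + CAD),
    _rec("ws03", 318, "2013-12-06 09:05:40", START_ID, "CORP\\carol",
         "A new process has been created. New Process ID: 0x33c New Process Name: " + CAD),
    _rec("ws01", 102, "2013-12-06 09:30:12", STOP_ID, "CORP\\alice",
         "A process has exited. Process ID: 0x1a4 Process Name: " + CAD),
    _rec("ws02", 208, "2013-12-06 09:31:00", START_ID, "CORP\\bob",
         "A new process has been created. New Process ID: 0x400 New Process Name: " + TOR),
    _rec("ws03", 319, "2013-12-06 10:00:00", STOP_ID, "CORP\\carol",
         "A process has exited. Process ID: 0x33c Process Name: " + CAD),
]
PROHIBITED = [r"\\Temp\\[^\\]+\.exe$", r"\\tor\.exe$"]  # assumed site policy

if __name__ == "__main__":
    evs = process_events(SAMPLE_RECORDS)
    print("peak concurrent cad.exe instances:", peak_concurrency(evs, r"\\cad\.exe$"))
    for ev in prohibited_runs(evs, PROHIBITED):
        print("prohibited:", ev["timestamp"], ev["host"], ev["user"], ev["image"])
```

Running instances are keyed by (host, PID) because a PID is reused across hosts and over time; a stop record that never arrives (host rebooted, agent offline) leaves an entry in the running set, so on a real feed the set should also be expired after a reasonable lifetime.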

Img. 2

MarinovMihail

Developer at Würth Phoenix
“Hi guys! I’m Mihail and since my university years I have been fascinated by distributed systems and measurements on them. Now that I have joined the NetEye project I get the possibility to continue with this passion, and this is great. My free time is completely dedicated to my wife and my daughters, I simply love them.”
