Audit data must be validated to confirm that it contains:<br /><br />User IDs<br />Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.)<br />Date and time of the event<br />Type of event<br />Success or failure of event<br />Successful and unsuccessful logons<br />Denial of access resulting from excessive number of logon attempts<br />Failure to contain this information may hamper attempts to trace events and may prevent proper tracking of incidents during a forensic investigation.<br />
Have the System Administrator validate that the audit records contain valid information to allow for proper incident tracking. Use the View Console Events task to display the contents of the security logs.<br /><br />Use the View Console Events task to view the security logs and validate that they contain the following information:<br /><br />User IDs<br />Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.)<br />Date and time of the event<br />Type of event<br />Success or failure of event<br />Successful and unsuccessful logons<br />Denial of access resulting from excessive number of logon attempts<br />
Have the System Administrator check the content of audit records.<br /><br />Use the View Console Events task to view the security logs and validate that they contain the following information:<br /><br />User IDs<br />Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.)<br />Date and time of the event<br />Type of event<br />Success or failure of event<br />Successful and unsuccessful logons<br />Denial of access resulting from excessive number of logon attempts<br />
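The check above can be scripted against an exported copy of the security log. The following is an added example, not part of the original guidance or of any vendor tooling: it assumes a CSV export, and the column names, event-type labels and sample rows are constructed for illustration, not the console's actual format.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; columns and labels are assumptions.
SAMPLE = """timestamp,user_id,event_type,outcome,detail
2024-03-01T08:00:12,admin1,LOGON,SUCCESS,
2024-03-01T08:02:40,jdoe,LOGON,FAILURE,bad password
2024-03-01T08:03:05,jdoe,LOCKOUT,FAILURE,excessive logon attempts
2024-03-01T08:10:00,admin1,SECURITY_FILE_ACCESS,SUCCESS,audit records
2024-03-01T08:11:30,opuser,SECURITY_FILE_ACCESS,FAILURE,password file
"""

# Per-record content: user ID, date/time, type of event, success or failure.
REQUIRED_FIELDS = ("timestamp", "user_id", "event_type", "outcome")
# Event kinds the log as a whole must be able to show.
REQUIRED_EVENTS = {
    ("LOGON", "SUCCESS"), ("LOGON", "FAILURE"),
    ("SECURITY_FILE_ACCESS", "SUCCESS"), ("SECURITY_FILE_ACCESS", "FAILURE"),
    ("LOCKOUT", "FAILURE"),  # denial of access after excessive logon attempts
}

def audit_gaps(text):
    """Return (record_problems, event_kinds_not_observed) for an exported log."""
    problems, seen = [], set()
    # start=2: line 1 of the file is the CSV header
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        empty = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if empty:
            problems.append((lineno, "missing " + ",".join(empty)))
        ts = (row.get("timestamp") or "").strip()
        if ts:
            try:
                datetime.fromisoformat(ts)
            except ValueError:
                problems.append((lineno, "unparseable timestamp"))
        outcome = (row.get("outcome") or "").strip().upper()
        if outcome and outcome not in ("SUCCESS", "FAILURE"):
            problems.append((lineno, "outcome not SUCCESS/FAILURE"))
        seen.add(((row.get("event_type") or "").strip().upper(), outcome))
    return problems, sorted(REQUIRED_EVENTS - seen)

if __name__ == "__main__":
    problems, missing = audit_gaps(SAMPLE)
    print("record problems:", problems)
    print("event kinds never observed:", missing)
```

An event kind reported as never observed means only that the export holds no evidence of it; generate that event in a test (for example, a deliberate failed logon) and re-export before concluding it is not audited.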