Thanks for a non-response. Which book would you suggest he read? Or how
does he turn off the security log? Oh wait though, I have 2,012 events
in my Security log and I've never turned it on. And not one of those
says "The audit log was cleared". I'm not being a smarty pants, I'm just
curious as to the explanation of your response.
Yeah - maybe I was coming on too strong or rude. I now have a better
Security Event Log message for the future.
Here is what I have seen...
Sometimes people wonder why the Security log is empty and think it is
a problem that nothing is being logged. All the other logs have stuff
and know I want some security on my system so they read some, poke
around and end up turning on Security Auditing from Control Panel,
Administrative Tools, Local Security Policy.
Everything for Security Auditing is turned off by default with "No
Auditing", so sometimes the thought is that some kind of additional
security auditing must be a good thing either because they are having
some problem they can't figure out or maybe they are curious.
Security is good, therefore I will put some security on everything!
The logging goes on unnoticed, they may resolve whatever the original
problem was and sometime later they peek at the Security log and see
all the failure messages and wonder what is wrong with their system.
Failure messages must mean something is wrong!
Turn all that logging on and reboot your system and you will get a lot
of failure events. Now folks think they have an issue and things are
failing all over the place, but it is an understanding issue (usually)
or they forgot they turned on the logging and never turned it off.
Event Logs also do not accumulate forever, they wrap when they get
full. Full is defined in the Properties of the log and defaults to
512KB and 7 days after that, then old things get overwritten
(luckily). The logs are usually in the c:\windows\system32\config
folder where those registry files are. You know those files... the
event logs are there too. Maybe yours wrapped or was never cleared -
or both.
Excess logging slows things down (any logging slows things down).
Maybe not much for this stuff, but if something has to read/write or
to even check to see if it needs to or even consider it, it takes some
CPU time that I would rather be spent someplace else. If you are
"tuning up" a system for performance, you can turn all that extra junk
off unless you need it to troubleshoot a problem. If you turn it on,
turn it off when you are done if you remember.
There is a similar story with the Internet Explorer log - why is it
always empty and is that my IE problem? An empty IE log can't be good
if I'm having IE problems. I can tell you, mine is empty and it
better stay that way.
You can buy books on Amazon that discuss Windows security,
performance, forensic analysis, malware - there are even Dummies books
for these things.
Like I mentioned before, no event in the Event Log should defy
explanation. If you have things in your Security Event Log, most
certainly they are there for a reason and should be explainable. Some
people will say the security events can be ignored. Well, I want to
explain them, then maybe I'll decide to ignore them.
I generally only have the one security event noting that my log was
cleared and I don't even need to have that. I only keep it so I know
my Security Event Log is working. Sometimes I use the Security
logging for troubleshooting or understanding somebody else's problem,
but generally not - it is extra I/O I don't need.
I sometimes keep an unused entry in my msconfig Startup tab and a
unused non MS service - just so I know msconfig is working. Seeing
those empty tabs is a little creepy.
