Logon Auditing

  • Thread starter: Ross

Ross

Hi guys

I wonder if you can help me with something.

I am trying to implement centralised archival of remote event logs via a
perl script I have written. It works quite well and I can retrieve
the information I want on a regular time period. The problem I have
is that every time I connect to a remote server to retrieve logs
(which can be every 10 minutes) I get the usual logon/logoff/kerberos
messages in the remote security log. The upshot being that it takes
longer and longer to retrieve the security logs because the program is
generating so much "noise".

I'm not sure if this is the route I want to take, but I was wondering
if it is possible to stop logon/logoff auditing (or indeed any auditing)
for just the one account that is running the script and leave it
enabled for all others?

Any suggestions/hints much appreciated.

Regards

Ross

PS - Apologies for the repost, but for some reason this ended up on
the bottom of someone else's thread.
 
I don't think you can stop it for 'just one account'.

A couple of ideas -- turn off (local) logon auditing
and just leave the Account Logon auditing (DCs)

Collect less frequently (e.g. 1x day) and clear the logs
daily?

Run scheduled commands on each machine (yeah, I
know "ugh") to filter out extraneous info and perhaps
just avoid the log entry (as system.)
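
The "filter out extraneous info" idea can also be applied on the collecting side, after retrieval. The sketch below is an added example, not code from this thread: the record fields, the account name `svc-logarchive` and the host names are assumptions, and the event IDs are those of current Windows versions (4624/4634 logon and logoff, 4768/4769 Kerberos ticket requests). It drops only the collector's own routine sessions and keeps failures and any use of the account from another machine.

```python
LOGON, LOGOFF = 4624, 4634
KERBEROS = {4768, 4769}  # TGT request, service ticket request

def filter_collector_noise(events, account, collector_sources):
    """Drop routine events caused by the collector itself.

    events: chronologically ordered dicts (hypothetical normalised fields:
    event_id, account, source, logon_id). Returns (kept, dropped_count).
    """
    account = account.lower()
    sources = {s.lower() for s in collector_sources}
    own_sessions = set()  # logon IDs of sessions opened from the collector
    kept, dropped = [], 0
    for ev in events:
        eid = ev["event_id"]
        mine = ev.get("account", "").lower() == account
        from_collector = ev.get("source", "").lower() in sources
        noise = False
        if mine and eid == LOGON and from_collector:
            own_sessions.add(ev.get("logon_id"))
            noise = True
        elif mine and eid == LOGOFF and ev.get("logon_id") in own_sessions:
            # Logoff records carry no source, so match them by logon ID.
            own_sessions.discard(ev.get("logon_id"))
            noise = True
        elif mine and eid in KERBEROS and from_collector:
            noise = True
        if noise:
            dropped += 1
        else:
            kept.append(ev)
    return kept, dropped

# Constructed sample records, not real log output.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "svc-logarchive", "source": "COLLECTOR01", "logon_id": "0x1a2b"},
    {"event_id": 4769, "account": "svc-logarchive", "source": "COLLECTOR01"},
    {"event_id": 4624, "account": "alice", "source": "WKSTN07", "logon_id": "0x2000"},
    {"event_id": 4634, "account": "svc-logarchive", "logon_id": "0x1a2b"},
    {"event_id": 4624, "account": "svc-logarchive", "source": "WKSTN42", "logon_id": "0x3c4d"},
    {"event_id": 4634, "account": "svc-logarchive", "logon_id": "0x3c4d"},
    {"event_id": 4625, "account": "svc-logarchive", "source": "COLLECTOR01"},
]

if __name__ == "__main__":
    kept, dropped = filter_collector_noise(SAMPLE_EVENTS, "svc-logarchive", ["collector01"])
    print(f"dropped {dropped}, kept {len(kept)}")
```

The logon of the archive account from `WKSTN42` and the failed logon (4625) stay in the archive, so filtering the account's noise does not hide misuse of its credentials.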
 
Hi Herb

Thanks for your reply.

I think I'm going to go with the "collect less frequently" option. I
figure collecting once a day is enough for Security logs.

Unfortunately most of the servers I'm querying are DCs, so I can't
stop local auditing and log on with a local account as there is no
"local" account, only domain logons. As for running a script locally,
I had thought about it, but prefer the idea of only having to run one
piece of software as opposed to tens.

Still, I think your suggestion of simply collecting less often is
going to be the easiest bet here.

Thanks for taking the time to reply.

Kind Regards

Ross
 
Thanks for your reply.

You are welcome.

Let us know if you learn something remarkable or find
a better idea.
 