Security Logs


Richard Ling

I have enabled auditing on my Windows 2000 server (SBS 2000) for Logon/Logoff
events so that I can audit who is logging on and off the domain. I have done
this by setting the security settings in Domain Controller Security Policy.

The security log has hundreds of events (mainly system) and is filling up
very quickly. I was surprised about this as I only have 10 users. I
have increased the log size to 4 MB but it is still full within a day or two.

Can anyone suggest how I can control this so the log does not fill so
quickly?

Thanks


Richard
 
Jason

They are all logon/logoff but the majority of them are system and not users.
This seems to be what is filling up the logs so quickly

Any advice appreciated

Thanks


Richard


Are all the events logon/logoff? If so, are they all your known users?

-JasonW
 
I don't know of any way to not log system logons. I think they come with
auditing any logons. MS didn't have any suggestions about how to stop this
kind, saying that system logons happen along with regular logons. The only
thing I could suggest is increase the limit of the size of the event log and
having it overwrite as needed.

It would be nice if MS would be a bit more verbose about what each of these
login events really means, because many sysadmins worry about what they are
seeing and we don't know if it is a legitimate thing or not. If MS has
described them in detail somewhere, I haven't seen it.

-JasonW
 
Thanks Jason, I agree with your comments.

I know you can filter events by user to make finding things easier, but do
you know if you can also do this by global security group?


 