Re: Security Log problem

From: Yu Chen (yuchen_at_online.microsoft.com)
Date: 04/06/04


Date: Tue, 6 Apr 2004 11:46:17 -0700

Simon,

I can't reproduce your problem on a Windows 2003 server machine. When there's
only one 517 audit in the security log, GetOldestEventLogRecord returns 1.

What platform does your application run on? When you say
GetOldestEventLogRecord fails, do you mean it returns FALSE (if so, what
does GetLastError() return?), or does it return some strange value in
OldestRecord?

Thanks,

Yu Chen [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Simon" <anonymous@discussions.microsoft.com> wrote in message
news:E65DC609-359F-490D-A172-D58E45DF9D41@microsoft.com...
> Hi,
>
> I'm working on an application that monitors the event logs for changes.
> It works fine except for one instance. When the security log is cleared,
> there is a success audit placed into the security log (event id 517). My
> code calls the GetOldestEventLogRecord() function any time an event log is
> cleared to reset its index variable. When this success audit is the only
> thing in the security log, the GetOldestEventLogRecord() function does not
> return its index.
> I'm wondering if anybody knows of a workaround for this, or knows if it is
> impossible to get the record number of this success audit, or has any other
> ideas on the subject.
>
> Thanks,
>
> Simon
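
The diagnostics requested in the reply above (return value, GetLastError(), and the value in OldestRecord), as an added example that is not code from either poster. The names classify_oldest and oldest_status are hypothetical, and the Win32 part compiles only on Windows.

```c
/* Added example: separates the failure modes the reply asks about. */
#include <stdio.h>

typedef enum {
    OLDEST_CALL_FAILED,  /* API returned FALSE: report GetLastError() */
    OLDEST_LOG_EMPTY,    /* call succeeded, log holds no records */
    OLDEST_SUSPECT,      /* call succeeded but OldestRecord is 0 */
    OLDEST_OK            /* usable record number */
} oldest_status;

/* Assumption: record numbers start at 1 (the reply reports 1 for a log
   holding only the 517 audit), so 0 with records present is suspect. */
oldest_status classify_oldest(int ok, unsigned long oldest,
                              int count_ok, unsigned long count)
{
    if (!ok) return OLDEST_CALL_FAILED;
    if (count_ok && count == 0) return OLDEST_LOG_EMPTY;
    if (oldest == 0) return OLDEST_SUSPECT;
    return OLDEST_OK;
}

#ifdef _WIN32
#include <windows.h>  /* link with advapi32 */

int main(void)
{
    /* Reading the Security log normally requires administrative rights. */
    HANDLE h = OpenEventLogW(NULL, L"Security");
    if (h == NULL) {
        printf("OpenEventLog failed, GetLastError=%lu\n", GetLastError());
        return 1;
    }
    DWORD oldest = 0, count = 0;
    BOOL ok = GetOldestEventLogRecord(h, &oldest);
    DWORD err = ok ? 0 : GetLastError();  /* capture before any other call */
    BOOL count_ok = GetNumberOfEventLogRecords(h, &count);

    static const char *names[] = { "call failed", "log empty",
                                   "suspect value", "ok" };
    oldest_status s = classify_oldest(ok, oldest, count_ok, count);
    printf("status=%s ok=%d GetLastError=%lu OldestRecord=%lu "
           "count_ok=%d count=%lu\n",
           names[s], ok, err, oldest, count_ok, count);
    CloseEventLog(h);
    return s == OLDEST_OK ? 0 : 2;
}
#endif
```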


