Re: Security logging stopped
From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 10/24/02
- Next message: Vickie Whitehill: "Outlook Express Deleting Attachments"
- Previous message: Dmitry Kulshitsky: "Re: protocols on my network"
- In reply to: Karl Levinson [x y] MVP: "Re: Security logging stopped"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Fitzgerald [MS]" <ericf@online.microsoft.com> Date: Wed, 23 Oct 2002 16:47:48 -0700
Sometimes it's not even corruption, but rather an event log limitation when
the log size is configured too high. Try configuring your log to a smaller
size (say, the greater of the amount of RAM you have or 128MB), and then
clearing the log. The problem might recur if your log is too large.
Eric
"Karl Levinson [x y] MVP" <levinson_k@excite.com> wrote in message
news:O$PQpWteCHA.2340@tkmsftngp10...
>
> "Dan Hensley" <dhensley@usgs.gov> wrote in message
> news:c18501c27aca$1b927240$35ef2ecf@TKMSFTNGXA11...
> > NT 4.0
> >
> > On some of my workstations security logging has stopped
> > and I can't find where to turn it back on.
> >
> > Also is there a way to log who logs into the RAS?
>
> Try using the Event Log viewer to clear the event log. If it becomes
> corrupted, you won't see anything until it is cleared.
>
> On my RAS server, I believe that all gets logged as long as auditing of
> login successes and failure events was turned on in the RAS server settings.
> Then, if you wish, you can use a utility such as DUMPEL from the Windows
> resource kit to export just the RAS server logins to a CSV file and open it
> in Excel to make a report on RAS time usage per user. There are free log
> dumping tools such as the ones at www.sysinternals.com but I can't confirm
> whether they will do this as well.
>
> I guess you already know this, but just in case, here's info on how to
> enable auditing on your RAS server:
>
> ==============
>
> Note that to enable logging of access to files or registry settings, you
> must both enable logging in the overall computer policy AND also add
> auditing settings on individual folders or registry keys in the NTFS
> security properties in Windows Explorer or the REGEDT32 registry editor.
> [Using REGEDIT will not work.] To log file access, the files must be on an
> NTFS-formatted partition.
>
> Note also that to enable logging of security events on a Windows domain, you
> must change the auditing policy on all domain controllers. Changing the
> auditing policy on the computers in the domain enables logging of failed
> logins to the computers using local accounts and would not necessarily log
> attempts to log into the domain.
>
> Consider changing the Windows event log settings to be appropriate for your
> environment. Consider increasing the maximum log size to retain more
> information. Be careful not to log too much, or you might find that your
> logs contain only a few minutes or hours worth of data. Finally, check the
> logs to be sure logs are really being captured.
>
> For more information on enabling and configuring auditing, see the articles
> below:
>
> http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
> [look for the NSA Security Recommendation Guides for Windows 2000 and
> also Group Policy]
>
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.asp
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file access settings
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
> monitoring for unauthorized user access
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
> http://www.labmice.net/troubleshooting/EventLog.htm
>
> [Thanks to Thomas Deml and others]
>
>
>
>
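Added example, not part of the original thread: a Python check for the two failure modes discussed above, a Security log that has silently stopped recording and a log that retains only a short window of history. It runs over an exported CSV; the column layout, the sample rows and both thresholds are assumptions, not the output format of any particular export tool.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Assumed columns: date, time, event ID, user.
# Real export tools may order fields differently; adjust load_times() to match.
SAMPLE_EXPORT = """\
10/21/2002,08:00:12,528,LAB\\alice
10/21/2002,08:05:40,538,LAB\\alice
10/21/2002,17:31:02,529,LAB\\bob
10/22/2002,07:58:45,528,LAB\\bob
10/22/2002,08:10:03,538,LAB\\bob
"""

def load_times(text):
    """Parse event timestamps from the CSV text, oldest first."""
    rows = csv.reader(io.StringIO(text))
    return sorted(
        datetime.strptime(f"{r[0]} {r[1]}", "%m/%d/%Y %H:%M:%S")
        for r in rows if len(r) >= 2
    )

def log_health(times, now, max_silence=timedelta(hours=12),
               min_retention=timedelta(days=2)):
    """Flag a log that has gone quiet or that holds too short a history.

    Both thresholds are assumed defaults; tune them per host role.
    """
    if not times:
        # Nothing visible: cleared, corrupted, or auditing is off.
        return {"flags": ["EMPTY"]}
    retention = times[-1] - times[0]      # history the log currently holds
    silent_for = now - times[-1]          # time since the last recorded event
    largest_gap = max((b - a for a, b in zip(times, times[1:])),
                      default=timedelta(0))
    flags = []
    if silent_for > max_silence:
        flags.append("STALLED")
    if retention < min_retention:
        flags.append("SHORT_RETENTION")
    return {"flags": flags, "retention": retention,
            "silent_for": silent_for, "largest_gap": largest_gap}

if __name__ == "__main__":
    report = log_health(load_times(SAMPLE_EXPORT),
                        now=datetime(2002, 10, 23, 16, 47))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A `STALLED` flag on a host that is known to be in use is the cue to inspect the log size setting and clear the log, as suggested in the reply above.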