Re: File access auditing fills security log too fast

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/18/05


Date: Fri, 18 Mar 2005 08:14:15 -0700

There are two things you can do to assist you in this.
1. increase the max size and the on-full behaviors of the
    security event log
2. tune the SACLs that control what actions are logged
    and on what objects. Use the Advanced dialog in the
    audit NTFS security settings dialog so that you do not
    trigger audit messages for actions of no interest

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"ParamusAdmin" <ParamusAdmin@discussions.microsoft.com> wrote in message
news:8839A676-F174-4B92-B388-7403204BD453@microsoft.com...
> I am attempting to enable file and application auditing to meet HIPAA
> compliance. The issue I am having is the security log fills up way too fast,
> eventually locking out all but administrators from logging on. I know I can
> disable this, but I would rather just audit when the file or app was accessed
> and by whom. I have been experimenting with the auditing settings, but no
> matter what I do, even opening one folder creates 10 security items in the
> event log. Does anyone have any tips on how to narrow down what is entered
> into the event log?
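
The two steps from the reply above, as an added PowerShell example that is not part of the original post: it enlarges the Security log with overwrite-when-full behaviour, then replaces a folder's explicit audit entries with one files-only rule so that browsing the folder is not audited. The folder path, log size and audited identity are assumptions, and it must run in an elevated session, since reading and writing a SACL requires the "Manage auditing and security log" right.

```powershell
# Added example. $Folder, $Identity and $LogBytes are assumed values, not from the post.
$Folder   = 'D:\PatientRecords'   # hypothetical folder holding the audited files
$Identity = 'Everyone'            # whose access is audited
$LogBytes = 256MB                 # assumed maximum log size; size it to your event volume

# Step 1: raise the Security log maximum size and set the on-full behaviour.
# /rt:false turns retention off, so the oldest events are overwritten when the log is full.
wevtutil sl Security /ms:$LogBytes /rt:false
wevtutil gl Security              # print the resulting log configuration

# Step 2: tune the SACL. -Audit makes Get-Acl load the audit entries as well.
$acl = Get-Acl -Path $Folder -Audit

# Remove the explicit (non-inherited) audit entries currently on the folder.
# Inherited entries are left alone; change those on the parent that defines them.
$ntAccount = [System.Security.Principal.NTAccount]
foreach ($rule in $acl.GetAuditRules($true, $false, $ntAccount)) {
    $acl.RemoveAuditRuleSpecific($rule)
}

# Audit only content reads, writes and deletes, and only when they succeed.
# ReadData has the same bit value as ListDirectory, so the rule is limited to files
# (ObjectInherit + InheritOnly): opening or listing the folder then logs nothing.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$narrow = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($narrow)
Set-Acl -Path $Folder -AclObject $acl

# Show the audit entries now in effect on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AuditFlags
```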

