Re: Audit Logs

From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 11/13/02

• Next message: Karl Levinson [x y] mvp: "Re: removing command.com from system32 directory"
• Previous message: Paul Calvin: "Event ID: 676"
• In reply to: Bryan Redman: "Audit Logs"
• Next in thread: Eric Fitzgerald [MS]: "Re: Audit Logs"
• Reply: Eric Fitzgerald [MS]: "Re: Audit Logs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Eric Fitzgerald [MS]" <ericf@online.microsoft.com>
Date: Tue, 12 Nov 2002 16:21:47 -0800

Hey Bryan,

This doesn't repro on Windows .NET Server. Let me talk to the dev team.

Eric

-- 
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Bryan Redman" <bredman@cdnpay.ca> wrote in message
news:151b01c28a63$fbc0b0e0$8cf82ecf@TK2MSFTNGXA07...
> Hi,
> Can you please help me?  I am experiencing some
> inconsistencies with auditing on Windows 2000.
> I have enabled Auditing under Local Policies.
> Audit Account Logon events - Success & Failure
> Audit Logon events - Success & Failure
>
> I have enable the screen saver with password protect with
> a 15 minute wait.
>
> If I wait for the system (15 min) the audit log will
> contain the following information:
> Event ID: 538 User Logoff
>
> All is OK.
>
> If I press CTRL-ALT-DEL and select Logoff - no logoff
> entries are placed into the audit log. The next entry in
> the audit log is a successful logon Event ID: 528.
>
> Do you have any ideas as what may be cause the
> inconsistency??
>
> OS: Windows 2000 Server
> Service Pack Level: SP3
> IIS v5.0
>

• Next message: Karl Levinson [x y] mvp: "Re: removing command.com from system32 directory"
• Previous message: Paul Calvin: "Event ID: 676"
• In reply to: Bryan Redman: "Audit Logs"
• Next in thread: Eric Fitzgerald [MS]: "Re: Audit Logs"
• Reply: Eric Fitzgerald [MS]: "Re: Audit Logs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Who is Logged On? ... enable auditing of account logon events in Domain Controllers Security ... > I am new to Windows and have been on Netware too long, ... > is an intruder, but I cannot tell who is logged on now. ... (microsoft.public.win2000.security) Re: Training for Juinior IT Auditor, ... what events to audit (eg file access, logon events etc) - which should ... be set via group policy, and some of which is AD anyway. ... it's hard to keep it to windows only... ... (microsoft.public.windows.server.security) Re: Notification of Logins ... Might I suggest that you use EventQuery.pl from the Windows 2000 Resource ... You can query the event log for logon events, output as CSV, and then ... I find Microsoft's whole implementation of login auditing to ... >> example using the windows 2000 server resource kit utility DUMPEL to ... (microsoft.public.win2000.security) Re: Audit Logs ... it doesn't repro on my Windows 2000 SP3 machine either. ... Lock workstation: no event. ... >> entries are placed into the audit log. ... (microsoft.public.win2000.security) Re: NT4 & w2k autiding tools needed... ... Windows has built in auditing. ... Account logon is probably most useful for domain controllers or ... logon events record attempts of a user to access network resources. ... (microsoft.public.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint