Re: Security Event log full in 30 min

From: Jeff (jeff@nospam.com)
Date: 01/21/03


From: "Jeff" <jeff@nospam.com>
Date: Tue, 21 Jan 2003 12:45:49 -0800


Okay, I'm attempting to remember what the settings are on
W2k, but I believe they are similar to XP. There is an
Audit Logon Events, which is what you set, and there is
Audit Account Logon Event - which is what you want.

Audit Logon Events should log everything, including system
events.

Audit Account Logon Events should only log actual account
logons (like yours), not the system logon events.

That's all from the depths of my brain, so forgive me if I
do not have the exact syntax down of what the audit
policies are actually named, but it should be close.

>-----Original Message-----
>"Richard Donovan" <rldonovan@erg-va.com> wrote in
>news:O8fLicWwCHA.2904@TK2MSFTNGP09:
>
>> These events do not necessarily look evil. Seems to show users "SYSTEM"
>> and "Administrator" logging on and off. There are a number of threads
>> in this newsgroup about interpreting audits and web sites such as
>>
>> http://www.eventid.net/search.asp
>Thanks for the link
>
>
>>
>> are useful in interpreting logs. Probably the first thing to do is
>> carefully review the auditing options you have set. If you really
>> need to see everything that you have asked for, then increase the
>> allowed size for the logs.
>
>All I want to see is who is logging on/off and when. I went to gpedit and
>set audit logon/off successful and failures. And last night the log file
>reported 2900 successful logon/off. I don't understand this. I have searched
>for a cause but only found it may be related to nt4.0 workstations with a
>2000 server.
>.
>
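
Added example, not part of the original thread: one way to get the "who is logging on/off and when" view out of a noisy Security log is to export it and separate logons by people from system, machine-account and network logons. The CSV column names, the account `jsmith` and the sample rows are constructed for this example; the event IDs are the Windows 2000/XP-era ones (528 logon, 529 failed logon, 538 logoff, 540 network logon).

```python
import csv
import io
from collections import Counter

# Constructed sample export; the column names are assumptions for this example.
SAMPLE = """time,event_id,user,logon_type
2003-01-20 22:00:01,540,SYSTEM,3
2003-01-20 22:00:01,538,SYSTEM,3
2003-01-20 22:00:07,540,WKSTN04$,3
2003-01-20 22:00:09,538,WKSTN04$,3
2003-01-20 22:03:12,528,Administrator,2
2003-01-20 22:05:40,540,ANONYMOUS LOGON,3
2003-01-20 22:41:55,538,Administrator,2
2003-01-20 23:10:02,529,jsmith,2
"""

EVENT_NAMES = {528: "logon", 529: "failed logon", 538: "logoff", 540: "network logon"}
HUMAN_LOGON_TYPES = {2, 7, 10}  # interactive, unlock, remote interactive
BUILTIN_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_person(user, logon_type):
    """True for a logon made by a person at a console or remote desktop."""
    if user.upper() in BUILTIN_ACCOUNTS or user.endswith("$"):  # '$' = machine account
        return False
    return logon_type in HUMAN_LOGON_TYPES


def triage(text):
    """Return (event volume per (user, logon type), list of human logon/logoff entries)."""
    volume = Counter()
    people = []
    for row in csv.DictReader(io.StringIO(text)):
        event_id, logon_type = int(row["event_id"]), int(row["logon_type"])
        if event_id not in EVENT_NAMES:
            continue  # not a logon/logoff event
        user = row["user"]
        volume[(user, logon_type)] += 1
        if is_person(user, logon_type):
            people.append((row["time"], user, EVENT_NAMES[event_id]))
    return volume, people


if __name__ == "__main__":
    volume, people = triage(SAMPLE)
    for (user, ltype), count in volume.most_common():
        print(f"{count:5d}  type {ltype:<2d} {user}")
    for entry in people:
        print(*entry)
```

The volume table shows which accounts and logon types are filling the log, which helps when deciding what to stop auditing or how large the log needs to be.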


