Re: Logon Auditing

From: Herb Martin (news_at_LearnQuick.com)
Date: 07/31/03


Date: Wed, 30 Jul 2003 18:02:30 -0500


I don't think you can stop it for 'just one account'.

A couple of ideas -- turn off (local) logon auditing
and just leave the Account Logon auditing (DCs)

Collect less frequently (e.g. 1x day) and clear the logs
daily?

Run scheduled commands on each machine (yeah, I
know "ugh") to filter out extraneous info and perhaps
just avoid the log entry (as system.)

"Ross" <rossd@musicradio.com> wrote in message
news:630a9742.0307301252.78ec69cb@posting.google.com...
> Hi guys
>
> I wonder if you can help me with something.
>
> I am trying to implement centralised archival of remote event logs via a
> perl script I have written. It works quite well and I can retrieve
> the information I want on a regular time period. The problem I have
> is that every time I connect to a remote server to retrieve logs
> (which can be every 10 minutes) I get the usual logon/logoff/kerberos
> messages in the remote security log. The upshot being that it takes
> longer and longer to retrieve the security logs because the program is
> generating so much "noise".
>
> I'm not sure if this is the route I want to take, but I was wondering
> if it is possible to stop logon/logoff auditing (or indeed any auditing)
> for just the one account that is running the script and leave it
> enabled for all others?
>
> Any suggestions/hints much appreciated.
>
> Regards
>
> Ross
>
> PS - Apologies for the repost, but for some reason this ended up on
> the bottom of someone else's thread.
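
One way to do the "filter out extraneous info" step on the archive side, leaving auditing on the servers untouched (an added example, not part of the original thread and not Ross's Perl script). It drops only the collector's own network logon/logoff pairs, matched by logon ID and originating host, and keeps a count of what was dropped; the account name, host name, record field names and sample events are all constructed assumptions, and Kerberos events are left out of scope.

```python
from collections import Counter

LOGON, LOGOFF = 540, 538               # Windows 2000/2003 Security log event IDs
COLLECTOR_ACCOUNT = "svc-logcollect"   # hypothetical collector account
COLLECTOR_HOSTS = {"LOGHOST01"}        # hypothetical host the script runs from

def filter_collector_noise(events):
    """Filter one server's events (oldest first). Returns (kept, suppressed_counts)."""
    own_sessions = set()               # logon IDs opened by the collector itself
    kept, suppressed = [], Counter()
    for ev in events:
        is_collector = ev["user"].lower() == COLLECTOR_ACCOUNT
        if (ev["event_id"] == LOGON and is_collector
                and ev.get("workstation", "").upper() in COLLECTOR_HOSTS):
            own_sessions.add(ev["logon_id"])
            suppressed[LOGON] += 1
        elif ev["event_id"] == LOGOFF and ev.get("logon_id") in own_sessions:
            own_sessions.discard(ev["logon_id"])
            suppressed[LOGOFF] += 1
        else:
            # Everything else is archived, including collector-account logons
            # from any host other than the expected one.
            kept.append(ev)
    return kept, dict(suppressed)

# Constructed sample records; the field names are assumptions for this example.
SAMPLE = [
    {"event_id": 540, "user": "svc-logcollect", "workstation": "LOGHOST01", "logon_id": "0x1a2b"},
    {"event_id": 538, "user": "svc-logcollect", "logon_id": "0x1a2b"},
    {"event_id": 540, "user": "svc-logcollect", "workstation": "WKSTN77", "logon_id": "0x2c3d"},
    {"event_id": 538, "user": "svc-logcollect", "logon_id": "0x2c3d"},
    {"event_id": 540, "user": "alice", "workstation": "WKSTN12", "logon_id": "0x3e4f"},
    {"event_id": 529, "user": "administrator", "workstation": "WKSTN50"},
]

if __name__ == "__main__":
    kept, suppressed = filter_collector_noise(SAMPLE)
    print("suppressed:", suppressed)
    for ev in kept:
        print("kept:", ev)
```

Writing the suppressed counts into the archive alongside the kept events leaves a record of how much was filtered on each run.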


