Re: Event Viewer Getting Full

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/13/04

• Next message: Resonate: "Re: Permissions Impeeding Internet Browsing"
• Previous message: Dave: "Re: Emailing Admin when user changes password"
• In reply to: SSK: "Re: Event Viewer Getting Full"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 13 Aug 2004 20:12:08 GMT

No, auditing of object access must be enabled. You can however use "filter" view of
the security log, search with EventComb, or dump the logs and search them that way
for specific file names, users, etc. --- Steve

http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml -- PsLogList to dump lof
files by criteria.

"SSK" <SSK@discussions.microsoft.com> wrote in message
news:E9A9EAAA-2DF2-4534-808F-B61E52F78D93@microsoft.com...
> Is there any other way to see the deletion of folder without enabling object
> access ?
> Please Reply
>
> "Steven L Umbach" wrote:
>
> > That is normal. You can increase the size of the security log and by default it
is
> > quite small. Something like 10mb would be a good start.I would recommend that you
> > audit for only specific files and avoid using the users and everyone group to
audit.
> > Also audit only the deletion permission. The less parameters you audit, the less
> > events in the log though it will never be a small amount when object access
auditing
> > is enabled. --- Steve
> >
> > http://www.microsoft.com/technet/security/guidance/secmod144.mspx
> >
> > "SSK" <SSK@discussions.microsoft.com> wrote in message
> > news:7316819B-01E0-46BA-9417-EB2DF3B7C29B@microsoft.com...
> > > Event Viewer Getting Full when I enable object access . But I want to audit
> > > the deletion of files . Please help in this regard
> >
> >
> >

• Next message: Resonate: "Re: Permissions Impeeding Internet Browsing"
• Previous message: Dave: "Re: Emailing Admin when user changes password"
• In reply to: SSK: "Re: Event Viewer Getting Full"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: auditing question - single file object access creates duplicate security log messages ... object access, ... go into the NTFS permissions and audit only success on deletion, creation, ... > one audit message in the security log when a file is read. ... (microsoft.public.win2000.security) Re: File Auditing ... The nature of auditing of object access is that there will be many seemingly ... but instead create a global group or local groups of users you want to audit. ... avoid auditing write or you will continue to large amounts in the security log. ... (microsoft.public.win2000.security) Re: duplicate eventID 560? ... Object access will generate a ton of events in the ... security log. ... When you configure auditing of a folder be sure to audit the ... (microsoft.public.security) Re: duplicate eventID 560? ... Object access will generate a ton of events in the ... > security log. ... When you configure auditing of a folder be sure to audit the ... (microsoft.public.security) Re: Can you log the use of a workstation? ... > security log quite a bit bigger. ... Also look into enabling of object access ... > and the audit the specific files in question, ... (microsoft.public.win2000.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint