Re: Cannot see audit events in security log

From: Frank Thynne (fthynne_at_elmplace.co.uk)
Date: 11/23/04 

Date: 22 Nov 2004 17:32:41 -0800

Steven, thanks for responding.

I have meanwhile carried out similar tests on another PC and found
that everything worked as I expected, and I could indeed find 560 and
562 events in the security log - but it still isn't working in the
problem PC. The only significant differences that I can think of are:

1. the problem PC is standalone while the working one is a member of a
Windows domain, and

2. the problem PC was originally set up with a FAT file system (not by
me!) and I did not notice that it wasn't NTFS until after I enabled
auditing.

I tried turning auditing off and on again after converting to NTFS in
case the setting had not been effective while the file system was FAT,
but it made no difference.

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<IQdod.129209$HA.61030@attbi_s01>...
> If you enabled auditing of object access then you should see events in the
> security log. Look for event ID's such as 560 and 562. Be sure to increase
> the size of the security log quite a bit and clear the log first. Note that
> if the security log is configured to not override events that the log will
> not add any more events until it is manually cleared. --- Steve
>
>
>
> "Frank Thynne" <fthynne@elmplace.co.uk> wrote in message
> news:f5642ae5.0411211630.4831738a@posting.google.com...
> > My client has a stand-alone Windows 2000 Professional computer. We are
> > trying to establish auditing on a folder and its contents. We have
> > turned on auditing in local policy and enabled success and failure
> > auditing on objects. In the advanced section of the security
> > properties of the folder we have set auditing for the Everyone group
> > and specified that the property will be propagated to files and
> > folders contained in it. We have verified that the property is
> > inherited by a file copied into the folder.
> >
> > After doing those things, and accessing a file in the audited folder,
> > we do not see anything relevant in the Security Event Log. I must be
> > missing something obvious, but I do not know what it is! Can anyone
> > advise?

Relevant Pages

  • Re: Folder reappeares on desktop
    ... Enabling auditing of object access generates a lot of system events such as those ... I would be looking for an Event ID 560 for the parent folder where the ... security log when that happens but it is worth a try. ...
    (microsoft.public.win2000.security)
  • Re: Auditing / Event Log Entries...
    ... You would have to first enable auditing of object access on computer ... whatever permissions you wanted to audit for the user Mary Jane [assuming ... > Do you have to enable the Auditing on that specifi folder on the remote ...
    (microsoft.public.win2000.security)
  • Re: Tracking access to folder
    ... Enabling auditing of object access will generate a lot of seemingly ... permissions will generate a lot of object access events for success. ... I need to track access to a specific folder and also a particular users ...
    (microsoft.public.win2000.security)
  • Re: File auditing not working properly
    ... Try auditing only a specific folder first so that you can see how it works ... etc. Make sure your security log is large enough to keep the ... Event Type: Success Audit ...
    (microsoft.public.win2000.security)
  • Re: Cannot see audit events in security log
    ... If auditing of object access for success and failure has been enabled in the ... Local Security Policy on that computer and auditing has been ... should be recorded in the security log after trying to access the folder as ...
    (microsoft.public.win2000.security)