Re: security log size on PDC problem



Hello Juergen N.,

Here is the script content we use with a scheduled task:
---------------------------------------------------------------------------------
' The account that runs the scheduled task needs the user rights assignment: backup files and directories, logon as a batch job, generate security audits, manage auditing and security log
' Save this file as .vbs

' Date prefix for the backup file name (yyyy-mm-dd-)
strDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" & Right("0" & Day(Now),2) & "-"
strComputer = "."

' Connect to WMI with the Backup and Security privileges enabled
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup,Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")

For Each objLogFile in colLogFiles
    ' BackupEventLog returns 0 on success
    errBackupLog = objLogFile.BackupEventLog("d:\SecurityLog\" & strDate & "security.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Security event log could not be backed up."
    Else
        ' Clear the log only after the backup succeeded
        objLogFile.ClearEventLog()
    End If
Next
---------------------------------------------------------------------------------

You have to modify the folder location for your needs ("d:\SecurityLog\"& strDate &"security.evt").

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
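
Added example, not part of the original posts: the same backup-then-clear job written in PowerShell for systems that have wevtutil.exe and Get-WinEvent, with a check that the exported copy is readable before the live log is cleared. The folder is the one from the script above; the .evtx extension, the SHA256SUMS.txt file name and the refusal to overwrite an existing archive are assumptions of this example.

```powershell
# Added example: export the Security log, verify and hash the copy, then clear.
# Run from an elevated scheduled task. $ArchiveDir mirrors the thread's folder.
param(
    [string]$ArchiveDir = 'D:\SecurityLog'
)

$ErrorActionPreference = 'Stop'

$stamp  = Get-Date -Format 'yyyy-MM-dd'
$target = Join-Path $ArchiveDir "$stamp-security.evtx"

if (-not (Test-Path -LiteralPath $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

# A second run on the same day must not replace the first export.
if (Test-Path -LiteralPath $target) {
    throw "Archive $target already exists; refusing to overwrite."
}

# 1. Export without clearing, so a failed export leaves the live log intact.
& wevtutil.exe epl Security $target
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil epl failed with exit code $LASTEXITCODE"
}

# 2. Verify the copy parses as an event log and holds at least one record.
#    Get-WinEvent raises an error (terminating here) if no event can be read.
$null = Get-WinEvent -Path $target -MaxEvents 1

# 3. Record a SHA-256 hash so later tampering with the archive is detectable.
$hash = Get-FileHash -LiteralPath $target -Algorithm SHA256
$line = '{0}  {1}' -f $hash.Hash, (Split-Path -Path $target -Leaf)
Add-Content -LiteralPath (Join-Path $ArchiveDir 'SHA256SUMS.txt') -Value $line

# 4. Clear only after the checks passed. Events written between step 1 and
#    this call are not in the archive; "wevtutil cl Security /bu:<file>"
#    backs up as part of the clear if that gap matters.
& wevtutil.exe cl Security
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil cl failed with exit code $LASTEXITCODE"
}

# The clear is itself logged as event 1102 in the new Security log. One 1102
# per day from the task account is expected; any other 1102 deserves review.
Write-Output "Archived and cleared Security log: $target"
```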


Hello Meinolf Weber,

Thanks for your response. I've only set the "Audit logon events" (Success, Failure) for Domain-Controllers, but the log-file size still grows very quickly.
Do you have a link or a sample-script how can I copy and delete the log file?
best regards,

Juergen N.

Hello Juergen N.,

You can check the auditing GPO and redefine your logging. You cannot
filter the event IDs for logging like you describe. What maybe is an
option, we use this also, is to save and clear once a day the
security log file with a script. After our 5 year policy the old
logfiles can be archived. This way the security log is not growing
that much, I think, and you have also an overview if you need to
search for a special day the logon events.

Best regards

Meinolf Weber