Depends on how much info you need, but doing it through the native event log in an environment of that size is nearly futile unless you have SAN space and CPU cycles to burn. Ours is 1/4 that size and I tried it and did the calcs, and its storage reqs were unbelievable. IIRC I was also seeing more than 100/sec in aggregate, but I would need my notes and abacus to confirm that. For the short time I actually had it on, the logs were updating so fast it rendered Event Viewer useless; it couldn't even refresh on the PDCe. (They were set to 125MB and unmanageable at that size when I tried it.)
b) won't work because the total of ALL your event logs together is limited to a practical maximum somewhere around 300MB, since they have to be memory mapped and are sharing the 1 GB memory space of services.exe. Eric Fitzgerald had a great blog entry about it a while back. c) possible, but still takes a lot of resources. I have been playing with 3rd party tools and DAD/MACS/ACS for a while; none are a panacea IMO. I'm beginning to like the approach at least one of the 3rd party vendors uses of just grabbing the changes to the AD attribute instead of using the native audit subsystem. I'm leaning toward A and either checking the AD attribute or using something in a logon script to update a database with the who/what/when/where stuff. Depends on your needs I guess. Sorry this is a little choppy but I'm pressed for time.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, August 30, 2006 2:10 PM
To: [email protected]
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events? For example, if you have a domain with 100K users or so and you use AD as your primary authentication service for application, file, email, and web access, then it is plausible that you will end up with up to 100 log entries per second. That kind of volume will no doubt cause the logs to roll over frequently, thus making them somewhat useless. The only alternatives I see are:
a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable) size.
c) Invest in a fancy log management system that will collect, index, and retain all of your logs.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
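The "check the AD attribute" route the reply leans toward, as an added PowerShell example; this is not code from the thread or from any of the vendors or tools mentioned in it. It assumes that the attribute in question is lastLogon (the thread does not name it), PowerShell 3.0 or later on a domain-joined host running as a user who can read user objects, and a hypothetical state directory under ProgramData. It sweeps every DC, keeps the newest logon per account, and emits only accounts that authenticated since the previous sweep, which is the "who/when" part of the who/what/when/where the reply wants without touching the Security log at all.

```powershell
# Added example, not code from the thread: sweep the lastLogon attribute on
# every DC and emit only accounts that authenticated since the previous sweep,
# as a substitute for Success audit events in the Security log.
# Assumptions: lastLogon is the attribute meant by "the AD attribute" (the
# thread does not name it); run as a domain user that can read user objects;
# $StateDir is a hypothetical location chosen for this example.
param(
    [string]$StateDir = (Join-Path $env:ProgramData 'LogonSweep')
)

$statePath = Join-Path $StateDir 'last-sweep.txt'   # highest FILETIME seen so far
$outPath   = Join-Path $StateDir 'logons.csv'       # who / when / which DC
New-Item -ItemType Directory -Force -Path $StateDir | Out-Null

# lastLogon is NOT replicated: each DC holds only the logons it serviced, so
# every DC must be queried and the maximum taken. lastLogonTimestamp does
# replicate but is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default), so it cannot track
# individual logons.
$since = 0L
if (Test-Path $statePath) { $since = [long]((Get-Content $statePath -Raw).Trim()) }

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$latest   = @{}      # sAMAccountName -> @{ FileTime = [long]; Dc = [string] }
$allDcsOk = $true

foreach ($dc in $domain.DomainControllers) {
    $dcName = $dc.Name
    try {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dcName")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        # Server-side filter limits the result set to accounts that logged on
        # at this DC after the watermark; PageSize lifts the 1000-row cap.
        $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(lastLogon>=$($since + 1)))"
        $searcher.PageSize = 1000
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        [void]$searcher.PropertiesToLoad.Add('lastLogon')

        foreach ($r in $searcher.FindAll()) {
            if ($r.Properties['lastlogon'].Count -eq 0) { continue }
            $sam = [string]$r.Properties['samaccountname'][0]
            $ft  = [long]$r.Properties['lastlogon'][0]      # FILETIME, UTC
            if (-not $latest.ContainsKey($sam) -or $ft -gt $latest[$sam].FileTime) {
                $latest[$sam] = @{ FileTime = $ft; Dc = $dcName }
            }
        }
    } catch {
        # If any DC cannot be queried, the watermark is left alone below so
        # that DC's logons are picked up on the next sweep (at the cost of
        # re-emitting the other DCs' rows once).
        $allDcsOk = $false
        Write-Warning "Skipping $dcName : $($_.Exception.Message)"
    }
}

if ($latest.Count -gt 0) {
    $records = foreach ($sam in $latest.Keys) {
        [pscustomobject]@{
            User     = $sam
            LogonUtc = [DateTime]::FromFileTimeUtc($latest[$sam].FileTime).ToString('o')
            AuthDC   = $latest[$sam].Dc
        }
    }
    $records | Sort-Object LogonUtc | Export-Csv -NoTypeInformation -Append -Path $outPath
}

if ($allDcsOk) {
    $newMax = $since
    foreach ($v in $latest.Values) { if ($v.FileTime -gt $newMax) { $newMax = $v.FileTime } }
    Set-Content -Path $statePath -Value $newMax
}

"{0} account(s) logged on since FILETIME {1}" -f $latest.Count, $since
```

Run it from a scheduled task every few minutes; the first run emits every account that has ever logged on, after which each sweep is one paged LDAP query per DC instead of 100 events per second of Security log. Two limits worth knowing before relying on it: an account that logs on several times between sweeps collapses to its latest logon, and lastLogon records which DC authenticated the user, not the workstation or source address, so the "where" in the reply's who/what/when/where still needs either the native audit events or a logon script on the client side.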
