The option chosen for my environment is: c) Invest in a fancy log management system that will collect, index, and retain all of your logs.

The product we employ is EventSentry (http://www.eventsentry.com/features.php?FEATURE=EVENTLOG). Though not that fancy, it is good enough to do what is needed. The events are collected and, using SQL Reporting Services, a 24 hr summary is emailed to the appropriate person. It does not matter how many successful logons you have -- I guess the space on your SQL server would be the limitation. One aspect that drives what you choose is compliance, if you have to satisfy any audit requirements. Good luck.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Wednesday, August 30, 2006 3:32 PM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log

That may work, but it sort of falls under option b. The logs will grow so large that they will become unmanageable. I did some calculations and it works out to be about 1TB a year.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Wednesday, August 30, 2006 3:06 PM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I have a pretty small site, and this probably won't scale very well, but I have a script scheduled to run every day at midnight that backs up the security log to a compressed folder & clears it. I have the log size set ridiculously high, so it doesn't roll over unexpectedly.

    ' Build a timestamped backup file name, zero-padded so the files sort in date order.
    dtmThisDay = Right("0" & Day(Date), 2)
    dtmThisMonth = Right("0" & Month(Date), 2)
    dtmThisYear = Year(Date)
    strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & "_" & _
        Right("0" & Hour(Time), 2) & Right("0" & Minute(Time), 2)

    ' Connect to WMI on the local machine. The Backup and Security privileges
    ' are needed to back up and clear the Security log.
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
        strComputer & "\root\cimv2")
    Set colLogFiles = objWMIService.ExecQuery _
        ("Select * from Win32_NTEventLogFile where LogFileName='Security'")

    For Each objLogFile In colLogFiles
        ' BackupEventLog returns 0 on success. Only clear the log once the backup
        ' has actually been written, so a failed backup (for example a missing
        ' c:\seclogs folder) does not throw away the day's events.
        intResult = objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
            "_security.evt")
        If intResult = 0 Then
            objLogFile.ClearEventLog()
        Else
            WScript.Echo "Backup of Security log failed, return code " & intResult & _
                "; log not cleared."
        End If
    Next

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: [email protected]
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events? For example, if you have a domain with 100K users or so and you use AD as your primary authentication service for application, file, email, and web access, then it is plausible that you will end up with up to 100 log entries per second. That kind of volume will no doubt cause the logs to roll over frequently, thus making them somewhat useless. The only alternatives I see are:

a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable) size.
c) Invest in a fancy log management system that will collect, index, and retain all of your logs.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
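The thread turns on two calculations that nobody writes down: how quickly a fixed-size Security log wraps at 100 logon events per second (Isenhour's original question), and how large the log has to be for a once-a-day backup-and-clear like Derek's to never drop an event (the "ridiculously high" size), plus the "successful logons per account" roll-up that the EventSentry/SQL Reporting Services setup emails out every 24 hours. The following is an added example, not code from any poster or product in the thread. It assumes an average on-disk size of about 320 bytes per event (which is what makes 100 events/s come out near Isenhour's "about 1TB a year"), and the sample records are constructed lines in an invented flat export format, not real log output. The event IDs are the real ones: 528 (interactive) and 540 (network) are successful logons on Windows 2000/2003, 4624 on Vista/2008 and later, and 529 is a failed logon that must not be counted.

```python
"""Sizing and summarising Windows Security-log logon events.

Added example. Shows (1) daily/yearly log volume at a steady event rate,
(2) how fast a fixed-size log rolls over, (3) the minimum log size for a
daily backup-and-clear to lose nothing, and (4) a 24-hour per-account
summary of successful logons. Event size and sample records are assumptions.
"""
from collections import Counter
from datetime import datetime

# Successful-logon event IDs: 528/540 on Windows 2000/2003, 4624 on Vista/2008+.
# 529 (failed logon) is deliberately absent.
SUCCESS_LOGON_IDS = {528, 540, 4624}

# Constructed sample records: "<ISO timestamp> <event id> <account> <logon type>".
# Invented lines in a flat export format, not real Security-log output.
SAMPLE_EVENTS = """\
2006-08-30T00:00:01 540 jisenhour 3
2006-08-30T00:00:01 540 dharris 3
2006-08-30T08:15:22 528 dharris 2
2006-08-30T08:15:30 540 jisenhour 3
2006-08-30T09:02:11 529 svc_backup 3
2006-08-30T12:00:00 540 svc_backup 5
2006-08-30T23:59:59 540 jisenhour 3
"""

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365


def parse_events(text):
    """Parse the flat export into (timestamp, event_id, account, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, int(logon_type)))
    return events


def successful_logons_per_account(text):
    """The 24-hour summary: successful logon events per account, failures ignored."""
    counts = Counter()
    for _ts, event_id, account, _logon_type in parse_events(text):
        if event_id in SUCCESS_LOGON_IDS:
            counts[account] += 1
    return dict(counts)


def daily_volume_bytes(events_per_second, avg_event_bytes):
    """Bytes written to the log per day at a steady event rate."""
    return events_per_second * SECONDS_PER_DAY * avg_event_bytes


def yearly_volume_bytes(events_per_second, avg_event_bytes):
    """Bytes per year; this is the figure behind 'about 1TB a year'."""
    return daily_volume_bytes(events_per_second, avg_event_bytes) * DAYS_PER_YEAR


def rollover_interval_hours(max_log_bytes, events_per_second, avg_event_bytes):
    """Hours until an overwrite-as-needed log of the given size wraps."""
    return max_log_bytes / (events_per_second * avg_event_bytes) / 3600


def min_log_bytes_for_daily_backup(events_per_second, avg_event_bytes, safety_factor=2.0):
    """Smallest max-log-size at which a once-a-day backup-and-clear never
    overwrites events, with headroom for bursts (8 a.m. logon storms, scans)."""
    return int(daily_volume_bytes(events_per_second, avg_event_bytes) * safety_factor)


if __name__ == "__main__":
    rate, size = 100, 320  # assumed: 100 events/s, ~320 bytes per event on disk
    print(f"daily volume:  {daily_volume_bytes(rate, size) / 1e9:.2f} GB")
    print(f"yearly volume: {yearly_volume_bytes(rate, size) / 1e12:.2f} TB")
    print(f"a 512 MB log wraps every {rollover_interval_hours(512 * 2**20, rate, size):.1f} h")
    print(f"min size for daily backup-and-clear: "
          f"{min_log_bytes_for_daily_backup(rate, size) / 2**30:.1f} GiB")
    print("successful logons per account:", successful_logons_per_account(SAMPLE_EVENTS))
```

At the assumed rate and event size a 512 MB Security log wraps in under five hours, and keeping a full day on box with 2x headroom needs a log of roughly 5 GiB per domain controller, which is the arithmetic behind calling option b "unmanageable": either the log is shipped off the DC continuously (option c) or the per-DC log must be sized above a day's volume and emptied on a schedule, with the clear only happening after the backup is confirmed written.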
