I've been told by some folks at Microsoft that it won't just be Longhorn, but that Windows Server 2003 will have some native (and free?) options for collecting event log data into SQL and performing reporting, similar to what 3rd party products or custom development mentioned on this thread are capable of. I'm not sure if it will be more powerful than what can be done with LogParser, or just easier...
There was also some mention of MOM packs to go along with it. I've not seen anything official yet, though. --James -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: Thursday, August 31, 2006 4:54 AM To: [email protected] Subject: RE: [ActiveDir] Logging successful logons in AD security log Interesting. from the article: "Microsoft plans to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up." since the last update was Mar 28 2003, I wonder how this applies to Wndows 2003 R2 and the 64 Bit versions of Windows, or if this will only be fixed in Longhorn. Glenn ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Thursday, 31 August 2006 7:20 PM To: [email protected]; [email protected] Subject: Re: [ActiveDir] Logging successful logons in AD security log Does everyone know this recomendation from Microsoft? On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs - plus the Directory Service, File Replication Service, and DNS Server logs - should not exceed 300 MB. http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e 5e-514173bf15e31033.mspx?mfr=true Mark ________________________________ Return-Path: <[EMAIL PROTECTED]> Thu Aug 31 04:12:18 2006 Received: from smarthost1.giacom.net [194.131.240.55] by mail1.giacom.net with SMTP; Thu, 31 Aug 2006 04:12:18 +0100 Received: from mail.activedir.org ([12.168.66.190]) by smarthost1.giacom.net with MailEnable ESMTP; Thu, 31 Aug 2006 04:12:15 +0100 Received: from smtp111.sbc.mail.mud.yahoo.com [68.142.198.210] by mail.activedir.org (SMTPD32-8.15) id A27721B0148; Wed, 30 Aug 2006 23:07:35 -0400 Received: (qmail 99368 invoked from network); 31 Aug 2006 03:07:35 -0000 Received: from unknown (HELO ?192.168.16.19?) ([EMAIL PROTECTED]@69.106.185.80 with plain) by smtp111.sbc.mail.mud.yahoo.com with SMTP; 31 Aug 2006 03:07:35 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pacbell.net; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Reference s:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=PEIfvYwJhIYktsWE3wK8pnfo1RmbheeJg4LXCAQ1cS/3aIkBB+zWPBGoNL0vpHGQ7U+CwL+WPV R6qNv7o1jr4Xp9zMxBmnzKaUuWHbmSmTn++z6CEr/Q5njP0rjFViu7J0fVz2mvIfjfh29qkH R6qNv7o1jr4Xp9zMxBmnzKaUuWHbmSmTn++O6+P EuYRMiJ3/EUAyhoBySfo8= ; Message-ID: <[EMAIL PROTECTED]> Date: Wed, 30 Aug 2006 20:07:29 -0700 From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]> User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: [email protected] Subject: Re: [ActiveDir] Logging successful logons in AD security log References: <[EMAIL PROTECTED]> In-Reply-To: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [email protected] Received-SPF: none (smarthost1.giacom.net: mail.activedir.org does not designate permitted sender hosts) X-Declude-Sender: [EMAIL PROTECTED] [12.168.66.190] X-Note: This E-mail was scanned in real-time by Giacom Anti-Spam and Giacom Anti-Virus. Advanced Virus and Spam protection is available to subscribers of Giacom Business Pro Plus. Visit http://www.giacom.com for more details. X-Spam-Tests-Failed: ROUTING [-1] X-Note: This E-mail was sent from ([12.168.66.190]). X-Rcpt-To: <[EMAIL PROTECTED]> Ask the PSS security guys and they want success and failure. Only having half the story... is only half the story.... Buy bigger harddrives and archive. Sitton Glen E wrote: > I don't know that there is a 'general consensus' because everyone's > business needs differ. My environment has around 100K users and you're > right, there's a ridiculously high volume of logon events. We set the > security log size very high on the domain controllers, and collect and > clear the security logs several times per day using a > commercially-available "fancy log management system." We don't allow > the security logs to rollover. The eventlog management software gives > us an impressive battery of audit reports, and a compressed eventlog > repository that we archive for FISMA compliance. > > I'm sure our uncompressed event log archive is well above 1TB per year. > But we realize about a 20:1 compression using the commercial software. > > Your options may be limited by legal requirements that may govern the > audit logs of your business or organization. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, > Joseph > Sent: Wednesday, August 30, 2006 5:32 PM > To: [email protected] > Subject: RE: [ActiveDir] Logging successful logons in AD security log > > That may work, but it sort of falls under option b. The logs will grow > so large that they will become unmanageable. I did some calculations > and it works out to be about 1TB a year. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris > Sent: Wednesday, August 30, 2006 3:06 PM > To: [email protected] > Subject: RE: [ActiveDir] Logging successful logons in AD security log > > I have a pretty small site, and this probably won't scale very well, > but I have a script scheduled to run every day at midnight that backs > up the security log to a compressed folder & clears it. I have the log > size set ridiculously high, so it doesn't rollover unexpectedly. > > dtmThisDay = Day(Date) > dtmThisMonth = Month(Date) > dtmThisYear = Year(Date) > strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & > "_" & Hour(Time) & Minute(Time) strComputer = "." > Set objWMIService = GetObject("winmgmts:" _ & > "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _ > strComputer & "\root\cimv2") Set colLogFiles = objWMIService.ExecQuery > _ ("Select * from Win32_NTEventLogFile where LogFileName='Security'") > For Each objLogfile in colLogFiles > objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _ > "_security.evt") > objLogFile.ClearEventLog() > Next > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, > Joseph > Sent: Wednesday, August 30, 2006 3:10 PM > To: [email protected] > Subject: [ActiveDir] Logging successful logons in AD security log > > What is the general consensus on logging successful logon events? > > For example if you have a domain with 100K users or so and you use AD > as your primary authentication service for: application, file, email, > and web access then it is plausible that you will end up with up to > 100 log entries per second. That kind of volume will no doubt cause > the logs to roll over frequently thus making them somewhat useless. > > The only alternatives I see are: > > a) Don't log success logon. > b) Set your event log size to a very large (and possibly unmanageable) > size. > c) Invest in a fancy log management system that will collect, index, > and retain all of your logs. > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
