ACS (audit collection service) is now under the MOM/System Center
Umbrella and out in the 2007 era...but I don't think it's free anymore
in it's plans.
The Vista event viewer is vastly different than the XP one.
You can ask Brian about the audit logging into SQL.
Wells, James Arthur wrote:
I've been told by some folks at Microsoft that it won't just be Longhorn, but
that Windows Server 2003 will have some native (and free?) options for
collecting event log data into SQL and performing reporting, similar to what
3rd party products or custom development mentioned on this thread are
capable of. I'm not sure if it will be more powerful than what can be done
with LogParser, or just easier...
There was also some mention of MOM packs to go along with it.
I've not seen anything official yet, though.
--James
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Thursday, August 31, 2006 4:54 AM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log
Interesting.
from the article: "Microsoft plans to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up." since the last update was Mar 28 2003, I wonder how this applies to Wndows 2003 R2 and the 64 Bit versions of Windows, or if this will only be fixed
in Longhorn.
Glenn
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: [email protected]; [email protected]
Subject: Re: [ActiveDir] Logging successful logons in AD security log
Does everyone know this recomendation from Microsoft?
On Windows XP, member servers, and stand-alone servers, the combined size of
the application, security, and system event logs should not exceed 300 MB.
On domain controllers, the combined size of these three logs - plus the
Directory Service, File Replication Service, and DNS Server logs - should not
exceed 300 MB.
http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e
5e-514173bf15e31033.mspx?mfr=true
Mark
________________________________
Return-Path: <[EMAIL PROTECTED]> Thu Aug 31 04:12:18 2006
Received: from smarthost1.giacom.net [194.131.240.55] by mail1.giacom.net with
SMTP; Thu, 31 Aug 2006 04:12:18 +0100
Received: from mail.activedir.org ([12.168.66.190]) by smarthost1.giacom.net
with MailEnable ESMTP; Thu, 31 Aug 2006 04:12:15 +0100
Received: from smtp111.sbc.mail.mud.yahoo.com [68.142.198.210] by
mail.activedir.org
(SMTPD32-8.15) id A27721B0148; Wed, 30 Aug 2006 23:07:35 -0400
Received: (qmail 99368 invoked from network); 31 Aug 2006 03:07:35 -0000
Received: from unknown (HELO ?192.168.16.19?) ([EMAIL PROTECTED]@69.106.185.80
with plain) by smtp111.sbc.mail.mud.yahoo.com with SMTP; 31 Aug 2006 03:07:35
-0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pacbell.net;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Reference
s:In-Reply-To:Content-Type:Content-Transfer-Encoding;
b=PEIfvYwJhIYktsWE3wK8pnfo1RmbheeJg4LXCAQ1cS/3aIkBB+zWPBGoNL0vpHGQ7U+CwL+WPV
R6qNv7o1jr4Xp9zMxBmnzKaUuWHbmSmTn++z6CEr/Q5njP0rjFViu7J0fVz2mvIfjfh29qkH
R6qNv7o1jr4Xp9zMxBmnzKaUuWHbmSmTn++O6+P
EuYRMiJ3/EUAyhoBySfo8= ;
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 30 Aug 2006 20:07:29 -0700
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: [email protected]
Subject: Re: [ActiveDir] Logging successful logons in AD security log
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: [email protected]
Received-SPF: none (smarthost1.giacom.net: mail.activedir.org does not
designate permitted sender hosts)
X-Declude-Sender: [EMAIL PROTECTED] [12.168.66.190]
X-Note: This E-mail was scanned in real-time by Giacom Anti-Spam and Giacom
Anti-Virus. Advanced Virus and Spam protection is available to subscribers of
Giacom Business Pro Plus. Visit http://www.giacom.com for more details.
X-Spam-Tests-Failed: ROUTING [-1]
X-Note: This E-mail was sent from ([12.168.66.190]).
X-Rcpt-To: <[EMAIL PROTECTED]>
Ask the PSS security guys and they want success and failure. Only having half
the story... is only half the story....
Buy bigger harddrives and archive.
Sitton Glen E wrote:
I don't know that there is a 'general consensus' because everyone's
business needs differ. My environment has around 100K users and you're
right, there's a ridiculously high volume of logon events. We set the
security log size very high on the domain controllers, and collect and
clear the security logs several times per day using a
commercially-available "fancy log management system." We don't allow
the security logs to rollover. The eventlog management software gives
us an impressive battery of audit reports, and a compressed eventlog
repository that we archive for FISMA compliance.
I'm sure our uncompressed event log archive is well above 1TB per year.
But we realize about a 20:1 compression using the commercial software.
Your options may be limited by legal requirements that may govern the
audit logs of your business or organization.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 5:32 PM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log
That may work, but it sort of falls under option b. The logs will grow
so large that they will become unmanageable. I did some calculations
and it works out to be about 1TB a year.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, August 30, 2006 3:06 PM
To: [email protected]
Subject: RE: [ActiveDir] Logging successful logons in AD security log
I have a pretty small site, and this probably won't scale very well,
but I have a script scheduled to run every day at midnight that backs
up the security log to a compressed folder & clears it. I have the log
size set ridiculously high, so it doesn't rollover unexpectedly.
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay &
"_" & Hour(Time) & Minute(Time) strComputer = "."
Set objWMIService = GetObject("winmgmts:" _ &
"{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
strComputer & "\root\cimv2") Set colLogFiles = objWMIService.ExecQuery
_ ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogfile in colLogFiles
objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
"_security.evt")
objLogFile.ClearEventLog()
Next
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: [email protected]
Subject: [ActiveDir] Logging successful logons in AD security log
What is the general consensus on logging successful logon events?
For example if you have a domain with 100K users or so and you use AD
as your primary authentication service for: application, file, email,
and web access then it is plausible that you will end up with up to
100 log entries per second. That kind of volume will no doubt cause
the logs to roll over frequently thus making them somewhat useless.
The only alternatives I see are:
a) Don't log success logon.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index,
and retain all of your logs.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
