You need to go through and look at the actual description and decide if there really is business value in collecting this data. With what you have configured, I would imagine the security event logs only go back a few minutes or hours on a typical device, which obviously defeats the whole purpose of logging.
Things like ‘Audit object access’ are useful only while you are looking at them, since every action of the OS will access some file or registry key, meaning that it alone will add hundreds of event log entries per minute. Approach this as an additive process – only add the things you really really really have a need to get and leave the rest of the noise off.

From: [email protected] [mailto:[email protected]] On Behalf Of Ewing, Scott L
Sent: Wednesday, July 30, 2014 8:40 AM
To: [email protected]
Subject: [mssms] Security event logging

How do you have your Windows security event log audit policy configured? Which categories do you have enabled for success logging? How about failure logging? What is the “best practice”?

Thanks!
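
Added example, not part of the original thread: a PowerShell check of the two things the reply raises, how far back the Security log actually reaches on a device and which event IDs are filling it, followed by the audit subcategories currently enabled. It assumes an elevated session on the machine being checked; the 20,000-event sample size is an arbitrary choice.

```powershell
# Added example (not from the original thread). Run in an elevated session.

# 1. How far back does the Security log reach with the current policy and size?
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$span   = $newest.TimeCreated - $oldest.TimeCreated

[pscustomobject]@{
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    LogMode       = $log.LogMode        # Circular = oldest events are overwritten
    RecordCount   = $log.RecordCount
    OldestEvent   = $oldest.TimeCreated
    CoverageHours = [math]::Round($span.TotalHours, 2)
}

# 2. Which event IDs produce the volume? Sample size is an arbitrary choice.
Get-WinEvent -LogName Security -MaxEvents 20000 |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 3. Which audit subcategories are enabled right now (effective policy)?
auditpol /get /category:* /r |
    Where-Object { $_ } |               # drop blank lines before CSV parsing
    ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting'
```

A small CoverageHours value alongside a few dominant event IDs points to the subcategories to turn off first, or to a log size that is too small for what is enabled.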

