I typically set my logs at 32 megs on the server for everything. Turn on
auditing for logon events, and file access success/failure. I think there
was one or two more but that's it for the most part. Trying to sift through
logs can be painful at best. If you are looking for particular items at a
particular time it's not too bad, but the noise level is usually pretty high.


 

If you want general overall knowledge, and maybe some decent reporting over
time you definitely will want to get some kind of log viewer app to
centralize it and parse the data.

 

  _____  

From: Matthew W. Ross [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 12, 2008 3:13 PM
To: NT System Admin Issues
Subject: Windows Auditing... What do you audit?

 

Hey List.

I'm learning about Windows auditing. As I read up on the subject, I'm curious
what most of you guys are auditing...

Login attempts? Failures?
File access attempts for all users?
Do you log only on the servers, or workstations as well?
How big do you make your security event log?
Is there a bunch of "noise" in the log from various cache files?

Thanks for the info.

--Matt Ross

 
