Be careful about pushing event log sizes too high. There is a 1GB shared memory heap that is used for both event logs (assuming Win2k3 and x86), and other services that want to use it. If you have something that wants to use that same shared heap, and you run out of it, you'll miss events. 50MB or 100MB is usually fine. Use a tool like logparser, eventcmb or your operations management tool (ops Manager or whatever) to groom events from the event logs to a central repository.
Cheers
Ken

From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Friday, 1 August 2008 11:20 PM
To: NT System Admin Issues
Subject: RE: Folders moveing themselves

Well there is a little more to it.

1) I would limit the scope of your auditing for right now to the OU that contains the server(s) in question. I think it was mentioned before why putting your servers in your own OU for management and lockdown is a good idea.

2) You can enable the auditing and then push down to your servers accordingly, you don't need to do it at the domain level if you have the structure in (1) above.

3) After this you must configure success and failure auditing as I described before on the folders/files I talked of, and you need to be selective on whom you are targeting for the audit so as not to run your audit logs full. (I would recommend in the GPO in (2) above pushing your audit log size to 50MB or higher so you capture the events.)

4) Lastly you need to add a test user to the group to be audited in question and then try out moving folders and then parsing the logs accordingly, to make sure the event fires off when you move/delete a folder.

If you run into issues, contact me off list, I will give you a hand.

Sincerely,
EZ

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

________________________________

From: Gavin Wilby [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2008 4:55 AM
To: NT System Admin Issues
Subject: Re: Folders moveing themselves
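A read-only check of the sizing advice in this thread, added here as an example and not posted by anyone on the list: it lists each event log's configured maximum size and overflow behaviour on one server, flags a Security log below the 50MB suggested above, and warns when the combined maximum exceeds a budget. The function name, the parameter names and the 300MB combined budget are assumptions, and it needs Windows PowerShell, since `Get-EventLog` is not available in PowerShell 7.

```powershell
# Added example: report configured event log sizes on the local server.
# Read-only; it changes no settings. Run in Windows PowerShell.
function Get-EventLogSizeReport {
    param(
        [int]$SecurityMinMB    = 50,   # from the thread: 50MB or higher for the audit log
        [int]$CombinedBudgetMB = 300   # ASSUMPTION: ceiling for all logs combined; tune per server
    )

    # One row per log, with the maximum size converted from KB to MB.
    $rows = Get-EventLog -List | Select-Object Log,
        @{ n = 'MaxMB';    e = { [math]::Round($_.MaximumKilobytes / 1024, 1) } },
        @{ n = 'Overflow'; e = { $_.OverflowAction } },
        @{ n = 'Finding';  e = { '' } }

    foreach ($r in $rows) {
        $notes = @()
        if ($r.Log -eq 'Security' -and $r.MaxMB -lt $SecurityMinMB) {
            $notes += "below ${SecurityMinMB}MB, audit events may roll off before they are collected"
        }
        if ($r.Overflow -eq 'DoNotOverwrite') {
            # With this setting new entries are discarded once the log is full.
            $notes += 'stops recording when full'
        }
        $r.Finding = $notes -join '; '
    }

    # The thread's caution: large maximums all draw on the same shared heap.
    $totalMB = ($rows | Measure-Object -Property MaxMB -Sum).Sum
    if ($totalMB -gt $CombinedBudgetMB) {
        Write-Warning "Combined maximum log size ${totalMB}MB exceeds the ${CombinedBudgetMB}MB budget"
    }

    $rows
}

Get-EventLogSizeReport | Format-Table Log, MaxMB, Overflow, Finding -AutoSize
```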
