On Tue, May 3, 2011 at 4:24 PM, Kurt Buff <[email protected]> wrote:
>>> ... user column shows N/A for all my Audit Entries
>> That functionality was lost with the NT 6.0 security log "improvements".
>
> Stunning stupidity. Wow.

Stupidity, yes, but at this point, no longer stunning.

Note the user detail is still logged, it just gets put in the description text. So browsing the events is much harder. And the exact field isn't always consistent, so even pulling it out with the XML parsing stuff is harder than it should be.

I'm highly disgusted with Microsoft on the security logging in 6.0. We in the security community have been telling them for something like a decade that NT's security logging sucks. Before 6.0, it didn't always log the user information in the "User" field, it generated a lot of false positive events, the meaning and causes of events were poorly documented, "Privilege Use" auditing was useless, and it would sometimes not log events when it should. For years they told us it would be improved in 6.0. Now it *never* logs the user information in the "User" field, it generates *more* false positive events, the meaning and causes of events are still poorly documented, "Privilege Use" auditing is still useless, and it still sometimes doesn't log events when it should.

The advanced filtering and extraction capabilities added to Event Viewer don't make up for the fundamental failings in the log itself. It's like trying to fix a building with a weak foundation by adding another story.

-- Ben
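
The point above about the user detail moving out of the "User" field into inconsistently named fields, as an added example (not part of the original message): a Python sketch that pulls the account out of an event rendered as XML. The sample events are constructed, and the per-event field choices in `PREFERRED` are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Which EventData field names the account of interest, per event ID.
# Illustrative choices for this example; extend for the events you audit.
PREFERRED = {
    "4624": ("TargetUserName", "TargetDomainName"),    # logon: account that logged on
    "4688": ("SubjectUserName", "SubjectDomainName"),  # process creation: creator
}
FALLBACK = [("SubjectUserName", "SubjectDomainName"),
            ("TargetUserName", "TargetDomainName")]

def event_user(xml_text):
    """Return (event_id, account or None) for one event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    candidates = ([PREFERRED[event_id]] if event_id in PREFERRED else []) + FALLBACK
    for user_key, domain_key in candidates:
        user = data.get(user_key, "")
        if user and user != "-":                 # "-" marks an unused field
            domain = data.get(domain_key, "")
            if domain and domain != "-":
                return event_id, domain + "\\" + user
            return event_id, user
    return event_id, None                        # no usable account field found

def sample_event(event_id, fields):
    """Build a constructed event in the NT 6.x XML layout (not a real log)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Security/></System><EventData>{body}</EventData></Event>')

# Constructed samples: note the empty <Security/> element in every one.
SAMPLES = [
    sample_event("4624", {"SubjectUserName": "-", "SubjectDomainName": "-",
                          "TargetUserName": "alice", "TargetDomainName": "CORP"}),
    sample_event("4688", {"SubjectUserName": "bob", "SubjectDomainName": "CORP",
                          "NewProcessName": "C:\\Windows\\System32\\cmd.exe"}),
    sample_event("4720", {"TargetUserName": "newacct", "TargetDomainName": "CORP",
                          "SubjectUserName": "admin1", "SubjectDomainName": "CORP"}),
    sample_event("1102", {}),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(event_user(xml_text))
```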
