Offhand, I don't remember which one it is, Russ, but I use a tool on our servers (well, not all of them, but the majority that I need the data off of) that sends the logs to a syslog server that is hosted on a Unix system and is used department-wide, including for the Security Director's and Security Analysts' reporting. We're able to define what events are funneled over so that they don't end up getting a bunch of useless crap that has no bearing on security, but does have a bearing on us resolving a user login issue.
Just remembered what I'm using.... It's a product called Snare Agent for Windows, put out under the GNU license, and is free for the using. It can report, as I'm doing, to a syslog server. http://www.intersectalliance.com/projects/BackLogNT/

Enjoy!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, December 26, 2003 9:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] How large are your security logs on your DC's?

Central logging server? How do you go about redirecting all your event logs to a single server?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Reynolds
Sent: Friday, December 26, 2003 2:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How large are your security logs on your DC's?

I have managed very large environments for a few years now. You need a central logging server to gather all the logs and copy them into a database, then write reports to flag the items where you are at risk.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rimmerman, Russ
Sent: Thursday, December 25, 2003 6:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] How large are your security logs on your DC's?

I take it y'all don't view your event logs remotely across the LAN (especially not the WAN)? We set all our logs to 8MB on DCs, member servers, etc. We have a default domain-level policy setting it that way for the domain. I guess this isn't a good idea, since we recently went through an audit and they required us to turn on auditing? Is there a recommended MS KB article anywhere to show to the team here?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Joe
Sent: Thursday, December 25, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How large are your security logs on your DC's?

We currently have our security logs set to 100MB. Depending on the domain controller, the logs can take anywhere from 12 hours to a couple of weeks to "roll". Our data center servers tend to roll over every 20 hours during normal everyday operation, but when we are getting pounded by authenticating worms and such it goes to about every 12 hours.

Our auditing is:

Account logon events: failure
Account management: success/failure
Logons: failure
Object access: none
Policy changes: success/failure
Privilege use: success/failure
Process tracking: none
System events: success/failure

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, December 24, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How large are your security logs on your DC's?

We have auditing enabled on all our servers, with the Security log set to 5MB on member servers. We upped that number to 25MB on DCs because the log was filling so fast, then again to 50MB, but it's still only maintaining about 3-4 days' worth of logs (we have it configured to prune as needed). We have plenty of disk space, but I know the more we track, the harder it is to even open the log, especially remotely. I'm curious how others have their logs set up. We need to be able to track when users have logged on or off and when changes are made to policies and accounts.
The audit settings are (I'm doing this from memory; I'm not at work):

Account logon events: success/failure
Account management: success/failure
Logons: success/failure
Object access: none
Policy changes: success/failure
Privilege use: failure
Process tracking: none
System events: success/failure

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
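Added example, not code from the thread or from the Snare project: a small Python collector for the setup Rick describes (a syslog server receiving Snare records from the DCs and keeping only the events that matter), followed by the "copy into a database, then write reports to flag the items where you are at risk" step from Rick Reynolds' reply. The tab-delimited field order, the Windows 2000/2003 Security event IDs in the allow-list and the sample lines are all assumptions constructed for this example; check the field layout against the Snare agent version you actually deploy.

```python
"""Collector for Snare-format Windows Security events arriving over syslog.

Added example, not code from the thread or from Snare. Assumed throughout:
the tab-delimited Snare for Windows field order described below, the
Windows 2000/2003 Security event IDs in KEEP, and SAMPLE_LINES, which are
constructed for this example rather than captured traffic.
"""
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed Snare for Windows record layout after the syslog header:
# Criticality, SourceLog, SnareCounter, DateTime, EventID, SourceName,
# UserName, SIDType, EventLogType, ComputerName, CategoryString, DataString
# (any trailing fields, e.g. a checksum, are ignored).
MIN_FIELDS = 12

# Ship only what has a bearing on security or login troubleshooting:
# logon failures, account management, audit policy changes, log clears.
KEEP: Dict[int, str] = {
    517: "Audit log cleared",
    529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: logon time restriction",
    531: "Logon failure: account disabled",
    539: "Logon failure: account locked out",
    612: "Audit policy changed",
    624: "User account created",
    626: "User account enabled",
    630: "User account deleted",
    632: "Member added to global group",
    636: "Member added to local group",
    642: "User account changed",
    644: "User account locked out",
}
LOGON_FAILURE_IDS = {529, 530, 531, 539}
ACCOUNT_MGMT_IDS = {624, 626, 630, 632, 636, 642, 644}


@dataclass
class SnareRecord:
    host: str
    source_log: str
    timestamp: str
    event_id: int
    user: str
    event_type: str
    category: str
    data: str


def parse_snare_line(line: str) -> Optional[SnareRecord]:
    """Parse one syslog line carrying a Snare record; None if malformed."""
    header, *fields = line.rstrip("\r\n").split("\t")
    tokens = header.split()  # "<pri>Mon DD HH:MM:SS host MSWinEventLog"
    if len(tokens) < 2 or tokens[-1] != "MSWinEventLog" or len(fields) < MIN_FIELDS:
        return None
    try:
        return SnareRecord(host=tokens[-2], source_log=fields[1], timestamp=fields[3],
                           event_id=int(fields[4]), user=fields[6], event_type=fields[8],
                           category=fields[10], data=fields[11])
    except ValueError:  # non-numeric event ID
        return None


def should_forward(rec: SnareRecord) -> bool:
    """The filter: only Security-log events on the allow-list reach the store."""
    return rec.source_log == "Security" and rec.event_id in KEEP


def ingest(lines: List[str]) -> Tuple[sqlite3.Connection, Dict[str, int]]:
    """Parse, filter and store records; returns the DB and ingest counters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (host TEXT, ts TEXT, event_id INTEGER, "
                 "username TEXT, event_type TEXT, category TEXT, data TEXT)")
    stats = {"received": 0, "stored": 0, "dropped": 0, "malformed": 0}
    for line in lines:
        stats["received"] += 1
        rec = parse_snare_line(line)
        if rec is None:
            stats["malformed"] += 1
        elif not should_forward(rec):
            stats["dropped"] += 1
        else:
            conn.execute("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?, ?)",
                         (rec.host, rec.timestamp, rec.event_id, rec.user,
                          rec.event_type, rec.category, rec.data))
            stats["stored"] += 1
    conn.commit()
    return conn, stats


def report(conn: sqlite3.Connection, failure_threshold: int = 3) -> dict:
    """Flag users with repeated logon failures and list every account change."""
    ph, ids = ",".join("?" * len(LOGON_FAILURE_IDS)), tuple(sorted(LOGON_FAILURE_IDS))
    rows = conn.execute(f"SELECT username, COUNT(*) FROM events WHERE event_id IN ({ph}) "
                        "GROUP BY username", ids)
    failed = {user: n for user, n in rows if n >= failure_threshold}
    ph, ids = ",".join("?" * len(ACCOUNT_MGMT_IDS)), tuple(sorted(ACCOUNT_MGMT_IDS))
    mgmt = conn.execute(f"SELECT event_id, username, data FROM events WHERE event_id IN ({ph}) "
                        "ORDER BY ts", ids).fetchall()
    return {"failed_logons": failed, "account_management": mgmt}


def _snare(host, log, counter, hms, eid, src, user, etype, cat, data) -> str:
    """Build a constructed Snare-style line in the assumed layout (test data only)."""
    return (f"<13>Dec 26 {hms} {host} MSWinEventLog\t1\t{log}\t{counter}\tFri Dec 26 {hms} 2003"
            f"\t{eid}\t{src}\t{user}\tUser\t{etype}\t{host}\t{cat}\t{data}\t3")


SAMPLE_LINES = [  # constructed sample input, not captured traffic
    _snare("DC01", "Security", 1042, "09:22:01", 529, "Security", "jdoe", "Failure Audit",
           "Logon/Logoff", "Logon Failure: Reason: Unknown user name or bad password"),
    _snare("DC01", "Security", 1043, "09:22:04", 529, "Security", "jdoe", "Failure Audit",
           "Logon/Logoff", "Logon Failure: Reason: Unknown user name or bad password"),
    _snare("DC02", "Security", 2201, "09:22:09", 529, "Security", "jdoe", "Failure Audit",
           "Logon/Logoff", "Logon Failure: Reason: Unknown user name or bad password"),
    _snare("DC01", "Security", 1044, "09:23:10", 624, "Security", "admin", "Success Audit",
           "Account Management", "User Account Created: New Account Name: svc-backup"),
    _snare("DC01", "Security", 1045, "09:23:30", 528, "Security", "alice", "Success Audit",
           "Logon/Logoff", "Successful Logon: Logon Type: 3"),  # noise: dropped
    _snare("DC01", "Application", 1046, "09:24:00", 1000, "MSDTC", "N/A", "Information",
           "None", "Service started"),  # wrong log: dropped
    "<13>Dec 26 09:24:05 DC01 sshd[4242]: not a Snare record at all",  # malformed
    _snare("DC02", "Security", 2202, "09:25:00", 517, "Security", "admin", "Success Audit",
           "System Event", "The audit log was cleared"),
]

if __name__ == "__main__":
    db, counters = ingest(SAMPLE_LINES)
    print(counters)
    print(report(db))
```

The filter runs before the insert, which is the point Rick makes: the central server never has to store the successful logons and Application-log chatter that fill a DC's local log in hours. A real collector would read the lines from a UDP/TCP syslog socket and write to a persistent database rather than `:memory:`, but the parse, filter and report steps are the same.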