Hi Andy! When you right-click the sensor and select "edit properties", click the "Servor Sensor" tab. There is a setting labled "Enforce audit policy". If this is selected, then the sensor w�ll change the system auditing to do what it needs to. I had the same problem (mine was unsuccessful logins, but the idea is the same). Uncheck that option and you should be good to go.
Regards, Jim Mohr -----Urspr�ngliche Nachricht----- Von: Dryburgh, Andrew [mailto:[EMAIL PROTECTED] Gesendet: Montag, 9. Februar 2004 15:46 An: [EMAIL PROTECTED] Betreff: [ISSForum] Server Sensor7.0 and Windows auditing. ***** THIS EMAIL WAS SENT VIA THE INTERNET ***** Hi All, I have found that our security event logs are filling up rapidly due to logging Successful Object Access - making them hard to manage. I want to change the Windows audit policy to only log failed object accesses, according to NSA guidelines, but when I do server sensor seems to overwrite the setting putting it back to success, failure. I know there is an audit.policy file on the sensor but I can't find anywhere to administer it from. Does server sensor require a certain auditing configuration to function properly? Does it need to have successful object accesses audited? Any help would be much appreciated. Andy ********************************************************************** This email is privileged, confidential and subject to copyright. Any unauthorised use or disclosure of its content is prohibited. The views expressed in this communication may not necessarily be the views held by Scottish Borders Council ********************************************************************** _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
