RE: [ActiveDir] Logging successful logons in AD security log

2006-09-01 Thread Free, Bob
Exactly. As described in KB824245. Thanks David.

That is exactly what happened to me, I was controlling the size with the
GPO (or so I thought) and when I was done testing and wanted to reduce
the size, the actual logs never reflected the GPO setting.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, September 01, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

The bug you're probably referring to is that in 2003 RTM you cannot
reduce the size of an Event Log via GPO.  You can increase the size but
not decrease it.  This can cause you to have larger logs than what you
think if all you do is review what the GPOs say.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
> Sent: Friday, September 01, 2006 1:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
> 
> >I can say that I have seen logs way bigger than the specified max size.
> 
> 
> That's probably due to the little bug in the Policy setting vs actual
> size, I don't have the reference with me but it's back at the office, I
> had to figure it out because my DC logs actual sizes weren't matching
> what was in the Domain Controller GPO.
> 
> Anyway, the point I mentioned the other day and that Mark later
> reiterated was the practical limit of ~300MB, or risk of introducing
> problems with services.exe, lsass, the audit subsystem etc on a DC. Are
> you saying you have seen the aggregate size of the eventlogs go over
> that? I found out about the instability the hard way and then once I
> knew what to look for the references became apparent.
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
> Sent: Thursday, August 31, 2006 9:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
> 
> 
> I can say that I have seen logs way bigger than the specified max size.
> I can't say it's hurt the servers in any way.
> 
> 
> Sincerely,
> Deji Akomolafe
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
> 
> 
> 
> From: Glenn Corbett
> Sent: Thu 8/31/2006 2:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
> 
> 
> Interesting.
>  
> from the article: "Microsoft plans to resolve these problems in the next
> version of Windows by rewriting the event logging system from the ground
> up."  since the last update was Mar 28 2003, I wonder how this applies to
> Windows 2003 R2 and the 64 Bit versions of Windows, or if this will only
> be fixed in Longhorn.
>  
> Glenn
>  
> 
> ________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Thursday, 31 August 2006 7:20 PM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Logging successful logons in AD security log
> 
> 
> Does everyone know this recommendation from Microsoft?
> 
> On Windows XP, member servers, and stand-alone servers, the combined
> size of the application, security, and system event logs should not
> exceed 300 MB.
> On domain controllers, the combined size of these three logs - plus the
> Directory Service, File Replication Service, and DNS Server logs - should
> not exceed 300 MB.
> 
> http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true
> 
> Mark
> 

RE: [ActiveDir] Logging successful logons in AD security log

2006-09-01 Thread David Adner
The bug you're probably referring to is that in 2003 RTM you cannot reduce
the size of an Event Log via GPO.  You can increase the size but not
decrease it.  This can cause you to have larger logs than what you think if
all you do is review what the GPOs say. 


RE: [ActiveDir] Logging successful logons in AD security log

2006-09-01 Thread Free, Bob
>I can say that I have seen logs way bigger than the specified max size.


That's probably due to the little bug in the Policy setting vs actual
size, I don't have the reference with me but it's back at the office, I
had to figure it out because my DC logs actual sizes weren't matching
what was in the Domain Controller GPO.

Anyway, the point I mentioned the other day and that Mark later
reiterated was the practical limit of ~300MB, or risk of introducing
problems with services.exe, lsass, the audit subsystem etc on a DC. Are
you saying you have seen the aggregate size of the eventlogs go over
that? I found out about the instability the hard way and then once I
knew what to look for the references became apparent.



Re: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
On us wacko DCs... we are advised to keep the max of our log files at 64 MB otherwise it messes with the backup:

*Cause:*  An Event Log is larger than 64 MB.

*Solution:*  Reduce the size of the Event Log to a maximum of 64 MB.

Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

*To reduce the size of the Event Log*

  1. Click *Start*, click *Administrative Tools*, and then click *Event Viewer*.
  2. In the console tree, click any Event Log that is larger than 64 MB.
  3. On the *Action* menu, click *Properties*.
  4. On the *General* tab, in *Maximum log size*, specify a log size of 64000 kilobytes or less.
  5. To put the new setting in effect, click *Clear Log*.
     If you want to retain the information currently in the log, click *Yes* when a message appears asking if you want to save the original log before clearing it, and then click *OK*.

*Cause:*  Directory Service Access auditing is enabled.

*Solution:*  Disable Directory Service access auditing.

*To verify that Directory Service Access auditing is enabled*

  1. Click *Start*, click *Run*, and then type *rsop.msc*.
  2. In the details pane, double-click *Computer Configuration*, double-click *Windows Settings*, double-click *Security Settings*, double-click *Local Policies*, and then double-click *Audit Policy*.
  3. In the *Computer Setting* column, verify that it reads either *Success* or *Failure*.
     If Directory Service Access is not enabled, the entry in the Computer Setting column will read *No auditing*.

*To disable Directory Service access auditing*

  1. Click *Start*, and then click *Server Management*.
  2. In the console tree, click *Advanced Management*, and then click *Group Policy Management*.
  3. Navigate to /Forest/Domains/your domain/Domain Controllers, and then right-click *Small Business Server Auditing Policy*.
  4. Click *Edit* to open Group Policy Object Editor.
  5. In Group Policy Object editor, navigate to Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy.
  6. Double-click *Audit directory service access*.
  7. Clear the *Success* and *Failure* boxes if they are checked.
  8. Click *Start*, click *Command Prompt*, and then type *gpupdate /Force* to refresh the policy setting.


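Added example, not code from any message in this thread: a script that turns the checks discussed above into something a DC admin can run. It compares each classic log's configured MaxSize (the value a GPO or Event Viewer writes) with the log file actually on disk, which is how the "GPO cannot shrink a log" behaviour David describes becomes visible, sums the six DC logs against the 300 MB guidance Mark quotes and the 64000 KB per-log cap from Susan's SBS text, and reads the effective "Audit directory service access" setting that the SBS procedure checks through rsop.msc. It assumes an elevated session on the DC, that the log names are the registry key names under the Eventlog service, and uses secedit /export rather than the RSoP console.

```powershell
# Added example (not from the thread): event-log sizing and DS-access audit
# check for a domain controller. Assumes an elevated PowerShell session on
# the DC; log names are the registry key names of the classic logs.

$EventlogKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$DcLogs             = 'Application', 'Security', 'System',
                      'Directory Service', 'File Replication Service', 'DNS Server'
$AggregateLimitMB   = 300     # combined-size guidance quoted by Mark Parris
$PerLogBackupCapKB  = 64000   # per-log cap from the SBS backup guidance Susan pasted

function Get-ClassicLogStatus {
    param([string[]]$LogName = $DcLogs)
    foreach ($name in $LogName) {
        $keyPath = Join-Path $EventlogKey $name
        if (-not (Test-Path $keyPath)) { continue }    # log not present on this host
        $props = Get-ItemProperty -Path $keyPath
        # MaxSize is a DWORD in bytes and is what a GPO "Maximum log size" writes;
        # absent means no policy or Event Viewer setting was ever applied.
        $configured = if ($null -ne $props.MaxSize) { [int64]$props.MaxSize } else { 0 }
        # File is REG_EXPAND_SZ (typically %SystemRoot%\System32\Config\*.evt on 2003,
        # %SystemRoot%\System32\Winevt\Logs\*.evtx on later releases)
        $file   = [Environment]::ExpandEnvironmentVariables([string]$props.File)
        $onDisk = if ($file -and (Test-Path $file)) { (Get-Item $file).Length } else { 0 }
        [pscustomobject]@{
            Log           = $name
            ConfiguredKB  = [math]::Round($configured / 1KB)
            OnDiskKB      = [math]::Round($onDisk / 1KB)
            # On disk larger than configured: the smaller value never took effect
            # (the 2003 RTM GPO behaviour in the thread) and the log needs clearing.
            ExceedsConfig = ($configured -gt 0) -and ($onDisk -gt $configured)
            OverBackupCap = ($configured / 1KB) -gt $PerLogBackupCapKB
            File          = $file
        }
    }
}

function Test-AggregateLogSize {
    param([int]$LimitMB = $AggregateLimitMB)
    $status = @(Get-ClassicLogStatus)
    # Configured maxima are the worst case the DC can grow to; on-disk is today's load.
    $configuredMB = (($status | Measure-Object -Property ConfiguredKB -Sum).Sum) / 1KB
    $onDiskMB     = (($status | Measure-Object -Property OnDiskKB -Sum).Sum) / 1KB
    [pscustomobject]@{
        ConfiguredTotalMB = [math]::Round($configuredMB, 1)
        OnDiskTotalMB     = [math]::Round($onDiskMB, 1)
        OverLimit         = ($configuredMB -gt $LimitMB) -or ($onDiskMB -gt $LimitMB)
    }
}

function Get-DsAccessAuditSetting {
    # Exports the effective local security policy and reads AuditDSAccess from
    # its [Event Audit] section: 0 = No auditing, 1 = Success, 2 = Failure, 3 = both.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    try {
        $hit = Select-String -Path $inf -Pattern '^\s*AuditDSAccess\s*=\s*(\d)' |
               Select-Object -First 1
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
    if (-not $hit) { return 'Not defined' }
    switch ([int]$hit.Matches[0].Groups[1].Value) {
        0 { 'No auditing' }
        1 { 'Success' }
        2 { 'Failure' }
        3 { 'Success, Failure' }
    }
}

# Report: per-log table, aggregate verdict, and the audit setting that drives
# the Directory Service log volume.
Get-ClassicLogStatus | Format-Table Log, ConfiguredKB, OnDiskKB, ExceedsConfig, OverBackupCap -AutoSize
Test-AggregateLogSize | Format-List
"Audit directory service access: $(Get-DsAccessAuditSetting)"
```

A row with ExceedsConfig set to True is the symptom Bob and David describe: the GPO value is in the registry but the log on disk is still the old, larger size until it is cleared.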

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Isenhour, Joseph
This is great feedback.  Thanks to everyone for the information.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 31, 2006 6:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

That would be the Audit Collector Services (ACS) - been in Beta forever
and due to internal struggles they couldn't release it for free. AFAIK,
ACS is still planned to be a part of MOM.

The Longhorn Eventsystem is a completely different story - can handle
many more events (incl. great filtering capabilities) and has native
capability to forward events to other servers (centrally collect on one
or many LH servers). Not sure how the latter will scale, but it sure
will be interesting for many companies.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: Thursday, August 31, 2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I've been told by some folks at Microsoft that it won't just be
Longhorn, but that Windows Server 2003 will have some native (and free?)
options for collecting event log data into SQL and performing reporting,
similar to what 3rd party products or custom development mentioned on
this thread are capable of.  I'm not sure if it will be more powerful
than what can be done with LogParser, or just easier...

There was also some mention of MOM packs to go along with it.

I've not seen anything official yet, though.

--James




RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread neil.ruston



It can certainly hurt DCs. services.exe can consume huge amounts of RAM
at the detriment of lsass.exe.
 
e.g. I have seen services.exe consume ~ 2Gb of RAM thus leaving scraps
for lsass. Once a suitable monitoring solution was put in place and event
log sizes reduced, lsass grabbed more RAM and the DC performance went
thru the roof :)
 
neil



RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Akomolafe, Deji



I can say that I have seen logs way bigger than the specified max size. I can't say it's hurt the servers in any way.
 


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon







From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
Date: Wed, 30 Aug 2006 20:07:29 -0700
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only 
having half the story... is only half the story

Buy bigger harddrives and archive.

Sitton Glen E wrote:
> I don't know that there is a 'general consensus' because everyone's
> business needs differ. My environment has around 100K users and you're
> right, there's a ridiculously high volume of logon events. We set the
> security log size very high on the domain controllers, and collect and
> clear the security logs several times per day using a
> commercially-available "fancy log management system." We don't allow
> the security logs to rollover. The eventlog management software gives
> us an impressive battery of audit reports, and a compressed eventlog
> repository that we archive for FISMA compliance.
>
> I'm sure our uncompressed event log archive is well above 1TB per year.
> But we r

Re: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
ACS (audit collection service) is now under the MOM/System Center 
Umbrella and out in the 2007 era...but I don't think it's free anymore 
in its plans.


The Vista event viewer is vastly different than the XP one.

You can ask Brian about the audit logging into SQL.

Wells, James Arthur wrote:

I've been told by some folks at Microsoft that it won't just be Longhorn, but 
that Windows Server 2003 will have some native (and free?) options for 
collecting event log data into SQL and performing reporting, similar to what 
3rd party products or custom development mentioned on this thread are
capable of.  I'm not sure if it will be more powerful than what can be done 
with LogParser, or just easier...

There was also some mention of MOM packs to go along with it.

I've not seen anything official yet, though.

--James



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Thursday, August 31, 2006 4:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

Interesting.
 
from the article: "Microsoft plans to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up."  Since the last update was Mar 28 2003, I wonder how this applies to Windows 2003 R2 and the 64 Bit versions of Windows, or if this will only be fixed in Longhorn.
 
Glenn
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log


Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of 
the application, security, and system event logs should not exceed 300 MB.
On domain controllers, the combined size of these three logs - plus the 
Directory Service, File Replication Service, and DNS Server logs - should not 
exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e
5e-514173bf15e31033.mspx?mfr=true

Mark





Date: Wed, 30 Aug 2006 20:07:29 -0700
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only having half 
the story... is only half the story

Buy bigger hard drives and archive.

Sitton Glen E wrote:
  
I don't know that there is a 'general consensus' because everyone's 
business needs differ. My environment has around 100K users and you're 
right, there's a ridiculously high volume of logon events. We set the 
security log size very high on the domain controllers, and collect and 
cl

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread David Adner
This is a Vista/Longhorn change as the event logging system has been
completely revamped.  I'm not, however, 100% certain about 64bit XP and 2003
on if they suffer from the same limitations as the 32bit flavors.  I suspect
they do. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
> Sent: Thursday, August 31, 2006 4:54 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
> 
> Interesting.
>  
> from the article: "Microsoft plans to resolve these problems 
> in the next version of Windows by rewriting the event logging 
> system from the ground up."  since the last update was Mar 28 
> 2003, I wonder how this applies to Windows 2003 R2 and the 64 
> Bit versions of Windows, or if this will only be fixed in Longhorn.
>  
> Glenn
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Thursday, 31 August 2006 7:20 PM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Logging successful logons in AD security log
> 
> 
> Does everyone know this recommendation from Microsoft?
> 
> On Windows XP, member servers, and stand-alone servers, the 
> combined size of the application, security, and system event 
> logs should not exceed 300 MB.
> On domain controllers, the combined size of these three logs 
> - plus the Directory Service, File Replication Service, and 
> DNS Server logs - should not exceed 300 MB.
> 
> http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0
> f-c7eb-45ed-9e
> 5e-514173bf15e31033.mspx?mfr=true
> 
> Mark
> 
> 
> 
> 
> 
> Date: Wed, 30 Aug 2006 20:07:29 -0700
> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> <[EMAIL PROTECTED]>
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Logging successful logons in AD security log
> 
> Ask the PSS security guys and they want success and failure. 
> Only having half the story... is only half the story
> 
> Buy bigger hard drives and archive.
> 
> Sitton Glen E wrote:
> > I don't know that there is a 'general consensus' because everyone's 
> > business needs differ. My environment has around 100K users 
> and you're 
> > right, there's a ridiculously high volume of logon events. 
> We set the 
> > security log size very high on the domain controllers, and 
> collect and 
> > clear the security logs severa

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Grillenmeier, Guido
That would be the Audit Collector Services (ACS) - been in Beta forever
and due to internal struggles they couldn't release it for free. AFAIK,
ACS is still planned to be a part of MOM.

The Longhorn Eventsystem is a completely different story - can handle
many more events (incl. great filtering capabilities) and has native
capability to forward events to other servers (centrally collect on one
or many LH servers). Not sure how the latter will scale, but it sure
will be interesting for many companies.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Thursday, August 31, 2006 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I've been told by some folks at Microsoft that it won't just be
Longhorn, but that Windows Server 2003 will have some native (and free?)
options for collecting event log data into SQL and performing reporting,
similar to what 3rd party products or custom development mentioned on
this thread are
capable of.  I'm not sure if it will be more powerful than what can be
done with LogParser, or just easier...

There was also some mention of MOM packs to go along with it.

I've not seen anything official yet, though.

--James



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Thursday, August 31, 2006 4:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

Interesting.
 
from the article: "Microsoft plans to resolve these problems in the next
version of Windows by rewriting the event logging system from the ground
up."  since the last update was Mar 28 2003, I wonder how this applies
to Windows 2003 R2 and the 64 Bit versions of Windows, or if this will
only be fixed
in Longhorn.
 
Glenn
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log


Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined
size of the application, security, and system event logs should not
exceed 300 MB.
On domain controllers, the combined size of these three logs - plus the
Directory Service, File Replication Service, and DNS Server logs -
should not exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45e
d-9e
5e-514173bf15e31033.mspx?mfr=true

Mark





Date: Wed, 30 Aug 2006 20:07:29 -0700
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success 

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Wells, James Arthur
I've been told by some folks at Microsoft that it won't just be Longhorn, but 
that Windows Server 2003 will have some native (and free?) options for 
collecting event log data into SQL and performing reporting, similar to what 
3rd party products or custom development mentioned on this thread are
capable of.  I'm not sure if it will be more powerful than what can be done 
with LogParser, or just easier...

There was also some mention of MOM packs to go along with it.

I've not seen anything official yet, though.

--James



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Thursday, August 31, 2006 4:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

Interesting.
 
from the article: "Microsoft plans to resolve these problems in the next 
version of Windows by rewriting the event logging system from the ground up."  
since the last update was Mar 28 2003, I wonder how this applies to Windows 2003 
R2 and the 64 Bit versions of Windows, or if this will only be fixed
in Longhorn.
 
Glenn
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log


Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of 
the application, security, and system event logs should not exceed 300 MB.
On domain controllers, the combined size of these three logs - plus the 
Directory Service, File Replication Service, and DNS Server logs - should not 
exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e
5e-514173bf15e31033.mspx?mfr=true

Mark





Date: Wed, 30 Aug 2006 20:07:29 -0700
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only having half 
the story... is only half the story

Buy bigger hard drives and archive.

Sitton Glen E wrote:
> I don't know that there is a 'general consensus' because everyone's 
> business needs differ. My environment has around 100K users and you're 
> right, there's a ridiculously high volume of logon events. We set the 
> security log size very high on the domain controllers, and collect and 
> clear the security logs several times per day using a 
> commercially-available "fancy log management system." We don't allow 
> the security logs to rollover. The eventlog management software gives 
> us an impressive battery of audit reports, and a compressed eventlog

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Glenn Corbett
Interesting.
 
from the article: "Microsoft plans to resolve these problems in the next
version of Windows by rewriting the event logging system from the ground
up."  since the last update was Mar 28 2003, I wonder how this applies to
Windows 2003 R2 and the 64 Bit versions of Windows, or if this will only be
fixed in Longhorn.
 
Glenn
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log


Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of
the application, security, and system event logs should not exceed 300 MB.
On domain controllers, the combined size of these three logs - plus the
Directory Service, File Replication Service, and DNS Server logs - should
not exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e
5e-514173bf15e31033.mspx?mfr=true

Mark





Date: Wed, 30 Aug 2006 20:07:29 -0700
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only 
having half the story... is only half the story

Buy bigger hard drives and archive.

Sitton Glen E wrote:
> I don't know that there is a 'general consensus' because everyone's
> business needs differ. My environment has around 100K users and you're
> right, there's a ridiculously high volume of logon events. We set the
> security log size very high on the domain controllers, and collect and
> clear the security logs several times per day using a
> commercially-available "fancy log management system." We don't allow
> the security logs to rollover. The eventlog management software gives
> us an impressive battery of audit reports, and a compressed eventlog
> repository that we archive for FISMA compliance.
>
> I'm sure our uncompressed event log archive is well above 1TB per year.
> But we realize about a 20:1 compression using the commercial software.
>
> Your options may be limited by legal requirements that may govern the
> audit logs of your business or organization. 
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Wednesday, August 30, 2006 5:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> That may work, but it sort of falls under option b. The logs will grow
> so large that they will become unmanageable. I did some calculations
> and it works out to be about 1TB a year.
>
> -----

Re: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Mark Parris
Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs — plus the Directory Service, File Replication Service, and DNS Server logs — should not exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true

Mark

Date: Wed, 30 Aug 2006 20:07:29 -0700
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only having half the story... is only half the story

Buy bigger hard drives and archive.

Sitton Glen E wrote:
> I don't know that there is a 'general consensus' because everyone's
> business needs differ. My environment has around 100K users and you're
> right, there's a ridiculously high volume of logon events. We set the
> security log size very high on the domain controllers, and collect and
> clear the security logs several times per day using a
> commercially-available "fancy log management system." We don't allow
> the security logs to rollover. The eventlog management software gives
> us an impressive battery of audit reports, and a compressed eventlog
> repository that we archive for FISMA compliance.
>
> I'm sure our uncompressed event log archive is well above 1TB per year.
> But we realize about a 20:1 compression using the commercial software.
>
> Your options may be limited by legal requirements that may govern the
> audit logs of your business or organization.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
> Joseph
> Sent: Wednesday, August 30, 2006 5:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> That may work, but it sort of falls under option b. The logs will grow
> so large that they will become unmanageable. I did some calculations
> and it works out to be about 1TB a year.
>
> -Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
> Sent: Wednesday, August 30, 2006 3:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Logging successful logons in AD security log
>
> I have a pretty small site, and this probably won't scale very well, but
> I have a script scheduled to run every day at midnight that backs up the
> security log to a compressed folder & clears it. I have the log size set
> ridiculously high, so it doesn't rollover unexpectedly.
>
> dtmThisDay = Day(Date)
> dtmThisMonth = Month(Date)
> dtmThisYear = Year(Date)
> strBackupName = dtmThisYear & "_" & dtmThisMonth & "_
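A way to check a server against the 300 MB combined-size guidance Mark quotes, as an added example that is not part of the thread or of any Microsoft tooling. It assumes a 2003-era host exposing the Win32_NTEventLogFile WMI class, that Win32_ComputerSystem.DomainRole values 4 and 5 identify a domain controller, and local administrator rights to read the log files.

```powershell
# Added example, not from the thread: sum the configured maximum sizes of the
# event logs the guidance counts and compare the total with 300 MB.
$limit = 300MB

# DomainRole 4 = backup DC, 5 = primary DC. On a DC the Directory Service,
# File Replication Service and DNS Server logs count toward the total as well.
$role  = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$names = @('Application', 'Security', 'System')
if ($role -ge 4) {
    $names += 'Directory Service', 'File Replication Service', 'DNS Server'
}

$logs = Get-WmiObject -Class Win32_NTEventLogFile |
    Where-Object { $names -contains $_.LogfileName }

# MaxFileSize is the configured cap; FileSize is what is actually on disk.
# A log whose on-disk size exceeds its cap is worth a closer look, since the
# cap you see in policy is not always the cap the host is enforcing.
$logs | Select-Object LogfileName,
    @{ Name = 'MaxMB';    Expression = { [math]::Round($_.MaxFileSize / 1MB, 1) } },
    @{ Name = 'OnDiskMB'; Expression = { [math]::Round($_.FileSize / 1MB, 1) } },
    @{ Name = 'OverCap';  Expression = { $_.FileSize -gt $_.MaxFileSize } } |
    Format-Table -AutoSize

$totalMax  = ($logs | Measure-Object -Property MaxFileSize -Sum).Sum
$totalDisk = ($logs | Measure-Object -Property FileSize -Sum).Sum
"Configured total: {0:N1} MB, on disk: {1:N1} MB, guidance: {2:N0} MB" -f ($totalMax / 1MB), ($totalDisk / 1MB), ($limit / 1MB)

if ($totalMax -gt $limit) {
    Write-Warning "Combined configured log size exceeds the 300 MB guidance; reduce the caps or archive and clear more often."
}
```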

Re: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Ask the PSS security guys and they want success and failure.  Only 
having half the story... is only half the story


Buy bigger hard drives and archive.

Sitton Glen E wrote:

I don't know that there is a 'general consensus' because everyone's
business needs differ.  My environment has around 100K users and you're
right, there's a ridiculously high volume of logon events.  We set the
security log size very high on the domain controllers, and collect and
clear the security logs several times per day using a
commercially-available "fancy log management system."  We don't allow
the security logs to rollover.  The eventlog management software gives
us an impressive battery of audit reports, and a compressed eventlog
repository that we archive for FISMA compliance.

I'm sure our uncompressed event log archive is well above 1TB per year.
But we realize about a 20:1 compression using the commercial software.

Your options may be limited by legal requirements that may govern the
audit logs of your business or organization.  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

That may work, but it sort of falls under option b.  The logs will grow
so large that they will become unmanageable.  I did some calculations
and it works out to be about 1TB a year.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, August 30, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't rollover unexpectedly.

' Build a timestamped backup name from the current date and time
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
"_" & Hour(Time) & Minute(Time)
strComputer = "."
' The Backup and Security privileges are required to back up and clear the Security log
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
' Write the log out as an .evt file, then clear it so it cannot roll over
objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
"_security.evt")
objLogFile.ClearEventLog()
Next

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Wednesday, August 30, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging successful logons in AD security log

What is the general consensus on logging successful logon events?

For example, if you have a domain with 100K users or so and you use AD as
your primary authentication service for application, file, email, and
web access, then it is plausible that you will end up with up to 100 log
entries per second.  That kind of volume will no doubt cause the logs to
roll over frequently, thus making them somewhat useless.

The only alternatives I see are:

a) Don't log successful logons.
b) Set your event log size to a very large (and possibly unmanageable)
size.
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Tim Onsomu
The option chosen for my environment is:
c) Invest in a fancy log management system that will collect, index, and
retain all of your logs. 

The product we employ is EventSentry
(http://www.eventsentry.com/features.php?FEATURE=EVENTLOG). Though not
that fancy, it is good enough to do what is needed.

The events are collected and, using SQL Reporting Services, a 24 hr
summary is emailed to the appropriate person.
It does not matter how many successful logons you have -- I guess the
space on your SQL server would be the limitation.

One aspect that drives what you choose is compliance if you have to
satisfy any audit requirements.

Good luck.





RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Sitton Glen E
I don't know that there is a 'general consensus' because everyone's
business needs differ.  My environment has around 100K users and you're
right, there's a ridiculously high volume of logon events.  We set the
security log size very high on the domain controllers, and collect and
clear the security logs several times per day using a
commercially-available "fancy log management system."  We don't allow
the security logs to roll over.  The eventlog management software gives
us an impressive battery of audit reports, and a compressed eventlog
repository that we archive for FISMA compliance.

I'm sure our uncompressed event log archive is well above 1TB per year.
But we realize about a 20:1 compression using the commercial software.

Your options may be limited by legal requirements that may govern the
audit logs of your business or organization.  



RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Free, Bob
Depends on how much info you need, but doing it through the native event
log in an environment of that size is nearly futile unless you have SAN
space and CPU cycles to burn. Ours is 1/4 that size and I tried it and
did the calcs, and its storage reqs were unbelievable. IIRC I was also
seeing more than 100/sec in aggregate, but I would need my notes and
abacus to confirm that. For the short time I actually had it on, the
logs were updating so fast it rendered Event Viewer useless; it couldn't
even refresh on the PDCe. (They were set to 125MB and unmanageable at
that size when I tried it.)

b) won't work because the total of ALL your event logs together is
limited to a practical maximum somewhere around 300MB, since they have to
be memory mapped and are sharing the 1 GB memory space of services.exe.
Eric Fitzgerald had a great blog entry about it a while back.

c) possible, but still takes a lot of resources. I have been playing with
3rd party tools and DAD/MACS/ACS for a while; none are a panacea IMO. I'm
beginning to like the approach at least one of the 3rd party vendors
uses of just grabbing the changes to the AD attribute instead of using
the native audit subsystem.

I'm leaning toward A and either checking the AD attribute or using
something in a logon script to update a database with the
who/what/when/where stuff. Depends on your needs I guess. Sorry this is
a little choppy but I'm pressed for time.



RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Isenhour, Joseph
That may work, but it sort of falls under option b.  The logs will grow
so large that they will become unmanageable.  I did some calculations
and it works out to be about 1TB a year.



RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Derek Harris
I have a pretty small site, and this probably won't scale very well, but
I have a script scheduled to run every day at midnight that backs up the
security log to a compressed folder & clears it. I have the log size set
ridiculously high, so it doesn't roll over unexpectedly.

' Build a timestamped archive name, e.g. 2006_8_30_00 (month/day are not zero-padded)
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay & _
    "_" & Hour(Time) & Minute(Time)
strComputer = "."
' Backup and Security privileges are needed to archive and clear the Security log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
    ' Clear only when the backup reports success (return code 0), so a
    ' failed backup never silently discards the audit trail
    If objLogFile.BackupEventLog("c:\seclogs\" & strBackupName & _
        "_security.evt") = 0 Then
        objLogFile.ClearEventLog()
    End If
Next
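As an added example (not Derek's script, and not from any product named in the thread), here is the same Win32_NTEventLogFile rotation in PowerShell, but it clears the Security log only after the backup file is verified, and it first reports the combined configured size of the classic logs against the ~300MB practical ceiling Bob Free describes. The archive path C:\seclogs and the 300MB threshold are assumptions taken from the thread.

```powershell
# Added example: verified backup-then-clear of the Security log, plus an
# aggregate event log size check. Paths and the cap are assumptions.
$ArchiveDir   = 'C:\seclogs'   # assumed archive location, as in Derek's script
$AggregateCap = 300MB          # practical ceiling mentioned in the thread

# SeBackupPrivilege and SeSecurityPrivilege are required; -EnableAllPrivileges
# is the counterpart of "(Backup, Security)" in the VBScript WMI moniker.
$logs = Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges

# 1. Aggregate check: MaxFileSize is the configured cap, FileSize the current size on disk.
$configured = ($logs | Measure-Object -Property MaxFileSize -Sum).Sum
$actual     = ($logs | Measure-Object -Property FileSize    -Sum).Sum
"Configured aggregate: {0:N0} MB, on disk now: {1:N0} MB" -f ($configured / 1MB), ($actual / 1MB)
if ($configured -gt $AggregateCap) {
    Write-Warning ("Combined event log maximum ({0:N0} MB) exceeds the ~300 MB practical limit" -f ($configured / 1MB))
}

# 2. Rotate the Security log: back up first, clear only on verified success.
$sec = $logs | Where-Object { $_.LogfileName -eq 'Security' }
if (-not (Test-Path $ArchiveDir)) { New-Item -ItemType Directory -Path $ArchiveDir | Out-Null }
$stamp   = Get-Date -Format 'yyyy_MM_dd_HHmm'   # zero-padded so archives sort chronologically
$archive = Join-Path $ArchiveDir "${stamp}_security.evt"

$backup = $sec.BackupEventLog($archive)
if ($backup.ReturnValue -ne 0) {
    throw "BackupEventLog failed with code $($backup.ReturnValue); Security log NOT cleared"
}
if (-not (Test-Path $archive) -or (Get-Item $archive).Length -eq 0) {
    throw "Backup file $archive is missing or empty; Security log NOT cleared"
}

# Clearing is itself audited (event 517 on Windows Server 2003, 1102 on later
# versions), so monitoring should expect one such event per scheduled run.
$clear = $sec.ClearEventLog()
if ($clear.ReturnValue -ne 0) {
    throw "ClearEventLog failed with code $($clear.ReturnValue)"
}
"Security log archived to $archive and cleared"
```

Run it from an elevated, scheduled task on each domain controller; a non-zero exit from either throw leaves the log intact for the next run to retry.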
