Windows Security Auditing too many logs
By default the Windows Security auditing generates too much logs.Having cleared this log I already have 71,000 logs for the past seven days. Where exactly is this auditing configured cause I would like to lower it a bit.I tried all the auditing in Default Domain, Default Domain Controller Policies but didnt find any audit settings configured.So where do they come from? Thanks.
March 3rd, 2011 4:05pm

Domain security logs are configured via the Default Domain Controller Group Policy. It is located under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy . You will find a number of policies where you can configure either Success or Failure. Account Logon Events audits when other people succeed or fail when attempting to log onto the domain. Logon Events audits when someone succeeds or fails at logging onto the Domain Controller. Most companies retain their security logs for auditing and historical purposes. Clearing the logs without making a backup could be considered a poor practice depending on what your companies standards are. It is important to make sure that you are auditing the correct settings to avoid collecting to much information. Below is a "Best Practices" guide that you may find useful: Auditing Security Events Best practices http://technet.microsoft.com/en-us/library/cc778162%28WS.10%29.aspx
Free Windows Admin Tool Kit Click here and download it now
March 4th, 2011 3:09pm

jsof, I just read the part where you said you already checked the Default Domain and Default Domain Controller Policies. Have you checked the PC's Local Security Policy to see if any auditing is enabled there?
March 4th, 2011 3:34pm

also if you are using 2008 R2, then there is the advanced audit polciy stuff to check as well
Free Windows Admin Tool Kit Click here and download it now
March 5th, 2011 2:17pm

Hello guys and thanks for stopping by :-) Yes I am using Windows Server 2008R2.It's nothing inside audit policies (even the Adnvanced Audit Policy).
March 5th, 2011 4:59pm

Hi jsof, Please run rsop.msc on the client to check if any audit policy has been configured. Meanwhile, please let us know what logs have been recorded in event log. You can past some samples. Regards, BruceThis posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
March 7th, 2011 4:21am

Looking deeper into the Default Domain Controllers Policy found this: Under Computer Configuration/ Windows/ Security/ Local Policies you have: Generate Security Audits object, where by default system accounts like NETWORK SERVICE and LOCAL SERVICE are defined. In the description of the policy object is written: "This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events ". So I disabled both accounts' auditing, in a new custom DC policy. *The same applies to the Local Policy settings, so I applied my custom DC Policy enforced , and did a gpupdate /force . Still I get multiple logs.Now let's see some of these logs: First a Microsoft Windows Security, Event ID 4624 : An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: SYSTEM Account Name: 2008R2$ Account Domain: AI Logon ID: 0x2e827f6 Logon GUID: {6d7bbe59-4af1-662a-f91b-aa41785bea78} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: ::1 Source Port: 62157 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Then a Microsoft Windows Security, Event ID 4672 : Special privileges assigned to new logon. Subject: Security ID: SYSTEM Account Name: 2008R2$ Account Domain: AI Logon ID: 0x2e827f6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege And finally a Microsoft Windows Security, Event ID 4634 : An account was logged off. Subject: Security ID: SYSTEM Account Name: 2008R2$ Account Domain: AI Logon ID: 0x2e827f6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer I also get this one multiple times (EventID 4769 ): A Kerberos service ticket was requested. Account Information: Account Name: 2008R2$@AI.LOCAL Account Domain: AI.LOCAL Logon GUID: {17cab577-b9ef-6b9f-bdbd-534ec50ceaa6} Service Information: Service Name: 2008R2$ Service ID: AI\2008R2$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. To summarize the issue here please take a look at this . Every minute I get this pattern of 4624, 4672 and 4634 most probably a service authenticating with Kerberos and logging off.For 40 minutes of having cleared security event log you can see at the picture I have over 300 new events. This is beyond the nature of auditing as someone has to spend some serious time and effort to use this log list. Thanks for helping.
March 7th, 2011 11:06am

Anyone please?
Free Windows Admin Tool Kit Click here and download it now
March 9th, 2011 2:54am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics