Changing Audit log locations

Posted on 2006-11-17
Medium Priority
Last Modified: 2013-12-04
We have a situation where there are files that are sensitive enough we need them audited but only a select subset of users should be able to see those logs.  I need to seperate the auditing logs of those files from the auditing logs of the rest of the files on the system.  I have found the code to create more event logs but how can I direct certain security logs to that newly created event log instead of the standard Security event log.

Thank you
Question by:SAIonline
LVL 24

Accepted Solution

SunBow earned 1500 total points
ID: 17969719
I dunno. Which ones?
You can try to search registry for filename, and change each one.
You 'should' have option available through menu system to get it right, I doubt that is well available
For some, such as Security log for the Event viewer, a right click gets allowance to display properties
From there, see C:\WINDOWS\System32\config\SecEvent.Evt as name of file (default)
Mine is changeable but greyed out. Yours?
You might have to reboot to local, off-net, then login as administrator, often meaning physically present at KB

I advise to NOT try. Reasoning is that there are far too many updates required, where too many things can go wrong such as, those who write update code neglect that there are possibilities other than defaults, and they may either set all back ( a tug of war) or end up with some messages going nowhere (if not crashing systems)

>  only a select subset of users should be able to see those logs

Sometimes it helps to have users read them to help desk. Too rarely, no one ever checks the logs for resolving problems. Users can also be a form of check and balance, where too many installers can cause a problem yet deny that they ever touched the machines (remotely). My preference would be dealing with users, try denying them access to directory store using Windows Explorer (or similar tool).

Check Local Security Settings \ Local Policies \ User Rights Assignments
for items like
Managing auditing and security log

Author Comment

ID: 17979098
I am able to change where the default security entries are logged, but that doesn't get me to where I need to be.  On our file server there is a directory that only certain director and VP level users should be able to see.  We want to audit that directory but I am told that even our security team should not know what is in that directory.  That presents a problem because the security log will log the name of the file when someone attempts to gain (succefully or not) access to that file. The rest of the files should be (and are) audited normally by our security team.  I wanted to generate the logs for that directory and child objects to a different log file accessible by only those they deem fit.  Does that make more sense now?  I told them because of the nature of the directory that maybe it should be moved to a different server, but they wanted to try and leave it where it is for ease of use (VP's) if we can.  Any other ideas, even thrid party apps are on the table.  I need something that will only write events for a single directory to a seperate log of some kind, without disturbing the auditing already in place.  (Yes I know it may be futile)

Thank you

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
The video provides a quick and easy steps to migrate MBOX file to well known Outlook PST and Office 365. Besides this, it also supports and migrates more than 20 email clients of MBOX which include AppleMail, Opera, Thunderbird and SeaMonkey effortl…
From store locators to asset tracking and route optimization, learn how leading companies are using Google Maps APIs throughout the customer journey to increase checkout conversions, boost user engagement, and optimize order fulfillment. Powered …

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question