Ben Hart
asked on
Logon/Logoff Auditing, exclude specific user?
As the title says.. Is there a way to exclude or not audit a single domain user account's logon and logoff events?
We have a web app that uses a service account to verify other AD accounts; this happens hundreds of times an hour and fills the Security event log. So I'd like to just exclude the logon and logoff events from this single user if possible.
ASKER CERTIFIED SOLUTION
But, tell me. Are you concerned about it because of the disk consumption or because it's hard to look for information in the log?
I am asking because it's possible to extract information from the event viewer in many ways. I am pretty sure we can find a way to filter the information. But if you are concerned because of the disk space, then there's not much to do.
What I meant is that when you turn on the object access policy, for instance, you assign some folders and users to the auditing configuration. In the case of logon/logoff events, you don't point at users or servers, you just turn it on or off in Active Directory (this log is on a domain controller, right?).
ASKER
Well honestly I guess it'd be a little of both. I just increased the log size to 50 MB, which I will agree is nothing; however, the default 20 MB log file size was eaten up by a little less than 3 hours' worth of security logon events from this one particular domain account. I realized this by filtering the current log and the time frames only going back 3.5 hours.
Since I know this particular account will generate a literal crap ton of events, I thought it'd be easier just to exclude it.
ASKER
Yes.. on one of our two DCs. So logon events are an 'all or nothing' thing?
Yes. That's it.
ASKER
So how would larger environments handle large log files?
You might consolidate events to a dedicated server with enough storage.
Take a look at Event Subscription:
Setting up Subscriptions for Event Log Forwarding
http://www.windowsecurity.com/articles/Video_Setting_up_Subscriptions_Event_Log_Forwarding.html
1) If it's possible, you can try to change the application behavior with the software manufacturer.
2) Depending on the application behavior, you might try to create an additional domain and run the application from there, where you will not enable auditing.
That's what I have for now. Hope this will help you.
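As an added example of the Event Subscription approach suggested above (this is not code from the thread or from the linked article), the following PowerShell builds a source-initiated Windows Event Forwarding subscription on the collector so that only the domain controllers' logon (4624) and logoff (4634) Security events are forwarded. The subscription name, the output path and the SDDL string in AllowedSourceDomainComputers are assumptions; the source DCs still have to be pointed at this collector through the "Configure target Subscription Manager" group policy.

```powershell
# Added example (not from the thread): register a source-initiated WEF
# subscription that collects only logon (4624) and logoff (4634) events from
# the Security log of the domain controllers into the collector's
# ForwardedEvents log. Run on the collector as an administrator after
# `wecutil qc` has enabled the Windows Event Collector service.

$SubscriptionId = 'DC-LogonLogoff'                  # assumed name
$OutFile        = "$env:TEMP\$SubscriptionId.xml"   # assumed path

# The same XPath a Custom View would use. Restricting it here keeps everything
# except logon/logoff traffic off the wire and out of the collector's log,
# instead of filtering after the events have already been shipped and stored.
$Query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>
  </Query>
</QueryList>
'@

$Subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/wec/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon/logoff events from the domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
$Query
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- Assumed SDDL: allow the Domain Controllers group (DC) and Network Service (NS) -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@

Set-Content -Path $OutFile -Value $Subscription -Encoding UTF8

# Register the subscription with the Windows Event Collector service.
wecutil cs $OutFile

# Show the stored configuration and the runtime status (which sources have
# checked in and whether any of them report errors).
wecutil gs $SubscriptionId
wecutil gr $SubscriptionId
```

On each source DC the Network Service account must be allowed to read the Security log (membership in the Event Log Readers group is the usual way), otherwise the runtime status will show the source as connected but no events will arrive. Keep the collector's ForwardedEvents log sized for the volume you actually expect; forwarding does not reduce the event count, it only moves where it is stored.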
ASKER
Thank you for the hint about Subscriptions.. I now get security related logs from both DCs on only one.
I might have found a snag I was hitting earlier in the filtering.
I set up a custom view for the last 12 hours; Event Level: All; By Log: Security, System, Directory Service; Keywords: Audit Failure, Audit Success, which returns over 100k events. If I go back in and add a user it returns zero.
I go into the Security log itself, I found a logoff event at 5:38:14, I then find that same event in the custom filter without the user.. but if I specify that user who logged off at 5:38:14 in the custom view it returns zero. Not sure where I'm going wrong here.
custom-filter.png
SOLUTION
ASKER
Apparently this is an overly difficult thing to accomplish so I'll post what I've found.
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Successful logon events (4624) whose TargetUserName is the given account.
         Comparing the named Data element directly is tighter than the original
         "Data[@Name='TargetUserName'] and (Data='USERNAME')", which also matched
         events where some other field (e.g. SubjectUserName) equalled USERNAME. -->
    <Select Path="Security">
      *[System[(Level=4 or Level=0 or Level=5) and (EventID=4624)]]
      and
      *[EventData[Data[@Name='TargetUserName']='USERNAME']]
    </Select>
  </Query>
</QueryList>
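The query above selects only the one account's logons. To get the opposite (everyone's logon/logoff events with that account hidden, which is what the original question asked for), the same XPath goes into a Suppress element instead. The following PowerShell is an added example, not code from the thread: it builds that exclusion filter, runs it against the local Security log with Get-WinEvent so you can check it before saving it as a Custom View, and counts events per TargetUserName so you can confirm which account is producing the noise. The account name svc-webapp is an assumption; replace it with your service account.

```powershell
# Added example (not from the thread): a Custom View filter that shows logon
# (4624) and logoff (4634) events for every account EXCEPT one noisy service
# account, plus helpers to test it locally. Run on the DC as an administrator
# (or on the collector with Path="ForwardedEvents" in both elements).

$ServiceAccount = 'svc-webapp'   # assumed account name

# <Select> picks the events, <Suppress> removes a subset of them. The suppressed
# events are still written to the Security log; only the view hides them.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name='TargetUserName']='$ServiceAccount']]</Suppress>
  </Query>
</QueryList>
"@

# Read one named EventData field from an event by parsing its XML rendering.
# Looking the field up by name is safer than indexing $_.Properties, because
# TargetUserName sits at a different position in 4624 than in 4634.
function Get-EventDataValue {
    param(
        [Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event,
        [Parameter(Mandatory)] [string] $Name
    )
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object { $_.'#text' }
}

# Apply the exclusion filter and show what the Custom View would display.
function Get-LogonEventsExcludingAccount {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterXml ([xml]$FilterXml) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'TargetUser'; Expression = { Get-EventDataValue -Event $_ -Name 'TargetUserName' } },
            @{ Name = 'LogonType';  Expression = { Get-EventDataValue -Event $_ -Name 'LogonType' } }
}

# Count logon/logoff events per account over the last N hours, unfiltered, to
# see how much of the log one account is really consuming.
function Measure-LogonNoise {
    param([int]$Hours = 3)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventDataValue -Event $_ -Name 'TargetUserName' } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
}

Measure-LogonNoise -Hours 3
Get-LogonEventsExcludingAccount -MaxEvents 20
```

Once the output looks right, paste the contents of $FilterXml into the XML tab of Event Viewer's Create Custom View dialog ("Edit query manually"). The same QueryList can also be used as the Query of an event-forwarding subscription, in which case the service account's events are dropped before they reach the collector. In both cases the events are still audited and still present in the DC's Security log, so the service account's activity can be reviewed on its own with a Select-only view like the one above whenever that is needed.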
ASKER
rmrustice answered my question.. however I'm accepting mine and his because part of the issue was wading through the event logs and NOT seeing the one user I wanted to exclude. While there is apparently no way to stop Audit logs from auditing one individual user, I can exclude that user from appearing in the event logs.