Ben Hart asked:
Logon/Logoff Auditing, exclude specific user?

As the title says: is there a way to exclude, or not audit, a single domain user account's logon and logoff events?

We have a web app that uses a service account to verify other AD accounts. This happens hundreds of times an hour and fills the Security event log, so I'd like to exclude just the logon and logoff events from this single user, if possible.
ASKER CERTIFIED SOLUTION by Renato Montenegro Rustici (Brazil); the answer text is hidden behind a membership sign-up on the original page.
ASKER (Ben Hart):
Not sure I follow. It's a result of the normal Server 08 local audit policy covering logon events, or so I thought. But I want to not log the success or failure logon events for one specific user.
But tell me: are you concerned about it because of the disk consumption or because it's hard to look for information in the log?

I am asking because it's possible to extract information from the event viewer in many ways. I am pretty sure we can find a way to filter the information. But if you are concerned about disk space, then there's not much to do.

What I meant is that when you turn on the object access policy, for instance, you assign some folders and users to the auditing configuration. In the case of logon/logoff events, you don't point at users or servers; you just turn it on or off in Active Directory (this log is showing on a domain controller, right?).
Well honestly I guess it'd be a little of both. I just increased the log size to 50 MB, which I will agree is nothing; however, the default 20 MB log file size was eaten up by a little less than 3 hours' worth of security logon events from this one particular domain account. I realized this by filtering the current log, and the time frames only go back 3.5 hours.

Since I know this particular account will generate a literal crap ton of events, I thought it'd be easier just to exclude it.

Yes, on one of our two DCs. So logon events are an 'all or nothing' thing?
Yes. That's it.
So how would larger environments handle large log files?
You might consolidate events to a dedicated server with enough storage.

Take a look at Event Subscription:

Setting up Subscriptions for Event Log Forwarding
http://www.windowsecurity.com/articles/Video_Setting_up_Subscriptions_Event_Log_Forwarding.html
1) If it's possible, you can try to change the application behavior with the software manufacturer.

2) Depending on the application behavior, you might try to create an additional domain and run the application from there, where you will not enable auditing.

That's what I have for now. Hope this will help you.
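The event subscription suggested above, as an added example that is not part of the thread or of the linked article: the collector-side half of a source-initiated Windows Event Forwarding subscription, in PowerShell. The domain controllers push their Security logon/logoff events to one server, and the subscription's own query (the same XPath dialect an Event Viewer custom view uses) is evaluated on each DC before the event is sent. The subscription id DC-Logon-Events, the collector name wec01 and the choice of event IDs are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the collector.
# Assumed names: subscription id "DC-Logon-Events", collector host "wec01" (used only in the
# GPO value quoted in the comment at the end).

# 1. Enable the Windows Event Collector service and a WinRM listener on the collector.
wecutil qc /q
winrm quickconfig -q

# 2. Subscription definition. <Query> carries a standard QueryList, so the filter runs on
#    the source DC; here it keeps only logon (4624), failed logon (4625) and logoff
#    (4634/4647) events. The SDDL in AllowedSourceDomainComputers grants the well-known
#    "Domain Controllers" group (SDDL alias DD) the right to forward to this subscription.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Logon-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon/logoff audit events from the domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647)]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

$subscriptionFile = Join-Path $env:TEMP 'DC-Logon-Events.xml'
Set-Content -Path $subscriptionFile -Value $subscriptionXml -Encoding UTF8
wecutil cs $subscriptionFile

# 3. Confirm the subscription exists and, once the DCs have checked in, see per-source
#    status and how many events have arrived.
wecutil gs DC-Logon-Events
wecutil gr DC-Logon-Events

# Source side (per DC, normally via GPO): Computer Configuration > Policies >
# Administrative Templates > Windows Components > Event Forwarding >
# "Configure target Subscription Manager" =
#   Server=http://wec01:5985/wsman/SubscriptionManager/WEC,Refresh=60
# and the DC's NETWORK SERVICE account needs read access to the Security log
# (membership in the local Event Log Readers group is the usual way to grant it).
```

Because the filter lives in the subscription, the same `<Suppress>` clauses that work in a custom view can be added to it, so a noisy account can be dropped on the DC before it ever reaches the collector's disk; forwarded events land in the collector's ForwardedEvents log, where they can be filtered and exported like any other channel.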
Thank you for the hint about Subscriptions. I now get security-related logs from both DCs on only one.

I might have found a snag I was hitting earlier in the filtering.

I set up a custom view: for the last 12 hours; Event Level: All; By Log: Security, System, Directory Service; Keywords: Audit Failure, Audit Success. That returns over 100k events. If I go back in and add a user, it returns zero.

I went into the Security log itself and found a logoff event at 5:38:14. I then found that same event in the custom filter without the user, but if I specify the user who logged off at 5:38:14 in the custom view, it returns zero. Not sure where I'm going wrong here.
[attachment: custom-filter.png]
SOLUTION (answer text hidden behind a membership sign-up on the original page)
Apparently this is an overly difficult thing to accomplish, so I'll post what I've found.

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Successful logons (4624) in the Security log whose target account is USERNAME.
         Replace USERNAME with the account's sAMAccountName. The named Data element is
         compared directly; "Data[@Name='TargetUserName'] and (Data='USERNAME')" would
         also match when the name appears in some other field of the same event. -->
    <Select Path="Security">
      *[System[(Level=4 or Level=0 or Level=5) and (EventID=4624)]]
      and
      *[EventData[Data[@Name='TargetUserName']='USERNAME']]
    </Select>
  </Query>
</QueryList>
```

rmrustice answered my question; however, I'm accepting mine and his because part of the issue was wading through the event logs and NOT seeing the one user I wanted to exclude. While there is apparently no way to stop the audit logs from auditing one individual user, I can exclude that user from appearing in the event logs.
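Two points from the thread that the posted query does not show, as an added PowerShell example that is not the asker's code: first, the audit policy itself really has no per-account switch, which `auditpol` makes visible; second, the query above selects the account's events, while the stated goal is to hide them, which the query language does with a `<Suppress>` clause (a suppress always wins over a select). The zero-result custom view is explained by the dialog's User box: it filters on the event's System/Security UserID attribute, which Security-Auditing events set to the logging process's account (typically SYSTEM), not the account that logged on, so a target account has to be matched in EventData as below. The account name svc_webauth and the export path are assumptions.

```powershell
# Added example, not from the thread. Assumed service account name: svc_webauth.

# 1. The Logon/Logoff subcategories carry only Success/Failure settings; there is no
#    principal-level filter to set, which is why exclusion has to happen at query time.
auditpol /get /subcategory:"Logon","Logoff"

# 2. Keep every logon/logoff audit event EXCEPT those targeting the service account.
#    <Suppress> is evaluated after <Select> and removes matching events from the result.
$serviceAccount = 'svc_webauth'

$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <!-- 4624 logon, 4625 failed logon, 4634/4647 logoff -->
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647)]]
    </Select>
    <!-- Compare the named field directly, so only events whose TARGET is the service
         account are dropped; events where it merely appears as SubjectUserName stay. -->
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='$serviceAccount']]
    </Suppress>
  </Query>
</QueryList>
"@

# Same structured query that an Event Viewer custom view would hold; -FilterXml takes
# an [xml] document. Reading Security requires admin or Event Log Readers membership.
$events = Get-WinEvent -FilterXml ([xml]$filterXml) -MaxEvents 500

# 3. Summarise the remaining events by target account to confirm the exclusion worked:
#    the service account must not appear in this list.
$events |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 4. The same query file drives wevtutil, e.g. to export the filtered log for archiving
#    (/sq:true tells wevtutil the first argument is a structured query, not a log name).
$queryFile = Join-Path $env:TEMP 'security-no-svc.xml'
Set-Content -Path $queryFile -Value $filterXml -Encoding ASCII
wevtutil epl $queryFile (Join-Path $env:TEMP 'security-no-svc.evtx') /sq:true
```

Pasting the `$filterXml` content into the XML tab of a custom view (with the account name filled in) gives the same exclusion inside Event Viewer. Note that this hides the service account's events from the view or export only; they are still written to the Security log and still consume the log's size, so the log-size increase and the forwarding to a collector remain the controls for the disk-space side of the problem.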