Rammy Charles
asked on
Filter what is written to Windows Security Event Log
Is there a way to filter what is written to the Windows Security Logs?
The Custom Views and filtering are only visibility subsets of the log. I want to prevent Windows from writing certain events into the log.
For example, I do not want to see successful log on and log off events in the security log. I only want to see fails.
No, because, by definition, if one could filter what information gets logged, then it wouldn't be secure. (Now some apps have mechanisms to do things like go into a debug logging mode where you get everything from what field name a user clicks on, but there is no mechanism to prevent any arbitrary program from not logging specific events)
Yes (in a way). You can't filter individual events, but you can choose a number of categories. What you are looking for is the Audit Policy.

The standard audit policy settings in Group Policy are found under Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy.

With Vista and later you have audit subcategories for more fine-grained control. With Vista/2008 you had to set these with the auditpol command, but with Win7/2008R2 you can use Group Policy. The settings are found under Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration.

You may also want to use the setting in Local Policies | Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".
See here for a good recommendation on what to configure using audit subcategories.
http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008
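The subcategory approach from the answer above, written out as an added example (not part of the original thread, and not taken from the linked baseline). It uses the real auditpol.exe switches and the registry value that backs the "Force audit policy subcategory settings ... to override" option; the backup path is an assumption. Run it from an elevated PowerShell prompt on the machine whose log you want to thin out. One caveat worth stating plainly: success logons (4624, especially network and RDP logon types) are exactly what incident responders use to trace lateral movement, so forwarding them elsewhere is usually a better answer than not recording them.

```powershell
# Added example: keep only failed logons in the Security log by editing the
# audit policy at subcategory level. Requires an elevated prompt.

# 1. Save the current effective policy first so the change can be undone
#    with: auditpol /restore /file:$backup
$backup = Join-Path $env:TEMP 'auditpol-before.csv'   # assumed path
auditpol /backup /file:$backup

# 2. Make subcategory settings win over the nine legacy categories. This is the
#    registry value behind Security Options > "Audit: Force audit policy
#    subcategory settings (Windows Vista or later) to override audit policy
#    category settings". SCENoApplyLegacyAuditPolicy = 1 means "do not apply
#    the legacy category policy".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 3. Logon subcategory: record failures (event 4625) but not successes (4624).
auditpol /set /subcategory:"Logon" /success:disable /failure:enable

# 4. Logoff subcategory only ever produces success events (4634, 4647),
#    so disable it completely.
auditpol /set /subcategory:"Logoff" /success:disable /failure:disable

# 5. Special Logon (4672, "special privileges assigned") fires alongside most
#    administrative 4624s; turn it off too or the log still fills with successes.
auditpol /set /subcategory:"Special Logon" /success:disable /failure:disable

# 6. On a domain controller the authentication failures (4771, 4768 with a
#    failure code, 4776 with a non-zero status) live in the Account Logon
#    category, not in Logon/Logoff, so they need their own subcategories.
auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:disable /failure:enable

# 7. Verify the effective policy for both categories.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"
```

If the machine is domain-joined and Advanced Audit Policy Configuration is defined in a GPO that applies to it, the local auditpol settings are overwritten at the next policy refresh; make the same change in the GPO (Advanced Audit Policy Configuration | Audit Policies | Logon/Logoff and Account Logon) instead, and check the result with auditpol /get rather than trusting the GPO editor.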
I was thinking of just filtering based on event ID, such as 4625 (under Logon: an account failed to log on). See all security event IDs - http://support.microsoft.com/kb/947226
fyi - Event 4771 is an authentication failure which in this case occurs at the domain controller. Event 4625 is in the Logon category which can occur at any server, domain controller or workstation. They are two completely different categories.
one example that I saw is @ http://sbs.codeplex.com/releases/view/23747
- more (if interested) - http://sbs.codeplex.com/
You can go granular if wanted using a custom XML filter. This blog has good info
@ http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
In case you are interested in an xls of security audit event IDs
@ http://blogs.msdn.com/b/ericfitz/archive/2008/04/16/windows-server-2003-security-events-posted.aspx
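The custom XML filter the comment above points to, as an added example that is not part of the original thread or the linked blog. It shows the two kinds of selection Event Viewer's XPath subset allows: by event ID in the System section, and by a named field in EventData, which is what you need for 4776 because that event is logged for both successful and failed NTLM validations and only the Status field tells them apart. The same query string works in Event Viewer's "Filter Current Log > XML" tab and in Get-WinEvent -FilterXml; the 24-hour window and the field extraction are my additions.

```powershell
# Added example: a structured XML filter that shows only failed logons and
# failed authentications from the Security log, regardless of what the audit
# policy writes. Read-only; needs local admin (or Event Log Readers) to read
# the Security log.

$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Logon failures (any host) and Kerberos pre-auth failures (DC only),
         limited to the last 24 hours (timediff is in milliseconds). -->
    <Select Path="Security">
      *[System[(EventID=4625 or EventID=4771)
        and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <!-- NTLM credential validation: 4776 is written for successes too,
         so keep only the ones whose Status is not 0x0. -->
    <Select Path="Security">
      *[System[EventID=4776 and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]
        and EventData[Data[@Name='Status']!='0x0']]
    </Select>
    <!-- Suppress wins over Select; drop successful logon/logoff explicitly
         in case someone widens the Select clauses later. -->
    <Suppress Path="Security">
      *[System[(EventID=4624 or EventID=4634 or EventID=4647)]]
    </Suppress>
  </Query>
</QueryList>
'@

# Pull a named EventData field out of an event, since the Properties index
# of "TargetUserName" differs between 4625, 4771 and 4776.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Get-WinEvent throws if nothing matches, hence -ErrorAction SilentlyContinue.
Get-WinEvent -FilterXml $query -MaxEvents 100 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = Get-EventField $_ 'TargetUserName'
            # 4625 carries the client in IpAddress, 4771 in IpAddress, 4776 in
            # Workstation; take whichever the event has.
            Source  = (Get-EventField $_ 'IpAddress'), (Get-EventField $_ 'Workstation') -ne $null | Select-Object -First 1
            Status  = (Get-EventField $_ 'Status')
        }
    } | Format-Table -AutoSize
```

Because Suppress overrides Select inside a Query, this is also the safe way to build a saved Custom View that other administrators will edit: the exclusions stay in force even if someone loosens the Select clause. Note that it is still only a view; the successful logons are written to the log and remain available for forensics.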
ASKER CERTIFIED SOLUTION
ASKER
Good
So I guess my explanation of how to set this with Group Policy and a link to using auditpol for a number of recommended settings wasn't useful at all?