Rammy Charles (asker)
Filter what is written to Windows Security Event Log

Is there a way to filter what is written to the Windows Security Logs?

The Custom Views and filtering are only visibility subsets of the log.  I want to prevent Windows from writing certain events into the log.
For example, I do not want to see successful log on and log off events in the security log.  I only want to see fails.
David

No, because, by definition, if one could filter what information gets logged, then it wouldn't be secure.  (Now some apps have mechanisms to do things like go into a debug logging mode where you get everything from what field name a user clicks on, but there is no mechanism to prevent any arbitrary program from not logging specific events)
Yes (in a way).  You can't filter individual events, but you can choose a number of categories.  What you are looking for is the Audit Policy.  The standard audit policy settings in Group Policy are found under Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy.  With Vista+ you have audit subcategories for more fine-grained control.  With Vista/2008 you had to set these with the auditpol command, but with Win7/2008R2 you can use Group Policy.  The settings are found under Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration.  You may also want to use the setting in Local Policies | Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".
See here for a good recommendation on what to configure using audit subcategories.
http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008
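The procedure above, carried out from an elevated PowerShell prompt, as an added example (not part of the original answer): it enables the subcategory-override setting, switches the Logon/Logoff subcategories to failure-only auditing with auditpol, and then reads the policy back in CSV form to confirm. Assumptions: a Vista/2008-or-later host that is managed locally (on a domain member the Advanced Audit Policy GPO will overwrite these values at the next refresh, so make the same change there instead), and the English subcategory names. The registry value `SCENoApplyLegacyAuditPolicy` is the backing store for the "Force audit policy subcategory settings ... to override" security option. Note that the Logoff subcategory only ever produces success events (4634/4647), so disabling success there silences it completely, and that dropping successful logons removes the evidence you would need to reconstruct an intrusion later; the script keeps a backup so the change can be reversed.

```powershell
# Added example: failure-only auditing for logon events via auditpol.
# Run elevated. Assumes locally managed audit policy (no overriding GPO).

# Keep a copy of the current policy so the change can be rolled back:
#   auditpol /restore /file:C:\audit-before.csv
auditpol /backup /file:C:\audit-before.csv | Out-Null

# Equivalent of "Audit: Force audit policy subcategory settings (Windows Vista
# or later) to override audit policy category settings" = Enabled. Without it the
# legacy nine-category policy can silently re-enable success auditing.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Type DWord -Value 1

# Logon/Logoff category: keep failures (4625), drop successes (4624/4634/4647).
foreach ($sc in 'Logon', 'Logoff') {
    auditpol /set /subcategory:"$sc" /success:disable /failure:enable | Out-Null
}

# Authentication failures on a domain controller (4771, 4776) live in the
# separate Account Logon category, so set those too if this is a DC.
foreach ($sc in 'Kerberos Authentication Service', 'Credential Validation') {
    auditpol /set /subcategory:"$sc" /success:disable /failure:enable | Out-Null
}

# Verify: /r emits CSV with a stable "Inclusion Setting" column
# (expect "Failure" for each subcategory touched above).
auditpol /get /category:"Logon/Logoff","Account Logon" /r |
    ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

If the verification still shows "Success and Failure" after a few minutes, a domain GPO under Advanced Audit Policy Configuration is reapplying the setting; `gpresult /h report.html` shows which one.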
btan
I was thinking just filter based on event ID such as 4625 (under Logon: an account failed to log on). See all security event IDs at http://support.microsoft.com/kb/947226

FYI, Event 4771 is an authentication failure which in this case occurs at the domain controller. Event 4625 is in the Logon category which can occur at any server, domain controller or workstation. They are two completely different categories.

One example that I saw is at http://sbs.codeplex.com/releases/view/23747
- more (if interested): http://sbs.codeplex.com/

You can go granular if wanted using a custom XML filter. This blog has good info:
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx

In case you are interested in an xls of security audit event IDs:
http://blogs.msdn.com/b/ericfitz/archive/2008/04/16/windows-server-2003-security-events-posted.aspx
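The event-ID-based XML filter suggested above, as an added example (not from the original reply): the same QueryList XML that a Custom View accepts, fed to Get-WinEvent, selecting 4625 (logon failure, any host) and 4771 (Kerberos pre-authentication failure, domain controller) from the last 24 hours and pulling the target account, source address and status code out of each event's EventData by name, so the 4625/4771 field-order difference does not matter. Unlike the auditpol route, this changes only what is displayed; the success events are still written to the Security log. Assumptions: read access to the Security log (elapsed time in the XPath is in milliseconds; `&lt;=` is the XML escape for `<=`).

```powershell
# Added example: failure-only view of the Security log via an XPath/XML query.
# Same XML works in Event Viewer > Custom Views > XML tab.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625 or EventID=4771)
               and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@

# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
Get-WinEvent -FilterXml ([xml]$filterXml) -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Map EventData <Data Name="..."> elements to a hashtable by name;
        # 4625 and 4771 both carry TargetUserName, IpAddress and Status.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            User   = $d['TargetUserName']
            Source = $d['IpAddress']
            Status = $d['Status']   # e.g. 0xC000006D (4625), 0x18 (4771)
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The Status values are the NTSTATUS (4625) and Kerberos error code (4771) from the event itself; grouping the output on User and Source is the quickest way to spot a password-spraying pattern once the successes are out of the way.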
ASKER CERTIFIED SOLUTION
David Johnson, CD
Rammy Charles (asker)

Good

David

So I guess my explanation of how to set this with Group Policy and a link to using auditpol for a number of recommended settings wasn't useful at all?