How to log ONLY Logon Type 2 events (Interactive) for eventID 4624

Using advanced logging on a 2008 R2 DC and I just want to log Interactive logon events. Logging all 4624/4634 (Logon/Logoff) events just generates waaay too much data and fills up my log file in a day. I only care about who interactively signs into the server(s). I can find all kinds of info on the 'net about how to filter security logs but I don't even want to write the other types to the file as I want to save that space for other security events.
ITGeneral Asked:

btan (Exec Consultant) Commented:
Windows auditpol can typically give granular setting of policy (advanced audit policy CLI) as below, but drilling into specifics such as event ID and logon type will not be possible, or at least not to my best knowledge (maybe there is more for 2012 server, but I doubt so). The granularity is in terms of filtering, not setting, though...

e.g. auditpol /set /subcategory:"logon" /success:enable /failure:enable

Also from http://technet.microsoft.com/en-us/library/cc755264(v=ws.10).aspx looking at the syntax, it does not drill to that level either.

Auditpol /set
[/user[:<username>|<{sid}>][/include][/exclude]]
[/category:<name>|<{guid}>[,:<name|<{guid}>…]]
[/success:<enable>|<disable>][/failure:<enable>|<disable>]
[/subcategory:<name>|<{guid}>[,:<name|<{guid}>…]]
[/success:<enable>|<disable>][/failure:<enable>|<disable>]
[/option:<option name> /value: <enable>|<disable>]

Probably the way is to review what is necessary, or be user/group specific then...

Recommended Baseline Audit Policy for Windows Server 2008
http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008

Some practice to keep 'noise' down
http://blogs.msdn.com/b/ericfitz/archive/2005/01/11/keeping-the-noise-down-in-your-security-log.aspx

The audit policy command-line tool can be used to:
Set and query a system audit policy.
Set and query a per-user audit policy.
Set and query auditing options.
Set and query the security descriptor used to delegate access to an audit policy.
Report or back up an audit policy to a comma-separated value (CSV) text file.
Load an audit policy from a CSV text file.
Configure global resource SACLs.
ITGeneral (Author) Commented:
Yeah, I've read through most of those articles before - my problem is that the log seems to be filling up extremely quickly. Like with just logon events being logged I might get two days' worth of logging using default log sizes. So ideally, of course, if I could just log interactive logons that would be my preference. I just find it hard to believe that there's no mechanism within Windows to just log interactive logons without it having to log every single interaction that any system or computer account has with the domain controller. We're not even a big shop, maybe 50 servers, a hundred PCs and laptops and maybe 100 users, and liquor seven filling my security log in a day and a half, two days. Even with exporting logs to file, that must be near impossible to find anything that you're looking for in a large organization.
btan (Exec Consultant) Commented:
This is the issue faced by many with overwhelming security logs, hence most of the cost went into logging for compliance. Most schemes have remote logging to a central syslog, pumped to SIEMs for monitoring. Archival and backup is done too, to offload server performance in regular fashion. There is no one size fits all from what I see in the server granularity. The filtering is granular, but not the log type that can be defined for logging.

ITGeneral (Author) Commented:
Just to add to this - I ended up discovering that in Server 2008 R2 it seems TerminalServices sessions are logged by default in the event viewer.

In Server Manager under Windows Logs open up Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager and in there you will see logon and logoff info for TS sessions to your server.
btan (Exec Consultant) Commented:
Thanks for sharing.
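The two comments above both land on the same point: the audit policy decides which subcategories get written, while selecting by logon type is a filtering step on top of that. The script below is an added example (not code from the thread or from Microsoft) showing that filtering step in practice: an XPath filter that selects only LogonType 2 (interactive) 4624 events from the Security log, and a second query against the TerminalServices-LocalSessionManager/Operational log the author found. It assumes the Security event schema for 4624 (named EventData fields such as TargetUserName, LogonType and IpAddress) and, for the RDS log, that event 21 is "session logon succeeded" and 23 is "session logoff" with the user and address under UserData/EventXML; verify both against events on your own server. The 7-day look-back window is a constructed choice.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session;
# reading the Security log requires administrative rights.

# Constructed choice: look back 7 days (milliseconds, as XPath timediff expects).
$windowMs = 7 * 24 * 60 * 60 * 1000

# --- (1) Interactive logons only: EventID 4624 whose LogonType field equals 2 ---
# The same XPath text can be pasted into Event Viewer -> Create Custom View -> XML tab,
# or into the <Select> element of a Windows Event Forwarding subscription, so that only
# these events are forwarded to a collector. Change '2' to '10' to select RDP logons instead.
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $windowMs]] " +
         "and EventData[Data[@Name='LogonType']='2']]"

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name="..."> list of a Security event into a hashtable
    # keyed by field name, so fields are read by name rather than by position.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$interactive = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
            LogonType = $f['LogonType']          # always 2 with the XPath above
            Process   = $f['LogonProcessName']
            Source    = $f['IpAddress']          # '-' for a console logon
        }
    }

# --- (2) RDS session logon/logoff from the log the author pointed at ---
# Assumption: 21 = session logon succeeded, 23 = session logoff; user, session id and
# client address live under UserData/EventXML. Check against your own events.
$tsLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$since = (Get-Date).AddMilliseconds(-$windowMs)
$tsSessions = Get-WinEvent -FilterHashtable @{ LogName = $tsLog; Id = 21, 23; StartTime = $since } `
                           -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $u = $xml.Event.UserData.EventXML
        $action = if ($_.Id -eq 21) { 'logon' } else { 'logoff' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = $action
            User    = $u.User
            Session = $u.SessionID
            Address = $u.Address
        }
    }

$interactive | Sort-Object Time | Format-Table -AutoSize
$tsSessions  | Sort-Object Time | Format-Table -AutoSize
```

Both queries only change what is read, not what is written, which is exactly the limitation btan describes: the Security log still fills with every logon type the Logon subcategory produces. The two ways to stop it rolling over that do not require a per-type audit setting are to raise the log's maximum size (`wevtutil sl Security /ms:<bytes>`) and to put the XPath above into a Windows Event Forwarding subscription so that the collector keeps only the interactive subset while the server's local log is allowed to wrap.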