How do I edit what is logged under security audit for SBS 2011?

Posted on 2014-08-18
Last Modified: 2014-09-03
Users are reporting that folders keep mysteriously moving and nobody will take credit.  I would like to track this via the security audit logs.  Because I'm logging about 5-10 events per second, I can't obtain more than a few hours of logs when I really needs weeks worth of logs.

I would like to temporarily turn off all security logs except for this particular log but I'm not sure how to configure what is logged.

Any advice would be helpful.
Question by:ABT, Inc.
    LVL 77

    Assisted Solution

    by:David Johnson, CD, MVP
    you can get very granular with auditing. The standard  audit  all encompassing, go into the securuity properties of the folder, advanced, autiing , WHO do you want to audit add everyone check "delete" and check "delete folders and files"  When it happens again open the audit log and filter on event id 580.. there you go.

    Author Comment

    by:ABT, Inc.
    Thanks for the advice David.  I'll certainly do that to track the changes.

    I still have an issue of not being able to find anything in the event log because it's inundated with logon/logoff events, multiple times per second (i.e. event 4624 and 4634).  I tried disabling all of these through the group policy management editor for the default domain policy.  I disabled them under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.  I'm pretty sure I've done something wrong because the logs continue to fill.

    I would really like to disable these logs.

    Accepted Solution

    If anyone else has this problem, I solved the issue.

    To disable the logon/logoff events (events 4624 and 4634),  Run secpol.msc > Advanced Audit Policy Configuration > Logon/Logoff.

    Author Closing Comment

    by:ABT, Inc.
    Figured it out myself

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    In a recent article here at Experts Exchange (, I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
    Article by: btan
    The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
    This video is in connection to the article "The case of a missing mobile phone (". It will help one to understand clearly the steps to track a lost android phone.
    This video discusses moving either the default database or any database to a new volume.

    794 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now