Solved

How do I edit what is logged under security audit for SBS 2011?

Posted on 2014-08-18
Medium Priority
Last Modified: 2014-09-03
Users are reporting that folders keep mysteriously moving and nobody will take credit. I would like to track this via the security audit logs. Because I'm logging about 5-10 events per second, I can't obtain more than a few hours of logs when I really need weeks' worth of logs.

I would like to temporarily turn off all security logs except for this particular log but I'm not sure how to configure what is logged.

Any advice would be helpful.
Question by:ABT, Inc.
4 Comments
 
Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 2000 total points
ID: 40269231
You can get very granular with auditing. The standard audit is all-encompassing. Go into the security properties of the folder, Advanced, Auditing. WHO do you want to audit? Add Everyone, check "delete" and check "delete folders and files". When it happens again, open the audit log and filter on event id 580. There you go.
http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/

Author Comment

by:ABT, Inc.
ID: 40274244
Thanks for the advice David.  I'll certainly do that to track the changes.

I still have an issue of not being able to find anything in the event log because it's inundated with logon/logoff events, multiple times per second (i.e. event 4624 and 4634).  I tried disabling all of these through the group policy management editor for the default domain policy.  I disabled them under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.  I'm pretty sure I've done something wrong because the logs continue to fill.

I would really like to disable these logs.

Accepted Solution

by:
ABT, Inc. earned 0 total points
ID: 40293525
If anyone else has this problem, I solved the issue.

To disable the logon/logoff events (events 4624 and 4634), run secpol.msc > Advanced Audit Policy Configuration > Logon/Logoff.

Author Closing Comment

by:ABT, Inc.
ID: 40300568
Figured it out myself
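
The accepted solution's change, scripted with `auditpol` and combined with the folder auditing suggested earlier in the thread, as an added example that is not part of the original posts. It assumes an elevated PowerShell session on the server and that no GPO sets Advanced Audit Policy (a GPO would reapply its values at the next refresh); the folder and backup paths are hypothetical, and event ID 4663 is the file-system object-access event on Windows Server 2008 R2, on which SBS 2011 is built.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# $Folder and $Backup are hypothetical paths; replace them with your own.
$Folder = 'D:\Shares\Projects'
$Backup = 'C:\Temp\auditpol-before.csv'

# 1. Save the current audit policy so the temporary change can be undone.
auditpol /backup "/file:$Backup"

# 2. Stop auditing the Logon and Logoff subcategories (the source of events
#    4624 and 4634) and make sure File System object access is audited.
auditpol /set /subcategory:"Logon"  /success:disable /failure:disable
auditpol /set /subcategory:"Logoff" /success:disable /failure:disable
auditpol /set /subcategory:"File System" /success:enable

# 3. Confirm what is now in effect.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Object Access"

# 4. Add an audit entry (SACL) on the folder: successful deletes by Everyone,
#    inherited by subfolders and files. A move within the same volume shows up
#    as a delete at the old path.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 5. After the next incident, list object-access events that mention the
#    folder. The event message carries the account name and the object path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 6. Once the culprit is found, put the original audit policy back so
#    logon/logoff events are recorded again:
#    auditpol /restore "/file:$Backup"
```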