Adam Chaney
Filtering windows event logs
As our company is getting larger we are having an issue with security event logs running over the size limit quickly. I was wondering if there is a way to filter the log for the bad password event ID and save the last 5MB of the filtered events. I found the create custom log, but it only seems to create a preselected filter for the existing events.
You shouldn't log anything - maybe it would be better to revise what is being logged.
Is the security log set to its maximum (4 GB)?
https://technet.microsoft.com/en-us/library/cc938399.aspx?f=255&MSPPError=-2147217396
Could write a power script to handle your requirements.
Have you thought about a log collection and alerting tool such as splunk?
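One way to do what the "power script" suggestion above describes, as an added example that is not from this thread: a PowerShell script that pulls the bad-password events out of the Security log on a domain controller into a CSV and keeps that file trimmed to the newest 5 MB. The event IDs (4625 failed logon, 4771 Kerberos pre-authentication failure, 4776 NTLM credential validation failure), the output path and the 5 MB budget are assumptions chosen to match the question.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
# Assumptions: IDs 4625/4771/4776 are the "bad password" events of interest,
# $OutFile is a path of your choosing, $MaxBytes is the 5 MB budget from the question.
param(
    [string]$OutFile  = "C:\Logs\BadPasswords.csv",
    [int]   $MaxBytes = 5MB,
    [int[]] $EventIds = @(4625, 4771, 4776)
)

# Fetch only events newer than the last one saved, so repeated runs append instead of duplicating.
$since = (Get-Date).AddDays(-1)
if (Test-Path $OutFile) {
    $last = Import-Csv $OutFile | Select-Object -Last 1
    if ($last) { $since = ([datetime]$last.TimeCreated).AddTicks(1) }   # StartTime is inclusive
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = $since
} -ErrorAction SilentlyContinue

# Flatten each event to the fields used when tracing where bad passwords come from.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        TimeCreated   = $e.TimeCreated.ToString('o')
        Id            = $e.Id
        TargetUser    = $d['TargetUserName']
        Workstation   = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['Workstation'] }  # 4776 uses "Workstation"
        SourceAddress = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['ClientAddress'] }
        Status        = $d['Status']
        SubStatus     = $d['SubStatus']   # only present on 4625
    }
}

if ($rows) {
    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Append
}

# Keep only the newest $MaxBytes of the file: drop the oldest rows (header stays) until it fits.
while ((Get-Item $OutFile).Length -gt $MaxBytes) {
    $lines = Get-Content $OutFile
    $keep  = [int]($lines.Count * 0.9)
    @($lines[0]) + $lines[($lines.Count - $keep)..($lines.Count - 1)] | Set-Content $OutFile
}
```

Schedule it with Task Scheduler every few minutes so events are captured before the Security log wraps; the CSV then holds the most recent bad-password history regardless of the log's own size limit.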
ASKER
Not sure that I understand. Why wouldn't we want to log anything? We use the default security log on the domain controller for troubleshooting bad password attempts. Usually I can track where the password attempts are coming from (RADIUS server, Exchange server, etc.) to let the user know they need to update a password in a specific location.
ASKER CERTIFIED SOLUTION
How to Trace the Source of a Bad Password and Account Lockout in AD:
http://expert-advice.org/active-directory/how-to-trace-the-source-of-a-bad-password-and-account-lockout-in-ad/
How to track and troubleshoot User Account Lockouts:
https://www.lepide.com/how-to/track-and-troubleshoot-user-account-lockouts-with-lepideauditor.html
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Accept: McKnife (https:#a42455622)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
seth2740
Experts-Exchange Cleanup Volunteer