Windows Server General Forum. Thursday, October 23, PM.

Consider that if the event log size is insufficient, overwrites may occur before data is written to the Long-Term Archive and the Audit Database, and some audit data may be lost. This refers to the following event logs:

The procedure below provides a possible way to specify the event log settings manually.
However, if you have multiple target computers, consider configuring these settings via Group Policy as also described in this section.
Make sure Do not overwrite events (Clear logs manually) is cleared. If selected, change the retention method to Overwrite events as needed (oldest events first). With that option enabled, you may want to adjust the retention settings for log archives (backups). Related procedures are described in this Knowledge Base article.
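A check for the retention settings described above, written as an added PowerShell example rather than code from the thread or the quoted Knowledge Base article; the log name and the size and coverage thresholds are assumed values. It reads the log's configured mode and size, measures how far back the oldest surviving record reaches, and can optionally apply the overwrite-as-needed setting locally.

```powershell
# Added example, not from the thread or the Knowledge Base article it quotes.
# Reports how the named event log is configured and how much time its current
# contents span, so you can judge whether records could be overwritten before
# a collector or archive job pulls them. Run from an elevated PowerShell prompt.
# $LogName, $MinimumSizeMB and $MinimumCoverageHours are assumed thresholds.
param(
    [string]$LogName = 'Security',
    [int]$MinimumSizeMB = 512,
    [int]$MinimumCoverageHours = 72,
    [switch]$Fix
)

$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop

# LogMode corresponds to the Event Viewer retention options:
#   Circular   = "Overwrite events as needed (oldest events first)"
#   AutoBackup = "Archive the log when full, do not overwrite events"
#   Retain     = "Do not overwrite events (Clear logs manually)"
$sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
"{0}: mode={1} maxSize={2} MB records={3}" -f $LogName, $log.LogMode, $sizeMB, $log.RecordCount

# Age of the oldest surviving record. A short span means the log wraps faster
# than a collector running on a longer interval can drain it.
$oldest = Get-WinEvent -LogName $LogName -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
if ($oldest) {
    $coverage = (Get-Date) - $oldest.TimeCreated
    "Oldest record: {0:u} ({1:N1} hours of coverage)" -f $oldest.TimeCreated, $coverage.TotalHours
    if ($log.LogMode -eq 'Circular' -and $coverage.TotalHours -lt $MinimumCoverageHours) {
        Write-Warning "Log covers less than $MinimumCoverageHours hours; records may be overwritten before collection."
    }
}

if ($log.LogMode -eq 'Retain') {
    Write-Warning "'Do not overwrite events' is set; the log stops recording when it is full."
}
if ($sizeMB -lt $MinimumSizeMB) {
    Write-Warning "Maximum size $sizeMB MB is below the $MinimumSizeMB MB threshold."
}

# Optional remediation: enlarge the log and switch to overwrite-as-needed.
# On domain members, a Group Policy setting for this log takes precedence and
# should be changed there instead.
if ($Fix) {
    wevtutil.exe sl $LogName "/ms:$($MinimumSizeMB * 1MB)" /rt:false
    "Applied: maximum size $MinimumSizeMB MB, retention = overwrite events as needed."
}
```

Run it once per log you care about (the Knowledge Base text lists the affected logs); the warnings point at the setting that needs changing, either locally or in the Group Policy object that governs the machine.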
I think you were correct in that the "Audit object access" was causing all the log entries. I am now seeing some good log entries that actually tell me stuff. Especially the section "Optional section: Roll back security audit policy from Advanced Audit Policy to basic audit policy" which shows you how to roll back to your basic audit policy in the event that you tweaked with the advanced audit policy.

So you're not using Advanced Audit Policies and use the old-style pre policies?
The new fine-grained policies are something you should look into if you want to optimize your auditing even further and turn off some more junk that's preventing you from seeing the needed audit records.

What you audit and how much can be very dependent on what your security requirements are. Fortunately most of my equipment is at least DoD Secret, and the guidelines are pretty specific about what needs to be audited, what files need to be watched, and how long audit files need to be kept.
There are tradeoffs between increased auditing, which may catch things you'd otherwise miss, and decreased auditing so you don't get overwhelmed by so many benign audit records that you miss the red flags. On my larger networks I have software which collects and summarizes the security logs from all my machines, highlighting potential trouble spots while hiding the "normal" activity.

That's right, getting rid of the "noise" is the key to successful auditing and it's impossible without automated tools.