No Security Events showing....

 
17-06-2004, 10:38 PM   #1
Kelvin Beaton

I have a Win 2000 server running as a DC with AD.

In the event viewer there are no events in the Security Log folder. There
are events in all the other folders. Is there a reason this would be empty?
It looks like it's configured like the rest of the Events.
Am I missing something obvious here?

Thanks

Kelvin


18-06-2004, 12:04 AM   #2
Lanwench [MVP - Exchange]

Hi - any reason you've posted this in a WinXP group?
Go into event viewer and change the properties of the system log (and *all*
logs) so that "overwrite as needed" is selected, and bump up the max sizes a
lot. I'd do 20MB each if it were me.

Kelvin Beaton wrote:
> I have a Win 2000 server running as a DC with AD.
>
> In the event viewer there are no events in the Security Log folder.
> There are events in all the other folders. Is there a reason this
> would be empty? It looks like it's configured like the rest of the
> Events. Am I missing something obvious here?
>
> Thanks
>
> Kelvin



18-06-2004, 03:51 PM   #3
Kelvin Beaton

Sorry for posting this in the wrong group, my mistake.

I've made the changes like you recommended. The odd thing is that nothing is
being written to that file. I went and looked at the date of the
SecEvent.Evt file and it basically has the same create and modify date of
Sept 2002.
All the other logs seem to be collecting data. Is there a way to reset this
particular log?

Thanks

Kelvin


19-06-2004, 06:09 AM   #4
Lanwench [MVP - Exchange]

Try purging it after resetting the settings as suggested (or export it to an
evt file & then purge it)

Kelvin Beaton wrote:
> Sorry for posting this in the wrong group, my mistake.
>
> I've made the changes like you recommended. The odd thing is that
> nothing is being written to that file. I went and looked at the date
> of the SecEvent.Evt file and it basically has the same create and
> modify date of Sept 2002.
> All the other logs seem to be collecting data. Is there a way to
> reset this particular log?
>
> Thanks
>
> Kelvin
21-06-2004, 03:04 PM   #5
Kelvin Beaton

Thanks for the reply

I exported the Security Events and cleared them also. The system did create
one event saying I had cleared the Security Event Log.....

I logged off and back onto the domain to see if it would create an event,
but it didn't. Not 100% sure it was supposed to. I was looking for some way
to get the Domain Controller to generate an event.

Isn't the Security Event log where I would see failed domain logins?

thanks for your time....



21-06-2004, 03:17 PM   #6
Lanwench [MVP - Exchange]

Kelvin Beaton wrote:
> Thanks for the reply
>
> I exported the Security Events and cleared them also. The system did
> create one event saying I had cleared the Security Event Log.....
>
> I logged off and back onto the domain to see if it would create an
> event, but it didn't. Not 100% sure it was supposed to. I was looking
> for some way to get the Domain Controller to generate an event.
>
> Isn't the Security Event log where I would see failed domain logins?


Yes, but you need to enable auditing for that in your policies.
>
> thanks for your time....
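
Added example, not part of the original thread: a Python check of a security template export for the two conditions the replies above point to, logon auditing switched off and a small or non-overwriting Security log. The `[Event Audit]` and `[Security Log]` key names follow the security template (INF) format; the sample export is constructed, `review_policy` is a hypothetical name, and the 20 MB threshold is the figure suggested in the thread.

```python
import configparser

# Audit values in a security template: bit 1 = audit success, bit 2 = audit failure.
AUDIT = {0: "no auditing", 1: "success only", 2: "failure only", 3: "success and failure"}

# Constructed sample shaped like a security template export (not taken from the thread).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
RetentionDays = 7
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditPolicyChange = 3
"""

def review_policy(inf_text, min_log_kb=20 * 1024):
    """Return findings that would explain an empty or short-lived Security log."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(inf_text)

    def setting(section, key):
        # A missing section or key is treated as 0 (not configured).
        return int(cfg.get(section, key, fallback=0))

    findings = []
    # Logon events and account logon events are the categories that record logins.
    for key in ("AuditLogonEvents", "AuditAccountLogon"):
        value = setting("Event Audit", key)
        if not value & 2:
            findings.append(f"{key} = {value} ({AUDIT.get(value, 'unknown')}): "
                            "failed logins are not recorded")
    size_kb = setting("Security Log", "MaximumLogSize")  # stored in kilobytes
    if size_kb < min_log_kb:
        findings.append(f"Security log maximum size is {size_kb} KB, below {min_log_kb} KB")
    # Retention period 0 means "overwrite events as needed".
    if setting("Security Log", "AuditLogRetentionPeriod") != 0:
        findings.append("Security log is not set to overwrite events as needed")
    return findings

if __name__ == "__main__":
    for line in review_policy(SAMPLE_INF):
        print(line)
```
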
21-06-2004, 05:57 PM   #7
Kelvin Beaton

I'm not 100% sure how to accomplish this.

I'm looking at the "Group Policy" for my domain.
I'm looking at "Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy", is this the correct place? I have set
this to audit successful and failed logins, but I'm not sure this is the
correct place as it seems to be for "Local Policies"; to me that would
refer to the local machine, not the DC.

Am I close, or way off track?

Thanks

