Account Logon and Logoff Auditing

A

Allison

Is there a way within Windows 2000 Server to only audit user logon and
logoff events? I turned on this auditing feature on the Domain Controller,
but I keep getting useless audit information from the SYSTEM and
ComputerName$ accounts. Then I get a 100 different 528, 538, and 540 events
from every single user during the course of one day, and this just increases
the event log file tremendously. I just want to log when a user logs in and
logs off. Can this be done without logging the other stuff?

thanks
 
S

Steven L Umbach

It is not possible to selectively audit logon events. What you can do is use filter
view in Event Viewer to look for specific events or use something like the free Event
Comb from Microsoft to search the domain controllers for specific events and text.
See the link below and read about Event Comb near the end of the white paper. There
are also third part tools to dump and filter security logs, some fee and some
ot. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml -- PsLogList
http://www.gfi.com/lanselm/ -- LanGuard S.E.L.M. -- trial download
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Auditing User logon/logoff events. 2
Unexplained 540 Events in Security log on W2K workstation in a dom 0
users logon and Logoff Auditing 1
Auditing Logon Events 2
Authentication Auditing 5
Logoff Events do not get logged...Why? 4
FTP login to Win2k sp4 with IIS not all audited 1
Windows 2003 Server, Constant Logon/Logoff in my Security Log - does this mean something is worng? 0

Top