security log filling up

Neil McFadyen

I have 2 Windows 2000 servers as AD domain controllers. I set the audit
settings in the domain controller policy; however, the security log on
one of the servers (actually the one used least) fills up much faster
than the other. I just cleared it about an hour ago and it has reached
30 MB already. The other server's log hasn't been cleared for a week and
is only at 31 MB.

My audit policy is set to:

Audit account logon events Success, Failure
Audit account management Failure
Audit directory service access Success, Failure
Audit logon events Success, Failure
Audit object access Failure
Audit policy change Success, Failure
Audit privilege use Success, Failure
Audit process tracking No auditing
Audit system events Success, Failure

So why is one of the servers' security logs filling up faster than the
other?
And what is the difference between account logon events and logon events?

Tim Hines [MSFT]

How are you determining that the domain controller is used the least? Based
on the information in the log, it is probably being used more often than the
other. What type of event are you seeing the most in the log? I've
included a definition of account logon auditing and auditing logon events.

Audit account logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit each instance of a user logging on or logging
off of another computer where this computer was used to validate the
account.

For domain controllers, this policy is defined in the Default Domain
Controllers Group Policy object (GPO). The default setting is No auditing.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not to audit the event type at all. Success
audits generate an audit entry when account logon occurs successfully.
Failure audits generate an audit entry when an attempted occurrence of the
account logon fails. You can select No auditing by defining the policy
setting and unchecking Success and Failure.

As an example, if success auditing for account logon events is enabled on a
domain controller, then an entry is logged for each user validated against
that domain controller even though the user is actually logging on to a
workstation that is joined to the domain.
Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit each instance of a user logging on, logging off,
or making a network connection to this computer.

If you are auditing successful Audit account logon events on a domain
controller, then workstation logons do not generate logon audits. Only
interactive and network logons to the domain controller itself generate
logon events. In short, "account logon events" are generated where the
account lives. "Logon events" are generated where the logon occurs.

By default, this value is set to No auditing in the Default Domain
Controller Group Policy object (GPO) and in the local policies of
workstations and servers.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not to audit the event type at all. Success
audits generate an audit entry when logon occurs successfully. Failure
audits generate an audit entry when an attempted occurrence of the logon
fails. You can select No auditing by defining the policy setting and
unchecking Success and Failure.
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Neil McFadyen

Tim,
The most common event was 565, so I changed the directory services audit to
just failure and that seems to have reduced the entries.
The other most common events are 576, 540, 538.

I notice on many of the 540 events the Workstation Name (in the description
area) is blank. Why is that?

Neil
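The triage above (find the most frequent event IDs, then tighten the category that produces them) can be scripted. The following is an added example, not code from the thread: it parses a constructed tab-separated export of a Windows 2000/2003 security log, tallies entries by audit category using the event IDs named in the thread, counts 540 entries with a blank Workstation Name, and shows how many entries survive once Directory Service Access is set to audit failures only.

```python
import re
from collections import Counter

# Pre-Vista security event IDs named in the thread, mapped to their audit category.
# 576 is logged under Privilege Use on Windows 2000 (Server 2003 moved it to Logon/Logoff).
EVENT_CATEGORY = {
    565: "Directory Service Access",  # object open on an Active Directory object
    576: "Privilege Use",             # special privileges assigned to new logon
    540: "Logon/Logoff",              # successful network logon to this DC
    538: "Logon/Logoff",              # user logoff
    672: "Account Logon",             # Kerberos ticket granted: account validated here
}

# Constructed sample export, one entry per line: "EventID<TAB>Type<TAB>Workstation".
SAMPLE_LOG = """\
565\tSuccess Audit\t
565\tSuccess Audit\t
565\tSuccess Audit\t
565\tFailure Audit\t
540\tSuccess Audit\t
540\tSuccess Audit\tWS01
538\tSuccess Audit\tWS01
576\tSuccess Audit\t
672\tSuccess Audit\tWS02
"""

LINE_RE = re.compile(r"^(\d+)\t(Success|Failure) Audit\t(.*)$")

def parse_events(text):
    """Return (event_id, outcome, workstation) tuples from an exported log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return events

def count_by_category(events):
    """Tally entries per audit category so the noisy policy setting stands out."""
    return Counter(EVENT_CATEGORY.get(eid, "Other") for eid, _, _ in events)

def blank_workstation(events, event_id=540):
    """Count entries of one event ID whose Workstation Name field is empty."""
    return sum(1 for eid, _, ws in events if eid == event_id and ws == "")

def apply_policy(events, policy):
    """Keep only entries the audit policy would still record.
    policy maps category -> set of audited outcomes, e.g. {"Success", "Failure"}."""
    return [e for e in events
            if e[1] in policy.get(EVENT_CATEGORY.get(e[0], "Other"), set())]
```

Running `count_by_category(parse_events(SAMPLE_LOG))` ranks Directory Service Access first on this sample; passing a policy with `"Directory Service Access": {"Failure"}` to `apply_policy` drops the three successful 565 entries.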
Guest

We have a similar problem: we have 2 Windows 2003 domain controllers and the only auditing set up is to audit account management (success and failure). On one of the servers the security log is filling up fast and includes logon/logoff, privilege use and account logon messages; the other only has account management messages.

Can anyone help?

Richard McCall [MSFT]

On the Default Domain Controllers policy, define everything for auditing but
only select the success and failure that you want logged. If anything is left
as Not Defined, the lower-level policies could be setting up the auditing
that you are seeing.

Guest

Then shouldn't we see both domain controllers in a single domain with the same auditing?