Audit account logon events causes security log meltdown :(

Trust No One®

Hi Folks,

Need your advice. In keeping with best practices we've enabled auditing
(success and failure) of account logon events on our domain controllers.

Our AD is largish - over 15 thousand users and increasing daily.

We've noticed though that our security logs on our DCs are going into
meltdown with huge amounts of 538 and 540 events being continuously logged
for both user and computer accounts. We recently set the size of our
security logs to 256 Mb, but this size is typically exhausted within 3 days!

Furthermore, a Microsoft consultant advised us a while back that the
security log is held in memory on domain controllers, so setting it to such
large sizes can have an adverse performance impact.

I understand that setting the audit account logon events policy results in
the centralized logging of user authentications on the DCs, so the number of
users/workstations in the domain is directly proportional to the volume of
security events logged on the DCs. I understand also that quite a few events,
e.g. mapping of shares, group policy application etc., generate authentication
events.

I know that several posters on the newsgroup manage large AD
implementations, and I am very much interested in whether you have
implemented the audit account logon events policy. If so are you
experiencing similar problems with the volumes of events written to the
security log?

Comments as to the way forward welcomed. Our security department has decreed
that we go with Audit account logon events policy for audit purposes.
Sarbanes-Oxley is a popular buzzword these days :)

Brgds,
 
T

Tomasz Onyszko

Trust said:
Hi Folks,

Need your advice. In keeping with best practices we've enabled auditing
(success and failure) of account logon events on our domain controllers.
(...)

In my network we have about 11k users - we are also auditing logon
events, but we are gathering the log data from all controllers on a regular
basis into our database using a custom-developed script. Then we are
clearing the event logs on the DCs.

That is how we do it, in short :)
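An added example (not Tomasz's script or anything from the thread) of the collect-then-clear cycle he describes: pull the 538/540 logon events from each DC into a dated CSV archive on a central share and clear the DC's Security log only once the archive is verifiably in place. The DC names, the UNC share and the CSV format are assumptions; this is Windows PowerShell (Get-EventLog is not available in PowerShell 7).

```powershell
# Collect pre-Vista logon/logoff events (538 = logoff, 540 = network logon)
# from each DC into a central archive, then clear the Security log.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2'),       # assumed DC names
    [string]$ArchiveRoot = '\\logserver\auditarchive',    # assumed UNC share
    [int[]]$EventIds = @(538, 540)                        # IDs discussed in the thread
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($dc in $DomainControllers) {
    $csv = Join-Path $ArchiveRoot "$dc-security-$stamp.csv"

    # Get-EventLog reads the legacy event log API the 538/540 IDs live in.
    # -InstanceId matches the EventID for Security events; the filter is
    # applied on the client side, so the whole log still travels over the wire.
    $events = Get-EventLog -ComputerName $dc -LogName Security `
                           -InstanceId $EventIds -ErrorAction Stop

    # Keep the fields you will query on in the database; the full message text
    # stays so the archive is still useful for a later investigation.
    $events |
        Select-Object @{n = 'DC'; e = { $dc }}, TimeGenerated, EventID, EntryType, UserName,
                      @{n = 'Message'; e = { $_.Message -replace '\s+', ' ' }} |
        Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

    # Clear only after the archive can be read back. Clearing first and archiving
    # second loses the events if the copy to the share fails.
    if ((Test-Path $csv) -and (@(Import-Csv $csv).Count -ge 1)) {
        Clear-EventLog -ComputerName $dc -LogName Security
        # The clear is itself audited (event 517 on this generation of Windows),
        # so a healthy archive shows exactly one 517 per DC per collection run.
        # Events written between the read and the clear are lost; if that gap
        # matters, archive the whole log rather than only $EventIds.
    }
}
```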