Security Auditing

Willis

Hello,

Does anyone here have any good suggestions for security auditing in a SMB
Server 2003 environment?

We need a record of every time a user logs in, logs out or unlocks Windows XP
on their local computer and preferably a central location to manage these
records.

I've been trying to use the DC security log to monitor events but it is so
tedious sorting through object and login events by every program and user
and it doesn't log when the user unlocks their Windows session. It also
fills up extremely fast. We barely get 20 hours with a 32MB file.
There has to be a better way to manage these without spending a ton of money
on a 3rd party event manager, right?

Any help is appreciated.

Thanks,
Andrew
 
Paul Bergson [MVP-DS]

If you are looking at the growth on the dc and you have a lot of clients,
that growth is relatively normal. We ended up purchasing a third party
product and outputting it to a SQL Server DB that stays at about 8 GB for 30
days of logs. The third party product does allow us to pare back with logs
we save but we just keep them all. We use Event Sentry.

You can log the activity on a single machine but unless you are interested
in a specific machine this would be a bad idea.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
 
