Windows Vista Event Viewer Problem

[arash]

My Windows Vista Event Viewer used to log all logon and logoff events, and I
could audit all user account activities. But recently it just logs the logon
event for user accounts and doesn't show any logoff event. I know how to turn
on and off the auditing feature in Windows XP. But I can't find same thing in
Windows Vista. I will appreciate if someone helps me.

 

[C.B.]

My Windows Vista Event Viewer used to log all logon and logoff events, and
I
could audit all user account activities. But recently it just logs the
logon
event for user accounts and doesn't show any logoff event. I know how to
turn
on and off the auditing feature in Windows XP. But I can't find same thing
in
Windows Vista. I will appreciate if someone helps me.

arash,


Open the Control Panel. In Control Panel select Administrative Tools.
Select Local Security Policy and then expand Local Policies in the left
pane. Select Audit Policy and read the results in the right pane at which
time you can select what you desire.
You can also select Security Options, under Local Policies in the left
pane and check out the results in the right pane.

C.B.

 

[arash]

C.B.,

Thank for your help. I look for the Local Security Policy in the Control
Panel, but I couldn't find it! I use Windows Vista Home Premium, is that why
it's not there?! Is there any other way to do same thing in another place?

Thanks again for your consideration,

Arash

 

[C.B.]

arash,

This is from Microsoft. I have copied and pasted it for you below:

Windows Auditing Issue
Auditing is a vital step in detecting system intrusions or malicious
activity on your systems and network. The Windows Event Viewer does not log
event entries in the security log unless you enable auditing on the system.

Solution
Enable auditing on each Microsoft® Windows® operating system on your
network. After you enable auditing, you can choose which events to monitor,
such as successful or failed logon attempts. In addition, certain files and
directories can be audited on NTFS file systems for modifications or
deletions. View the links under the Additional Resources section below for
more information on configuring audit policies.

Instructions
To enable auditing on a computer running Windows Server "Longhorn", Windows
Server 2003, Windows Vista, Windows XP, or Windows 2000

Open the Control Panel.
In Control Panel, double-click Administrative Tools, and then click Local
Security Policy.
In Local Security Settings, double-click Local Policies, double-click Audit
Policy, and then click the events that you want to audit. We recommend that
you audit the following events:
Audit account logon events (Success, Failure)

Audit account management (Success, Failure)

Audit directory service access (Failure)

Audit logon events (Success, Failure)

Audit object access (Failure)

Audit policy change (Success, Failure)

Audit system events (Success, Failure)



To view the event logs, click Start, point to Programs, point to
Administrative Tools, and then click Event Viewer.

Additional Resources
Chapter 3 - Audit Policy (Threats and Countermeasures Guide)

Chapter 9 - Auditing and Intrusion Detection (Securing Windows 2000 Server)
Windows Server 2003: Auditing Security Events Best Practices



©2002-2007 Microsoft Corporation. All rights reserved.

I hope this helps you.

C.B.