Chuck,
Actually MSFT has that feature built into it:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
or Security or System]
"MaxSize"=dword:06400000
"Retention"=dword:ffffffff
"AutoBackupLogFiles"=dword:00000001
Now the host will archive and store the event logs when they reach 100MB in
the default event log directory, using the following format:
Logname-YYYY-MM-DD-HH-MM-SSS-mmm.evt
Regards,
Dave
______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
www.SecurityBreachResponse.com
-----Original Message-----
From: Meredith, Charles (HRD)
[mailto:Charles.Meredith@state.ma.us]
Sent: Tuesday, January 24, 2006 11:38
To: security-basics@securityfocus.com
Subject: RE: Windows Log
Kind of related...
While researching a similar problem, I found a tool that
will help manage the archival of logs (you might want to
do this). We wanted to keep an archive of audit logs
(logon and logoff events) so I found a freeware utility
from SysInternals called psloglist that will automatically
clear and save your audit/security logs.
http://www.sysinternals.com/Utilities/PsLogList.html
Regards,
Chuck
-----Original Message-----
From:
security-basics-return-37793-Chuck.Meredith=hrd.state.ma.us
@securityfocus.com [mailto:security-basics-return-37793-
Chuck.Meredith=hrd.state.ma.us@securityfocus.com] On
Behalf Of List Spam
Sent: Tuesday, January 17, 2006 10:08 AM
To: security-basics@securityfocus.com
Subject: Re: Windows Log
There are many types of logins that can be performed in an
an AD environment. Among these are full desktop logins by
a user (aka interactive login), non-interactive network
logins (e.g. mount a share), computer accounts
authenticating to the domain, etc.
I would venture a guess that you don't want to disallow
the ability to log other security events, but want to
easily find login events of some type (see above) without
having to wade through the full set of logged data. If
this is the case, you could simply filter the logs to show
the event id that is specific to the action you are looking to see.
You could use the built-in "Event Viewer" application for
it, EventCombMT (Google it), one of the resource kit log
dumping utilitities, VBScripts, or just about anything
else to export this info. Some VBScript examples are below:
http://www.microsoft.com/technet/scriptcenter/scripts/logs/
eventlog/default.mspx
I dare say that if you're trying to audit security on a
box, you don't want to hack up the data collection
facility, but want to simply get better use from that data.
My two cetns.
On 1/16/06, Rod <rod.rio@gmail.com> wrote:
> Hi all,
>
> I have a Win2k Server, who is my Domain Controller, and
I'd like it to
> log only the LOGON/LOGOFF events. I know that there are
a whole class
> of logon/logoff events, but I´d like to log only when a
user logon
> into a machine in the domain.
>
> Hope I was clear... thx
>
>
> --
> Rodrigo M. T. Fernandez
> Departamento de Ciência da Computação UFRJ Grupo de Respostas a
> Incidentes de Segurança - GRIS UFRJ www.dcc.ufrj.br |
> www.gris.dcc.ufrj.br
>
>
-----------------------------------------------------------
-----------
> ----- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE
- ONLINE The
> Norwich University program offers unparalleled Infosec
management
> education and the case study affords you unmatched
consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business
Continuity
> Planning, Computer Emergency Response Teams, and Digital
Investigations.
>
> http://www.msia.norwich.edu/secfocus
>
-----------------------------------------------------------
-----------
> ------
>
>
-----------------------------------------------------------
----------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec
management education and the case study affords you
unmatched consulting experience.
Tailor your education to your own professional goals with
degree customizations including Emergency Management,
Business Continuity Planning, Computer Emergency Response
Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
-----------------------------------------------------------
-----------------
-----------------------------------------------------------
----------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec
management education and the case study affords you
unmatched consulting experience.
Tailor your education to your own professional goals with
degree customizations including Emergency Management,
Business Continuity Planning, Computer Emergency Response
Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
-----------------------------------------------------------
----------------
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
