Security Event Log

  • Question

  • A little frustrated here, the Windows Security log on our server is out of control. It is generating 250,000+ events in less than a day at which point it prunes the log. About 80% of them are logon/logoff events. We have a total of 35 users which should generate less than 100 actual tangible logons/logoffs (I know there are other logon types).

    I understand that there needs to be more records than I want in order to provide useful information. But the current settings are the polar opposite making it very difficult to parse any kind of usable information out of the mountain of data. Even if I didn't care about my limited time, it is ridiculous to be logging 150mb of Kerberos tickets and other minutia daily. If I wanted to store 6 months of logs it would require 27 GB of space.

    There must be a happy medium for normal small businesses that want useful information but don't need forensic level logging. For example, the application log. Also noisy, but I can scroll through a few days of events and pick out obvious problems that need my attention.

    Thanks for listening to me whine :) and for any help/suggestions.

    Thursday, March 12, 2015 8:39 PM

Answers

  • Hi,

    You may consider configuring Advanced Security Audit policy settings; there are subcategories of Account Logon, such as Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations, that you may disable.

    Please note that if you want to modify settings within Advanced Security Audit policy, make sure to enable the policy "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options; otherwise, modified settings within Advanced Security Audit policy won't apply.

    More information for you:

    Advanced Security Audit Policy Settings

    https://technet.microsoft.com/en-us/library/dd772712%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Account Logon

    https://technet.microsoft.com/en-us/library/dd772662%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

    https://technet.microsoft.com/en-us/library/jj852246(v=ws.10).aspx

    Best Regards,
    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Amy Wang_ Friday, March 13, 2015 3:59 PM
    • Proposed as answer by Amy Wang_ Thursday, March 19, 2015 3:33 AM
    • Marked as answer by Amy Wang_ Tuesday, March 24, 2015 3:55 AM
    Friday, March 13, 2015 3:56 PM
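    An added example of the steps in the reply above (not part of the thread or of Microsoft's documentation): first tally which event IDs actually fill the Security log, then turn subcategory auditing on and disable the two Kerberos subcategories. The 24-hour window, the 200,000-event cap, the choice to keep failure auditing enabled, and running this on a domain controller (Kerberos Authentication Service events are only logged there) are this example's assumptions; run it in an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run elevated on the server whose Security
# log is noisy. Time window, event cap and the keep-failures decision are assumptions.

# 1. Count Security events by ID over the last 24 hours (capped so the tally
#    finishes quickly on a log this busy). This shows which IDs are the noise,
#    e.g. 4768/4769 (Kerberos TGT / service ticket requests, Account Logon
#    category) versus 4624/4634 (logon/logoff), before any policy is changed.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -MaxEvents 200000
$events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name,
        @{ Name = 'Pct'; Expression = { '{0:P1}' -f ($_.Count / $events.Count) } } |
    Format-Table -AutoSize

# 2. Show the current Account Logon subcategory settings.
auditpol /get /category:"Account Logon"

# 3. Make subcategory settings win over the legacy category policy. This is the
#    registry value behind "Audit: Force audit policy subcategory settings
#    (Windows Vista or later) to override audit policy category settings". On a
#    domain-joined server set the same policy in the GPO that applies to it,
#    otherwise Group Policy will overwrite the local value on the next refresh.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 4. Disable success auditing for the two Kerberos subcategories named in the
#    reply (the 4768/4769 flood) but keep failure auditing: failed ticket
#    requests are rare, so they cost little space and remain useful for
#    troubleshooting and for noticing repeated bad requests against an account.
foreach ($sub in 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations') {
    auditpol /set /subcategory:"$sub" /success:disable /failure:enable
}

# 5. Verify the change took effect.
auditpol /get /category:"Account Logon"
```

    Re-run step 1 the next day to confirm the volume dropped; if the top IDs are 4624/4634 rather than 4768/4769, the noise is in the Logon/Logoff category and the same auditpol /set pattern applies to those subcategories instead.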
  • Hi,

    Is there a way to not log events generated by particular user accounts?

    Yes, there is.

    We can use Auditpol.exe to configure audit policy, and the /exclude switch to prevent auditing for specified accounts. Please note that this setting is ignored for users who are members of the local administrators group.

    More information for you:

    Auditpol set

    https://technet.microsoft.com/en-us/library/cc755264.aspx

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Amy Wang_ Thursday, March 19, 2015 3:33 AM
    • Marked as answer by Amy Wang_ Tuesday, March 24, 2015 3:55 AM
    Tuesday, March 17, 2015 2:54 AM
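    An added example (not from the thread) of the per-user exclusion described above, applied to the monitoring account the original poster mentioned. The account name CONTOSO\svc-monitor is a placeholder, the category is assumed to be Logon/Logoff, and the administrators-group check is this example's addition to catch the caveat in the reply before the exclusion silently does nothing. Run in an elevated PowerShell session.

```powershell
# Added example, not from the thread. CONTOSO\svc-monitor is a placeholder for the
# noisy monitoring account; the category to exclude is an assumption.
$Account  = 'CONTOSO\svc-monitor'
$Category = 'Logon/Logoff'

# Per-user exclusions are ignored for members of the local Administrators group,
# so check direct membership first (nested group membership is not resolved here;
# if the account gets its admin rights through another group, check that too).
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -contains $Account.Split('\')[-1]) {
    Write-Warning "$Account is a local administrator; auditpol /exclude will be ignored for it."
}

# Exclude only that account's successful audits in the chosen category. Failures
# are still logged, so a broken or locked-out monitoring account stays visible.
# (/include does the opposite: audit one account more closely than the system policy.)
auditpol /set /user:"$Account" /category:"$Category" /exclude /success:enable

# Verify the per-user policy that is now in place.
auditpol /get /user:"$Account" /category:*

# Per-user policy is evaluated against the account's own token, so audits the
# server records about the account before it has a logon session (for example
# credential validation in the Account Logon category on a domain controller)
# should not be expected to disappear; re-count the log after a day to confirm
# the effect. To undo the exclusion later:
#   auditpol /remove /user:"$Account"
```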

All replies

  • Thanks for the help!

    Is there a way to exclude SYSTEM user and computer account authentication? I can't think of an instance where I would actually care to know about those events.

    Is there a way to not log events generated by particular user accounts? For example I have a monitoring tool that is accounting for a significant portion of the noise, it uses a domain user account for its work. I don't care what it is doing from a security log perspective and would like to omit it.

    Friday, March 13, 2015 7:57 PM