none
windows 2000 server event viewer security logs RRS feed

  • Question

  • Hi,

    I have a question that i hope someone will be able to answer pretty easily, im new to the server world & im pretty sure im right but if a server has a generic logon does this show up in the security logs on event viewer if you do a alt ctrl del at the console to log on & off? ( screen lock) im sure it does but i want to confirm what will show up on the logs.#

    Many Thanks

    Sean.




    Tuesday, August 26, 2008 12:58 PM

Answers

  • Hello,

          You are right ,The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity and/or other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log. The Security Log is one of three logs viewable under Event Viewer . LSAS writes events to the log.

    If you audit or log too many events, the log files might become unmanageable and contain superfluous data. Before enabling the system and security logs, you need to enable auditing for the system log and establish the number of events that you want recorded in the security log. You cannot change the information that is logged in the system log: These events are pre programmed into Windows Server 2003 services and applications. You can customize system log events by configuring auditing. Auditing is the process that tracks the activities of users and processes by recording selected types of events in the security log of the Web server. You can enable auditing based on categories of security events. At a minimum, enable auditing on the following categories of events:

    • Any changes to user account and resource permissions
    • Any failed attempts for user log on
    • Any failed attempts for resource access
    • Any modification to the system files
    http://technet.microsoft.com/en-us/library/cc779487.aspx

    Hope you Understand.

    Thanks


    Syed Khairuddin
    • Marked as answer by David Shen Wednesday, August 27, 2008 10:09 AM
    Tuesday, August 26, 2008 1:18 PM
  • seanieb said:

    thats great, just to confirm even if the server is running & you unlock the screen it will still show in the event viewer?



    Yes.

    I had some free time, and actually tested this. I went to one server, and first typed wrong password and after the right one. After unlocking i checked the event logs and it showed what i had done :)

    At Local Security policies i had


    Audit account logon events ; Success, Failure  

    Audit logon events Success (dont know if this matters, though.)
    Henry Eklöf :: Just one random IT-guy more.
    • Marked as answer by David Shen Wednesday, August 27, 2008 10:09 AM
    Wednesday, August 27, 2008 7:32 AM

All replies

  • Hello,

          You are right ,The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity and/or other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log. The Security Log is one of three logs viewable under Event Viewer . LSAS writes events to the log.

    If you audit or log too many events, the log files might become unmanageable and contain superfluous data. Before enabling the system and security logs, you need to enable auditing for the system log and establish the number of events that you want recorded in the security log. You cannot change the information that is logged in the system log: These events are pre programmed into Windows Server 2003 services and applications. You can customize system log events by configuring auditing. Auditing is the process that tracks the activities of users and processes by recording selected types of events in the security log of the Web server. You can enable auditing based on categories of security events. At a minimum, enable auditing on the following categories of events:

    • Any changes to user account and resource permissions
    • Any failed attempts for user log on
    • Any failed attempts for resource access
    • Any modification to the system files
    http://technet.microsoft.com/en-us/library/cc779487.aspx

    Hope you Understand.

    Thanks


    Syed Khairuddin
    • Marked as answer by David Shen Wednesday, August 27, 2008 10:09 AM
    Tuesday, August 26, 2008 1:18 PM
  • thats great, just to confirm even if the server is running & you unlock the screen it will still show in the event viewer?
    Tuesday, August 26, 2008 1:22 PM
  • seanieb said:

    thats great, just to confirm even if the server is running & you unlock the screen it will still show in the event viewer?



    Yes.

    I had some free time, and actually tested this. I went to one server, and first typed wrong password and after the right one. After unlocking i checked the event logs and it showed what i had done :)

    At Local Security policies i had


    Audit account logon events ; Success, Failure  

    Audit logon events Success (dont know if this matters, though.)
    Henry Eklöf :: Just one random IT-guy more.
    • Marked as answer by David Shen Wednesday, August 27, 2008 10:09 AM
    Wednesday, August 27, 2008 7:32 AM