Since we have upgraded to Windows 2000/AD, our security logs have grown very large. There seems to be a lot of logon/logoff (successful) activity between the workstation$ accounts and the Domain. I work for a hospital and must track all logon activity for users, is there a way to filter out workstation logon/logoff events and only log user activity. This is wreaking havoc on my archiving scheme. Thanks!
The granularity of the policy for logging of events does not permit the exclusion of the machine accounts. However, if you are using a scripted solution for archiving, or are willing to use such a solution you can filter the events from the logs when they are archived. The VBScript along with WMI can be utilized to pull information from event logs of multiple machines and centrally store the information. If you use this process in conjunction with an appropriate Group Policy governing size and how the information is cleared from event logs -- you can effectively store the logs after filtering unnecessary information. The logs can then be stored for long durations, backed up to tape, and reviewed at will.
Additional Expert Help: Be sure to check our Answer FAQ for more expert advice. For faster answers, visit ITKnowledge...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.