Account Logon and Logoff Auditing

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Is there a way within Windows 2000 Server to only audit user logon and
logoff events? I turned on this auditing feature on the Domain Controller,
but I keep getting useless audit information from the SYSTEM and
ComputerName$ accounts. Then I get a 100 different 528, 538, and 540 events
from every single user during the course of one day, and this just increases
the event log file tremendously. I just want to log when a user logs in and
logs off. Can this be done without logging the other stuff?

thanks

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

It is not possible to selectively audit logon events. What you can do is use filter
view in Event Viewer to look for specific events or use something like the free Event
Comb from Microsoft to search the domain controllers for specific events and text.
See the link below and read about Event Comb near the end of the white paper. There
are also third part tools to dump and filter security logs, some fee and some
ot. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml -- PsLogList
http://www.gfi.com/lanselm/ -- LanGuard S.E.L.M. -- trial download


"Allison" <no@email.com> wrote in message
news:uMhVLs1nEHA.648@tk2msftngp13.phx.gbl...
> Is there a way within Windows 2000 Server to only audit user logon and
> logoff events? I turned on this auditing feature on the Domain Controller,
> but I keep getting useless audit information from the SYSTEM and
> ComputerName$ accounts. Then I get a 100 different 528, 538, and 540 events
> from every single user during the course of one day, and this just increases
> the event log file tremendously. I just want to log when a user logs in and
> logs off. Can this be done without logging the other stuff?
>
> thanks
>
>