Thread: Events not posted in security section
View Single Post
  #8  
Old May 23rd 09, 07:03 PM posted to microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general
Jose
external usenet poster
  
Posts: 3,140
Default Events not posted in security section
On May 23, 1:31*pm, "Gerry" wrote:
Jose

I spend a lot of investigating what Event Viewer Reports mean, You may
have noticed G. However, I have never investigated *the meaning of
Security events for others. System and Application Events give more than
enough to keep me occupied.

I just counted the Security Events listed when I booted this morning.
Quite surprised to find 61 Success Audits. Looked through the whole log
and there are only 4 Failures. All about the same time last Wednesday an
hour after booting.

--

Gerry
*~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
.

Jose wrote:
On May 23, 4:13 am, "Gerry" wrote:
Jose

"Logging of Security Events in disabled by default in XP"

I do not think you are right here. I have never made any changes when
reinstalling and the Security log has always been populated. I only
use Home Edition. The situation could be different with
Professional, where the Administrator can set Policy options.

--

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

Jose wrote:
On May 22, 8:40 pm, karthikaravind
wrote:
I could see no events are posted under the security section
All the necessary options are enabled
overwritte events older than 7 days
Maximum log size 512 KB
under the filter section
All the event types are checked
Event source - all
category - All
I am working under administrative pr
Could some one please tell me what is wrong ?

Logging of Security Events in disabled by default in XP, so unless
someone enables security auditing by establishing a security policy
and specifying things to watch for, it will remain empty. Nothing is
wrong if it is empty.

Here is a KB to get you started:
http://support.microsoft.com/kb/157662

You can check out your security policies by going to Start, Run,
secpol.msc

All the audit polices are probably set to No auditing (default).
Turn on a simple one like audit logon events, then logoff and back
on and you should see something.

The Security log can fill up fast (and then be overwritten).

Jose

Poor choice of words based on assumption. *I am not using Home, and
the OP didn't specify, so we have to guess.

The default installation of XP Pro has the Security Auditing Policies
set to No auditing. *I thought I read once that it was just XP in
general now I read Pro and Home are different in this area.

XP Home has some default security policies enabled that "cannot be
administered". *That is good to know.

In Pro, the mechanism is there and "enabled", but there is probably
nothing set up to audit to cause something to be written to the
Security log. *In Pro this is through the secpol.msc snapin. *The
closest equivalent in Home might be lusrmgr.msc which is not on a Pro
system.

If you are using Home and have stuff in your Security log, it would be
interesting to see what your security policies setting are for what
events to log. *You can open the events and figure out what is being
audited and then check your policies. *I can't do that here.

I can easily get way too much information in the log by choosing to
audit certain events, but just being us chickens here, I don't care.

Even running the Event Viewer to look a the log creates entries in the
Security log since it is an administrative tool!

Back to No auditing for me.

Jose

Yeah - I bet. I turned on some simple policy, ran Event Viewer, and
that put 6 in just for starting EV. Ican imagine if it was set to
full throttle.

I will log it in as one of those many available, yet unexploited XP
features that will remain inactive until I think I need it.

Jose
Ads