Security Event Log - 2008 - Increased Events
Posted 8/3/2011 2:27:12 PM
Forum Newbie

Group: Forum Members
Last Login: 2/21/2012 12:17:07 PM
Posts: 5, Visits: 5
I've noticed a massive increase of security events on 2008 R2 DCs compared to 2003. Can anyone shed any light on the new events, the volume of them, etc.?
Post #777
Posted 8/9/2011 4:02:12 PM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Yes, 2008 added a number of new subcategories with new events. In particular, firewall-related events account for the great increase in events. You really need to start configuring audit policy at the subcategory level and disable all unneeded subcategories. Here are some links to help you:

http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008
Post #780
Posted 8/9/2011 4:11:41 PM
Forum Newbie

I don't have any of the new audit categories currently enabled. Are there new subcategories to the 2003 categories?

What category do the firewall events go under?

Post #781
Posted 8/10/2011 9:33:30 AM
Expert

I'm pretty sure you do have them enabled.  There is loads of confusion over this.  Make sure you read and understand these 2 posts. 

http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/OVERVIEW-Audit-Policy 

http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Audit-Force-audit-policy-subcategory-settings-Windows-Vista-or-later-to-override-audit-policy-category

Post #784
Posted 8/10/2011 6:31:25 PM
Forum Newbie

Now I understand. I don't have any of the new audit categories turned on, but I do have most of the existing 2003 audit categories turned on, and from what I understand, new subcategories were added to those categories. Thank you!
Post #785
Posted 8/15/2011 10:26:02 AM
Expert

Exactly!
Post #788
Posted 2/7/2012 2:41:58 PM
Forum Newbie

Is there a way to get a list of all of the categories and subcategories from a 2003 server?

On 2008 R2 I ran, auditpol /get /category:*

That worked nicely. However, that command does not work with the version of auditpol on 2003.

I would LOVE to pull them all into a spreadsheet and compare them. I cannot seem to find any documentation of what subcategories specifically were added.

Obviously my objective is to filter as much noise as I can before I collect and archive my security event logs.

Thanks,

Jim

Post #909
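
Added example (not part of the original thread): one way to get the 2008 R2 policy into a spreadsheet is to save the text output of auditpol /get /category:* and parse it into Category/Subcategory/Setting rows, keeping only the subcategories that actually generate events. The sample output below is constructed, English-language auditpol output is assumed, and the function names are hypothetical.

```python
import csv
import io
import re

# Constructed sample of `auditpol /get /category:*` text output (not from a real DC).
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
Object Access
  File System                             No Auditing
  Filtering Platform Packet Drop          Success and Failure
  Filtering Platform Connection           Success and Failure
"""

SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")
ROW = re.compile(r"^\s+(?P<sub>.+?)\s{2,}(?P<setting>%s)\s*$" % "|".join(SETTINGS))

def parse_auditpol(text):
    """Return (category, subcategory, setting) rows from auditpol text output."""
    rows, category = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        m = ROW.match(line)
        if m and category:
            rows.append((category, m.group("sub"), m.group("setting")))
        elif not line[0].isspace():
            category = line.strip()  # unindented line starts a new category
        else:
            raise ValueError("unrecognised line: %r" % line)
    return rows

def enabled(rows):
    """Subcategories that generate events (anything other than 'No Auditing')."""
    return [r for r in rows if r[2] != "No Auditing"]

def to_csv(rows):
    """Spreadsheet-ready CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Category", "Subcategory", "Setting"])
    writer.writerows(rows)
    return buf.getvalue()
```

Feed parse_auditpol() the saved output from each DC and write to_csv(enabled(rows)) to a file; the enabled rows are the candidates to review when cutting noise at the subcategory level.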
Posted 2/21/2012 12:17:32 PM
Forum Newbie

Thank you for the clarification!
Post #937
All times are GMT -5:00.