Re: Security Logs are hard to read

Hi Jenny Wu:

I was not going to go any further into this, since your reply to my question
stated so accurately what the possibilities are. But since you took the
time to message me directly to see if there are any further issues, I wanted
to thank you, and to ask you the actual specific question.

Maybe the thing I need is a link to a reference that explains what all these
events are, and what they mean?

The actual specific question is: what filters would I use to find the logon
time for a real user? I know that this user comes to work between 0500 and
0700 hours each day, and I know that he logs on from the same client
workstation.

But there are thousands of events in the security logs during this time,
and all are successful, so the filter for successful, warning, or failure is
not helpful. I suppose I could first ask him to use an incorrect
password and watch for the time of the unsuccessful event, and that would
narrow it down, but this would require cooperation on the part of the user,
which may not always be possible.

If I filter by the user name, there are still hundreds, and dozens during
that time period.

Thanks for your help.

Anna


"Jenny Wu [MSFT]" <v-yanniw@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:AwqH9oruGHA.760@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Anna,

Thanks for posting here. Also thanks for Avanwey's input.

From your description, I understand that you want to know how to filter out
normal security network traffic to clean up the security logs. If I
am off base, please don't hesitate to let me know.

As Avanwey said, we usually use the Filter function in Event Viewer to clean
up the view of the logs. You can do as follows:

1. Open the Event Viewer (eventvwr.msc) console, right-click the Security item
in the left pane and choose View -> Filter... to open the Security properties
page.

2. Under the Filter tab, you can uncheck the "Information", "Success audit"
and "Warning" checkboxes as needed to clean up the viewer so that you can
easily find the information you need.

3. You can also specify the exact event source, category, event ID, user and
computer to filter the information you need. You can set different filter
conditions each time for a different aim. This process does not affect the
actual security log file. We cannot customize the log file itself (such as
the recording interval, event source, category and so on) in Event Viewer,
since the log files are created for troubleshooting purposes by
administrators and Microsoft engineers.

Is the server box running SBS 2003? If yes, you can use the monitoring
component to create customized server performance reports and server status
reports to monitor the server, to ensure the server is running in a stable
state and to notify you if any critical errors happen on the server. You can
get detailed information about the monitoring component by searching in the
Help and Support Center.

You can find the monitoring component in the Server Management console ->
Monitoring and Reporting; click Set up Monitoring Reports and Alerts to
configure performance and usage settings. The component will take about 24
hours to collect data to create reports.

More information:
================
The usage information for Internet activity contained in the server usage
report includes the following:

-- Internet Activity: Web Activity by Computer.
The total and average daily hours a client computer was connected to the
Internet during the reporting period.

-- Web Traffic by Hour.
The total and average daily number of connections made by all client
computers, by hour, during the reporting period.

Hope the above information helps. Please let me know if you have further
questions on the issue. I am happy to be of assistance to you and look
forward to your reply.


Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup focuses only on SBS technical issues. If you have issues
regarding other Microsoft products, you had better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "avanwey@xxxxxxxxxxxxx" <avanwey@xxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
Subject: Re: Security Logs are hard to read
Date: 7 Aug 2006 08:00:56 -0700
Organization: http://groups.google.com
Lines: 2
Message-ID: <1154962855.961577.43960@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <Ok2FwvhuGHA.3912@xxxxxxxxxxxxxxxxxxxx>

Try using the Filter function under the View menu.
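
An added example, not from any of the posters in this thread, showing how the filtering Jenny describes (event type, event ID, user, computer, time window) can be applied to the Security log from PowerShell so that the first logon per day for one account from one workstation falls out. The account name, workstation name and look-back period are placeholders; it assumes PowerShell 2.0 or later on a Windows Server 2003 / SBS 2003 box with logon event auditing enabled.

```powershell
# Placeholders: the account to look for, the NetBIOS name of the client PC
# it logs on from, and how many days back to search.
$Account     = 'jdoe'
$Workstation = 'WS-ANNA01'
$Days        = 7

$start = (Get-Date).Date.AddDays(-$Days)

# 528 = successful logon, 540 = successful network logon. These are the
# Windows 2000/2003 Security log IDs; Vista and later record 4624 instead.
# Only Success Audit entries are pulled, which already drops failures.
$logons = Get-EventLog -LogName Security -EntryType SuccessAudit -After $start |
    Where-Object { $_.EventID -eq 528 -or $_.EventID -eq 540 }

# The User column of these events is usually NT AUTHORITY\SYSTEM, which is
# why filtering on it in Event Viewer leaves so much noise. The account and
# workstation are in the description's insertion strings instead:
# %1 = user name, %2 = domain, %4 = logon type, %7 = workstation name.
$hits = $logons | Where-Object {
    $s = $_.ReplacementStrings
    $s.Count -ge 7 -and
    $s[0] -eq $Account -and
    $s[6] -eq $Workstation -and
    $_.TimeGenerated.Hour -ge 5 -and $_.TimeGenerated.Hour -lt 7   # 05:00-06:59
}

# One line per day: the earliest match, with the logon type so that an
# interactive console logon (type 2) can be told apart from a network
# logon (type 3) caused by a mapped drive or Outlook.
$hits | Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } | ForEach-Object {
    $first = $_.Group | Sort-Object TimeGenerated | Select-Object -First 1
    New-Object PSObject -Property @{
        Date       = $_.Name
        FirstLogon = $first.TimeGenerated.ToString('HH:mm:ss')
        LogonType  = $first.ReplacementStrings[3]
        EventID    = $first.EventID
    }
} | Sort-Object Date | Format-Table Date, FirstLogon, LogonType, EventID -AutoSize
```

Run it in an elevated PowerShell session on the server (reading the Security log requires administrative rights); if the log wraps before the look-back window, raise the log size or archive it before the events are lost.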