Windows Server 2008 and Vista Security Log Events

Modified: 2008/01/14 21:30 by Randy Franklin Smith
Windows Server 2008 and Vista introduce a totally new security log. All - and I mean ALL - the event IDs are different. There are now 57+ categories, most with their own audit policy. That's right, we're going from 9 to 57 different audit policies that control what gets logged. The format of log data is different; it's now XML. And there are new features for pushing events from one computer to another and for triggering scripts to run when specified events get logged.
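To see what the XML format and the event-triggered scripting mentioned above look like in practice, here is an added example (not part of the original page). It uses the wevtutil.exe and schtasks.exe tools that ship with Vista and Server 2008, and it assumes an elevated prompt; `$EventId` and `$Script` are placeholders for the event you want to react to and the script you want to run.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# prompt on Vista / Server 2008 or later, with wevtutil.exe and schtasks.exe on the path.

# --- 1. Look at the new XML record format ---------------------------------
# Pull the single most recent Security event as raw XML (not the rendered text).
$raw = & wevtutil qe Security /c:1 /rd:true /f:xml
# wevtutil emits one <Event> element per record with no root; wrap it so it parses.
$xml = [xml]("<Events>" + ($raw -join "") + "</Events>")

foreach ($ev in $xml.Events.Event) {
    $sys = $ev.System
    # Classic (pre-Vista style) events carry attributes on <EventID>, in which case
    # PowerShell hands back an XmlElement rather than a plain string.
    $id = $sys.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }
    "EventID {0} from {1} at {2}, task {3}" -f $id, $sys.Provider.Name, $sys.TimeCreated.SystemTime, $sys.Task
    # <EventData> is a list of <Data Name="..."> elements; show them as name = value.
    foreach ($d in $ev.EventData.Data) { "  {0} = {1}" -f $d.Name, $d.'#text' }
}

# --- 2. Run a script when a chosen event is logged ------------------------
# Both values below are PLACEHOLDERS the administrator fills in.
$EventId = 0                                   # PLACEHOLDER: event ID to react to
$Script  = 'C:\Scripts\OnSecurityEvent.cmd'   # PLACEHOLDER: script to launch

# The XPath filter is the same syntax the Event Viewer "Attach Task To This Event"
# wizard produces; it matches only Security-Auditing events with that ID.
$filter = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=$EventId]]"
& schtasks /Create /TN "React to Security $EventId" /TR $Script /SC ONEVENT /EC Security /MO $filter /RU SYSTEM /F
```

The first half is mainly useful for learning where the fields you will later filter on live: the fixed header (provider, ID, time, task category) is under `<System>`, while the per-event details are the named `<Data>` elements under `<EventData>`. The second half registers an ordinary scheduled task whose trigger is an event filter, so it can be inspected and removed with the Task Scheduler UI like any other task.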

I strongly recommend against enabling any of these entire categories; you will generate too much noise. I recommend starting with my Recommended Baseline Audit Policy for Windows Server 2008 and then tweaking from there.

For a list of all Security Log Events (several hundred),


Security Log Categories

You can still configure the 9 top-level audit policies using Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, but you can only configure the subcategories with the AuditPol command-line utility.
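As an added example (not the article's own baseline), the following shows how the subcategory-level policy is actually managed with auditpol.exe: back up the current settings, inspect them, enable a handful of subcategories rather than whole categories, and verify. The subcategory names are real auditpol names, but the particular picks are illustrative; it assumes an elevated prompt on Vista / Server 2008 or later.

```powershell
# Added example, not from the original article. Assumes an elevated prompt on
# Vista / Server 2008 or later; the subcategories chosen are illustrative only.

# 1. Save the current policy so the change can be undone later.
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
& auditpol /backup "/file:$backup"

# 2. Show what is logged today, per subcategory, across all categories.
& auditpol /get /category:*

# 3. Turn on only the subcategories you have decided you need. Enabling a whole
#    category (e.g. all of "Detailed Tracking") is what produces the noise the
#    article warns about, so each line below targets one subcategory.
$wanted = @(
    @{ Sub = 'Logon';                     Success = 'enable';  Failure = 'enable'  },
    @{ Sub = 'Account Lockout';           Success = 'enable';  Failure = 'enable'  },
    @{ Sub = 'Audit Policy Change';       Success = 'enable';  Failure = 'enable'  },
    @{ Sub = 'Security Group Management'; Success = 'enable';  Failure = 'enable'  },
    @{ Sub = 'Process Creation';          Success = 'disable'; Failure = 'disable' }  # high volume; left off here
)
foreach ($p in $wanted) {
    & auditpol /set "/subcategory:$($p.Sub)" "/success:$($p.Success)" "/failure:$($p.Failure)"
}

# 4. Verify just the subcategories that were touched.
foreach ($p in $wanted) {
    & auditpol /get "/subcategory:$($p.Sub)"
}

# To roll back to the saved policy:  auditpol /restore "/file:$backup"
```

One caveat worth knowing before relying on this: the 9 legacy category settings delivered through Group Policy still exist on these systems, and when they are applied they can overwrite subcategory settings made with auditpol at the next policy refresh. The security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" exists precisely to stop that, so enable it (or leave the legacy categories unconfigured) and then re-run step 4 after a `gpupdate /force` to confirm the subcategory settings survived.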
Other security log events
For an expanded list of categories and subcategories, click here.

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, All rights reserved. Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. Terms and conditions.