Windows 2000 Server audit policy?

Moonark

Senior member
Oct 9, 1999
I am working on a way so that when we get our clients' data here at work I can place it in a secure directory. There are a few people that need to access it, and I figure I can monitor this with an auditing policy. The question I have is what type of options do I have available and where are the log files kept. It is in the event log, are there ways to extract them to a text file or can I log to a text file? Also if anyone has better logging suggestions, please feel free to list them.
 

Poontos

Platinum Member
Mar 9, 2000
$Drive:/Winnt/System32/Logfiles

Is where they are stored by default. Not sure how to have them written somewhere else.
Probably a registry adjustment, if at all.

Good luck!

Make sure it's set up right in the Local Security Policy... to audit some more activity
than the default, especially if you are picky.
 

Woodie

Platinum Member
Mar 27, 2001
Audit policy in w2k is set with a GPO. (You are running in a W2K domain, right?)

Create the GPO, using the MMC & Policy Editor.
Set the audit policies:
success/failure, and there are like 8 categories.
All the entries are logged to the server Event Log (the Security Log). Only server admins can view the Security Log.

This is in M$'s proprietary format, but you can export it to CSV or TXT, using the GUI Event Viewer. (I'll warn you, it's very slow.)

To audit user-level access to files/directories, you'll have to turn on "Object Access" auditing. And be prepared for s-loads of data (mostly junk).

Make sure you only link this GPO to the servers you're interested in, and don't put it on DCs. BTW, all the Event Log settings (size, wrap, etc.) can also be set in the same GPO.

If you're not in a W2K domain, then set all the above settings in the Local System Policy.

<end braindump>

--Woodie
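
An added example, not part of any post in this thread: once the Security Log has been exported to CSV as described above, a short script can cut the "Object Access" noise down to opens under the one protected directory and summarize who touched it. It keys on event ID 560 ("Object Open" on Windows 2000). Assumptions: the column order in `COLUMNS`, the description layout, the directory `D:\ClientData`, and the sample rows, which are constructed.

```python
import csv
import io
import re
from collections import Counter

# Assumed column order of the exported file; adjust to match your export.
COLUMNS = ["date", "time", "source", "type", "category",
           "event", "user", "computer", "description"]
OBJECT_OPEN = "560"  # Windows 2000 Security log event ID for "Object Open"
# Assumed description layout: the path follows "Object Name:" up to the next field.
OBJECT_NAME = re.compile(r"Object Name:\s*(.*?)\s+(?:New Handle ID:|Accesses:)", re.S)

# Constructed sample rows (not real log data).
SAMPLE_EXPORT = r"""
3/12/2001,9:14:02 AM,Security,Success Audit,Object Access,560,CORP\alice,FS01,"Object Open: Object Type: File Object Name: D:\ClientData\acme\ledger.xls Accesses: ReadData"
3/12/2001,9:14:05 AM,Security,Success Audit,Object Access,560,NT AUTHORITY\SYSTEM,FS01,"Object Open: Object Type: File Object Name: C:\WINNT\system32\config\software.LOG Accesses: WriteData"
3/12/2001,9:15:40 AM,Security,Failure Audit,Object Access,560,CORP\bob,FS01,"Object Open: Object Type: File Object Name: D:\ClientData\acme\ledger.xls Accesses: WriteData"
3/12/2001,9:16:11 AM,Security,Success Audit,Logon/Logoff,538,CORP\bob,FS01,"User Logoff"
3/12/2001,9:17:30 AM,Security,Success Audit,Object Access,560,CORP\carol,FS01,"Object Open: Object Type: File Object Name: D:\ClientDataOld\x.txt Accesses: ReadData"
"""

def accesses_under(export_text, directory):
    """Return (date, time, user, outcome, path) for object opens under directory."""
    # Trailing backslash so D:\ClientData does not also match D:\ClientDataOld.
    prefix = directory.rstrip("\\").lower() + "\\"
    hits = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < len(COLUMNS):
            continue  # blank or truncated line
        rec = dict(zip(COLUMNS, row))
        if rec["event"] != OBJECT_OPEN:
            continue
        m = OBJECT_NAME.search(rec["description"])
        if not m or not (m.group(1).lower() + "\\").startswith(prefix):
            continue
        hits.append((rec["date"], rec["time"], rec["user"], rec["type"], m.group(1)))
    return hits

def summarize(hits):
    """Count opens per (user, Success Audit / Failure Audit)."""
    return Counter((user, outcome) for _, _, user, outcome, _ in hits)

if __name__ == "__main__":
    for (user, outcome), n in sorted(summarize(accesses_under(SAMPLE_EXPORT, r"D:\ClientData")).items()):
        print(f"{user:20} {outcome:15} {n}")
```
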