Auditing Active Directory and Reviewing Audit Logs - Page 2

By Brien M. Posey

Reviewing the Audit Logs

The final step in the auditing process is to review your audit logs. I strongly recommend making this a daily process. For example, I make it a point to review my audit logs every morning, right after I change my backup tapes.

To review an audit log, select Start | Programs | Administrative Tools | Event Viewer. When the Event Viewer console opens, you'll see a list of all of the existing log files. Select the Security Log to see the results of your auditing.

As you browse through the list for the first time, you may discover that you've audited too many events to be meaningful. However, you can use this as a learning experience. By looking through the audit logs, you can get a feel for whether any of the currently audited events shouldn't be audited. I recommend auditing as few events as practical, for two reasons: First, the more events that you audit, the harder it is to locate a specific event in the log file; second, each event that you audit consumes system resources, such as processing power, disk space, and memory.

Even if you've been very selective about which events you audit, you may have trouble finding exactly the event you're looking for. Fortunately, you can use a search to make this process easier. To do so, select the Security Log and then select the Find command from the Event Viewer's View menu. The Find In Local Security Log dialog box will open, as shown in Figure 4. This dialog box lets you perform a targeted search on a number of criteria. For example, you can search for information, warnings, or errors. You can further search by specifying whether you're looking for a success audit or a failure audit. Finally, you can search for things like event source, category, event ID, user, computer, or description.

Figure 4: The Find In Local Security Log dialog box lets you perform a targeted search.

When you find a specific event in the audit log, keep in mind that the information presented to you is merely a summary of the event that has occurred. You can view more detailed information on any event by double-clicking on it.
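The search the article walks through in the Find dialog (audit type, event ID, user, computer, description) can be scripted so that the daily review described above runs the same way every morning. The following PowerShell function is an added example, not code from the article; it assumes a current Windows host with Get-WinEvent (the article's Windows 2000 Event Viewer predates it), a session allowed to read the Security log, and uses event ID 4625 (a failed logon on modern Windows) and the account name "jsmith" purely as illustrative values.

```powershell
# Added example (not from the original article): a PowerShell equivalent of the
# Event Viewer "Find" dialog for the Security log. Assumes Get-WinEvent is
# available (Windows Vista/Server 2008 or later) and that the session may read
# the Security log (an administrator or a member of Event Log Readers).
function Find-SecurityAuditEvent {
    [CmdletBinding()]
    param(
        # Event ID(s) to search for, e.g. 4625 (an account failed to log on).
        [int[]]$Id,

        # Restrict to success audits or failure audits, as the dialog allows.
        [ValidateSet('Success', 'Failure')]
        [string]$AuditType,

        # Only events newer than this time. Defaults to the last 24 hours so
        # that a morning review covers the previous day.
        [datetime]$Since = (Get-Date).AddDays(-1),

        # Regular expression matched against the event description, which is
        # where user and computer names appear in Security events.
        [string]$Pattern,

        # Upper bound on the number of events returned, newest first.
        [int]$MaxEvents = 100
    )

    # Build the filter hashtable that Get-WinEvent hands to the event log
    # service. Filtering there is far cheaper than piping every event through
    # Where-Object, which matters on a busy domain controller.
    $filter = @{ LogName = 'Security'; StartTime = $Since }
    if ($Id) { $filter['Id'] = $Id }

    # The audit result lives in the event's Keywords bitmask; these two values
    # are the standard keywords for Audit Success and Audit Failure.
    switch ($AuditType) {
        'Success' { $filter['Keywords'] = [long]0x20000000000000 }
        'Failure' { $filter['Keywords'] = [long]0x10000000000000 }
    }

    # Get-WinEvent raises an error when nothing matches; treat that as an
    # empty result so a clean log does not abort a scheduled review script.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return }

    if ($Pattern) {
        $events = $events | Where-Object { $_.Message -match $Pattern }
    }

    # Return the summary columns the Event Viewer list shows plus the full
    # Message, which is the detail you would otherwise reach by double-clicking.
    $events | Select-Object TimeCreated, Id, ProviderName, MachineName,
        @{ Name = 'Audit'; Expression = { $_.KeywordsDisplayNames -join ',' } },
        Message
}

# Usage: failed logons in the last day whose description mentions an account.
# 'jsmith' is a placeholder account name, not a value from the article.
Find-SecurityAuditEvent -Id 4625 -AuditType Failure -Pattern 'jsmith' |
    Format-Table TimeCreated, Id, MachineName, Audit -AutoSize
```

Because the function defaults to the previous 24 hours, it fits the daily-review habit the article recommends; a scheduled task can run it each morning and write the result to a file. One check worth making before relying on it: the Security log must be sized so that a day's worth of events is still present when you read it, otherwise the oldest entries are overwritten before the review happens.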


As you can see, the auditing process is a very important part of your network's security. In this article series, I've walked you through the process of implementing various types of auditing. I've also shown you how to locate specific events within the audit logs.

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.

This article was originally published on Feb 6, 2001