Observing/logging a resource for purposes of:
- Adding it to a blacklist or whitelist
- Keeping tabs on the security of a system
Questions tagged [audit]
325 questions
0 votes, 1 answer
Event 4771 (Bad Password Logon) Does not show proper client
We are having issues with frequently locked out accounts.
We are having 4771 {Bad Password} events on our main DC.
Issue: Within the event, the client machine is not properly shown. Instead another DC is shown as client host name:
only in rare…

Julian Bechtold
0 votes, 1 answer
daemonized alternative to tcpdump to save mirrored traffic
I need to save mirrored traffic for audit purposes. Traffic for the audited server is sent to another server. I need to capture that traffic on a dedicated interface, save it to pcap files of reasonable scope (rotation by date/size), and (maybe) upload and…

George Shuklin
0 votes, 2 answers
How to log commands executed by user
First of all, I have been working for some years with snoopy and it's not what I need; also, checking the history file isn't a solution for me.
I have to give ROOT access to a developer to install a program on the server and I know that he will remove history…

Nimafire
0 votes, 1 answer
Event ID 566 - Deleted Objects - Exchange Server
Getting a lot of these on one of the DCs' security log:
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 27/01/2010
Time: 10:12:41
User: Domain\Exchangeserver$
Computer:…

Ethos
0 votes, 1 answer
Identifying user activity/processes from log message on remote machine - 10.0.0.2 - user A, using service account B trying to connect to 10.0.0.3
I just inherited an older Linux server. I am getting asked to identify and stop a process initiated by a user. How can I go about identifying what process a user is executing that matches the logs seen on a remote machine?
Local machine =…

kawi1000
0 votes, 1 answer
How long should accounts be deactivated before being deleted?
How long should accounts be deactivated before being deleted? Should accounts be deactivated?
For example, our organization uses 1Password Business, which allows for accounts to be deactivated. How long should we keep deactivated accounts around?…
0 votes, 0 answers
Windows Server 2019 - Audit which human user restarted a service
Trying to audit which AD user actually restarted a service on a particular service.
The service (MyService) is using a serviceaccount to run and get access to different resources.
I want to audit when my user or any actual human user manually…

TheSwede86
0 votes, 0 answers
pam_tty_audit collect only TTY events
I'm trying to put together a TTY logging feature under Ubuntu 18.04 server and created /etc/pam.d/tty-audit with the following content:
session required pam_tty_audit.so enable=*
and added that to /etc/pamd.d/common-auth:
@include…

mc88
0 votes, 1 answer
How to enable file auditing for exchange server V15 folder
So I want to enable auditing on this specific folder V15 located under program files>Microsoft>Exchange server
But on the auditing tab I get a Message "you must be an administrator or have been given the appropriate privileges to view the auditing…

David Kent
0 votes, 0 answers
Logging SSH commands on Linux - is custom kernel the only way?
I've done some research and it looks like the way Linux keeps history is less about security and audit and more about helping the user.
Even after making changes to instantly log the command and space commands, the command still won't log till…

Jason
0 votes, 1 answer
Logging all failed authentication attempts against Active Directory
I need to log all failed authentication attempts against my Active Directory domain. An external app binds to MS AD via LDAPS and uses AD for user authentication requests.
When the wrong user or password is used, I do not see audit events on the DC…

Dave M
0 votes, 1 answer
How do you enable Trace Rollover for audit traces on SQL Server 2005?
I need to find out if Trace Rollover is enabled on my SQL Server 2005 machine. Where can I find this out and turn it on if I need to?

wahle509
0 votes, 1 answer
how to audit a reboot?
Quick and simple question: How do I use auditd to log a system reboot?
I tried using the reboot syscall to no avail. I could imagine that the audit daemon is stopped before the actual syscall is made.
I then set a hook on /sbin/reboot. But this is a…

Arpton
0 votes, 3 answers
Security Log Event ID 4625 - An account failed to log on every few minutes - random source IP addresses
A fairly new MS Windows Server 2019 VM installation is logging over a hundred Security Log Audit Failures a day with Event ID 4625.
RDP for the server is enabled only for a single trusted WAN source IP through the Draytek Firewall.
The server hosts…

cb2791
0 votes, 0 answers
Updating Advanced Audit Policy Configuration via auditpol
I just started a new job last week as a software developer and one of the first tasks I was given was to update a script my company sends out to the client laptops. Basically all it is supposed to do is delete a file (which I have written) and update…

Dave