Security Event Log Performance for File and Folder Auditing

Subject: Security Event Log Performance for File and Folder Auditing
Author: jwgoerlich
Posted: January 26, 2007, 3:59 pm
Hello,

I am putting together a secure file server. Auditing on files and
folders will be enabled and, of course, performance is a concern. I am
estimating 1-2 events per second, or around 100K events per day.

To minimize impact of the logging, I am considering the following:

- Keeping the SACL small
- Setting the Security log to be 4 GB in size
- Dedicating a 5 GB RAID-10 volume for the logging partition
- Moving the Security log to this partition

As for the SACL, I think "List Folder / Read Data", "Create Folder /
Append Data", and "Delete Subfolders and Files" will capture all of the
important activity.

Is there anything that I am missing? Any other suggestions on how to
improve auditing and security event logging?

Thank you,

J Wolfgang Goerlich
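
The configuration described in the post above, sketched in PowerShell as an added example that is not part of the original post. It assumes a Windows version that ships PowerShell and wevtutil and an elevated session; the folder path, the audited principal, the success-and-failure setting, the log file location and the average event size are all assumptions.

```powershell
# Added example. Every value marked "assumption" is a placeholder, not from the post.
$Path          = 'D:\SecureShare'              # assumption: folder to audit
$Principal     = 'Everyone'                    # assumption: audit all users
$LogFile       = 'L:\Logs\Security.evtx'       # assumption: path on the dedicated volume
$LogBytes      = 4GB                           # Security log size from the post
$EventsPerDay  = 100000                        # estimate from the post
$AvgEventBytes = 500                           # assumption: measure on your own server

# The three rights named in the post, as a single audit ACE to keep the SACL small.
# ReadData = "List Folder / Read Data", AppendData = "Create Folders / Append Data".
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, AppendData, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'   # assumption

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inherit, $prop, $flags)

# -Audit is required, otherwise Get-Acl does not return the SACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm that only the intended ACE is present.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# A SACL produces no events unless object access auditing is enabled in policy.
auditpol /get /subcategory:"File System"

# Resize the Security log and point it at the dedicated volume.
wevtutil sl Security /ms:$LogBytes /lfn:$LogFile
wevtutil gl Security

# Rough retention before the log wraps, under the assumed event size.
$days = [math]::Floor($LogBytes / ($EventsPerDay * $AvgEventBytes))
"Estimated retention: $days days at $EventsPerDay events/day"
```

Replace the assumed event size with a measured one (log file growth divided by event count over a sample day) before relying on the retention figure.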

