Enabling Windows Server 2003 Security Logs
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Collecting information about the security aspects of the Web server is required to help ensure that the Web server stays secure. Windows Server 2003 uses security and system logs to store collected security events. The security and system logs are repositories for all events recorded on the Web server. Many management systems, such as Microsoft Operations Manager, periodically scan these logs and can report security problems to your operations staff.
If you audit or log too many events, the log files might become unmanageable and contain superfluous data. Before enabling the system and security logs, you need to enable auditing for the system log and establish the number of events that you want recorded in the security log. You cannot change the information that is logged in the system log: these events are preprogrammed into Windows Server 2003 services and applications. You can customize system log events by configuring auditing.
Auditing is the process that tracks the activities of users and processes by recording selected types of events in the security log of the Web server. You can enable auditing based on categories of security events. At a minimum, enable auditing on the following categories of events:
Any changes to user account and resource permissions
Any failed attempts for user logon
Any failed attempts for resource access
Any modification to the system files
You can customize which types of events are recorded in the security log. The most common security events recorded by the Web server are associated with user accounts and resource permissions.
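The following added example (not part of the original Microsoft page) checks an exported security template, such as one produced with secedit /export /cfg, against the minimum categories listed above. The mapping from those categories to the [Event Audit] keys is an assumption made for this example, and the sample template is constructed.

```python
import configparser

# [Event Audit] values are a bitmask: 1 = audit success, 2 = audit failure.
SUCCESS, FAILURE = 1, 2

# Assumed mapping of the page's minimum categories to audit policy keys:
#   account changes                    -> AuditAccountManage (success)
#   failed logon attempts              -> AuditLogonEvents (failure)
#   permission and system file changes -> AuditObjectAccess (success)
#   failed resource access             -> AuditObjectAccess (failure)
# Object access events are only recorded for objects that carry a SACL.
REQUIRED = {
    "AuditAccountManage": SUCCESS,
    "AuditLogonEvents": FAILURE,
    "AuditObjectAccess": SUCCESS | FAILURE,
}

# Constructed sample of an exported template (not taken from a real server).
SAMPLE = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 2
AuditAccountManage = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

def describe(bits):
    """Render an audit bitmask as text, e.g. 3 -> 'success+failure'."""
    names = ((SUCCESS, "success"), (FAILURE, "failure"))
    return "+".join(name for bit, name in names if bits & bit)

def audit_gaps(template_text):
    """Return {key: missing_bits} for required settings that are not enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(template_text)
    section = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    gaps = {}
    for key, needed in REQUIRED.items():
        value = section.get(key, "0").strip()
        current = int(value) if value.isdigit() else 0
        if needed & ~current:
            gaps[key] = needed & ~current
    return gaps

if __name__ == "__main__":
    for key, missing in audit_gaps(SAMPLE).items():
        print(f"{key}: not auditing {describe(missing)}")
```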
For more information about how to enable security auditing, see Enable Security Auditing.