Windows events and Performance Logs and Alerts are recorded in the EventLog service. The EventLog service starts automatically when Windows 2000 is started. All users can view application and system logs, however, only administrators have access to security logs.

By default, security logging is turned off. Use Group Policy, as described in subsection "Configuring Audit Policies" of this document, to enable security logging. The system administrator can also set auditing policies in the registry that cause the system to halt when the security log is full. Procedures for this are provided under subsection "Shut Down System Immediately If Unable to Log Security Audits" of this document. In addition, Appendix B, Audit Categories and Events of the Windows 2000 Security Configuration Guide provides a cross reference of audit categories and audit events to the auditable events addressed by the Windows 2000 ST requirements.

The Event Viewer Security log displays the following types of events:

  • Success audit. An audited security access attempt that succeeds. For example, the successful attempt by a user to log on the system will be logged as a success audit event.

  • Failure audit. An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a failure audit event.

For a complete list of audit categories and events that may appear in the Security log see Appendix B of the Windows 2000 Security Configuration Guide.