Event ID 626 not being logged

 
Event ID 626 not being logged - 12.Jun.2009 12:49:18 PM   
tsherwin

 

We are monitoring Windows 2003 domain controllers, and are using the default Noise, Security Events, and Security Applications event filters.  We can see Event ID 629 (account disabled) written to the database, but not any associated 626 (account enabled).

I've modified the User-based noise rule to ensure 626 is excluded from noise.
I also explicitly added 626 to the Account Disabled rule under Security Events (assuming this is how 629 is being captured), but I'm still not seeing anything.

We used to not apply any filters, but we have so much activity our database was becoming corrupt.  We only have 6 domain controllers, maybe 5000 users at most.  Even with our events older than 7 days being deleted every night, the db was growing to 100s of GB.  Does this seem excessive?

Right now I'm more concerned about the 626 problem.  It puts the whole solution in question when we know we are missing specific events.

Thank you.
Post #: 1
RE: Event ID 626 not being logged - 15.Jun.2009 8:57:09 AM   
DrewE

 

A useful tool in this situation may be the Program Files\GFI\EventsManager 8\ExportRules.exe application.  Once run, you can examine the GFI\EventsManager\ConfigurationReports folder. Inside this folder you should see the Rulesets folder, which will help examine all event IDs we should be collecting.

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to tsherwin)
Post #: 2