Event ID 626 not being logged



tsherwin -> Event ID 626 not being logged (12.Jun.2009 12:49:18 PM)

We are monitoring Windows 2003 domain controllers, and are using the default Noise, Security Events, and Security Applications event filters.  We can see Event ID 629 (account disabled) written to the database, but not any associated 626 (account enabled).

I've modified the User-based noise rule to ensure 626 is excluded from noise.
I also explicitly added 626 to the Account Disabled rule under Security Events (assuming this is how 629 is being captured), but I'm still not seeing anything.

We used to not apply any filters, but we have so much activity our database was becoming corrupt.  We only have 6 domain controllers, maybe 5000 users at most.  Even with our events older than 7 days being deleted every night, the db was growing to 100's of GB.   Does this seem excessive?

Right now I'm more concerned about the 626 problem.  It puts the whole solution in question when we know we are missing specific events.

Thank you.
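A quick way to confirm a collection gap like the one described above is to audit what actually reached the database rather than reasoning about the filter chain. The following is an added example, not part of the original post and not GFI code: it parses a constructed, simplified export of collected Security-log events (the line format is an assumption) and reports how many of each expected account-lifecycle event ID was stored, plus which accounts show a disable (629) with no later enable (626).

```python
import re
from collections import Counter

# Constructed sample of collected Security-log events (not real data).
# Assumed line format: "<date> <time> <event_id> <target_account> <source_dc>"
SAMPLE_EVENTS = """\
2009-06-11 09:12:03 629 jdoe DC01
2009-06-11 09:40:17 629 asmith DC02
2009-06-11 10:02:55 626 asmith DC02
2009-06-11 11:15:30 624 newuser DC01
2009-06-12 08:30:00 629 bjones DC03
""".splitlines()

# Windows 2003 Security-log IDs the filters are expected to let through.
EXPECTED_IDS = {
    624: "user account created",
    626: "user account enabled",
    629: "user account disabled",
}

LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (\S+)$")


def parse_events(lines):
    """Parse the export lines into (timestamp, event_id, account, dc) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return events


def coverage_report(events, expected=EXPECTED_IDS):
    """Count each expected ID; a zero means some filter is dropping it before storage."""
    counts = Counter(eid for _, eid, _, _ in events)
    return {eid: counts.get(eid, 0) for eid in expected}


def disabled_without_enable(events):
    """Accounts whose most recent 626/629 event is a 629 (disabled, never re-enabled).
    Accounts that are genuinely still disabled also appear here, so cross-check
    the list against the directory before blaming the filters."""
    last = {}  # account -> event_id of its latest enable/disable event
    for _, eid, account, _ in sorted(events):
        if eid in (626, 629):
            last[account] = eid
    return sorted(acct for acct, eid in last.items() if eid == 629)
```

In the situation described in the post, `coverage_report` would show 626 at zero while 629 keeps counting up, which separates a filter problem from an account that simply was never re-enabled.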




DrewE -> RE: Event ID 626 not being logged (15.Jun.2009 8:57:09 AM)

A useful tool in this situation may be the Program Files\GFI\EventsManager 8\ExportRules.exe application.  Once run, you can examine the GFI\EventsManager\ConfigurationReports folder. Inside this folder you should see the Rulesets folder which will help examine all event ids we should be collecting.



