
Why are days missing from event viewer??

Status
Not open for further replies.

russellhancock

IS-IT--Management
Mar 27, 2002
Hi,
When I open up event viewer on my server it has hours or days of activity missing,

i.e. there will be logon / logoff events for 8/4/02 but then on the 9/4/02 there will be none shown! I know that people are logging on and off on these days, me for one!

Is this a known problem or is someone deleting these events?

All help much appreciated

P.S. the server is running NT4 server SP6a with Small Business Server 4.5.
 
Hi Allan,

Thanks for the quick response

We only have one server in the office so there is no BDC

Russell
 
Hi!
Did you check if you have the audit option for the logon/logoff events (in the User Manager)?!?
 
If the domain name matches the name of the SAM database, the authentication is processed on that machine. Maybe local authentication is happening? Are PCs shut down at night and powered down or are some left on or even worse left logged in?

All logons to Windows NT machines that are not members of a domain process requests locally.

Are all of the clients NT4 also or are they Win9x, etc?
Non NT4 clients or non Domain members/workgroup users may have the effect that you are experiencing.

DANYSUN is quite correct in saying that you need to check if the required audit options are selected.
 
Not quite sure what you mean!

But I think it must be, as it shows up on one login and not the next, i.e. they will log out to go to lunch and then when they log in later it won't show in the event viewer!
 
Hi Allen,

Thanks for getting back to me again.

All workstations run Win2k and are left logged off but running overnight. As far as I know all the machines are part of the domain and they all log on to the domain, as they cannot access the network resources otherwise.

One question: would someone be able to delete the log events to cover their activity, i.e. a hacker?
 
Possible but unlikely about a hacker. Think about what type of external connections you have. Do you have a firewall? I can recommend the Cisco PIX firewall.

Also think about how secure your server is to your staff.
Can you lock it away? This is one of the best ways to secure your NT server!

Try powering down your PCs overnight for a week and see if that makes a difference. This may be something to do with WIN2K event logging issues that MS are currently looking into or it may be something to do with how often Windows updates the SAM database on the local PC.

Have you enabled user audits?
In NT4 server use the USER MANAGER and select the drop down menu called POLICIES. Select AUDIT from the menu. From here you can enable auditing of LOGON/LOGOFF events. Ensure that you tick both boxes for SUCCESS & FAILURE.

Another thing I recommend for Windows and that's a nice 12 year old single malt whisky, but only one in a day!

May the force be with you!

 
Thanks Allen,

will try your ideas and see what happens

Russell
 
Hi Allan,

Have fixed the problem. When I was looking at the settings for the security log, it had conflicting settings, i.e. it would only overwrite events older than seven days, however the log was limited to the smallest size possible, therefore once the size limit had been reached it would just stop logging the events!

And I'm a bourbon whiskey man!!


Thanks Everyone for the help!



cheers Russell
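
The cause found in the last post (a minimum-size security log combined with "overwrite events older than seven days"), as an added example that is not part of the original thread: a small Python model of a size-capped log with a retention window, showing why whole days go missing. The 64 KB cap, 200-byte record size and event rate are constructed values, not measurements from the server discussed.

```python
from collections import deque

DAY = 86400
OVERWRITE_AS_NEEDED = 0  # retention of 0 seconds: the oldest record may always be evicted

def simulate(events, max_bytes, retention_s):
    """Replay (timestamp, size) events into a size-capped log.

    Returns (kept, dropped) as lists of timestamps. An event is dropped when
    the log is full and the oldest record is still inside the retention window.
    """
    log, used, dropped = deque(), 0, []
    for ts, size in events:
        # Evict oldest records only while the policy allows overwriting them.
        while used + size > max_bytes and log and (
            retention_s == OVERWRITE_AS_NEEDED or ts - log[0][0] >= retention_s
        ):
            used -= log.popleft()[1]
        if used + size > max_bytes:
            dropped.append(ts)  # log full: the event is never recorded
            continue
        log.append((ts, size))
        used += size
    return [ts for ts, _ in log], dropped

def days_with_drops(dropped):
    """Day numbers (0-based) on which at least one event was lost."""
    return sorted({ts // DAY for ts in dropped})

# Constructed workload: 100 logon/logoff records per day for 10 days, 200 bytes each.
EVENTS = [(d * DAY + i * 600, 200) for d in range(10) for i in range(100)]

if __name__ == "__main__":
    cases = [("small log, 7-day retention", 64 * 1024, 7 * DAY),
             ("small log, overwrite as needed", 64 * 1024, OVERWRITE_AS_NEEDED),
             ("larger log, 7-day retention", 512 * 1024, 7 * DAY)]
    for label, cap, keep in cases:
        kept, dropped = simulate(EVENTS, cap, keep)
        print(f"{label}: kept={len(kept)} dropped={len(dropped)} "
              f"days with gaps={days_with_drops(dropped)}")
```

With the conflicting settings the model loses part of day 3 and all of days 4 to 6, then resumes on day 7 once the oldest records age out, which matches the pattern of gaps reported at the top of the thread. Either raising the size limit or allowing overwrite as needed removes the gaps, at the cost of disk space or of shorter history respectively.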
 