How to audit ONLY logons / logoffs in a Windows domain


I am aware of multiple "auditing" questions around SF, however I feel as though this question is slightly different.

The Goal: Audit only user logons and logoffs in my domain. The domain functional level is 2003 right now, however I'm hoping to raise it shortly to 2008 and then 2008 R2.

As it stands, this is the auditing policy:

[screenshot of the audit policy settings; image not preserved]

This is the result of that policy:

[screenshot of the resulting Security log; image not preserved]

What I'm not concerned with is the Directory Service Access / Other Object Access, etc. events. I just want logons and logoffs, as the other events bloat the logs. Can anyone spot what I'm doing wrong here?

Best Answer

What you're doing wrong may not be what you want to hear.

What you're currently attempting to do is limit your logging to just what you want to see. What you should be doing is letting the logging collect and accumulate, and then use another tool to filter out what you need to find relevant. This is what a log collection device does. As for "bloating the logs": unless these logs are approaching hundreds of megabytes in size, I don't think you need to worry about that. Windows has a rotation mechanism for dealing with logs.

So... be sure account logon events are logged... this should be applied by default by your domain controller policy. Then look into the Windows facilities for centralizing those events, which were new features in the 2008 or 2008 R2 systems.
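As an added illustration of the answer's approach (this is example code, not something the answerer or the original question supplied), the PowerShell below does the three things it recommends on a 2008-or-later domain controller: check what the host is currently auditing for logon/logoff, make sure the Logon and Logoff subcategories are enabled, and then pull only the logon/logoff events out of a Security log that still contains everything else, rather than trying to stop the other events from being written. The last line quick-configures the Windows Event Collector service that the answer's "facilities for centralizing those events" refers to. It assumes an elevated session and the stock auditpol.exe, Get-WinEvent and wecutil.exe that ship with Windows Server 2008 and later; event IDs 4624, 4634 and 4647 are the standard Security-log logon/logoff events on those versions.

```powershell
# Added example, not from the original Q&A. Assumes Windows Server 2008+ and an
# elevated PowerShell session (PowerShell 2.0 is enough; no [pscustomobject] used).

# 1. Show what this host currently audits for the Logon/Logoff category.
auditpol /get /category:"Logon/Logoff"

# 2. Enable success and failure auditing for just the Logon and Logoff subcategories.
#    Per-subcategory control is the "advanced audit policy" that arrived with 2008.
#    If the domain GPO still pushes the legacy top-level categories it will overwrite
#    this on the next policy refresh unless the security option
#    "Force audit policy subcategory settings ... to override audit policy category settings"
#    is enabled, so set it in the GPO once the functional level allows it.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

# 3. Filter: select only logon/logoff events from the last N hours, no matter what
#    else (Directory Service Access, Object Access, ...) is in the Security log.
function Get-LogonLogoffEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4634, 4647   # 4624 logon, 4634 logoff, 4647 user-initiated logoff
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each event's EventData fields are only reachable through its XML.
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Id        = $_.Id
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 RDP, ...
                Source    = $data['IpAddress']   # populated for 4624 only
            }
        } |
        # Drop the noise that dominates these IDs on a DC: computer accounts (trailing $)
        # and the SYSTEM / ANONYMOUS LOGON sessions that service and share access create.
        Where-Object { $_.User -notmatch '\$$' -and $_.User -notmatch 'ANONYMOUS LOGON$|\\SYSTEM$' }
}

Get-LogonLogoffEvents -Hours 24 |
    Sort-Object Time |
    Select-Object Time, Id, User, LogonType, Source |
    Format-Table -AutoSize

# 4. Centralizing (2008+): on the collector server, create the ForwardedEvents log and
#    start the Windows Event Collector service. Subscriptions are then created in
#    Event Viewer or with "wecutil cs <subscription.xml>"; each forwarding DC needs
#    WinRM listening ("winrm quickconfig") and the collector's computer account in
#    its local Event Log Readers group.
wecutil qc /q
```

Run the filter function against each domain controller in turn (every DC authenticates its own share of the domain, so logon events are spread across all of them), or, once event forwarding is in place, run it once against the collector's ForwardedEvents log by changing `LogName` in the filter hashtable.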
