Viewing security logs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Viewing security logs

Auditing a local object creates an entry in the security log. The security entries that appear in the security log depend on the auditing categories that you select for your audit policy. For events that are related to object access, the entries in the security log also depend on the auditing policy settings that are defined for each object. For more information about auditing, see Auditing Security Events.

For example, if your audit policy specifies the auditing of files and folders, and a file's properties specify that failed deletions of that file are to be audited, each failed attempt by a user to delete the file appears in the security log.

You can view the security log by using Event Viewer.

Size of the security log

It is important that you set the size of the security log appropriately. Because the security log is limited in size, choose which events you audit carefully. Also, consider the amount of disk space that you are willing to devote to the security log. The maximum amount is defined in Event Viewer.

For information on what to do when the security log is full, see Audit: Shut down system immediately if unable to log security audits.

For more information about security events, see "Security Events" at the Microsoft Windows Resource Kits Web site.