Windows 2000 makes it easy to keep track of events that happen on your network. These include file and folder access and modification, password changes, and logon sessions, just to name a few. The automatic recording of information about the events that happen on your network is called auditing. The file that stores this information is called a log.
How many times a day do you open, close, or save a file? How many times do you log in to or out of a system? Have you changed your password or moved a folder lately? Multiply these numbers by the number of people who have access to your network, and you begin to see that the amount of information that can be stored in log files can be enormous.
You have to decide what really needs to be audited. It’s very easy to tell Windows 2000 to keep track of an event, so you may be tempted to just track everything. That way if something goes wrong, you can search the log files for evidence of what happened. Many security-conscious system administrators take this approach, but you have to balance that with the actual benefits and the workload it will add.
If you’ve never set up auditing or dealt with log files before, the process can seem a bit overwhelming. The trick to designing a good audit system is to make a plan ahead of time, implement it, and, most importantly, use it. It is useless to tell Windows 2000 to monitor all failed and successful login attempts if you aren’t going to check the logs for suspicious activity.
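As an added example of the "use it" step (not code from the original text), the script below reviews a constructed, simplified export of Windows 2000 Security-log records for runs of failed logons that end in a success. It assumes the pre-Vista event IDs 528 (successful logon) and 529 (logon failure) and a constructed five-column CSV layout rather than a verbatim Event Viewer export.

```python
# Added example: review a constructed Windows 2000 Security-log export for
# repeated failed logons followed by a success. Event IDs are the pre-Vista
# values: 528 = successful logon, 529 = logon failure (unknown user name or
# bad password). The CSV layout is a simplified, constructed format.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records: date,time,event_id,account,workstation
SAMPLE_LOG = """\
2001-03-05,08:02:11,528,alice,WS01
2001-03-05,08:15:40,529,bob,WS07
2001-03-05,08:15:52,529,bob,WS07
2001-03-05,08:16:03,529,bob,WS07
2001-03-05,08:16:20,529,bob,WS07
2001-03-05,08:16:41,528,bob,WS07
2001-03-05,09:01:09,529,carol,WS03
2001-03-05,09:30:00,528,carol,WS03
"""

SUCCESS, FAILURE = "528", "529"

def parse_log(text):
    """Yield (event_id, account, workstation) tuples in file order."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines instead of aborting the review
        _date, _time, event_id, account, workstation = row
        yield event_id, account, workstation

def review(text, threshold=3):
    """Flag accounts with at least `threshold` consecutive failures and record
    whether a successful logon followed the run (worth a closer look)."""
    streak = defaultdict(int)
    findings = {}
    for event_id, account, workstation in parse_log(text):
        if event_id == FAILURE:
            streak[account] += 1
            if streak[account] >= threshold:
                findings[account] = {"failures": streak[account],
                                     "workstation": workstation,
                                     "then_success": False}
        elif event_id == SUCCESS:
            if account in findings and streak[account] >= threshold:
                findings[account]["then_success"] = True
            streak[account] = 0  # a success ends the current failure run
    return findings

if __name__ == "__main__":
    for account, info in review(SAMPLE_LOG).items():
        print(account, info)
```

The threshold is deliberately a parameter: a plan for which events to audit should also say what counts as suspicious, so the review is repeatable rather than ad hoc.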