From: Peter Foldes on
Jose

>>Do you have success audits enabled?

It is enabled by default and it always was

>Event Logs also do not accumulate forever, they wrap when they get
>full. Full is defined in the Properties of the log and defaults to
>512KB and 7 days after that, then old things get overwritten

Not so. By default the setting is {Overwrite events as needed } and the size before
that happens is 100MB. Log size by default is 16384kb which can be adjusted up or
down to your needs and that cancels out what you posted

My Audits size in the Event Viewer is 14MB and the Audits date back to Oct 2003
without any being overwritten. The Log file on the latter is sitting at 2MB and also
dates back to Oct 2003 without anything changed
--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Jose" <jose_ease(a)yahoo.com> wrote in message
news:75323456-24af-4017-982b-f970bfce3bbc(a)f15g2000yqe.googlegroups.com...
On Feb 13, 5:51 pm, "Gerry" <ge...(a)nospam.com> wrote:
> Jose
>
> All Success Audit (lots of them), no failures here!
>
> --
>
> Gerry
> ~~~~
> FCA
> Stourport, England
> Enquire, plan and execute
> ~~~~~~~~~~~~~~~~~~~
>
>
>
> Jose wrote:
> > On Feb 13, 2:23 pm, JD <J...(a)example.invalid> wrote:
> >> Jose wrote:
> >>> On Feb 13, 9:51 am, "William B. Lurie"<billu...(a)nospam.net> wrote:
> >>>> JD wrote:
> >>>>> William B. Lurie wrote:
> >>>>>> William B. Lurie wrote:
> >>>>>>> William B. Lurie wrote:
> >>>>>>>> VanguardLH wrote:
> >>>>>>>>> William B. Lurie wrote:
>
> >>>>>>>>>> Gerry, I found that Norton System Works Premier, which
> >>>>>>>>>> has a separate menu for such things, has a place where
> >>>>>>>>>> I can choose "Turn off all automatic updates". I
> >>>>>>>>>> did that several hours ago, and now the events have
> >>>>>>>>>> trickled down to a very few.
>
> >>>>>>>>> But doesn't that also mean that you won't get signature
> >>>>>>>>> and/or program updates for your Norton security program? You
> >>>>>>>>> would end up with an out-of-date Norton product.
> >>>>>>>> I turned off all *automatic* updates. I can still do
> >>>>>>>> Live Update when I choose to do so.
> >>>>>>> *************************************************
> >>>>>>> And now, some evidence and a question.
> >>>>>>> Overnight it did something every hour that
> >>>>>>> prevented it from going to hibernate. Or even screen saver!
>
> >>>>>>> Here's the event log:
>
> >>>>>>> http://bellsouthpwp.net/b/i/billurie/events.evt
>
> >>>>>>> Can someone please tell me how to interpret what it shows?
> >>>>>>> (By the way, I uploaded the file but my notepad can't read
> >>>>>>> it; I hope somebody can!)
>
> >>>>>> Here is a screen shot of the events log.......maybe more
> >>>>>> decipherable.......
>
> >>>>>> http://bellsouthpwp.net/b/i/billurie/events.jpg
>
> >>>>> Go back to the events log and double left mouse click on one of
> >>>>> the errors. That will bring up the Event Properties. On the upper
> >>>>> right side of that window will be an up and down arrow and two
> >>>>> little pages. Left mouse click on the two pages. Then open
> >>>>> Notepad and either hit Ctrl V or click on Edit and select Paste.
> >>>>> Now you have a copy of the error properties and maybe you or
> >>>>> someone here can tell you what is causing the error.
>
> >>>> Great instructions, JD, and here's one typical 'event'.
>
> >>>> Event Type: Failure Audit
> >>>> Event Source: Security
> >>>> Event Category: Policy Change
> >>>> Event ID: 615
> >>>> Date: 2/13/2010
> >>>> Time: 6:38:44 AM
> >>>> User: NT AUTHORITY\NETWORK SERVICE
> >>>> Computer: COMPAQ-2006
> >>>> Description:
> >>>> IPSec Services: IPSec Services failed to get the complete
> >>>> list of network interfaces on the machine. This can be a potential
> >>>> security hazard to the machine since some of the network interfaces
> >>>> may not get the protection as desired by the applied IPSec filters.
> >>>> Please run IPSec monitor snap-in to further diagnose the problem.
>
> >>>> That, of course, leads me to another place I've never been
> >>>> before... IPSec monitor snap-in. And now.......??
>
> >>> Is there some reason you have your system configured to monitor and
> >>> audit and log security policy settings and changes?
>
> >>> That is what puts things in the Security log. Such settings do not
> >>> usually apply to "normal" home type users. Normally, this log is
> >>> empty, or has one entry in it - "The audit log was cleared ".
>
> >>> I dare say you are seeing a self inflicted wound.
>
> >>> Unless you are in an environment where you need to be extensively
> >>> auditing your Internet traffic, searching for network connectivity
> >>> issues, etc. you do not need to be monitoring these events. This 615
> >>> probably occurred when you booted your system before the IPSec
> >>> service started and was then followed by a successful 615.
>
> >>> If you don't know what these things mean or how to begin to
> >>> interpret them you should turn them all off since they slow your
> >>> system down with all the unnecessary activity logging. More logging
> >>> is not always good logging unless you are troubleshooting a problem.
>
> >>> If you don't know how to use the security auditing and IPSec tools
> >>> and don't need to know, turn off all that extra stuff you don't
> >>> need and your system will thank you for it by rewarding you with
> >>> better performance and fewer mysteries.
>
> >>> If you care to delve into all the settings, what they mean, how to
> >>> interpret them, etc. you should take a class, read a book, do some
> >>> Internet searching.
>
> >> Thanks for a non-response. Which book would you suggest he read? Or
> >> how does he turn off the security log? Oh wait though, I have 2,012
> >> events in my Security log and I've never turned it on. And not one
> >> of those says "The audit log was cleared". I'm not being a smarty
> >> pants, I'm just curious as to the explanation of your response.
>
> >> --
> >> JD..
>
> > Yeah - maybe I was coming on too strong or rude. I now have a better
> > Security Event Log message for the future.
>
> > Here is what I have seen...
>
> > Sometimes people wonder why the Security log is empty and think it is
> > a problem that nothing is being logged. All the other logs have stuff
> > and know I want some security on my system so they read some, poke
> > around and end up turning on Security Auditing from Control Panel,
> > Administrative Tools, Local Security Policy.
>
> > Everything for Security Auditing is turned off by default with "No
> > Auditing", so sometimes the thought is that some kind of additional
> > security auditing must be a good thing either because they are having
> > some problem they can't figure out or maybe they are curious.
> > Security is good, therefore I will put some security on everything!
>
> > The logging goes on unnoticed, they may resolve whatever the original
> > problem was and sometime later they peek at the Security log and see
> > all the failure messages and wonder what is wrong with their system.
> > Failure messages must mean something is wrong!
>
> > Turn all that logging on and reboot your system and you will get a lot
> > of failure events. Now folks think they have an issue and things are
> > failing all over the place, but it is an understanding issue (usually)
> > or they forgot they turned on the logging and never turned it off.
>
> > Event Logs also do not accumulate forever, they wrap when they get
> > full. Full is defined in the Properties of the log and defaults to
> > 512KB and 7 days after that, then old things get overwritten
> > (luckily). The logs are usually in the c:\windows\system32\config
> > folder where those registry files are. You know those files... the
> > event logs are there too. Maybe yours wrapped or was never cleared -
> > or both.
>
> > Excess logging slows things down (any logging slows things down).
> > Maybe not much for this stuff, but if something has to read/write or
> > to even check to see if it needs to or even consider it, it takes some
> > CPU time that I would rather be spent someplace else. If you are
> > "tuning up" a system for performance, you can turn all that extra junk
> > off unless you need it to troubleshoot a problem. If you turn it on,
> > turn it off when you are done if you remember.
>
> > There is a similar story with the Internet Explorer log - why is it
> > always empty and is that my IE problem? An empty IE log can't be good
> > if I'm having IE problems. I can tell you, mine is empty and it
> > better stay that way.
>
> > You can buy books on Amazon that discuss Windows security,
> > performance, forensic analysis, malware - there are even Dummies books
> > for these things.
>
> > Like I mentioned before, no event in the Event Log should defy
> > explanation. If you have things in your Security Event Log, most
> > certainly they are there for a reason and should be explainable. Some
> > people will say the security events can be ignored. Well, I want to
> > explain them, then maybe I'll decide to ignore them.
>
> > I generally only have the one security event noting that my log was
> > cleared and I don't even need to have that. I only keep it so I know
> > my Security Event Log is working. Sometimes I use the Security
> > logging for troubleshooting or understanding somebody else's problem,
> > but generally not - it is extra I/O I don't need.
>
> > I sometimes keep an unused entry in my msconfig Startup tab and an
> > unused non-MS service - just so I know msconfig is working. Seeing
> > those empty tabs is a little creepy.

Good for you!

Such was not the case for the OP.

Do you have success audits enabled?

If you don't know what they mean, post some up for interpretation if
you want, or post some anyway so I can add them to my list if I don't
have them already.

I find them all annoying in day to day activities.
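
Added example, not part of any post in this thread: a small Python parser for the Event Properties text that the copy button produces (the layout of the Event ID 615 record quoted above), which then checks the suggestion that a boot-time Failure Audit is followed by a matching Success Audit. The five-minute pairing window, the US date format and every record except the posted one are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Layout of Event Viewer's copy-to-clipboard text. The header values are those
# of the record posted in the thread; kind, time and description are filled in.
TEMPLATE = r"""Event Type: {kind}
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 2/13/2010
Time: {time}
User: NT AUTHORITY\NETWORK SERVICE
Computer: COMPAQ-2006
Description:
{desc}
"""
# Constructed sample: record 1 is the posted event, records 2 and 3 are invented.
SAMPLE = "\n".join([
    TEMPLATE.format(kind="Failure Audit", time="6:38:44 AM",
                    desc="IPSec Services: IPSec Services failed to get the complete\n"
                         "list of network interfaces on the machine."),
    TEMPLATE.format(kind="Success Audit", time="6:39:10 AM",
                    desc="(constructed) IPSec Services started."),
    TEMPLATE.format(kind="Failure Audit", time="7:38:44 AM",
                    desc="(constructed) same failure, an hour after boot."),
])

FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|"
                   r"Date|Time|User|Computer):\s*(.*)$")


def parse_events(text):
    """Split pasted Event Properties text into one dict per record."""
    events, cur, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":   # a new record starts here
            cur, in_desc = {"Description": ""}, False
            events.append(cur)
        if cur is None:
            continue                            # text before the first record
        if in_desc:                             # description runs to next record
            cur["Description"] = (cur["Description"] + " " + line).strip()
        elif line.startswith("Description:"):
            in_desc = True
            cur["Description"] = line[len("Description:"):].strip()
        elif m:
            cur[m.group(1)] = m.group(2).strip()
    for ev in events:
        # Assumes the US m/d/yyyy, 12-hour format seen in the posted record.
        ev["When"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                       "%m/%d/%Y %I:%M:%S %p")
        ev["Event ID"] = int(ev["Event ID"])
    return events


def unresolved_failures(events, window=timedelta(minutes=5)):
    """Failure Audits with no later Success Audit of the same source, ID and
    computer inside `window` (an assumed threshold)."""
    events = sorted(events, key=lambda e: e["When"])
    ident = lambda e: (e["Event Source"], e["Event ID"], e["Computer"])
    out = []
    for i, ev in enumerate(events):
        if ev["Event Type"] != "Failure Audit":
            continue
        cleared = any(later["Event Type"] == "Success Audit"
                      and ident(later) == ident(ev)
                      and later["When"] - ev["When"] <= window
                      for later in events[i + 1:])
        if not cleared:
            out.append(ev)
    return out


if __name__ == "__main__":
    for ev in unresolved_failures(parse_events(SAMPLE)):
        print(ev["When"], ev["Event ID"], ev["Description"])
```

Failures that a success clears within the window fit the boot-order explanation; the ones this returns are the records still worth explaining.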

From: Hot-text on


"William B. Lurie" <billurie(a)nospam.net> wrote in message
news:OuhxpdKrKHA.4752(a)TK2MSFTNGP04.phx.gbl...
http://bellsouthpwp.net/b/i/billurie/events.evt
The page cannot be found
The page you are looking for might have been removed, had its name changed,
or is temporarily unavailable.
--------------------------------------------------------------------------------

Please try the following:

Make sure that the Web site address displayed in the address bar of your
browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site
administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Go to Microsoft Product Support Services and perform a title search for the
words HTTP and 404.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for
topics titled Web Site Setup, Common Administrative Tasks, and About Custom
Error Messages.


> Can someone please tell me how to interpret what it shows?
> (By the way, I uploaded the file but my notepad can't read
> it; I hope somebody can!)

From: Hot-text on
http://en.wikipedia.org/wiki/IPsec <<< Read <<< Standards status

Important Information
Call AT&T for Help on IPSec << AT&T is the one making the Error
I believe it's not Norton or Windows doing it
But your AT&T router's firewall is running IPsec with IPv6



"William B. Lurie" <billurie(a)nospam.net> wrote in message
news:uxnCEUBrKHA.3464(a)TK2MSFTNGP06.phx.gbl...
> Bruce Chambers wrote:
>> William B. Lurie wrote:
>>> You nice folks led me to Event Viewer not too long ago, and
>>> in studying it, I find under Applications that Automatic Live
>>> Update is being run every 3 hours. It isn't my Norton Anti-
>>> Virus Live Update, and I do not allow Windows Live Update to
>>> run. Or at least I think I have it set so that I run Windows
>>> Update when I choose to do so.
>>>
>>> How can I track down what is running so often, and preventing
>>> my system from hibernating as a result?
>>>
>>> Thank you.
>>
>>
>>
>> Many applications now install automatic update "features," so it's a
>> bit hard to narrow it down. Do you have, for instance, Java or Acrobat
>> Reader installed? Both have automatic updates features that the computer
>> user is not warned about when installing them. Also, while I don't think
>> this is the cause in this particular case, do you have your WinXP clock
>> configured to automatically synchronize with an Internet time server?
>> (Haven't used WinXP for a couple of years, so I've forgotten some of the
>> details, such as the frequency of those checks.)
>>
>> To try narrowing down which application is doing this, double-click
>> on the pertinent entry in the application log to see if it will identify
>> a specific executable file's name. You can also use MSConfig to see what
>> is starting with the computer. Also, just in case someone tried to be
>> clever, you can check for Scheduled Tasks that would show up in the usual
>> "Startup" locations.
>>
>>
> Thanks for the added clues, Bruce. I do get notices about
> downloading updates for Adobe Reader, but never Java. The
> only clock reset that I have pings an atomic clock site,
> but only on my request.
>
> As I messaged, I found in Norton System Works a place
> that ostensibly turns off auto updates, and I'll look
> again tomorrow to see what happened overnight.
>
> And it's back to hibernating after an hour so maybe
> the intrusions have ceased.

From: Hot-text on
http://www.att.com/esupport/search.jsp?srch=IPSec+Services+failed&cv=801&x=22&y=10

"William B. Lurie" <billurie(a)nospam.net> wrote in message
news:Ow43hUOrKHA.4284(a)TK2MSFTNGP04.phx.gbl...
> Gerry wrote:
>> William
>>
>> http://www.eventid.net/display.asp?eventid=615&eventno=3595&source=Security&phase=1
> Thanks for the referral, Gerry. I appreciate your effort
> to be helpful.....but I found nothing there that would help
> me understand the source of the message, or lead me to a
> solution. I surmise that I am just not up to it.

From: Gerry on
Jose

>>Do you have success audits enabled?

Obviously the answer is Yes; otherwise there would not be any reports!
The computer has Windows XP Home Edition installed. I have never altered
the default with regard to Auditing Entries. I realise as a result of
Peter's response that I could and that the Security tabs can be
displayed if a default is changed.
http://www.dougknox.com/xp/tips/xp_security_tab.htm

What is the point in investigating a Success Audit? An Audit Failure
makes more sense because it is reporting some wrong. Understanding a
Failure could pinpoint what is causing a problem. I have seen Failures
in the past but not recently.

> I find them all annoying in day to day activities.

Why so?


--


Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
