Event Log Question re: changing security timeout

I believe someone may have changed my security timeout time from 2 minutes to 30 minutes and changed "require password for new apps" from yes to no.  I know the approximate time when this occurred but am overwhelmed by the volume of entries and the nomenclature.  Is there something specific I could look for to confirm or refute my suspicion?  Is there a "layman's" way to download the log without having developer tools?
Thanks

Hey raindogbc,
You can extract the device logs as outlined in this article: How to extract the event logs on a BlackBerry smartphone http://btsc.webapps.blackberry.com/btsc/KB05349.
Depending on what the logging was set to when this happened and when it happened you may not be able to find this information.
-HB

Similar Messages

  • Firewall activity on event log question

    Hi, I have recently noticed that my event log lists a lot of IN: ACCEPT [57] Connection opened and closed events at strange hours of the day when nobody is even awake using the home internet, such as 5am.
    When I checked the location of some of the IP addresses, some of them are in locations in the world such as Guatemala and Mexico.
    Would anybody be able to tell me why these events are taking place?
    Many Thanks.

    Just the firewall doing its job, nothing to worry about.

  • Event Log Question

    I work in a small public library. We will begin offering free wireless internet access (via a cable ISP) to our patrons. As our funding is tied to volume of use of our services, we would like to count connections and session duration. Which Cisco/Linksys products would allow us to do this?
    Thanks
    Andrew

    Well, I think with the Home router it won't be possible. I think you need to think about a Business Series Router which can log the session. Or else you need to download some 3rd party software which will log the session counts.

  • Questions about BT Home Hub 4A event log - WIFI c...

    Hope someone can help please ?
    I had BT Infinity installed 2 weeks ago with the HH 4 (type A) and everything has worked - connection found, no problem.
    This week, my ipod touch was unable to join the network but the iphone 5, another ipod and a tablet could connect without a problem. The ipod touch managed to connect to another WIFI used at the property and my work wifi without a problem.
    I thought it maybe the ipod touch as it was quite old but that doesn't make sense since it connects fine to other networks.  I restored network settings and other options suggested by Apple but to no avail.
    I have turned my attention to the Hub. My laptop (older than the ipod touch) gets the connection no problem along with the other devices.  I went into the hub management page but I am not smart enough to decipher the event log so would like some help so I can fix this because I thought BT infinity was the better more reliable option?
    The ipod touch Wifi IP address is 00:25:00:b7:35:f6.
    On the event log, it shows STA before the address - but it shows STA before all the device IP addresses. Should I change this to DHCP ? or is this (Static ? alright)
    The Lease on all the devices on the event log is set to 1440 min. (1 day) is that alright too, what does it mean ?
    Do I have to keep renewing the lease ? How do I do that ? I read it can be set to 21 days ?
    Going back to the IP address on the ipod it shows the Hostname as 00:25:00:B7:35:f6-2 this is different to the IP address with the -2. Could that be a cause of the unable to join network or is it because I attempted to recreate the network on the ipod so its the second version of that host name ?
    Is there any setting I can change to fix this because I am concerned the same thing will happen to the other devices and then the laptop....
    What do I need to do to be able to get my ipod touch to connect to the BT network setting ?
    I think its the hub 4A causing the 'block' on the ipod touch not the device and I think its maybe a matter of changing a setting - but then why was it all fine before when Infinity was first installed ?
    Lastly my laptop (7 Years old) seems to be attached to the 5GHZ Wireless channel - is that alright ? The other more recent devices are on the 2.4ghz channel (except the ipod touch which isn't on any !!)
    Is it alright to turn the hub on / off ? -I am resisting that because I don't want to make the situation worse. 
    Sorry but what does client disassociated mean and all the BLOCKS - do they relate to firewall ?
    Please can you review the event log and my questions ?
    Many thanks
    angie 2601 
    The time frame is 3.55am 8/8/2013 - 7.16 am 8/8/2013
    (Latest (7.16am) at the top)

    It could be that the Ipod touch is having problems with both the 2.4GHz and 5GHz frequencies being named the same. If you give them separate SSids it may help. ie add a 5 to the 5GHz SSid.
    If you do this you will need to re-connect all your devices that can see both frequencies to both SSids so that they will swap between the frequencies seamlessly whenever they need to.
    See link how to change SSid.
    http://bt.custhelp.com/app/answers/detail/a_id/445​04/related/1/session/L2F2LzEvdGltZS8xMzc1OTY2ODIxL​...
    Once you have changed the SSid I would delete the network connection on the Ipod touch and start again.

  • Windows Server 2008 R2 Security Event Log Maximum Size

    I have a customer with logging requirements on domain controllers that are exceeding the maximum log size they have configured for the security log.  When they attempted to increase the maximum size of the security event log via Group Policy, the settings did not take effect.  When an attempt was made to increase the security event log manually on the domain controller via the properties of the log, an error is generated whenever the value was changed.
    The Maximum Log Size specified is not valid.  It is too large or too small. The Maximum Log Size will be set to the following: 196608 KB
    The 196608 KB value is the value that it is currently set at.  Testing on other logs, application, system, has led to the same result.  
    wevtutil.exe sl security /ms:<n> produces similar results.  There is no error message given but the value doesn't change when you run wevtutil.exe gl security
    When viewing the registry value MaxSize under HKLM\Current Control Set\Services\EventLog\Security the change is reflected, but the log does not seem to get any larger.  
    What one would expect to be a two minute change in a group policy object has turned into something much more difficult.  Any idea what could be causing this?
    Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator

    I verified that it was not another policy - the domain is pretty simple without many policies, only policies applied are:
    Default Domain Policy (no event log settings)
    Company Domain Policy (no event log settings)
    Default Domain Controller Policy (no event logs settings)
    Company Domain Controller Policy (...\Event Log\Maximum security log size 4194240 kilobytes)
    The value was 196608 before, the plan was to change the group policy setting to 4194240 and I expected it to be that easy.  However, the values didn't change.
    4194240 is divisible by 64
    Used multiple tools to try and change
    Group Policy
    Event Viewer
    wevtutil.exe
    registry editor
    While some of the methods display a larger event log, the actual size of the event log still seems to be limited to 196608 kb.  
    Thanks,
    Joe

  • Audit/Log GPO changes and Logging of new addition of Domain Controllers in the Event Log

    Hi all, 
    We are trying to log the following items in the event log for Windows 2012. This applies to a domain controller. 
    1) Audit any changes made to the Group Policy
    2) Log the addition of new domain controllers added to the system.
    We need the windows event log to record the above events for security purposes. Can anyone advise if this is doable? If yes what are the steps. 
    Thank you

    Hi,
    >>1) Audit any changes made to the Group Policy
    We can enable audit for directory service object access and configure specific SACL for group policy files to do this.
    For a step-by-step guide to auditing changes of group policy, the following two blogs can be referred to for more information.
    Monitoring Group Policy Changes with Windows Auditing
    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx
    Auditing Group Policy changes
    http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx
    >>2) Log the addition of new domain controllers added to the system.
    Based on my knowledge, when a server is successfully promoted to be domain controller, event ID 29223 will be logged in the System log.
    Regarding this point, the following thread can be referred to for more information.
    Is an Event ID for a completed Domain Controller promotion logged on the PDC?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/11b18816-7db0-49e2-9a65-3de0e7a9645e/is-an-event-id-for-a-completed-domain-controller-promotion-logged-on-the-pdc?forum=winserverDS
    Best regards,
    Frank Shen

  • Connection Timeout Expired in Windows Event Logs

    I just recently installed SharePoint 2013 SP1 on a Windows Server 2008 R2 SP1 server and have been receiving this error message in the Windows Event logs:
    Cannot connect to SQL Server.  <database server name> not found.  Additional error information from SQL Server is included below.
    Connection Timeout Expired.  The timeout period elapsed during the post-login phase.  The connection could have timed out while waiting for server to complete the login process and respond; Or it could have timed out while attempting to create multiple active connections.  The duration spent while attempting to connect to this server was - [Pre-Login] initialization=12; handshake=6; [Login] initialization=0; authentication=0; [Post-Login] complete=14000;
    I have never seen this error message before in my life on any prior installation of SharePoint that I have ever done.  It is only occurring on this one particular installation of SharePoint.  The environment is corporate built, so I have no idea as to how to troubleshoot or determine the root cause of this error message.
    I looked at the value of the database-connection-timeout in stsadm and it gets back a value of 15, however, I am unable to alter the database connection timeout using stsadm since I either get an "Object reference not sent to an instance of an object" error message or "This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database.  To connect this server to the server farm, use the SharePoint Products Configuration Wizard, located on the Start menu in Microsoft SharePoint 2010 Products."
    Please advise. 

    What is the specification of your SQL server? I think it's more of a CPU, RAM, I/O issue with the SQL server.
    Under which account are you running the stsadm command?
    Check this one:
    http://stackoverflow.com/questions/21230927/sql-azure-the-timeout-period-elapsed-during-the-post-login-phase
    Maybe you have hit this bug:
    http://connect.microsoft.com/VisualStudio/feedback/details/821803/connection-timeout-expired-the-timeout-period-elapsed-during-the-post-login-phase

  • VSS snapshot of 1.1TB is ending after few hours with timeout. No errors in event log

    Hello,
    Has anyone experienced an issue where making a snapshot (from GUI or command line) takes a lot of time and then just ends with a timeout?
    I have a scenario on a virtualised Windows Web Server 2008 R2 where backup is being made by Idera Backup Software, but since it relies on VSS snapshots we can skip this point, because making snapshots directly from the Windows command line or drive preferences/GUI ends with a timeout for this single drive after a few hours. The affected system has 3 drives: C - 95GB, D - 1.06TB and E - 120GB. C and E can be backed up correctly and only drive D has problems. The system is updated with the latest drivers, vssadmin for writers returns a list without any errors, and the snapshot for drive D which ends with a timeout is not generating any error in the event log. I wanted to configure VSS trace as instructed on this site:
    http://publib.boulder.ibm.com/infocenter/tsminfo/v6/index.jsp?topic=%2Fcom.ibm.itsm.tshoot.doc%2Ft_pdg_traceprfrm.html
    but I don't see any trace.txt file in the given location. If I remove drive D from the backup process it ends without errors. The system was restarted many times. The only thing visible in the Windows Event log (application part) is "The VSS service is shutting down due to idle timeout." about 4 hours after the snapshot process starts.
    I've contacted Idera backup about this but they can't help much if the Windows snapshot process is failing. They suggested that something could be wrong with this drive, but since this is a virtualised machine and all of my VMs are stored on a RAID10 disk array connected to my server using fiber connections, I don't think that this is a hardware issue (especially when the other two drives are located on the same LUN on the disk array).
    Any suggestions?
    Regards

    Hi,
    Do you create VMs on Hyper-V or VMWare? Based on research, possible causes could be:
    1. File changes in the volume are very large, so the shadow size may be big and the current shadow storage may not be able to hold it. That causes the shadow copy creation failure. 
    2. The I/O on the D drive is heavy and makes the shadow copy I/O fail. 
    3. Server is too busy to handle the request.
    4. The disk is heavily defragment.
    Please refer to the articles to troubleshoot the issue:
    Time-out errors occur in Volume Shadow Copy service writers, and shadow copies are lost during backup and during times when there are high levels of input/output
    http://support.microsoft.com/kb/826936/en-us
    VSS timeouts during backup? What could contribute to that?
    https://blogs.technet.com/b/askpfeplat/archive/2012/09/12/vss-timeouts-during-backup-check-fragmentation.aspx
    Regards,
    Mandy

  • Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

    I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
    Default Domain Controllers Policy
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
    What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   Success

    Hi Lawrence,
    After configuring the GPO, did we run command gpupdate /force to update the policy immediately on domain controller? Besides, please run command gpresult /h c:\gpreport.html to check if the audit policy setting was applied successfully.
    Best regards,
    Frank Shen

  • How to display system security events logs in Cisco router 4980

    Hi,
    In order to perform acceptance tests following the installation of a Cisco 4980 router cluster, I need to verify that any system security events are logged and I can display them on the CLI output (for example with the #show logging command).
    By system security events logs, I mean for example bad authentication on the switch, creation/deletion/modification of a user account, telnet connection attempt while this protocol is not allowed, etc...
    With the #show logging command, I have security events related to access-list, or configuration changes (even if these ones are not really verbose on what has been changed), but no "system" security events.
    Here is my initial logging configuration on these routers:
    logging rate-limit 1 except errors
    logging console critical
    logging monitor critical
    But I also tried like this:
    logging rate-limit 1 except errors
    logging console informational
    logging monitor critical
    logging history informational
    logging facility auth
    But exactly the same result...
    Does this feature exist or not?
    If yes, how to configure it ?
    Thanks.
    Julien

    Here is a script that will copy the previous day's events and save them to "C:\". The file name will be yesterday's date, e.g. "04-18-2010-Events.csv"
    Const strComputer = "."
    Dim objFSO, objWMIService, colEvents, objEvent, outFile
    Dim dtmStartDate, dtmEndDate, DateToCheck, fileDate
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
    'change the date separator from "/" to "-" so it can be used in the file name
    fileDate = Replace(Date - 1,"/","-")
    Set outFile = objFSO.CreateTextFile("C:\" & fileDate & "-Events.csv",True)
    DateToCheck = Date - 1
    dtmEndDate.SetVarDate Date, True
    dtmStartDate.SetVarDate DateToCheck, True
    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
    For Each objEvent In colEvents
        outFile.WriteLine String(100,"-")
        outFile.WriteLine "Category = " & objEvent.Category
        outFile.WriteLine "ComputerName = " & objEvent.ComputerName
        outFile.WriteLine "EventCode = " & objEvent.EventCode
        outFile.WriteLine "Message = " & objEvent.Message
        outFile.WriteLine "RecordNumber = " & objEvent.RecordNumber
        outFile.WriteLine "SourceName = " & objEvent.SourceName
        outFile.WriteLine "TimeWritten = " & objEvent.TimeWritten
        outFile.WriteLine "Type = " & objEvent.Type
        outFile.WriteLine "User = " & objEvent.User
        outFile.WriteLine String(100,"-")
    Next
    outFile.Close
    MsgBox "Finished!"
    v/r LikeToCode....Mark the best replies as answers.

  • I logged 3 times wrong security question. please help me

    I logged 3 times wrong security question. please help me

    Hey annamyle91,
    Thanks for the question. If you are having issues with the security questions associated with your Apple ID, follow these steps:
    If you forgot the answers to your Apple ID security questions
    http://support.apple.com/kb/HT6170
    Reset your security questions
    1. Go to My Apple ID (appleid.apple.com).
    2. Select “Manage your Apple ID” and sign in.
    3. Select “Password and Security” on the left side of the page.
    4. If you have only one security question, you can change the question and answer now.
    5. If you have more than one security question:
              - Select “Send reset security info email to [your rescue email address].” If you don't see this link or don't have access to your rescue address, contact Apple Support as described in the next section.
              - Your rescue address will receive a reset email from Apple. Follow its instructions to reset your security questions and set up new questions and answers.
    After resetting your security questions, consider turning on two-step verification. With two-step verification, you don't need security questions to secure your account or verify your identity.
    If you can't reset your security questions
    Contact Apple Support in either of these circumstances:
              - You don't see the link to send a reset email, which means you don't have a rescue address.
              - You see the link to send a reset email, but you don't have access to email at the rescue address.
    A temporary support PIN isn't usually required, but Apple may ask you to generate a PIN if your identity needs to be verified.
    Thanks,
    Matt M.

  • Need Help to extract information from Windows Security Event log

    Hi Everyone,
    My challenge is to create a script that queries the Security event log for event id 4624, logon type 2 and 10, then export the result to file, hopefully tab limited.
    I need the time - date - User Account - Workstation - IP address - Logon Type.
    I have had a go, checking out other advice from other questions, but I'm just not getting what I want.
    Kind regards,
    Andrew

    A good point to start is get-eventlog with where clauses.
    For example:
    get-eventlog -log security  | where {$_.eventID -eq 4624}
    So you want to get the entire security log, and then filter it client side? (Some of these logs can be massive).
    I would recommend Get-WinEvent with -FilterHashTable (Filter on the left) which will filter against the log directly.
    http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/24/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing.aspx
    You might have admin rights issues accessing the security logs.
    You're right - my answer was only a first step to try "get-command *event" and eventually get-help.....
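The approach recommended in the replies above (Get-WinEvent with -FilterHashtable), worked through for the fields the question asks for. This is an added example, not code from the thread; the function names, the output path and the sample event are assumptions constructed here, and the live query must run in an elevated session to read the Security log.

```powershell
# Added example. EventData field names are those of event 4624
# (An account was successfully logged on).
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Index the <Data Name="..."> children of <EventData> by their Name attribute.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # SystemTime is recorded in UTC; the cast converts it to local time.
    $when = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
    [pscustomobject]@{
        Date        = $when.ToString('yyyy-MM-dd')
        Time        = $when.ToString('HH:mm:ss')
        UserAccount = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation = $data['WorkstationName']
        IpAddress   = $data['IpAddress']
        LogonType   = [int]$data['LogonType']
    }
}

function Export-InteractiveLogons {
    param([string]$Path = '.\logons.tsv',
          [datetime]$Since = (Get-Date).AddDays(-1))
    # Log name, event ID and start time are filtered at the source, so the whole
    # Security log is never pulled into memory. LogonType sits inside EventData,
    # so it is checked after parsing: 2 = interactive, 10 = remote interactive.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter |
        ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() } |
        Where-Object { $_.LogonType -in 2, 10 } |
        Export-Csv -Path $Path -Delimiter "`t" -NoTypeInformation
}

# Constructed sample event, trimmed to the fields used, to try the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WS-01</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $sample | Format-List
```

Calling `Export-InteractiveLogons -Since (Get-Date).AddDays(-7)` writes one tab-separated row per type 2 or type 10 logon from the last week.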

  • Data Access Service is unable to log audit events to the security event log

    Hi,
    Scenario: SCOM 2012 R2 UR4. (Windows 2012 R2)
    Today SCOM has generated 4 alerts: Data Access Service is unable to log audit events to the security event log.
    The service account for "System Center Data Access Service" service is "Local System".
    The users at "Generate security audits" are: LOCAL SERVICE and NETWORK SERVICE.
    The question is:
    How to resolve this alert? (Where to look to obtain more information to resolve this problem)
    Thanks in advance!

    Local system account is different from local service account. For a detailed description of these accounts, please refer to:
    LocalService Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
    LocalSystem Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
    Generate security audits, which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment of Group Policy, determines which accounts can be used by a process to add entries to the security log. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.
    To identify the SDK account:
    1) Open services.msc
    2) From the System Center Data Access Service, you can see the SDK log on as account
    Roger

  • HT201303 How do I change the security questions without changing my password?

    When I am trying to buy something from the iTunes store it asks me two security questions. I know what the answers should be but they do not seem to match what Apple has. So, I tried to change the questions but now it also wants me to change the password. I don't want to change the password. How can I either find out my answers or change the questions without changing a password I obviously know!?!?!

    Reset Security Questions
    Frequently asked questions about Apple ID
    Manage My Apple ID
    Or you can email iTunes Support at iTunes Store Support.
    If all else fails:
      1. Go to: Apple Express Lane;
      2. Under Product Categories choose iTunes;
      3. Then choose iTunes Store;
      4. Then choose Account Management;
      5. Now choose iTunes Store Security and answer the bullet questions, then click
          Continue;
      6. Sign in with your Apple ID and press Continue;
      7. Under Contact Options fill out the information and advise iTunes that you would
          like your security/challenge questions reset;
      8. Click Send/Continue.
    You should get a response within 24 hours by email.
    In the event you are unsuccessful then contact AppleCare - Contacting Apple for support and service.
    Another user had success doing the following:
    I got some help from an apple assistant on the phone. It is kind of round about way to get in.
    Here is what he said to do and it is working for me...
      a. on the device that is asking you for the security questions go to "settings", > "store" >
          tap the Apple ID and choose view "Apple ID" and sign in.
      b. Tap on payment information and add a credit/debit card of your preference then select
          "done", in the upper right corner
      c. sign out and back into iTunes on the device by going to "settings"> "store" > tap the
          Apple ID and choose "sign-out" > Tap "sign-in" > "use existing Apple ID" and you
          should be asked to verify your security code for the credit /debit card and NOT the
          security questions.
      d. At this time you can remove the card by going back in to edit the payment info and
          selecting "none" as the card type then saving the changes by selecting "done". You
          should now be able to use your iTunes store credit without answering the security
          questions.
    It's working for me ...I just have to put in my 3 digit security pin from the credit card I am using.
    Good Luck friends!

  • HT5312 how to change security questions

    how to change security questions

    If you can remember their current answers then you can login here and change them : https://appleid.apple.com
    If you can't remember their answers and you have a rescue email address (which is not the same thing as an alternate email address) set up on your account then you can try going to https://appleid.apple.com/ and click 'Manage your Apple ID' on the right-hand side of that page and log into your account. Then click on 'Password and Security' on the left-hand side of that page and on the right-hand side you might see an option to send security question reset info to your rescue email address.
    If you don't have a rescue email address then see if the instructions on this user tip help: https://discussions.apple.com/docs/DOC-4551
