Buck,

> I have both systems configured so that the event
> logger logs everything that is sent to it.

Unfortunately, this tells me nothing whatsoever. I'm not trying to be obtuse or difficult, just absolutely clear. Could you dump the audit config w/ auditpol.exe, and post that? It would certainly be more helpful and instructive.

[superfluous information snipped for brevity]

> Just checked arp and it again failed to log the
> process termination.

Unfortunately, whatever identifier the EventLog assigns to a process creation, it does NOT use the same identifier when the process terminates. Do you get ANY process termination log entries at all?

> Looking back through the event log, I find several
> instances between May 31
> and Dec 23 where arp logged termination correctly.
> Starting on Dec 31 it
> failed to log termination of arp commands. I did
> find that I have a much
> more frequent event showing a process being created,
> but with no
> corresponding termination event being logged.

When looking for corresponding termination events, what exactly are you looking for? Are you just looking for any number of creation events to match the same number of termination events, or are you looking at particular fields in the EventLog entry?

> As usual, I find a new quirk in Microsoft's
> operating systems and it leads
> me to a whole new set of questions with no easy
> answers.

Sometimes when I review the lists, the "quirks" that are identified aren't really "quirks" at all, just normal operations for the operating system environment, and most usually something that the poster thinks 'should' happen, rather than what really does.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Sat Jan 04 2003 - 10:44:34 PST