Monday, April 23, 2007

ACS Report - System_Integrity_-_Audit_Log_Cleared

The ACS report System_Integrity_-_Audit_Log_Cleared displays any instance of the security event log being cleared. This report displays the correct data when the audit log is cleared from the local machine. If the audit log is cleared from a remote machine, however, the remote machine's name is displayed as the one whose event log was cleared. For example, if I use Computer Management from workstation wrk101 to clear the security log on srv101, the report displays wrk101 as the computer, where the Computer column should display srv101.

To work around this, I've created a new report (from the existing report) and added the Computer field. The column the RTM report labels Computer is populated from the Event Machine field.


RTM report:

Computer    Cleared By    Date/Time
WRK101      Jeff          4/20/2007 1:29 PM


The report I created displays the following:

Computer    Cleared By    Cleared On    Date/Time
WRK101      Jeff          SRV101        4/20/2007 1:29 PM
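To show why the extra column matters for anyone building a detection on this event, here is a small added example (not code from the post or from ACS) that turns collected "audit log cleared" records into report rows carrying both machines and flags the clears that were done remotely. The record field names (EventMachine, Computer, ClientUser, CreationTime) and the sample records are constructed for this example and are assumptions, not the real ACS schema.

```python
from dataclasses import dataclass

# Constructed sample records in the shape an audit collector might hand to a
# report. Field names are assumptions for this example, not the ACS schema.
# The first record mirrors the post: Jeff clears SRV101's log from WRK101.
SAMPLE_EVENTS = [
    {"EventMachine": "WRK101", "Computer": "SRV101",
     "ClientUser": "Jeff", "CreationTime": "4/20/2007 1:29 PM"},
    {"EventMachine": "SRV102", "Computer": "SRV102",
     "ClientUser": "Jeff", "CreationTime": "4/20/2007 2:05 PM"},
]


@dataclass
class ClearedRow:
    computer: str      # machine the clear was initiated from (RTM "Computer")
    cleared_by: str    # account that cleared the log
    cleared_on: str    # machine whose security log was actually emptied
    date_time: str
    remote: bool       # True when the log was cleared from another machine


def build_report(events):
    """Build one row per cleared-log event, keeping both machine names."""
    rows = []
    for e in events:
        # Fall back to the event machine when no separate target is recorded,
        # which is the local-clear case where both names agree anyway.
        target = e.get("Computer") or e["EventMachine"]
        origin = e["EventMachine"]
        rows.append(ClearedRow(
            computer=origin,
            cleared_by=e["ClientUser"],
            cleared_on=target,
            date_time=e["CreationTime"],
            remote=origin.upper() != target.upper(),
        ))
    return rows


def remote_clears(events):
    """Rows worth a closer look: the log was cleared over the network."""
    return [r for r in build_report(events) if r.remote]


def render(rows):
    """Plain-text table in the same layout as the corrected report."""
    lines = [f"{'Computer':<10}{'Cleared By':<12}{'Cleared On':<12}Date/Time"]
    for r in rows:
        lines.append(f"{r.computer:<10}{r.cleared_by:<12}{r.cleared_on:<12}{r.date_time}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(SAMPLE_EVENTS)))
    print("remote clears:", len(remote_clears(SAMPLE_EVENTS)))
```

The point of keeping both columns is that an alert on this event should name the server whose log is now empty (where evidence was lost) as well as the workstation and account that did it; a report that only carries the originating machine sends the responder to the wrong host.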
