You can monitor the operations of an Online Responder by logging events to the Windows security event log. The Online Responder allows the configuration of the following audit events:
- Start/Stop the Online Responder Service. Every Start/Stop event of the Online Responder service will be logged.
- Changes to the Online Responder configuration. All Online Responder configuration changes, including audit settings changes, will be logged.
- Changes to the Online Responder security settings. All changes to the Online Responder service request and management interfaces access control list (ACL) will be logged.
- Requests submitted to the Online Responder. All requests processed by the Online Responder service will be logged. This option can create a high load on the service and should be evaluated on an individual basis. Note that only requests that require a signing operation by the Online Responder will generate audit events; requests for previously cached responses will not be logged.
You must have Manage Online Responder permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.
To enable auditing of Online Responder operations
- Open the Online Responder snap-in, and select the Online Responder.
- Click Responder Properties on the Action menu, or click Responder Properties in the Action pane.
- Click the Audit tab, select the Online Responder audit options that you want to have logged, and then click OK.
Audit events will be logged to the Windows security log only if the Audit object access policy is enabled.
You must be an administrator on the server hosting the Online Responder to complete this procedure. For more information about administering a PKI, see Implement Role-Based Administration.
To enable the Audit object access policy
- Open the Local Group Policy Editor.
- Under Computer Configuration, expand Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.
- Double-click the Audit object access policy.
- Select the Success and Failure check boxes, and click OK.
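After both procedures are complete, the following added example (not part of the original documentation) checks that Object Access auditing is effective and that Online Responder events are reaching the Security log. It assumes an elevated session and English-language auditpol output; the Certification Services subcategory name and the event ID range 5120-5127 do not appear on this page and are used here as the identifiers Windows assigns to OCSP Responder Service audit events.

```powershell
# Added example: confirm the audit policy is effective and list recent
# Online Responder audit events. Run from an elevated PowerShell session.

# auditpol /r emits CSV; drop blank lines before parsing it.
$rows = auditpol /get /category:"Object Access" /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv

# Assumption: Online Responder (OCSP) events are audited under this subcategory.
$sub = $rows | Where-Object { $_.Subcategory -eq 'Certification Services' }

if (-not $sub) {
    Write-Warning 'Certification Services subcategory not found in auditpol output.'
} elseif ($sub.'Inclusion Setting' -ne 'Success and Failure') {
    Write-Warning ("Certification Services auditing is '{0}', not 'Success and Failure'." -f
        $sub.'Inclusion Setting')
} else {
    Write-Output 'Certification Services auditing: Success and Failure.'
}

# Assumption: 5120-5127 are the Security log event IDs for the OCSP Responder Service.
$ocspIds = 5120..5127
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ocspIds } `
    -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    # Expected if no audit option is selected on the Audit tab, or if every
    # recent request was answered from the response cache.
    Write-Warning 'No Online Responder audit events found in the Security log.'
} else {
    # Summarize by event ID with a count and the most recent timestamp.
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending |
                       Select-Object -First 1).TimeCreated
        }
    }
}
```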
Additional references
- Managing Online Responders
- Audit Revocation Configuration Changes