Audit system events

This security setting determines whether the OS audits any of the following events: 

  • Attempted system time change 
  • Attempted security system startup or shutdown 
  • Attempt to load extensible authentication components 
  • Loss of audited events due to auditing system failure 
  • Security log size exceeding a configurable warning threshold level. 

If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time the OS performs one of these activities successfully.

If Failure auditing is enabled, an audit entry is generated each time the OS attempts and fails to perform one of these activities.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Audit Policy

Default: 

Success on domain controllers. No auditing on member servers.

Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

Audit Policy security settings are not registry keys.

Reboot required: 

No

Related content