Audit Online Responder Operations
Applies To: Windows Server 2008, Windows Server 2012
You can monitor the operations of an Online Responder by logging events to the Windows security event log. The Online Responder allows the configuration of the following audit events:
Start/Stop the Online Responder Service. Every Start/Stop event of the Online Responder service will be logged.
Changes to the Online Responder configuration. All Online Responder configuration changes, including audit settings changes, will be logged.
Changes to the Online Responder security settings. All changes to the Online Responder service request and management interfaces access control list (ACL) will be logged.
Requests submitted to the Online Responder. All requests processed by the Online Responder service will be logged. This option can create a high load on the service and should be evaluated on an individual basis. Note that only requests that require a signing operation by the Online Responder will generate and audit events; requests for previously cached responses will not be logged.
You must have Manage Online Responder permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.
To enable auditing of Online Responder operations
Open the Online Responder snap-in, and select the Online Responder.
Click Responder Properties on the Action menu, or click Responder Properties in the Action pane.
Click the Audit tab, select the Online Responder audit options that you want to have logged, and then click OK.
Audit events will be logged to the Windows security log only if the Audit object access policy is enabled.
You must be an administrator on the server hosting the Online Responder to complete this procedure. For more information about administering a PKI, see Implement Role-Based Administration.
To enable the Audit object access policy
Open the Local Group Policy Editor.
Under Computer Configuration, expand Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.
Double-click the Audit object access policy.
Select the Success and Failure check boxes, and click OK.