Hacked?


stockhatch
12-07-04, 02:15 PM
OK, so I am missing some event logs... I think. In the system log, a few days are missing, and the security log WILL NOT make entries. In other words, if I try to log in using the wrong password it doesn't create a log. There are absolutely zero logs for security. My only thought is that somebody got in. Or could this possibly be the work of a virus? I found 4 on my machine yesterday. All Java class file viruses, if that matters. If somebody did get in, I am impressed. I'm behind a dedicated gateway firewall box and two routers.

AC

David
12-07-04, 02:25 PM
Have you double checked it is set to log? Roughly what time did it stop logging? Can you check proxies and the like for suspicious activity around that time?

Keiron
12-07-04, 02:42 PM
Any chance you could list the exact viruses? If they are keyloggers, then it is likely they simply recorded your user/password and changed stuff.

stockhatch
12-07-04, 03:24 PM
It figures that I deleted the log in my AV :( I know of two for sure. One was dummy.class, one was GetAccess.class, I think one was dialer or something... They were all viruses, none listed as keyloggers. AFAIK the security logger is set to be running. It's not catching anything though, that's for sure. This is irritating. Looking at the system logs, some days have only 3 or 4 entries, some days are missing, and some days have a lot of entries.

AC

Keiron
12-07-04, 04:47 PM
What OS are you running, and is it all patched up?

stockhatch
12-07-04, 05:02 PM
XP Pro. Patched up AFAIK. Except SP2. I haven't taken the plunge yet... Also, I figured out that no auditing options were enabled for the security log. I went in and enabled them and now it logs fine. Are the audit options supposed to be disabled by default? Here's another interesting little tidbit. If I set my password policy to allow two logon attempts before locking the account, it locks my account on the first try. I know I'm typing the password right and it still locks the account. If I change the policy back to where it won't lock the account, it works fine. I just don't get it. Maybe it's operator error in this case too :D Talk about a lot of little strange things at once though.

Thanks

AC

I.M.O.G.
12-07-04, 05:14 PM
I would confirm the operator error. ;)

There is nothing that will appear in the security log unless you configure auditing and policy AFAIK. Not sure on that, but I think that to be so.
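
The point made in this post, as an added worked example that is not part of the thread: the Security log stays empty until an audit policy is switched on, so the first check when "nothing is logged" is the policy, not an intruder. This script is written for Windows Vista and later, where auditpol.exe and PowerShell exist; on XP, the OS in the thread, the same switches live in secpol.msc under Local Policies > Audit Policy, and a failed logon is event ID 529 rather than 4625. The regex assumes English auditpol output, and the function name is my own.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell
# prompt on Windows Vista or later (auditpol.exe, Get-WinEvent available)
# with English-language auditpol output.

function Get-LogonAuditSetting {
    # Parse auditpol output for the "Logon" subcategory and return its
    # setting: "No Auditing", "Success", "Failure" or "Success and Failure".
    $lines = auditpol /get /subcategory:"Logon"
    foreach ($line in $lines) {
        # Subcategory rows are indented; the category row "Logon/Logoff" is not.
        if ($line -match '^\s+Logon\s{2,}(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

$before = Get-LogonAuditSetting
"Logon auditing before: $before"

if ($before -notmatch 'Failure') {
    # Until failure auditing is on, a wrong password writes nothing at all.
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
    "Logon auditing after:  $(Get-LogonAuditSetting)"
}

# Lockout policy in effect; "Lockout threshold: Never" means accounts never lock.
net accounts | Select-String 'Lockout'

# With failure auditing on, a bad password now shows up as event 4625.
# Properties[5] is TargetUserName in the 4625 event schema.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } }

# An actual lockout is event 4740 on the machine that holds the account;
# Properties[0] is TargetUserName there.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[0].Value } }
```

Run it, then type a wrong password at the logon screen once and run the last two queries again: a 4625 per failed attempt is the baseline you want before reading a gap in the log as tampering. Comparing the 4625 count against the 4740 timestamp is also the quickest way to see whether a lockout fired after fewer attempts than the threshold in `net accounts` says.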

stockhatch
12-07-04, 05:19 PM
Great. That's actually good to hear LOL. At least that explains the security log. Still doesn't explain the system log issue though. I mean, why delete certain days when you can either delete the whole thing or just doctor out malicious activity? Also doesn't explain the strange behaviour of the account lockout policy. Ugh.

AC