CSA User authentication auditing rule and Policy conflicts

Unanswered Question
May 9th, 2009
User Badges:

Hi there

We have CSA 5.2 in our environment and i created a custom policy and added the 'user authentication auditing' rule and enabled auditing failure events on windows XP machine but i dont see any failure attempts in the CSA MC event log even though i tried to logon on with invalid passwords.What could be the reason for this.

Secondly i was wondering what happens when i apply two policies, Are the policy settings added and applied to the group or one policy gets priority over the other

Thanks for your anwers


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jan.nielsen Tue, 05/12/2009 - 02:05
User Badges:
  • Gold, 750 points or more

All rules in all policies that are attached to a group get compared and prioritized by their specificity and action type, so if you attach two policies to a group, csa will generate a ruleset containing all the individual rules from those policies.

tsteger1 Wed, 05/13/2009 - 12:49
User Badges:
  • Red, 2250 points or more

Have you checked the security event logs on the machines in question? If there are no events there, CSA cannot report them.

That's where CSA gets the info and by default, there is no account auditing in Windows XP.

You have to enable it either via group or local policy.



This Discussion