Guest Mike55
Posted September 3, 2008

Hey All,

I've got Directory Service Access auditing turned on for some auditing software, but the security log fills up with 565 events. I only have Success turned on for auditing. I've tried increasing the maximum log size, but there are just too many 565 events - it fills up a 1GB event log in less than a day.

Any ideas what is causing all the 565 events? I do need auditing turned on, but with the log filling up so fast, it's almost pointless to collect useful data.

I've pasted a copy of one of the events below. My domain is carroll.edu and the DC for this event is HERA.

Thanks!
Mike

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 9/3/2008
Time: 1:12:01 PM
User: CARROLL\administrator
Computer: HERA
Description:
Object Open:
    Object Server: Security Account Manager
    Object Type: SAM_SERVER
    Object Name: CN=Server,CN=System,DC=carroll,DC=edu
    Handle ID: 121482008
    Operation ID: {0,1134038963}
    Process ID: 400
    Process Name: C:\WINDOWS\system32\lsass.exe
    Primary User Name: HERA$
    Primary Domain: CARROLL
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: Administrator
    Client Domain: CARROLL
    Client Logon ID: (0x0,0x43980FA5)
    Accesses: DELETE
        READ_CONTROL
        WRITE_DAC
        WRITE_OWNER
        ConnectToServer
        ShutdownServer
        InitializeServer
        CreateDomain
        EnumerateDomains
        LookupDomain
        Undefined Access (no effect) Bit 6
        Undefined Access (no effect) Bit 7
        Undefined Access (no effect) Bit 8

    Privileges: -

    Properties:
    ---
        samServer

    Access Mask: 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Guest Tim Springston [MSFT]
Posted October 9, 2008

Hi Mike-

These events can occur since that object is read often in the normal course of AD business by our SAM code. We not auditing the object access of that object for that reason. This is documented in a few places:

http://support.microsoft.com/kb/841001

"Keeping the noise down in your security log"
http://blogs.msdn.com/ericfitz/archive/200.../11/350848.aspx

Hope this helps-
Tim Springston [MSFT]
All postings are provided "AS IS" with no warranties, and confer no rights.
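
Added example, not part of either post: a small Python triage script that reads a text export of Security log events in the layout of the 565 event pasted in the question and tallies them by object type, object name and client user, so the object generating the noise stands out before any audit setting is changed. The sample events, the helper names and the second object name are constructed for illustration.

```python
import re
from collections import Counter

# "Name: value" lines; continuation lines under Accesses carry no colon and are skipped.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.MULTILINE)

def parse_events(text):
    """Split a text export on 'Event Type:' lines; return one field dict per event."""
    events = []
    for chunk in re.split(r"(?m)^(?=[ \t]*Event Type:)", text):
        fields = {}
        for name, value in FIELD.findall(chunk):
            fields.setdefault(name.strip(), value.strip())  # first occurrence wins
        if fields:
            events.append(fields)
    return events

def noisy_objects(events, event_id="565"):
    """Tally events by (Object Type, Object Name, Client User Name), busiest first."""
    keys = ("Object Type", "Object Name", "Client User Name")
    tally = Counter(tuple(e.get(k, "?") for k in keys)
                    for e in events if e.get("Event ID") == event_id)
    return tally.most_common()

def _event(obj_type, obj_name, client):
    # Constructed event in the layout of the one pasted in the question (fields trimmed).
    return (
        "Event Type: Success Audit\n"
        "Event Category: Directory Service Access\n"
        "Event ID: 565\n"
        "Description:\n"
        "Object Open:\n"
        f"    Object Type: {obj_type}\n"
        f"    Object Name: {obj_name}\n"
        "    Process Name: C:\\WINDOWS\\system32\\lsass.exe\n"
        f"    Client User Name: {client}\n"
        "    Accesses: READ_CONTROL\n"
        "        ConnectToServer\n\n"
    )

# Constructed sample: three SAM_SERVER opens and one open of a made-up user object.
SAM_DN = "CN=Server,CN=System,DC=carroll,DC=edu"
USER_DN = "CN=Example User,CN=Users,DC=carroll,DC=edu"
SAMPLE = _event("SAM_SERVER", SAM_DN, "Administrator") * 3 + _event("user", USER_DN, "Administrator")

if __name__ == "__main__":
    for (otype, oname, client), n in noisy_objects(parse_events(SAMPLE)):
        print(f"{n:6d}  {otype:12s} {client:15s} {oname}")
```
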