Object Access Auditing causes security log to fill up

Guest

I have turned on object access auditing for 'Success' and 'Failure' in the local security policy on a Windows 2000 SP3 file server. In addition I have configured auditing on a particular folder on the file server to audit only certain success and failure events. After doing so I have noticed hundreds of 'object access' security events (event id 560) are logged by the System account in the security log. The volume of event id 560's is so great it fills my 20MB security log in a matter of a few hours!

Audit settings are as follows:

Policy                           Local Setting      Effective Setting
Audit account logon events       Success, Failure   Success, Failure
Audit account management         Failure            Failure
Audit directory service access   No auditing        No auditing
Audit logon events               Success, Failure   Success, Failure
Audit object access              Success, Failure   Success, Failure
Audit policy change              Success, Failure   Success, Failure
Audit privilege use              Success, Failure   Success, Failure
Audit process tracking           Failure            Failure
Audit system events              Success, Failure   Success, Failure

Is there any way I can prevent the logging of 'object access' security events by the System Account?
 
Buz [MSFT]

Disable Anti-Virus real time scanning of that directory?

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.



Dave Williams said:
I have turned on object access auditing for 'Success' and 'Failure' in the
local security policy on a Windows 2000 SP3 file server. In addition I have
configured auditing on a particular folder on the file server to audit only
certain success and failure events. After doing so I have noticed hundreds
of 'object access' security events (event id 560) are logged by the System
account in the security log. The volume of event id 560's is so great it
fills my 20MB security log in a matter of a few hours!
 
Guest

I shall give it a try!

Thanks

Dave

 
Guest

Hello again

I've disabled NAV real time protection as suggested which has reduced the size of the security log considerably, however the log is still reaching around 12MB for one day's activity, 75% of which are still events recorded by the SYSTEM account! Because the log is still quite large, it also makes it incredibly difficult to run off an audit report using a VB script.

Is there anything else that you can think of that I can do to further reduce the number of entries logged for the SYSTEM account?

Many Thanks

Dave


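An added example, not part of the original thread: one way to find out which processes and files account for the remaining SYSTEM entries is to tally event 560 records by account, process ID and object name. It assumes the security log has been exported to CSV with the hypothetical columns event_id, user and description, and that the description carries the "Object Name", "New Handle ID" and "Process ID" labels; the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export (assumed column layout, not data from the thread).
SAMPLE = r'''event_id,user,description
560,NT AUTHORITY\SYSTEM,"Object Open: Object Type: File Object Name: D:\Audited\plan.doc New Handle ID: 1204 Process ID: 1148"
560,NT AUTHORITY\SYSTEM,"Object Open: Object Type: File Object Name: D:\Audited\plan.doc New Handle ID: 1208 Process ID: 1148"
560,NT AUTHORITY\SYSTEM,"Object Open: Object Type: File Object Name: D:\Audited\pay roll.xls New Handle ID: 932 Process ID: 812"
560,EXAMPLE\jsmith,"Object Open: Object Type: File Object Name: D:\Audited\plan.doc New Handle ID: 516 Process ID: 8"
528,EXAMPLE\jsmith,"Successful Logon"
'''

# Object names may contain spaces, so capture up to the next field label.
OBJ = re.compile(r"Object Name:\s*(.*?)\s+New Handle ID:")
PID = re.compile(r"Process ID:\s*(\d+)")


def noisy_sources(csv_text, event_id="560"):
    """Count matching events per (user, process id) and per (user, object)."""
    by_proc, by_obj = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != event_id:
            continue  # ignore logon and other non-object-access events
        user = row["user"].upper()
        pid = PID.search(row["description"])
        obj = OBJ.search(row["description"])
        by_proc[(user, pid.group(1) if pid else "?")] += 1
        by_obj[(user, obj.group(1) if obj else "?")] += 1
    return by_proc, by_obj


def system_share(by_proc):
    """Fraction of counted events that were logged under the SYSTEM account."""
    total = sum(by_proc.values())
    system = sum(n for (u, _), n in by_proc.items() if u.endswith("\\SYSTEM"))
    return system / total if total else 0.0


if __name__ == "__main__":
    procs, objs = noisy_sources(SAMPLE)
    print("SYSTEM share of event 560: %.0f%%" % (100 * system_share(procs)))
    for (user, pid), n in procs.most_common():
        print(n, user, "PID", pid)
    for (user, name), n in objs.most_common(3):
        print(n, user, name)
```

The process IDs at the top of the tally can then be matched against the running processes on the server to see which service is opening the audited files.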
 
