Event ID 560's

[Guest]

Due to security regulations, I am forced to use object auditing. As a
result, I get a TON of event 560 failures. Sometimes to the tune of 30 or
more per minute. Is there any way to fix this without disabling auditing?

Most of the stuff being logged is real weird. Like
Object Server: Security

 

[Guest]

Oops. Wrong button.

Anyways, the event looks like this
Object Server: Security
Object Type: Mutant
Object Name: \BaseNamedObjects\RasPbFile

or

Object Server: Security
Object Type: Event
Object Name: \BaseNamedObjects\crypt32LogoffEvent

Or lots of these when running Task Manager
Object Server: Security
Object Type: Desktop
Object Name: \\Winlogon


Any ideas?

 

[Roger Abell]

I am not sure of the last you have displayed.

The first two may be masked if you do not enable the policy
to audit global system objects. Although this does not sound
like a good thing to do, on the other hand it is not clear how
much use most people would make of the provided info.

I have noticed that the first two are fairly commonly seen
on W2k server when one enables audit global system objects.
I have also queried internally a couple times for info on the
second (crypt32LogoffEvent) and once a year and half ago
did an exhaustive search for info and came up empty.

 

[Guest]

Unfortunately, I have to enable auditing of global system objects.

I've been searching for almost 3 weeks now and found nothing. My site
administrators are complaining about excessive log sizes.

Thanks for the info though. At least I'm not the only one.

 

[Guest]

I have the same problem. I monitor for only failures. I was told you could
try limit what you are auditing. Like get rid of extended attributes. Don't
monitor except for events like trying to change it so it will only audit on
events you need like Delete, Write, Change Permissions. You do that on the
object, ie directory on the properties->security tab-> advanced.