Event ID 577 & 578 are filling Security Event Logs

timcapp · Apr 27, 2005

We have quite a few windows 2000 SP4 systems running that are
continually logging event ID 577 and 578 to the Security Event log . I
understand that a workaround to this is to turn off the privilege use
auditing policy, but this is not possible due to security requirements.
Is anyone aware of a workaround/patch to resolve this issue? It is
causing the event logs to grow to an unmanageable size.

Thanks
Tim

Steven L Umbach · Apr 28, 2005

Privilege use will generate a ton of events in the security log. Review your
policy to see if you can possibly audit only failures instead of success and
failure. If that is not possible you will need to increase the size of the
security logs substantially. I know of no other workaround. -- Steve

Roger Abell · Apr 28, 2005

Also, review the accounts that are generating the event messages.
Often it is not that the privilege is actually being used, but that the
user token is being adjusted to reflect the privilege is granted.
Perhaps accounts are over-allocated rights ?? or individuals
should be using less privileged accounts for "normal" activities.

timcapp · Apr 28, 2005

Thanks for the advice. We currently are only logging audit policy
failures. Our log is growing on some systems by 2-5 MB a day, and
almost all of it is is due to this message. The other problem is that
we need to review these logs weekly, and this message is making that a
very difficult and time consuming process.

Thanks again.

Tim

Steven L Umbach · Apr 28, 2005

OK. That does not sound like fun. If you have not tried it yet the free
Event Comb from Microsoft may make searching security logs easier for
specific events and text strings. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308471

Roger Abell · Apr 29, 2005

Which privilege is it mentioning ? which should be seen
at the end of the event log message.

Guest · Jun 6, 2005

Steven, why don't you post a solution? we are not here to be educated on
microsoft's product we have problems and are looking into a solution.
This is a solution http://support.microsoft.com/?kbid=831905 but it is for
XP we need one for windows 2003.
Thanks

Steven L Umbach · Jun 6, 2005

Hi Wilson.

I understand your frustration. I wish I knew a specific solution but I
don't. To say that Windows auditing is quirky would be an understatement.
You might try posting in the forums at the link below for Windows auditing
and security. --- Steve

http://www.auditingwindows.com/cms/index.php

Guest · Jun 8, 2005

Thank you Steven

Steven L Umbach said:
Hi Wilson.

I understand your frustration. I wish I knew a specific solution but I
don't. To say that Windows auditing is quirky would be an understatement.
You might try posting in the forums at the link below for Windows auditing
and security. --- Steve

http://www.auditingwindows.com/cms/index.php

SeTcbPrivilege event 577 - how to determine process?	3	Aug 5, 2003
SeTcbPriviledge - Event 577	1	Jun 19, 2009
Event ID 577 & Failed Install of Microsoft Firewall Client	4	Aug 8, 2003
Event ID: 578	1	Jun 1, 2006
Event Logs	2	Apr 26, 2010
Event Error Logs with Event ID 538 and 540	1	Apr 29, 2005
Event ID 578 and HPBPRO dot exe	5	Apr 5, 2004
Event ID 643	9	Jan 25, 2005

Event ID 577 & 578 are filling Security Event Logs

timcapp

Steven L Umbach

Roger Abell

timcapp

Steven L Umbach

Roger Abell

Guest

Steven L Umbach

Guest

Ask a Question

Similar Threads