security audit failure 560

Jim Madsen

Two of us just received new machines at work running XP.

We've noticed that our event logger fills up with security audit failure
560's. As far as I can tell, these are all generated by local programs
running on the machine. Our log file is set at 4 MB, and it eventually
fills up the 4 MB, mostly with 560's.

I did a Google search, and did not find anything that really helped me
out. In fact, I don't really understand what this event is trying to
tell me.

All I can figure out is either:

1. Some of the programs are not happy with permissions.
or
2. The logger is set to log events it doesn't need to.

Most of the events are generated by a program which we use to process
data files (probably because we use this a lot), but there are others
too (i.e. Acrobat Reader).

All the apps seem to be working as they are supposed to, they just fill the
logs with 560's. We talked to our IT dept., and they haven't been able
to determine why this is happening. Our IT dept. allows us to fix
problems on our own computers.

Bottom line: we are geeks and would like to know what is going on.

Jim
 
Steven L Umbach

If everything works fine I would not worry about it. You have auditing of
object access enabled, which will generate gazillions of events. It is
needed if you are auditing folder/file access for a specific reason, but in
general it is best left turned off. Auditing of account logon and/or logon
events can be worth auditing if you want to monitor your computer for
unauthorized use or hack attempts. --- Steve
 
Seeker

Run 'Secpol.msc' from Start>Run and browse the >Local Policies>Audit Policy
node. Turn off auditing for Object Access and any other events you don't
feel a need to track.
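
To see which program and which object are behind the 560 failures discussed in this thread before changing the audit policy, the Security log can be exported to text and tallied. This is an added example, not part of the original posts; the export layout, field labels, paths and program names in the sample are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: a text export of the Security log. Paths, program names
# and the field layout are illustrative; adjust the labels to match your export.
SAMPLE_EXPORT = r"""
Event ID: 560
Type: Failure Audit
Object Name: C:\Program Files\DataProc\settings.ini
Image File Name: C:\Program Files\DataProc\dataproc.exe
Accesses: WriteData (or AddFile)

Event ID: 560
Type: Failure Audit
Object Name: C:\Program Files\DataProc\settings.ini
Image File Name: C:\Program Files\DataProc\dataproc.exe
Accesses: WriteData (or AddFile)

Event ID: 560
Type: Failure Audit
Object Name: \REGISTRY\MACHINE\SOFTWARE\Adobe
Image File Name: C:\Program Files\Adobe\Reader\AcroRd32.exe
Accesses: Set key value

Event ID: 560
Type: Success Audit
Object Name: C:\Data\run1.dat
Image File Name: C:\Program Files\DataProc\dataproc.exe
Accesses: ReadData (or ListDirectory)
"""

# "Label: value" lines; the label ends at the first colon, so paths survive.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_failures(text):
    """Return one field dict per Event 560 failure audit in the export."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if fields.get("Event ID") == "560" and fields.get("Type") == "Failure Audit":
            events.append(fields)
    return events

def top_failures(text, n=5):
    """Count failures per (program, object, requested access), most frequent first."""
    keys = ("Image File Name", "Object Name", "Accesses")
    return Counter(tuple(e.get(k, "?") for k in keys) for e in parse_failures(text)).most_common(n)
```

A program that asks for write access to an object it can only read still runs normally when it falls back to read access, which is one way a working application can produce a steady stream of failure audits.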
 
Jim Madsen

Thanks Steve. I guess what bothers us is the word "failure", which
implies something hasn't worked as intended.

Regarding hack attempts, we did find something interesting. We found,
after reviewing our event logs, that someone from another building
within our agency tries to get into our Windows systems after we leave
every day. After reporting this to our IT, they said that that is the
function of that entity, in regards to checking security. What is
REALLY interesting, is that we recently installed a new model Gas
Chromatograph and Mass Spectrometer. Both of these items have their own
IP addresses and are on the LAN. They crashed during this last
"security check". We were just wondering if the individual doing the
checking thought they might be Windows machines and tried to "hack
in", causing them to crash.

A few years ago, before we had a firewall, we had problems with our HP
Printers, which were network printers. One of the viruses going around
would send its crap to the printers and they would spew pages of
gobbledygook. We contacted HP about this, and they were able to update
the firmware to prevent this, within 4 hours!!!

Jim
 
