Enabling Object Access Auditing Creates too many security events


waseem
04-08-2004, 12:34 AM
I enabled the "object access" auditing for a domain controller that is also a file server, to monitor the folder/file access. But I am getting a lot of unwanted events in the security log after that. I increased the size of the security log from 2MB to 10 MB but it was full again in a few minutes. Examples of unwanted events are given at the end. I just want to enable successful and unsuccessful attempts logging for file and folder access at this time. Can someone suggest how to stop the rest of the object access logs?

============
Example1
=============
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/7/2004
Time: 2:20:34 PM
User: NT AUTHORITY\SYSTEM
Computer: XYZ
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\NetBT_Tcpip_{8EECD387-694E-40D4-BCC8-3E681490E840}
New Handle ID: 740
Operation ID: {0,160210673}
Process ID: 1776
Primary User Name: XYZ$
Primary Domain: CORPHQ
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)

Privileges -
=========================================================
Example-2
=========
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/7/2004
Time: 2:20:34 PM
User: NT AUTHORITY\SYSTEM
Computer: XYZ
Description:
Object Open:
Object Server: Security
Object Type: Event
Object Name:
\BaseNamedObjects\SvcctrlStartEvent_A3752DX
New Handle ID: 1016
Operation ID: {0,160210620}
Process ID: 2336
Primary User Name: XYZ$
Primary Domain: CORPHQ
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses SYNCHRONIZE

Privileges -
==========
Example-3
==========
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/7/2004
Time: 2:20:33 PM
User: NT AUTHORITY\SYSTEM
Computer: ZYZ
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: \??\NAVAP
New Handle ID: 1836
Operation ID: {0,160210550}
Process ID: 1960
Primary User Name: XYZ$
Primary Domain: CORPHQ
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or
CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Privileges -
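Two points of background help when reading the three events above: the audit policy setting only switches the Object Access category on, and which objects actually produce event 560 is governed by the SACL (auditing entries) on each object; base kernel objects such as \Device\... and \BaseNamedObjects\... are audited when the security option "Audit the access of global system objects" is enabled, which is why the noisy entries come from NT AUTHORITY\SYSTEM rather than from users. Event 560 also records a handle being opened with the listed access rights, not that data was actually read or written. Until the policy is narrowed, a triage filter that keeps only the 560 events whose object is a real file-system path is useful for reviewing an exported log. The following Python script is an added example written for this thread, not code from the original post; it parses the Event Viewer text layout shown above and classifies each record. The event text it runs on is constructed (handle IDs, the GUID, the user jdoe and the path C:\Shares\Finance\budget.xls are made up), and the helper names are my own.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample of four exported Security-log events in the same text
# layout as the post. Three mimic the noisy records; the last is the kind of
# file-server access the poster actually wants to see. All values are made up.
SAMPLE_EVENTS = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: NT AUTHORITY\SYSTEM
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\NetBT_Tcpip_{00000000-0000-0000-0000-000000000001}
New Handle ID: 740
Primary User Name: XYZ$
Accesses SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)

Privileges -
==========
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Object Type: Event
Object Name:
\BaseNamedObjects\SvcctrlStartEvent_A3752DX
New Handle ID: 1016
Accesses SYNCHRONIZE

Privileges -
==========
Event Type: Success Audit
Event Category: Object Access
Event ID: 560
Object Type: File
Object Name: \??\NAVAP
New Handle ID: 1836
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)

Privileges -
==========
Event Type: Failure Audit
Event Category: Object Access
Event ID: 560
Object Type: File
Object Name: C:\Shares\Finance\budget.xls
New Handle ID: -
Primary User Name: jdoe
Accesses ReadData (or ListDirectory)
WriteData (or AddFile)

Privileges -
"""

# A file-system path: optional \??\ prefix then a drive letter, or a UNC \\server\ path.
FS_PATH = re.compile(r"^(?:\\\?\?\\)?[A-Za-z]:\\|^\\\\[^\\]+\\")


def split_records(text: str) -> List[List[str]]:
    """Split exported text into one list of lines per event; each starts at 'Event Type:'."""
    records: List[List[str]] = []
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            if current:
                records.append(current)
            current = [line]
        elif current is not None and line and not set(line) <= {"="}:
            current.append(line)          # skip blank lines and ===== separators
    if current:
        records.append(current)
    return records


def parse_record(lines: List[str]) -> Dict[str, Any]:
    """Turn 'Key: value' lines into a dict; collect the Accesses list separately."""
    fields: Dict[str, Any] = {"accesses": []}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Accesses"):
            first = line[len("Accesses"):].strip()      # first right may share the line
            accesses = [first] if first else []
            i += 1
            while i < len(lines) and ":" not in lines[i] and not lines[i].startswith("Privileges"):
                accesses.append(lines[i])
                i += 1
            fields["accesses"] = accesses
            continue
        key, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            # Event Viewer wraps a long Object Name onto the following line
            if key == "Object Name" and not value and i + 1 < len(lines):
                i += 1
                value = lines[i]
            fields[key] = value
        i += 1
    return fields


def classify(rec: Dict[str, Any]) -> Optional[str]:
    """Return None for a file/folder access worth keeping, else the reason it is noise."""
    if rec.get("Event ID") != "560":
        return "not an object-open event"
    if rec.get("Object Type") != "File":
        return f"object type {rec.get('Object Type')!r} is not a file"
    name = str(rec.get("Object Name", ""))
    if name.startswith("\\Device\\"):
        return "kernel device object"
    if not FS_PATH.match(name):
        return "not a file-system path"
    return None


def filter_file_access(text: str) -> Tuple[List[Dict[str, Any]], Dict[str, int]]:
    """Return (kept file-access records, count of dropped records per reason)."""
    kept: List[Dict[str, Any]] = []
    dropped: Dict[str, int] = {}
    for lines in split_records(text):
        rec = parse_record(lines)
        reason = classify(rec)
        if reason is None:
            kept.append(rec)
        else:
            dropped[reason] = dropped.get(reason, 0) + 1
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_file_access(SAMPLE_EVENTS)
    for rec in kept:
        print(rec["Event Type"], rec.get("Primary User Name"), rec["Object Name"], rec["accesses"])
    print("dropped:", dropped)
```

Run against a log saved from Event Viewer as text, the script keeps only the 560 events that name a drive-letter or UNC path, and the `dropped` summary shows what share of the volume came from kernel and named objects, which is the evidence to use when deciding whether "Audit the access of global system objects" should be turned off and which folders actually need a SACL.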