Re: auditing question - single file object access creates duplicate security log messages

From: x y (jamescagney90210@excite.com)
Date: 05/20/02


From: "x y" <jamescagney90210@excite.com>
Date: Mon, 20 May 2002 12:53:20 -0400


Sounds normal. For this reason, I usually audit failure on everything and
success on only some things, like everything except for directory access,
object access, privilege use and process tracking. Also, I believe you can
go into the NTFS permissions and audit only success on deletion, creation,
etc. if that is useful to you.

Or, if auditing successful file access is important to you, you'll probably
want to create or find a third-party log viewing/searching/parsing utility
to make it something more robust than the default Windows sequential filing
system... like send everything from your Windows log to a syslog or to a SQL
server.

"Steve Ruegge" <steve.ruegge@microsoft.com> wrote in message
news:u98mtxBACHA.1696@tkmsftngp04...
> I would like to audit file access on my server. I would like to have only
> one audit message in the security log when a file is read. Unfortunately I
> get a multitude of messages in the security log every time a file is
> accessed.
>
> I have enabled auditing of object access in the Local Security Policy of a
> 2000 member server. I set auditing on individual files on the server to
> record success or failure of List Folder/Read Data.
>
> Even though a file is accessed only once I receive multiple security log
> messages. At least a half dozen messages Event 562 for "System" and same
> for Event 560 for the file object. This will make actual file access
> counts very difficult to count.
>
> Is there something wrong that I don't have a one to one relationship between
> object access and security log messages? The flood of duplicates makes
> auditing results useless to me.
>
> Thanks
> Steve
>
>
>
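A sketch of the kind of parsing utility the reply suggests, added here as an example and not part of either poster's message: it drops Event 562 (handle closed) records and collapses bursts of Event 560 (object open) records for the same user and file into one logical access. The CSV layout, the 5-second window, the function names and the sample rows are assumptions made for illustration; the input is expected in chronological order.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in a hypothetical CSV export: time, event ID, user, object.
# 560 = object open, 562 = handle closed (Windows 2000 security event IDs).
SAMPLE = r"""2002-05-20 12:00:01,560,CORP\alice,C:\data\report.doc
2002-05-20 12:00:01,562,SYSTEM,-
2002-05-20 12:00:01,560,CORP\alice,C:\data\report.doc
2002-05-20 12:00:02,562,SYSTEM,-
2002-05-20 12:00:02,560,CORP\alice,C:\data\report.doc
2002-05-20 12:00:02,560,CORP\bob,C:\data\report.doc
2002-05-20 12:07:30,560,CORP\alice,C:\data\report.doc
2002-05-20 12:07:30,562,SYSTEM,-
"""

def logical_accesses(text, window_seconds=5):
    """Collapse bursts of 560 events for one (user, object) into one access."""
    window = timedelta(seconds=window_seconds)
    last_seen = {}   # (user, object) -> time of the most recent 560 event
    accesses = []    # one (time, user, object) tuple per logical access
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        stamp, event_id, user, obj = (field.strip() for field in row)
        if event_id != "560":
            continue  # 562 handle-close events carry no new access
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = (user.lower(), obj.lower())  # Windows names are case-insensitive
        previous = last_seen.get(key)
        if previous is None or when - previous > window:
            accesses.append((when, user, obj))
        last_seen[key] = when  # sliding window: a burst extends itself
    return accesses

def access_counts(text, window_seconds=5):
    """Count logical accesses per (user, object)."""
    counts = {}
    for _, user, obj in logical_accesses(text, window_seconds):
        counts[(user, obj)] = counts.get((user, obj), 0) + 1
    return counts

if __name__ == "__main__":
    for (user, obj), n in sorted(access_counts(SAMPLE).items()):
        print(f"{n} access(es) by {user} to {obj}")
```

The time window is a heuristic: two genuine reads of the same file by the same user inside the window are counted as one, so the window should be tuned against a known test access.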


