auditing question - single file object access creates duplicate security log messages

From: Andy (a_rhine@hotmail.com)
Date: 05/20/02

• Next message: markmidwest: "Security Requirement Assessment"
• Previous message: Roger Rabbit: "Hiding Parent Domain"
• In reply to: Steve Ruegge: "auditing question - single file object access creates duplicate security log messages"
• Next in thread: Eric Fitzgerald [MS]: "Re: auditing question - single file object access creates duplicate security log messages"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Andy" <a_rhine@hotmail.com>
Date: Mon, 20 May 2002 13:28:37 -0700

I also have this problem. I have to record what files
are accessed in a certain directory for legal reasons.
The multiple entries are a pain. What is a good package
for recording and sorting though these huge log files and
making sense of it?

>-----Original Message-----
>I would like to audit file access on my server. I would
like to have only
>one audit message in the security log when a file is
read. Unfortunately I
>get a multitude of messages in the security log every
time a file is
>accessed.
>
>I have enabled auditing of object access in the Local
Security Policy of a
>2000 member server. I set auditing on individual files
on the server to
>record success or failure of List Folder/Read Data.
>
>Even though a file is accessed only once I receive
multiple security log
>messages. At least a half dozen messages Event 562
for "System" and same
>for Event 560 for the file object. This will make
actual file access
>counts very difficult to count.
>
>Is there something wrong that I dont have a one to one
relationship between
>object access and security log messages? The flood of
duplicates makes
>auditing results useless to me.
>
>Thanks
>Steve
>
>
>
>.
>

• Next message: markmidwest: "Security Requirement Assessment"
• Previous message: Roger Rabbit: "Hiding Parent Domain"
• In reply to: Steve Ruegge: "auditing question - single file object access creates duplicate security log messages"
• Next in thread: Eric Fitzgerald [MS]: "Re: auditing question - single file object access creates duplicate security log messages"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Event ID 560 Problem ... >Error 560s usually refer to object access. ... >whenever a user makes a connection to something out on ... >> this repeated event in my security log that I can't ... Whenever someone log off their workstation, ... (microsoft.public.win2000.security) Re: Help!Am I being hacked? ... That is entirely normal to be seen in the security log for access to the local sam by ... NT AUTHORITY\SYSTEM when object access is enabled. ... for the administrator account. ... account can not be locked out to console logon. ... (microsoft.public.win2000.security) Re: Data access and security permissions ... protection" to "low" and see if this continues. ... >Category: Object Access ... Access databases ... security log to fill up ... (microsoft.public.inetserver.iis.security) auditing question - single file object access creates duplicate security log messages ... I would like to audit file access on my server. ... one audit message in the security log when a file is read. ... (microsoft.public.win2000.security) Re: Event Viewer Getting Full ... auditing of object access must be enabled. ... http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml -- PsLogList to dump lof ... You can increase the size of the security log and by default it ... >> audit for only specific files and avoid using the users and everyone group to ... (microsoft.public.win2000.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint