Security Event Log exploding with 560/562 auditing entries

Discussion in 'Windows Server' started by Mark Z., Aug 4, 2008.

  1. Mark Z.

    Mark Z. Guest

    I'm seeing these 2 events in my Security Event log on a member server
    (non-DC) several times each second:

    ===== 1 =====

    Event Type: Success Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 560
    Date: 8/4/2008
    Time: 12:26:53 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER01
    Description:
    Object Open:
    Object Server: Security
    Object Type: Key
    Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Account Manager
    Handle ID: 492
    Operation ID: {0,808503072}
    Process ID: 1656
    Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe
    Primary User Name: SERVER01$
    Primary Domain: DOMAIN
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses: DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    Query key value
    Set key value
    Create sub-key
    Enumerate sub-keys
    Notify about changes to keys
    Create Link

    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0xF003F

    ===== 2 =====

    Event Type: Success Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 562
    Date: 8/4/2008
    Time: 12:26:53 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER01
    Description:
    Handle Closed:
    Object Server: Security
    Handle ID: 492
    Process ID: 1656
    Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe

    ===============================


    Here's what I've done:
    1. Checked the local "Audit: Audit the access of global system objects"
    policy - it is confirmed as disabled. GPOs are not changing this auditing
    policy either.

    2. There is no special auditing set on "C:\Program Files\BMC
    Software\CONTROL-M Links\NTAgent\WinNTAgService.exe" or any parent folders.

    3. The only auditing set on
    "REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security
    Account Manager" is Success/Failure on [Set Value/Create Subkey/Delete/Write
    DAC/Write Owner] which appears to be a Server 2003 default and is not causing
    an issue on another server with a similar config.

    The server is rebooted every morning on schedule - this issue has been
    ongoing for weeks.
     
    Mark Z., Aug 4, 2008
    #1

  2. Mark Z.

    Mark Z. Guest

    Figured it out, the agent was receiving a config from the server which was
    making it hit the Security log, therefore logging these events due to the
    "audit privilege use" policy being enabled for our domain.
     
    Mark Z., Aug 4, 2008
    #2
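
For triaging a 560/562 flood like the one in this thread, the following added example (not part of the original posts) decodes the event's Access Mask into registry key rights, shows which of them coincide with the rights post #1 step 3 lists as audited, and tallies opens per image and object. The function names, the mapping of the step 3 entries to winnt.h constants, and the input layout (one "Field: value" per line, events separated by blank lines) are assumptions.

```python
import re
from collections import Counter

# Registry key access rights (winnt.h values).
KEY_RIGHTS = {
    0x00001: "KEY_QUERY_VALUE", 0x00002: "KEY_SET_VALUE",
    0x00004: "KEY_CREATE_SUB_KEY", 0x00008: "KEY_ENUMERATE_SUB_KEYS",
    0x00010: "KEY_NOTIFY", 0x00020: "KEY_CREATE_LINK",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# Assumed mapping of the rights post #1 (step 3) lists as audited on the key:
# Set Value, Create Subkey, Delete, Write DAC, Write Owner.
AUDITED = 0x00002 | 0x00004 | 0x10000 | 0x40000 | 0x80000

# Sample input: the thread's two events, trimmed to the fields used here.
SAMPLE = r"""
Event ID: 560
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Account Manager
Handle ID: 492
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe
Access Mask: 0xF003F

Event ID: 562
Handle ID: 492
Process ID: 1656
"""

def parse_events(text):
    """Split a text dump on blank lines; return one {field: value} dict per event."""
    blocks = re.split(r"\n\s*\n", text.strip())
    events = [dict(re.findall(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$", b, re.M)) for b in blocks]
    return [e for e in events if "Event ID" in e]

def decode_mask(mask, within=~0):
    """Names of the key rights set in mask, optionally limited to the bits in `within`."""
    return [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & within & bit]

def noisy_sources(events):
    """Per (image, object): number of 560 opens and how many have a 562 close."""
    # Handle IDs are reused, so this only checks that some close exists for the pair.
    closed = {(e["Process ID"], e["Handle ID"]) for e in events if e["Event ID"] == "562"}
    opens, paired = Counter(), Counter()
    for e in events:
        if e["Event ID"] == "560":
            key = (e["Image File Name"], e["Object Name"])
            opens[key] += 1
            paired[key] += (e["Process ID"], e["Handle ID"]) in closed
    return {k: (n, paired[k]) for k, n in opens.items()}
```

Run over a full export, `noisy_sources` ranks which process and object account for the volume, and `decode_mask(mask, AUDITED)` lists the requested rights that overlap the audited set.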
