
Security Event ID 560, 562, 567 success audit every second

bbarac asked
Last Modified: 2008-01-09
I have a new XP machine that runs one single application. This machine is part of the domain and has nothing installed except Symantec, the one SAP application, and that's it. It has SP2 installed with all the latest updates. For a couple of months everything was fine on the machine, but a couple of weeks ago I noticed that the events in the Security event log are HUGE: each second I get hundreds of Success Audit events 560, 562, 567. The events fill up the log file twice a day to a maximum of about 500MB and then they clear themselves. Due to SOX regulations I need to save these logs each month, but right now I can't even keep a day's worth of logs. Anyone know what is going on here?

I am attaching below some of the event ID audit properties for everyone to see. Also, the event logging is all set to default; nothing was changed for this extra logging to occur.

I should mention that the first one lists LANDesk as the source. We use this software for remote control and software inventory, but it's idling when these events occur. The LANDesk software is installed on all of our machines with no problems.

CATEGORY FOR ALL THESE EVENTS IS: OBJECT ACCESS
---------------------------------------------------------------------------------------------
Handle Closed:
       Object Server:      Security
       Handle ID:      284
       Process ID:      5400
       Image File Name:      C:\Program Files\LANDesk\LDClient\tmcsvc.exe

-----------------------------------------------------------------------------------------------
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      \Device\SAVRT
       Handle ID:      3768
       Operation ID:      {0,2456325515}
       Process ID:      1780
       Image File Name:      C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
       Primary User Name:      TSZO-6345$
       Primary Domain:      TECKCOMINCO
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
                  ReadData (or ListDirectory)
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  ReadEA
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:            -
       Restricted Sid Count: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------------------------------------------------------------
Object Access Attempt:
       Object Server:      Security
       Handle ID:      1148
       Object Type:      Directory
       Process ID:      748
       Image File Name:      C:\WINDOWS\system32\services.exe
       Access Mask:      Query directory
                  



Any ideas anyone??

Thanks.


Author

Commented:
I should add that I have logged in as a different user on this machine and the event log was still reporting the same events.
CERTIFIED EXPERT
Commented:

Author

Commented:
Thanks for the links.

I'm not using Norton, I am using Symantec Corporate, and that was not the problem. The problem was that the local logged-in user had to be removed from the Power Users group; after rebooting, all the events cleared.
CERTIFIED EXPERT

Commented:
Thanks for the points, that was generous of you. Thanks for the solution too.
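
Added example (not part of the original thread): a Python tally of exported Security-log descriptions, in the layout quoted in the question, by record type and image file name, to show which process is producing the flood. The sample text is constructed from that layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: three records in the layout of the event descriptions
# quoted in the question (fields trimmed for brevity).
SAMPLE = r"""
Handle Closed:
       Handle ID:      284
       Process ID:      5400
       Image File Name:      C:\Program Files\LANDesk\LDClient\tmcsvc.exe
-----------------------------------------------
Object Open:
       Object Type:      File
       Object Name:      \Device\SAVRT
       Process ID:      1780
       Image File Name:      C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
       Accesses:            READ_CONTROL
                  SYNCHRONIZE
-----------------------------------------------
Object Access Attempt:
       Process ID:      748
       Image File Name:      C:\WINDOWS\system32\services.exe
       Access Mask:      Query directory
"""

HEADINGS = ("Handle Closed", "Object Open", "Object Access Attempt")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*)$")  # "Name:   value" lines

def parse_records(text):
    """Split exported descriptions into dicts, one per audit record."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and stripped[:-1] in HEADINGS:
            current = {"Record": stripped[:-1]}
            records.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:  # continuation lines (extra access rights) have no colon
                current.setdefault(m.group(1).strip(), m.group(2).strip())
    return records

def top_sources(records):
    """Count records per (record type, executable name), noisiest first."""
    return Counter((r["Record"], r.get("Image File Name", "?").rsplit("\\", 1)[-1])
                   for r in records).most_common()

if __name__ == "__main__":
    print(top_sources(parse_records(SAMPLE)))
```
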