[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


"Audit Object Access" floods the Security Log - Why?

Posted on 2007-07-31
Medium Priority
Last Modified: 2010-03-05
Greetings -

I want to audit when any users read or write to a specific folder.  I opened up my Local Security Policy editor and enabled both Success and Failure for the "Audit Object Access" setting.

Now I *DID NOT* go enable auditing on the folder I'm interested in yet!  I simply went into the Security Log and found thousands of entries for the SYSTEM account accessing objects.  The log was flooded within minutes and kept growing and growing.

What's going on here?  Shouldn't I have to turn on auditing for a specific object (i.e. a folder) before anything gets audited?

What is the system looking at here...???  Thoughts?
Question by:amendala
  • 2

Expert Comment

ID: 19605521
Auditing is a system specific setting.  You will need to dig through the results in Event Viewer in the Security Log.  

LVL 23

Expert Comment

ID: 19607410
Thought you said on your first paragraph "opened up my Local Security Policy editor and enabled both Success and Failure for the "Audit Object Access" setting"??

Anyway, you now have a feel of how auditing works :) If you audit on successful access you will have tons of records in your log - each successful access has 2 records one for open and one for close.

Accepted Solution

iCoreKC earned 1500 total points
ID: 19613367
By the way there are many tools that you can use to sift your Event Security Logs and generate reports.  

We use Event Analyst.  http://www.doriansoft.com/eventanalyst

But there are others that are free ware.  Just Google "Event Log Reporting" to find them.

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 Creator Update has just been released and I have it working very well on my laptop. Read below for issues, fixes and ideas.
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question