"Audit Object Access" floods the Security Log - Why?

Greetings -

I want to audit when any users read or write to a specific folder.  I opened up my Local Security Policy editor and enabled both Success and Failure for the "Audit Object Access" setting.

Now I *DID NOT* go enable auditing on the folder I'm interested in yet!  I simply went into the Security Log and found thousands of entries for the SYSTEM account accessing objects.  The log was flooded within minutes and kept growing and growing.

What's going on here?  Shouldn't I have to turn on auditing for a specific object (i.e. a folder) before anything gets audited?

What is the system looking at here...???  Thoughts?
amendala asked:

iCoreKC commented:
By the way, there are many tools that you can use to sift through your Event Security Logs and generate reports.

We use Event Analyst.  http://www.doriansoft.com/eventanalyst

But there are others that are freeware.  Just Google "Event Log Reporting" to find them.

iCoreKC commented:
Auditing is a system-specific setting.  You will need to dig through the results in Event Viewer in the Security Log.

ormerodrutter commented:
Thought you said in your first paragraph "opened up my Local Security Policy editor and enabled both Success and Failure for the 'Audit Object Access' setting"??

Anyway, you now have a feel for how auditing works :) If you audit on successful access you will have tons of records in your log - each successful access has 2 records, one for open and one for close.
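
One way to see what is filling the log, as an added example that is not part of the original thread: group the object-access events by event ID, account and object type. It assumes Windows Vista/Server 2008 or later event IDs (4656 handle requested, 4658 handle closed, 4663 access attempted; older systems log 560 and 562 instead), and the function name and sample events are constructed for illustration.

```powershell
# Added example (not from the thread). Summarizes object-access events so the
# noisiest account / object-type combinations show up first.
function Get-ObjectAccessSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)

    $rows = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # Flatten the <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            EventId    = [int]$evt.System['EventID'].InnerText
            Account    = $data['SubjectUserName']
            ObjectType = $data['ObjectType']   # not present on 4658 (close) events
        }
    }
    $rows | Group-Object EventId, Account, ObjectType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events, same shape as the output of $event.ToXml().
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    @(4656, 'SYSTEM', 'Key'),
    @(4658, 'SYSTEM', ''),
    @(4656, 'SYSTEM', 'Key'),
    @(4658, 'SYSTEM', ''),
    @(4663, 'alice',  'File')
) | ForEach-Object {
    "<Event xmlns='$ns'><System><EventID>$($_[0])</EventID></System>" +
    "<EventData><Data Name='SubjectUserName'>$($_[1])</Data>" +
    "<Data Name='ObjectType'>$($_[2])</Data></EventData></Event>"
}

Get-ObjectAccessSummary -EventXml $sample

# Against the live log (elevated prompt required):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4658,4663} -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() }
# Get-ObjectAccessSummary -EventXml $xml
```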