amendala
asked on
"Audit Object Access" floods the Security Log - Why?
Greetings -
I want to audit when any users read or write to a specific folder. I opened up my Local Security Policy editor and enabled both Success and Failure for the "Audit Object Access" setting.
Now I *DID NOT* go enable auditing on the folder I'm interested in yet! I simply went into the Security Log and found thousands of entries for the SYSTEM account accessing objects. The log was flooded within minutes and kept growing and growing.
What's going on here? Shouldn't I have to turn on auditing for a specific object (i.e. a folder) before anything gets audited?
What is the system looking at here...??? Thoughts?
Auditing is a system-specific setting. You will need to dig through the results in Event Viewer in the Security Log.
Thought you said in your first paragraph "opened up my Local Security Policy editor and enabled both Success and Failure for the 'Audit Object Access' setting"??
Anyway, you now have a feel for how auditing works :) If you audit on successful access you will have tons of records in your log - each successful access has 2 records, one for open and one for close.
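One way to scope auditing to the single folder the question is about, added here as an example that is not part of the original thread. It assumes Windows Vista / Server 2008 or later (where `auditpol` subcategories exist), an English-language system, an elevated prompt, and a placeholder folder path `C:\Data\Audited`.

```powershell
# Added example, not from the thread. $Folder is a placeholder path (assumption).
$Folder = 'C:\Data\Audited'

# 1. Switch off the broad "Object Access" category, then enable only the
#    "File System" subcategory so other object types stop generating events.
#    Names are the English ones; a policy-delivered legacy category setting
#    can override this unless subcategory settings are forced to take precedence.
auditpol /set /category:"Object Access" /success:disable /failure:disable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) to the one folder of interest. Only objects
#    that carry such an entry produce file-access events.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back event 4663 (an attempt was made to access an object) and keep
#    only entries under $Folder, summarised by account and object.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
    -MaxEvents 2000 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $data = @{}
    foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = $data.SubjectUserName
        Object  = $data.ObjectName
        Process = $data.ProcessName
    }
} |
    Where-Object { $_.Object -like "$Folder*" } |
    Group-Object User, Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Running step 3 before steps 1 and 2, without the `Where-Object` filter, shows which accounts and objects account for most of the entries in a flooded log.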