How to stop the Security Log being flooded with Event ID 577?

Posted on 2013-12-16
Last Modified: 2013-12-31
I'm running Windows Server 2003 with a Cluster File Service.
The security log is being flooded with Failure Audit Event ID 577 entries.

Example:
When a user opens a folder on the network drive on this server, it creates about 80 of the exact same log entries at once:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      577
Date:            16.12.2013
Time:            11:30:31
User:            DOMAIN\USER
Computer:      SERVERNAME
Description:
Privileged Service Called:
       Server:            Security
       Service:            -
       Primary User Name:      SERVERNAME$
       Primary Domain:      DOMAIN
       Primary Logon ID:      LOGONID
       Client User Name:      USER
       Client Domain:      DOMAIN
       Client Logon ID:      LOGONID
       Privileges:      SeBackupPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The local policies are set up as below and can't be changed, as they are set by the domain:
Security Option: Audit the use of Backup and Restore privilege - Enabled
Audit Policy: Audit privilege use - Success and Failure
Question by:da2loo

Accepted Solution

by:BlueCompute
ID: 39721865
Audit Policy: Audit privilege use - Success and Failure

So you've turned your auditing up too high and now you can't see the wood for the trees. It's similar to the scenario described in this old KB: http://support.microsoft.com/kb/264769

You can't delete events from the security log, and you've indicated that you are unable to remove the auditing.  Therefore you cannot prevent your log filling up with these entries.

Author Comment

by:da2loo
ID: 39722670
I understand that the Security log will always keep filling up when having the audit privilege use policy enabled, however, the amount being logged seems odd. There's not even space for an entire day of security logs in the 400 MB log file.

One user opening one folder produces 80 event log entries with exactly the same information all at once. Is this normal with these policies enabled?

Any idea what could cause all normal users accessing the files/folders on the server to attempt to use SeBackupPrivilege in the first place?
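
An added example (not from the original thread): Python that measures how much of an exported Security log consists of identical Event ID 577 bursts like the one described above. It assumes the events were copied out as text in the layout quoted in the question; the sample records and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event quoted in the question.
TEMPLATE = """Event Type:      {etype}
Event ID:      {eid}
Date:            16.12.2013
Time:            {time}
Privileged Service Called:
       Client User Name:      {user}
       Client Domain:      DOMAIN
       Privileges:      {priv}
"""
SAMPLE = (
    TEMPLATE.format(etype="Failure Audit", eid=577, time="11:30:31",
                    user="USER", priv="SeBackupPrivilege") * 80
    + TEMPLATE.format(etype="Failure Audit", eid=577, time="11:31:02",
                      user="USER2", priv="SeBackupPrivilege") * 3
    + TEMPLATE.format(etype="Success Audit", eid=576, time="11:31:05",
                      user="USER2", priv="SeChangeNotifyPrivilege")
)

def parse_events(text):
    """Split exported event text into one dict of 'Field: value' pairs per record."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def burst_counts(events):
    """Count identical 577 failure audits per (date, time, client, privilege)."""
    bursts = Counter()
    for e in events:
        if e.get("Event ID") == "577" and e.get("Event Type") == "Failure Audit":
            client = e.get("Client Domain", "?") + "\\" + e.get("Client User Name", "?")
            bursts[(e.get("Date"), e.get("Time"), client, e.get("Privileges"))] += 1
    return bursts

if __name__ == "__main__":
    bursts = burst_counts(parse_events(SAMPLE))
    print(sum(bursts.values()), "failure audits in", len(bursts), "distinct bursts")
    for key, n in bursts.most_common():
        print(n, *key)
```

Comparing the total count with the number of distinct bursts shows how much of the log file is taken up by repeats of the same event.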

Expert Comment

by:BlueCompute
ID: 39722698