How to stop the Security Log being flooded with Event ID 577?

I'm running Windows Server 2003 with a Cluster File Service.
The security log is being flooded with Failure Audit Event ID 577 entries.

Example:
When a user opens a folder on the network drive on this server it creates about 80 exact same log entries at once:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      577
Date:            16.12.2013
Time:            11:30:31
User:            DOMAIN\USER
Computer:      SERVERNAME
Description:
Privileged Service Called:
       Server:            Security
       Service:            -
       Primary User Name:      SERVERNAME$
       Primary Domain:      DOMAIN
       Primary Logon ID:      LOGONID
       Client User Name:      USER
       Client Domain:      DOMAIN
       Client Logon ID:      LOGONID
       Privileges:      SeBackupPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The local policies are Setup as below and can't be changed as set by the Domain:
Security Option: Audit the use of Backup and Restore privilege - Enabled
Audit Policy: Audit privilege use - Success and Failure
da2looAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

BlueComputeCommented:
Audit Policy: Audit privilege use - Success and Failure

SO you've turned your auditing up too high and now you can't see the wood for the trees.  It's similar to the scenario described in this old KB: http://support.microsoft.com/kb/264769

You can't delete events from the security log, and you've indicated that you are unable to remove the auditing.  Therefore you cannot prevent your log filling up with these entries.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
da2looAuthor Commented:
I understand that the Security log will always keep filling up when having the audit privilege use policy enabled, however, the amount being logged seems odd. There's not even space for an entire day of security logs in the 400 MB log file.

One user opening one folder produces 80 event log entries with the exactly same information all at once, is this normal with these policies enabled?

Any idea what could cause all normal users accessing the files/folders on the server attempting to use SeBackupPrivilege in the first place?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.