• Status: Solved
  • Priority: Medium
  • Security: Public
Server 2008 R2: Filtering out a specific event from being logged in the Security log?

I enabled audit access on a file server by following the instructions here: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

It has worked very well. The only issue is that we have a file sync process running on the server which is constantly reading many files. The activity from this process is populating the logs extremely quickly to the point that it is generating several 300MB log files a day.
If just this one software was not included, the logs would not grow so quickly.

How can I configure it so Windows will not log the events started from this one process?
Asked by SeeDk

1 Solution
McKnife commented:
You can setup auditing for certain user groups. Only audit groups that don't contain the account that you use for your sync process.
SeeDk (Author) commented:
We have been using the domain admin account for the sync process. And it is one of the accounts we want to monitor given the level of access it has.
There is no way to filter by process or file name? The process is started by a batch file, can that file be filtered out from logging?
McKnife commented:
Wait, you use the domain admin for a simple sync? Don't. Use another account, think of the least privilege principle. Other accounts can be granted the permissions needed for this task easily.
SeeDk (Author) commented:
I guess it was the easiest way to set it up back when it was done.
It should be simple to change.
So after I create an account just for this process, where do I find the option to edit out this account?
McKnife commented:
"edit out"? What do you mean? I cannot advise how to handle your (unknown) sync software.
The plan is to edit the audit policies so that not everyone is audited. So that new account you switch to for the sync should not be part of the groups that you audit. If at this time you audit the "everyone" group, this obviously needs to be changed.
SeeDk (Author) commented:
Thanks, I get it now. Yeah, I only meant changing the group that is audited, nothing about the sync software.
I have it set as "Everyone" so I need to change this.
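As an added example (not from this thread or from either participant), here is a PowerShell snippet, run from an elevated session on the file server, that does what the accepted answer describes: it removes the explicit "Everyone" audit entries from a shared folder's SACL and replaces them with an entry for a narrower group that does not contain the sync service account. The folder path `D:\Shares\Finance` and the group `CONTOSO\Audited-Users` are placeholders you would substitute with your own.

```powershell
# Added example: narrow a folder's object-access auditing from "Everyone" to one group.
# Assumptions (placeholders, not values from the thread):
#   - $Path is the audited share folder
#   - $AuditGroup is a domain group that holds the accounts you still want watched
#     (e.g. domain admins) but NOT the dedicated low-privilege sync account
# Get-Acl -Audit and Set-Acl on a SACL require SeSecurityPrivilege, so run elevated.
$Path       = 'D:\Shares\Finance'
$AuditGroup = 'CONTOSO\Audited-Users'

# Read the folder's security descriptor including its SACL (audit entries)
$acl = Get-Acl -Path $Path -Audit

# Remove every explicit audit rule that applies to Everyone. Inherited rules
# cannot be removed here; they must be changed on the parent they come from.
$everyone = New-Object System.Security.Principal.NTAccount('Everyone')
$explicitRules = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])
foreach ($rule in @($explicitRules)) {
    if ($rule.IdentityReference -eq $everyone) {
        [void]$acl.RemoveAuditRule($rule)
    }
}

# Audit successful and failed reads, writes and deletes by the narrower group,
# and let the entry flow down to subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$newRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $AuditGroup, $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($newRule)

# Write the modified SACL back to the folder
Set-Acl -Path $Path -AclObject $acl

# Show the resulting audit entries so the change can be verified
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The SACL only decides which principals are audited; the "Audit object access" (or the file system subcategory) policy from the linked guide still has to stay enabled for any 4663 events to be written. Because the sync account is left out of `$AuditGroup`, its reads no longer generate events, while the accounts that remain in the group continue to be logged.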