Gonzalo,

If you are generating object access events too rapidly then you need to re-evaluate your audit policy or your SACL policy.

Event 560 means that an application requested (from the OS) access to an object. You don't give a sample event so I can't say what kind of object is being accessed. Event 562 means that the application released the handle to the object.

Events 560 and 562 are generated when (1) the "Object Access" audit category is enabled for Success or Failure auditing (562 can only be a success audit), AND (2) the object being accessed has a SACL which overlaps with the user requesting access and the actual access that was requested.

The most common reasons that we see large numbers of 560 and 562 events are:

1) [Usually following the recommendation in the NSA guide] The administrator enabled the security policy option "Audit access to base system objects". This causes a SACL to be placed on kernel objects such as mutexes when they are created, and results in a very large number of object access audits being generated during normal operation of the system. Unless you *need* these events, I recommend that you do NOT enable this setting.

2) Flawed SACL policy on the file system or registry, such as a broad SACL (Everyone:Full:S+F) applied at the root of the registry hive or volume and propagated to the entire tree. SACLs should be set very narrowly, only on the objects of interest, and should only audit accesses that represent a threat to system security (for example, a user reading a .INI file for an application is not a threat, a user writing to such a file would be, so an appropriate SACL to monitor this threat would only include specific accesses that imply a write such as WRITE_DATA, WRITE_DAC, and DELETE).

Please let me know if you have any more questions.
Eric Fitzgerald
Program Manager, Windows Auditing & Intrusion Detection
Microsoft Corporation

-----Original Message-----
From: Gonzalo Garcia [mailto:GO_GARCIAat_private]
Sent: Thursday, February 07, 2002 11:46 AM
To: loganalysisat_private
Subject: RE: [logs] NT Logs

<snip>

When I started to test the script I found this problem: the DCs (about 50 country wide) generate logs faster than I can read them; most of them are 560 and 562 events. According to this trend, in a short time I'll be missing many log entries.

Does any of you know the meaning of EventID 560 and EventID 562? When and why are they generated? Is there any way to stop these log events? Would I miss too much information by doing this?

<snip>

The audit policies are:
------------------------
Audit account logon events ( Success, Failure )
Audit account management ( Success, Failure )
Audit directory service access ( Success, Failure )
Audit login events ( Success, Failure )
Audit object access ( Success, Failure )
Audit policy change ( Success, Failure )
Audit privilege use ( Success, Failure )
Audit process tracking ( No auditing )
Audit system events ( Success, Failure )
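Eric's point about narrow SACLs, as an added example that is not part of the original thread: a PowerShell fragment (later tooling than the 2002 discussion assumes) that contrasts the broad Everyone:Full SACL with one limited to write-implying accesses on a placeholder file, C:\App\settings.ini. It assumes you run it as an administrator holding the "Manage auditing and security log" right, and that "Audit object access" is enabled as in Gonzalo's policy.

```powershell
# Added example, not from the original thread. Placeholder path; adjust to taste.
$path = 'C:\App\settings.ini'

# The anti-pattern: Everyone, FullControl, Success+Failure. Every handle opened
# on the file (reads included) yields a 560/562 pair. This is the SACL shape
# that floods the Security log when propagated from a volume or hive root.
$broad = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'FullControl', 'Success,Failure')

# The recommended shape: audit only accesses that imply a write.
# WriteData = WRITE_DATA, ChangePermissions = WRITE_DAC, Delete = DELETE.
# A plain read of the .INI file then generates no object access event.
$narrow = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'WriteData,ChangePermissions,Delete', 'Success,Failure')

# -Audit is required so Get-Acl reads the SACL, not just the DACL.
$acl = Get-Acl -Path $path -Audit

# Drop any existing audit entries for Everyone (the broad rule, if it was
# applied), then add the narrow one. RemoveAuditRuleAll matches on identity.
$null = $acl.RemoveAuditRuleAll($broad)
$acl.AddAuditRule($narrow)
Set-Acl -Path $path -AclObject $acl

# Confirm what is actually on the object before trusting the log volume.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Applying the same rule to a directory with inheritance flags is how this scales, but Eric's advice still holds: set it on the objects of interest, not at the root.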
This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 14:49:20 PST