Security Event Log exploding with 560/562 auditing entries

Mark Z. (Guest)
I'm seeing these 2 events in my Security Event log on a member server
(non-DC) several times each second:

===== 1 =====

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/4/2008
Time: 12:26:53 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Account Manager
Handle ID: 492
Operation ID: {0,808503072}
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe
Primary User Name: SERVER01$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link

Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F

===== 2 =====

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 8/4/2008
Time: 12:26:53 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Handle Closed:
Object Server: Security
Handle ID: 492
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe

===============================


Here's what I've done:
1. Checked the local "Audit: Audit the access of global system objects"
policy - it is confirmed as disabled. GPOs are not changing this auditing
policy either.

2. There is no special auditing set on "C:\Program Files\BMC
Software\CONTROL-M Links\NTAgent\WinNTAgService.exe" or any parent folders.

3. The only auditing set on
"REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security
Account Manager" is Success/Failure on [Set Value/Create Subkey/Delete/Write
DAC/Write Owner] which appears to be a Server 2003 default and is not causing
an issue on another server with a similar config.

The server is rebooted every morning on schedule - this issue has been
ongoing for weeks.
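Added example (not part of the thread, and not BMC or Microsoft code): a small parser for exported 560/562 event text that pairs each Object Open with its Handle Closed by Process ID and Handle ID, counts opens per image file so the process flooding the log stands out, and decodes the Access Mask into the same right names the 560 event lists. The sample log is constructed from the two events in the post, trimmed to the fields the parser uses; the bit values come from the Windows SDK definitions of the standard and registry-key access rights.

```python
import re
from collections import Counter

# Constructed sample modelled on the post's 560/562 pair (trimmed fields).
SAMPLE_LOG = r"""
===== 1 =====

Event ID: 560
Time: 12:26:53 PM
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Account Manager
Handle ID: 492
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link

Access Mask: 0xF003F

===== 2 =====

Event ID: 562
Time: 12:26:53 PM
Handle ID: 492
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe

===============================
"""

# Standard rights (upper 16 bits) and registry-key specific rights (winnt.h),
# named as Server 2003 prints them in the 560 "Accesses:" list.
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
                   0x100000: "SYNCHRONIZE"}
KEY_RIGHTS = {0x1: "Query key value", 0x2: "Set key value",
              0x4: "Create sub-key", 0x8: "Enumerate sub-keys",
              0x10: "Notify about changes to keys", 0x20: "Create Link"}

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s?(.*)$")
DELIM = re.compile(r"^=+ ?\d* ?=+$")


def decode_key_access_mask(mask):
    """Return the right names set in a registry-key access mask, in the
    order the event text lists them; unknown bits are reported, not dropped."""
    names = [n for b, n in list(STANDARD_RIGHTS.items()) + list(KEY_RIGHTS.items())
             if mask & b]
    leftover = mask & ~(sum(STANDARD_RIGHTS) | sum(KEY_RIGHTS))
    if leftover:
        names.append("unknown bits 0x%X" % leftover)
    return names


def parse_events(text):
    """Split '===== n =====' delimited event text into dicts; the multi-line
    'Accesses' block (lines without a colon) becomes a list."""
    events, cur, in_acc = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if DELIM.match(line):
            if cur:
                events.append(cur)
            cur, in_acc = {}, False
        elif cur is None or not line:
            in_acc = False                      # blank line ends the list
        elif (m := FIELD.match(line)):
            key, val = m.group(1), m.group(2).strip()
            in_acc = key == "Accesses"
            cur[key] = [val] if in_acc else val
        elif in_acc:
            cur["Accesses"].append(line)
    if cur:
        events.append(cur)
    return events


def analyze(text):
    """Pair 560 opens with 562 closes on (Process ID, Handle ID) and count
    opens per image; unmatched opens are handles still held or a lost 562."""
    opens, pairs, per_image = {}, [], Counter()
    for ev in parse_events(text):
        key = (ev.get("Process ID"), ev.get("Handle ID"))
        if ev.get("Event ID") == "560":
            opens[key] = ev
            per_image[ev.get("Image File Name", "?")] += 1
        elif ev.get("Event ID") == "562" and key in opens:
            pairs.append((opens.pop(key), ev))
    decoded = {p[0]["Object Name"]: decode_key_access_mask(int(p[0]["Access Mask"], 16))
               for p in pairs if "Access Mask" in p[0]}
    return {"pairs": len(pairs), "unmatched": list(opens.values()),
            "per_image": per_image, "decoded": decoded}


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for image, n in r["per_image"].most_common():
        print(n, image)
    for obj, rights in r["decoded"].items():
        print(obj, "->", ", ".join(rights))
```

The mask 0xF003F is every standard right except SYNCHRONIZE plus all six key-specific rights, i.e. KEY_ALL_ACCESS. That is why the open satisfies the key's default SACL entries (Set Value, Create Subkey, Delete, Write DAC, Write Owner) on every call even if the process only ever reads the key: a success audit fires on the access requested at open time, not on what is later done with the handle. Running the per-image count over a longer export is the quickest way to confirm which process is behind the flood before touching any audit policy.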
 
RE: Security Event Log exploding with 560/562 auditing entries

Figured it out: the agent was receiving a config from the server which was
making it hit the Security log, therefore logging these events due to the
"audit privilege use" policy being enabled for our domain.
