Server 2003 DC Security Log Event 565

Mike55

Hey All,

I've got Directory Service Access auditing turned on for some auditing
software, but the security log fills up with 565 events. I only have Success
turned on for auditing. I've tried increasing the maximum log size, but
there are just too many 565 events - it fills up a 1GB event log in less than
a day.

Any ideas what is causing all the 565 events? I do need auditing turned
on, but with the log filling up so fast, it's almost pointless to collect
useful data.

I've pasted a copy of one of the events below. My domain is carroll.edu
and the DC for this event is HERA.

Thanks!
Mike

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 9/3/2008
Time: 1:12:01 PM
User: CARROLL\administrator
Computer: HERA
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=carroll,DC=edu
Handle ID: 121482008
Operation ID: {0,1134038963}
Process ID: 400
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: HERA$
Primary Domain: CARROLL
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: CARROLL
Client Logon ID: (0x0,0x43980FA5)
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain
Undefined Access (no effect) Bit 6
Undefined Access (no effect) Bit 7
Undefined Access (no effect) Bit 8

Privileges: -

Properties:
---
samServer

Access Mask: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
RE: Server 2003 DC Security Log Event 565

Hi Mike-

These events can occur since that object is read often in the normal course
of AD business by our SAM code. We not auditing the object access of that
object for that reason.

This is documented in a few places:

http://support.microsoft.com/kb/841001

"Keeping the noise down in your security log"
http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx

Hope this helps-

Tim Springston [MSFT]
All postings are provided "AS IS" with no warranties, and confer no rights.
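
An added example, not part of the original thread or of the linked Microsoft articles: before changing what is audited, it helps to confirm which object produces the volume. The sketch below assumes the Security log has been exported as text in the layout pasted in the question; the function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# "Field name: value" lines as they appear in the pasted event text.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_events(text):
    """Split an exported Security log text dump into one dict per event."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # continuation lines (the Accesses list, "---") are skipped
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":  # first field of every record in this layout
            current = {}
            events.append(current)
        if current is not None:
            current.setdefault(key, value)  # keep the first value seen per field
    return events

def noisy_objects(text, event_id="565"):
    """Count events of one ID per (Object Type, Object Name, Client User Name)."""
    tally = Counter()
    for ev in parse_events(text):
        if ev.get("Event ID") == event_id:
            tally[(ev.get("Object Type"), ev.get("Object Name"),
                   ev.get("Client User Name"))] += 1
    return tally.most_common()

# Constructed sample records (not real log data), trimmed to the fields used.
def _record(event_id, obj_type, obj_name, client):
    return (f"Event Type: Success Audit\nEvent ID: {event_id}\n"
            f"Object Type: {obj_type}\nObject Name: {obj_name}\n"
            f"Client User Name: {client}\nAccesses: READ_CONTROL\n"
            "ConnectToServer\n\n")

SAM = "CN=Server,CN=System,DC=carroll,DC=edu"
SAMPLE = (_record("565", "SAM_SERVER", SAM, "Administrator") * 3
          + _record("565", "SAM_DOMAIN", "DC=carroll,DC=edu", "Administrator")
          + _record("538", "-", "-", "Administrator"))

if __name__ == "__main__":
    for (obj_type, obj_name, client), count in noisy_objects(SAMPLE):
        print(f"{count:6d}  {obj_type}  {obj_name}  client={client}")
```

If one object such as the SAM_SERVER entry accounts for nearly all 565 events, that object is the one the reply above refers to.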

 