Event ID 577 & 578 are filling Security Event Logs

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

We have quite a few windows 2000 SP4 systems running that are
continually logging event ID 577 and 578 to the Security Event log . I
understand that a workaround to this is to turn off the privilege use
auditing policy, but this is not possible due to security requirements.
Is anyone aware of a workaround/patch to resolve this issue? It is
causing the event logs to grow to an unmanageable size.

Thanks
Tim
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Privilege use will generate a ton of events in the security log. Review your
policy to see if you can possibly audit only failures instead of success and
failure. If that is not possible you will need to increase the size of the
security logs substantially. I know of no other workaround. -- Steve


"timcapp" <timothy.cappiello@gd-ais.com> wrote in message
news:1114627448.748559.303680@g14g2000cwa.googlegroups.com...
> We have quite a few windows 2000 SP4 systems running that are
> continually logging event ID 577 and 578 to the Security Event log . I
> understand that a workaround to this is to turn off the privilege use
> auditing policy, but this is not possible due to security requirements.
> Is anyone aware of a workaround/patch to resolve this issue? It is
> causing the event logs to grow to an unmanageable size.
>
> Thanks
> Tim
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Also, review the accounts that are generating the event messages.
Often it is not that the privilege is actually being used, but that the
user token is being adjusted to reflect the privilege is granted.
Perhaps accounts are over-allocated rights ?? or individuals
should be using less privileged accounts for "normal" activities.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23Qf6YP4SFHA.2916@TK2MSFTNGP15.phx.gbl...
> Privilege use will generate a ton of events in the security log. Review
your
> policy to see if you can possibly audit only failures instead of success
and
> failure. If that is not possible you will need to increase the size of the
> security logs substantially. I know of no other workaround. -- Steve
>
>
> "timcapp" <timothy.cappiello@gd-ais.com> wrote in message
> news:1114627448.748559.303680@g14g2000cwa.googlegroups.com...
> > We have quite a few windows 2000 SP4 systems running that are
> > continually logging event ID 577 and 578 to the Security Event log . I
> > understand that a workaround to this is to turn off the privilege use
> > auditing policy, but this is not possible due to security requirements.
> > Is anyone aware of a workaround/patch to resolve this issue? It is
> > causing the event logs to grow to an unmanageable size.
> >
> > Thanks
> > Tim
> >
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Thanks for the advice. We currently are only logging audit policy
failures. Our log is growing on some systems by 2-5 MB a day, and
almost all of it is is due to this message. The other problem is that
we need to review these logs weekly, and this message is making that a
very difficult and time consuming process.

Thanks again.

Tim
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

OK. That does not sound like fun. If you have not tried it yet the free
Event Comb from Microsoft may make searching security logs easier for
specific events and text strings. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308471

"timcapp" <timothy.cappiello@gd-ais.com> wrote in message
news:1114683342.965526.159590@f14g2000cwb.googlegroups.com...
> Thanks for the advice. We currently are only logging audit policy
> failures. Our log is growing on some systems by 2-5 MB a day, and
> almost all of it is is due to this message. The other problem is that
> we need to review these logs weekly, and this message is making that a
> very difficult and time consuming process.
>
> Thanks again.
>
> Tim
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Which privilege is it mentioning ? which should be seen
at the end of the event log message.

--
Roger
"timcapp" <timothy.cappiello@gd-ais.com> wrote in message
news:1114683342.965526.159590@f14g2000cwb.googlegroups.com...
> Thanks for the advice. We currently are only logging audit policy
> failures. Our log is growing on some systems by 2-5 MB a day, and
> almost all of it is is due to this message. The other problem is that
> we need to review these logs weekly, and this message is making that a
> very difficult and time consuming process.
>
> Thanks again.
>
> Tim
>
 

Wilson

Distinguished
Apr 24, 2004
42
0
18,530
Archived from groups: microsoft.public.win2000.security (More info?)

Steven, why don't you post a solution? we are not here to be educated on
microsoft's product we have problems and are looking into a solution.
This is a solution http://support.microsoft.com/?kbid=831905 but it is for
XP we need one for windows 2003.
Thanks


"Steven L Umbach" wrote:

> Privilege use will generate a ton of events in the security log. Review your
> policy to see if you can possibly audit only failures instead of success and
> failure. If that is not possible you will need to increase the size of the
> security logs substantially. I know of no other workaround. -- Steve
>
>
> "timcapp" <timothy.cappiello@gd-ais.com> wrote in message
> news:1114627448.748559.303680@g14g2000cwa.googlegroups.com...
> > We have quite a few windows 2000 SP4 systems running that are
> > continually logging event ID 577 and 578 to the Security Event log . I
> > understand that a workaround to this is to turn off the privilege use
> > auditing policy, but this is not possible due to security requirements.
> > Is anyone aware of a workaround/patch to resolve this issue? It is
> > causing the event logs to grow to an unmanageable size.
> >
> > Thanks
> > Tim
> >
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Hi Wilson.

I understand your frustration. I wish I knew a specific solution but I
don't. To say that Windows auditing is quirky would be an understatement.
You might try posting in the forums at the link below for Windows auditing
and security. --- Steve

http://www.auditingwindows.com/cms/index.php

"Wilson" <Wilson@discussions.microsoft.com> wrote in message
news:622B7584-D1F2-4A47-B236-B97B356439DB@microsoft.com...
> Steven, why don't you post a solution? we are not here to be educated on
> microsoft's product we have problems and are looking into a solution.
> This is a solution http://support.microsoft.com/?kbid=831905 but it is for
> XP we need one for windows 2003.
> Thanks
>
>
> "Steven L Umbach" wrote:
>
>> Privilege use will generate a ton of events in the security log. Review
>> your
>> policy to see if you can possibly audit only failures instead of success
>> and
>> failure. If that is not possible you will need to increase the size of
>> the
>> security logs substantially. I know of no other workaround. -- Steve
>>
>>
>> "timcapp" <timothy.cappiello@gd-ais.com> wrote in message
>> news:1114627448.748559.303680@g14g2000cwa.googlegroups.com...
>> > We have quite a few windows 2000 SP4 systems running that are
>> > continually logging event ID 577 and 578 to the Security Event log . I
>> > understand that a workaround to this is to turn off the privilege use
>> > auditing policy, but this is not possible due to security requirements.
>> > Is anyone aware of a workaround/patch to resolve this issue? It is
>> > causing the event logs to grow to an unmanageable size.
>> >
>> > Thanks
>> > Tim
>> >
>>
>>
>>
 

Wilson

Distinguished
Apr 24, 2004
42
0
18,530
Archived from groups: microsoft.public.win2000.security (More info?)

Thank you Steven :)

"Steven L Umbach" wrote:

> Hi Wilson.
>
> I understand your frustration. I wish I knew a specific solution but I
> don't. To say that Windows auditing is quirky would be an understatement.
> You might try posting in the forums at the link below for Windows auditing
> and security. --- Steve
>
> http://www.auditingwindows.com/cms/index.php
>
> "Wilson" <Wilson@discussions.microsoft.com> wrote in message
> news:622B7584-D1F2-4A47-B236-B97B356439DB@microsoft.com...
> > Steven, why don't you post a solution? we are not here to be educated on
> > microsoft's product we have problems and are looking into a solution.
> > This is a solution http://support.microsoft.com/?kbid=831905 but it is for
> > XP we need one for windows 2003.
> > Thanks
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> Privilege use will generate a ton of events in the security log. Review
> >> your
> >> policy to see if you can possibly audit only failures instead of success
> >> and
> >> failure. If that is not possible you will need to increase the size of
> >> the
> >> security logs substantially. I know of no other workaround. -- Steve
> >>
> >>
> >> "timcapp" <timothy.cappiello@gd-ais.com> wrote in message
> >> news:1114627448.748559.303680@g14g2000cwa.googlegroups.com...
> >> > We have quite a few windows 2000 SP4 systems running that are
> >> > continually logging event ID 577 and 578 to the Security Event log . I
> >> > understand that a workaround to this is to turn off the privilege use
> >> > auditing policy, but this is not possible due to security requirements.
> >> > Is anyone aware of a workaround/patch to resolve this issue? It is
> >> > causing the event logs to grow to an unmanageable size.
> >> >
> >> > Thanks
> >> > Tim
> >> >
> >>
> >>
> >>
>
>
>