Windows Server 2008 R2 Thread, Security Logging in Technical
  1. #1

    Security Logging

    I've been having some strange issues with stuff going missing from my network drives. Suspecting that it might be down to someone leaving computers unlocked or a student knowing a staff member's password, I need to log all the file deletions on the network drives.

    Setting the logging up, done. Advanced Auditing options, enabling auditing for certain groups on the folders all sorted and working (I can see it happening).

    The problem is that Windows seems to be logging a huge amount of other information that's filling the security log and making it hard to spot the events I want and impossible to look back more than about an hour. (See Examples below). I can't see obviously where I am auditing this but I could do with it stopping as I'd like, for the minute, just to be logging the file deletions. Any advice?

    Code:
    An attempt was made to access an object.
    
    Subject:
    	Security ID:		SYSTEM
    	Account Name:		<ServerName>
    	Account Domain:		<DomainName>
    	Logon ID:		0x3e7
    
    Object:
    	Object Server:	Security
    	Object Type:	File
    	Object Name:	C:\Windows\SysWOW64\tasklist.exe
    	Handle ID:	0xcf8
    
    Process Information:
    	Process ID:	0x12b4
    	Process Name:	C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    
    Access Request Information:
    	Accesses:	WriteAttributes
    				
    	Access Mask:	0x100
    Event IDs tend to be 4658, 5656, 4663, which are also the ones used when logging information correctly.
    Code:
    The state of a transaction has changed.
    
    
    Subject:
    	Security ID:		NETWORK SERVICE
    	Account Name:		<ServerName>$
    	Account Domain:		<DomainName>
    	Logon ID:		0x3e4
    
    Transaction Information:
    	RM Transaction ID:	{741bb055-5306-11e1-99a7-0026b986e57a}
    	New State:		48
    	Resource Manager:	{c90bc1e3-3b69-11df-a48e-cebb1d34c2c0}
    
    Process Information:
    	Process ID:		0x448
    	Process Name:		C:\Windows\System32\svchost.exe
    Edit: Just trying disabling logging of "Handle Manipulation", which MS suggested that I enable. See how that goes but I'm still open to suggestions.
    Last edited by Stuart_C; 9th February 2012 at 01:53 PM.

  2. #2

    Slight update, I seem to have gotten rid of a lot of the McAfee based logging but I still have far too many incidents of the second example to be fully useful for what I want.

    EDIT: Then again maybe not. Grr...
    Last edited by Stuart_C; 9th February 2012 at 02:02 PM.
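
An added example, not part of the original posts: one way to pull only the deletions out of event descriptions in the layout quoted above, by testing the DELETE bit (0x10000) of the Access Mask, keeping only objects under the audited share and skipping a listed process. The share path `D:\Shares\`, the account `jsmith`, the server name `SERVER1` and the deleted file are constructed for illustration.

```python
import re

DELETE = 0x10000  # DELETE bit of the Windows access mask, reported in "Access Mask"
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(\S.*)$", re.MULTILINE)

def parse_event(message):
    """Map the 'Name:<tab>value' lines of one event description to a dict."""
    return {name.strip(): value.strip() for name, value in FIELD.findall(message)}

def find_deletions(messages, share_root, ignore_processes=()):
    """Return (account, path) for file accesses under share_root that include DELETE."""
    ignored = {p.lower() for p in ignore_processes}
    hits = []
    for message in messages:
        ev = parse_event(message)
        if ev.get("Object Type") != "File":
            continue  # e.g. "The state of a transaction has changed" has no object
        if not int(ev.get("Access Mask", "0"), 16) & DELETE:
            continue  # WriteAttributes (0x100) and other non-delete accesses
        if not ev.get("Object Name", "").lower().startswith(share_root.lower()):
            continue  # system files outside the audited share
        if ev.get("Process Name", "").lower() in ignored:
            continue  # processes the caller chose to skip
        hits.append((ev.get("Account Name"), ev.get("Object Name")))
    return hits

# Constructed sample in the layout quoted in the thread; the server name, account,
# share path and deleted file are made up for illustration.
TEMPLATE = ("An attempt was made to access an object.\n\nSubject:\n"
            "\tAccount Name:\t\t{account}\n\nObject:\n\tObject Type:\tFile\n"
            "\tObject Name:\t{path}\n\nProcess Information:\n"
            "\tProcess Name:\t{process}\n\nAccess Request Information:\n"
            "\tAccesses:\t{access}\n\tAccess Mask:\t{mask}\n")
MCSHIELD = r"C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe"
SAMPLE = [
    TEMPLATE.format(account="SERVER1$", path=r"C:\Windows\SysWOW64\tasklist.exe",
                    process=MCSHIELD, access="WriteAttributes", mask="0x100"),
    TEMPLATE.format(account="jsmith", path=r"D:\Shares\Staff\report.docx",
                    process=r"C:\Windows\explorer.exe", access="DELETE", mask="0x10000"),
    "The state of a transaction has changed.\n\nSubject:\n"
    "\tAccount Name:\t\tSERVER1$\n\nProcess Information:\n"
    "\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\n",
]

if __name__ == "__main__":
    for account, path in find_deletions(SAMPLE, "D:\\Shares\\", [MCSHIELD]):
        print(account, "requested delete access to", path)
```

The mask is tested as a bit field, so an event whose Access Mask combines DELETE with other rights is still reported.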
