Huge number of Event 565, 566 Events
Posted 4/18/2011 9:27:55 AM
Forum Newbie


Group: Forum Members
Last Login: 4/19/2011 5:01:35 AM
Posts: 2, Visits: 2
Hi,

We are receiving a huge number of these events logged under the correlation "This monitors for Changes to the OU and/or GPO settings within AD on a Domain Controller".

All the events are logged as Success Audit.

I would like to know what the security concerns are for which this needs to be logged. I see that it can be turned off, but we are logging it anyway. From an analyst's point of view, what specifically do we need to correlate and look for when we are logging this?

Why is this event caused? I mean, why is a directory access object accessed?

Any help is much needed, as our logs are piling up to 40 MB and reviewing them is difficult.

Post #636
Posted 4/18/2011 6:52:20 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Don't enable Directory Services auditing unless you know what you are doing and have correctly configured your audit policy on OUs and GPOs and at the root of the domain.

I suggest this free webinar http://www.ultimatewindowssecurity.com/webinars/register.aspx?id=35 or my resource kit at http://www.ultimatewindowssecurity.com/securitylog/resourceKits/Default.aspx

Post #637
Posted 4/19/2011 5:05:53 AM
Forum Newbie


Group: Forum Members
Last Login: 4/19/2011 5:01:35 AM
Posts: 2, Visits: 2
OMG, your webinar is awesome.

You just cracked my 20 days of trouble scratching my head over 565/566 events and how to proceed.
I believe the SIEM should create custom alerts that look through these logs for the specified keywords you mentioned in the webinar; that should fix it and send out alerts instead of the complete log.

I believe this should fix the problem. Please comment.

Post #638
Posted 4/19/2011 10:27:51 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Thank you! Just make sure you modify your audit policy in AD Users and Computers on the root of the domain to only audit the Writes to the appropriate properties in OUs, domainDNS and groupPolicyContainer objects, as I think I directed in the webinar. That will really cut down on the number of 565, 566 events you are getting. You may also need resetadsacls - http://www.ultimatewindowssecurity.com/tools/resetadsacls.aspx
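As an added example (not from the thread or its author), here is the kind of SIEM filter the two replies above describe: a Python triage step that parses 565/566-style event bodies and alerts only on write-type access to organizationalUnit, domainDNS and groupPolicyContainer objects, dropping the Read Property noise. The field layout, object names and user names in the samples are constructed and only approximate the real event text.

```python
"""Triage 565/566 Directory Service Access events: alert only on changes to OU, domainDNS and GPO objects."""
from dataclasses import dataclass, field

WATCHED_CLASSES = {"organizationalunit", "domaindns", "grouppolicycontainer"}
WRITE_ACCESSES = {"write property", "write dac", "write owner",
                  "delete", "delete child", "create child"}

@dataclass
class DsAccessEvent:
    event_id: int
    fields: dict = field(default_factory=dict)      # "Object Type" -> value
    properties: list = field(default_factory=list)  # attribute names touched

def parse_event(event_id: int, body: str) -> DsAccessEvent:
    """Parse 'Key:<tab>Value' lines; colon-less lines after 'Properties:' are access headers or attribute names."""
    ev, in_props = DsAccessEvent(event_id), False
    for line in (l.strip() for l in body.splitlines() if l.strip()):
        if in_props and ":" not in line:
            if line.lower() not in WRITE_ACCESSES | {"read property"}:
                ev.properties.append(line)          # keep attribute names only
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        in_props = in_props or key == "Properties"
        if value:
            ev.fields[key] = value
    return ev

def is_change_to_watched_object(ev: DsAccessEvent) -> bool:
    obj_class = ev.fields.get("Object Type", "").lower()
    accesses = {a.strip().lower() for a in ev.fields.get("Accesses", "").split(",")}
    return obj_class in WATCHED_CLASSES and bool(accesses & WRITE_ACCESSES)

def triage(events):
    """One alert line per event that deserves attention; everything else is dropped."""
    return [f"{ev.event_id}: {ev.fields.get('Client User Name', '?')} "
            f"{ev.fields['Accesses']} on {ev.fields.get('Object Name')} attrs={ev.properties}"
            for ev in events if is_change_to_watched_object(ev)]

# Constructed sample bodies approximating the 565/566 layout (not real log data).
OU = "OU=Servers,DC=example,DC=local"
SAMPLE_EVENTS = [
    (565, f"Object Type:\torganizationalUnit\nObject Name:\t{OU}\nClient User Name:\tDC1$\n"
          "Client Domain:\tEXAMPLE\nAccesses:\tRead Property\nProperties:\t---\nRead Property\ngPLink"),
    (565, f"Object Type:\torganizationalUnit\nObject Name:\t{OU}\nClient User Name:\talice\n"
          "Client Domain:\tEXAMPLE\nAccesses:\tWrite Property\nProperties:\t---\nWrite Property\ngPLink"),
    (566, "Object Type:\tgroupPolicyContainer\nObject Name:\tCN={PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local\n"
          "Client User Name:\tbob\nAccesses:\tWrite Property, Write DAC\nProperties:\t---\nWrite Property\nversionNumber"),
    (565, "Object Type:\tuser\nObject Name:\tCN=carol,OU=Staff,DC=example,DC=local\n"
          "Client User Name:\tadmin\nAccesses:\tWrite Property\nProperties:\t---\nWrite Property\ndescription"),
]
```

Of the four constructed samples only the gPLink write on the OU and the versionNumber/DACL write on the GPO container survive; the filter keeps the remainder reviewable, while narrowing the SACL as advised is what actually reduces the volume.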
Post #639