How can I make 578 appear on Windows 2003...
Author
Message
Posted 5/3/2011 8:44:42 AM
Forum Newbie


Group: Forum Members
Last Login: 5/12/2011 7:13:51 AM
Posts: 4, Visits: 16
I want to create an audit trail of who is reading the security event log. I have read that you have to activate "audit privilege use" and look for event 578, but that Windows 2003 does not log that event when viewing the event log. So is there another way to create this audit trail?
Post #655
Posted 5/3/2011 11:05:25 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
What service pack are you running on Win2003?
Post #656
Posted 5/4/2011 2:56:32 AM
Forum Newbie


Group: Forum Members
Last Login: 5/12/2011 7:13:51 AM
Posts: 4, Visits: 16
RandyFranklinSmith (5/3/2011)
What service pack are you running on Win2003?

SP2

Post #657
Posted 5/4/2011 6:35:35 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
You know, I think that changed in SP2 and is no longer logged because they changed the permissions required. What you will see now is an object access event showing that a registry key related to the event log was accessed - each time you view the log.
Post #659
Posted 5/5/2011 7:36:40 AM
Forum Newbie


Group: Forum Members
Last Login: 5/12/2011 7:13:51 AM
Posts: 4, Visits: 16
Ok, thanks a lot. Do you know which registry key to monitor?
Post #665
Posted 5/9/2011 9:41:31 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Had to go try it.  See Object Name below.

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date:  5/9/2011
Time:  9:39:55 AM
User:  CL-T138-370CN\rsmith
Computer: CL-T138-370CN
Description:
Object Open:
  Object Server: Security
  Object Type: Key
  Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
  Handle ID: 556
  Operation ID: {0,228567789}
  Process ID: 8272
  Image File Name: C:\WINDOWS\system32\mmc.exe
  Primary User Name: rsmith
  Primary Domain: CL-T138-370CN
  Primary Logon ID: (0x0,0x1D28086)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses: Set key value
   
  Privileges: -
  Restricted Sid Count: 0
  Access Mask: 0x2


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Post #669
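The check the last reply points to, as an added example (not code from the thread or its participants): it parses Event ID 560 records in the text layout shown above and reports who opened the Security log's registry key and with which program. The sample records are constructed, and accepting any ControlSetNNN number in the key path is an assumption.

```python
import re

# Constructed sample: two Event ID 560 records, trimmed to the fields used here,
# in the text layout shown in the thread (second record is an unrelated key).
SAMPLE = """\
Event ID: 560
Date:  5/9/2011
Time:  9:39:55 AM
Description:
  Object Type: Key
  Object Name: \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Security
  Image File Name: C:\\WINDOWS\\system32\\mmc.exe
  Primary User Name: rsmith
  Primary Domain: CL-T138-370CN

Event ID: 560
Date:  5/9/2011
Time:  9:41:02 AM
Description:
  Object Type: Key
  Object Name: \\REGISTRY\\MACHINE\\SOFTWARE\\Example
  Image File Name: C:\\WINDOWS\\regedit.exe
  Primary User Name: jdoe
  Primary Domain: CL-T138-370CN
"""

# Assumption: the control set number can differ from 001 on other machines.
KEY_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d{3}\\Services\\Eventlog\\Security$", re.I)
# "Name: value" lines; lines with no value (e.g. "Description:") are skipped.
FIELD_RE = re.compile(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*?)[ \t\r]*$")

def parse_events(text):
    """Split exported event text on 'Event ID:' and return one field dict per record."""
    chunks = re.split(r"(?m)^(?=Event ID:)", text)
    return [dict(FIELD_RE.findall(c)) for c in chunks if c.strip()]

def security_log_views(text):
    """Return (date, time, domain\\user, image) for each open of the Security log key."""
    hits = []
    for e in parse_events(text):
        if (e.get("Event ID") == "560" and e.get("Object Type") == "Key"
                and KEY_RE.search(e.get("Object Name", ""))):
            user = e.get("Primary Domain", "?") + "\\" + e.get("Primary User Name", "?")
            hits.append((e.get("Date"), e.get("Time"), user, e.get("Image File Name")))
    return hits

if __name__ == "__main__":
    for hit in security_log_views(SAMPLE):
        print(*hit)
```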
All times are GMT -5:00