Need for logging Event ID 565?
Posted 6/9/2009 9:45:23 AM
Forum Member
Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
I am currently using GFI EventsManager as our SIM and I was wondering what the need is to log Event ID 565 - should I log only failures, or is there a need to log success as well? The reason I ask is that this Event ID is the overwhelming leader in number of events logged (within four days already over 1.6 million events logged).

Thanks,
Jeff
Post #99
Posted 6/9/2009 10:01:36 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
You need to refine your object level audit policy in Active Directory. That means going to the root of the domain in Active Directory Users and Computers, Security tab, Advanced, Audit. At that place configure your audit policy to audit the object types and permissions you desire and then use it to replace the audit policy on all sub-objects.

Normally the only thing I recommend auditing is changes to groupPolicyContainer objects and group policy and ACL related changes to OUs.  My Security Log Resource Kit provides details on this as well as my free webinars at this site.

Post #102
Posted 6/9/2009 1:03:48 PM
Forum Member
Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
Thanks Randy - I will refine the object level audit policy in Active Directory. I have attended your webinars and they are fantastic. I am looking forward to the next webinar on reducing noise.

Thanks,
Jeff

Post #104
Posted 6/9/2009 2:34:44 PM
Forum Member
Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
Randy,

Would the Windows 2008 Security Log Resource Kit provide me with all of the information I'd need to tighten auditing on my Windows DCs?

Thanks,
Jeff
Post #105
Posted 6/10/2009 11:58:51 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
The combo edition has the SLS Interactive Edition which has a chapter/session devoted to AD audit policy.
Post #106
Posted 8/14/2009 1:17:32 PM
Forum Member
Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
Randy,

Is the following Auditing setting the one that generates the excessive 565 event IDs:

Type: Allow; Name: Everyone; Permission: Read All Properties

Thanks,
Jeff
Post #179
Posted 8/16/2009 1:38:26 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Goodness sakes yes! Turn that off.
Post #180
Posted 8/17/2009 9:31:07 AM
Forum Member
Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
Randy,

I think I may have provided the wrong setting in my previous post - I pulled that setting from the Permissions tab, not the Auditing tab. Here is what I have set under the Auditing tab:

Type      Name            Access               Apply To
Success   Everyone        Special
Success   Everyone        Special
Success   Domain Users    All extended rights  This object only
All       Domain users    Special              This object and all des...
Success   Administrators  All extended rights  This object only
Success   Everyone        Special              This object and all des...

Of these, which entry ties to Event ID 565?

Thanks,
Jeff

Post #181
Posted 8/18/2009 5:53:52 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
I can't tell from that because each entry with "Special" means you have to drill down to see which permissions are enabled. If you drill down and look at which permissions are enabled on the Object and Properties tabs you should be able to figure it out.
Post #182
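One way to do the drill-down described above without clicking through each "Special" entry in the GUI, as an added example that is not part of the thread or of any product mentioned in it. It assumes the ActiveDirectory PowerShell module (RSAT) and the privilege to read SACLs; the function name and the Noisy565 column are ours. It expands every audit entry on the domain root into its concrete rights and flags the pattern that produces a 565 for every attribute read: a Success audit that includes ReadProperty and is inherited by descendant objects.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module and
# the "Manage auditing and security log" privilege (to read the SACL).
Import-Module ActiveDirectory

function Get-DomainRootAuditEntries {
    $rootDse  = Get-ADRootDSE
    $domainDN = $rootDse.defaultNamingContext

    # Resolve ObjectType GUIDs to names: schema attributes/classes, plus the
    # control access rights (extended rights) in the configuration partition.
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    # -Audit returns the SACL; GetAuditRules gives explicit and inherited entries
    # with identities rendered as account names (what the GUI shows as "Name").
    $acl   = Get-Acl -Path "AD:\$domainDN" -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        if ($rule.ObjectType -eq [guid]::Empty) { $target = 'All properties/objects' }
        elseif ($guidMap.ContainsKey($rule.ObjectType)) { $target = $guidMap[$rule.ObjectType] }
        else { $target = $rule.ObjectType.ToString() }

        # Success + ReadProperty is what turns ordinary LDAP reads into 565s.
        $readAudited = $rule.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
                       $rule.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)

        [pscustomobject]@{
            Identity   = $rule.IdentityReference.Value
            AuditFlags = $rule.AuditFlags
            Rights     = $rule.ActiveDirectoryRights   # what "Special" actually contains
            ObjectType = $target
            ApplyTo    = $rule.InheritanceType          # None = "This object only"
            Noisy565   = $readAudited -and ($rule.InheritanceType -ne 'None')
        }
    }
}

# Entries flagged Noisy565 are the ones to review first.
Get-DomainRootAuditEntries | Sort-Object Noisy565 -Descending | Format-Table -AutoSize
```

Run it on a domain controller or an RSAT workstation before and after changing the SACL to confirm the ReadProperty success entries are gone.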