Monitoring and reporting for Veeam Backup & Replication, VMware vSphere and Microsoft Hyper-V in a single System Center Operations Manager Console
Ronaldod
Novice
Posts: 4
Liked: never
Joined: Feb 28, 2012 7:54 am
Full Name: Evert
Contact:

windows log flooded

Post by Ronaldod »

After the update to 5.7 the security log is flooded with notifications.
nworks bug or logging too strict?

Example:

An operation was attempted on a privileged object.

Subject:
Security ID: ******\NWorks
Account Name: ******
Account Domain: VEEAM*****
Logon ID: 0x595f8888

Object:
Object Server: Security
Object Type: -
Object Name: -
Object Handle: 0x858

Process Information:
Process ID: 0x1208
Process Name: C:\Program Files\nworks\Enterprise Manager\nworksMCS.exe

Requested Operation:
Desired Access: 2031617
Privileges: SeTakeOwnershipPrivilege
Alec King
VP, Product Management
Posts: 1495
Liked: 382 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: windows log flooded

Post by Alec King »

Hi - I've not seen this error, or heard of this from other customers...
Does the service account for the nworks Enterprise Manager have all the privileges required? (We ask for local Admin - we need to run as a service, log events, access the file system, etc.)
I've asked my team to investigate - will update this thread with any findings.
Thanks!
Alec

Re: windows log flooded

Post by Alec King »

Hi - have confirmed that this is not an issue, it seems that in your environment you have security log Auditing enabled for Privilege Use, both for failure AND success. The above are Success events.
So when we successfully utilise our admin privileges, Windows will log this event. No problem in functionality.
If you wish to remove such events, just update the Privilege Use security policy - probably just to log Failure, not Success.

Hope that helps!
Cheers
Alec

Re: windows log flooded

Post by Ronaldod »

I cannot imagine that we had this in the older version. And as a company policy we need to keep this logged. The problem is that it now creates so many events that even SCOM is backlogging this server, and that is not wanted.

Any other idea than just turning logging off?

Grtz.

Re: windows log flooded

Post by Alec King »

We're currently investigating Enterprise Manager internal architecture and workflows to see why there are so many privilege events - thanks for bringing this to our attention. Will update this thread with any findings.
Meantime, as I said, this does not actually break any functionality; it is purely logging on the Windows side. However, I can see that there are a lot of events. Right now, the only option would be to increase the size of this log and/or the retention policy, to ensure that you do not lose any other security events.
Are you monitoring the security log and/or archiving it to some other storage?

Cheers
Alec

Re: windows log flooded

Post by Ronaldod »

We are using it for monitoring.

Re: windows log flooded

Post by Ronaldod »

Any update on this topic? Otherwise I will log a call with you guys about this issue.

Re: windows log flooded

Post by Alec King »

Hi - We've dived into this, and it seems it is normal behaviour. We use .NET Remoting, and when we check credentials - for Collector connection, for user interaction with the UI, and so on - then Windows does log these security events as part of normal operations, when auditing is turned on.
I can see there are a lot of events, I'd suggest increasing the size of security log to eliminate the possibility of rolling, and perhaps have a scheduled archive-and-clear task on that log.
Let me know if we can answer any further questions - thanks!
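
The steps suggested in this thread, as an added PowerShell example that is not part of the original posts and not Veeam's own tooling: it shows the current Privilege Use audit settings, measures how many of these events come from the nworks process, enlarges the Security log, and archives then clears it. Event ID 4674 is the Windows ID for "An operation was attempted on a privileged object"; the archive folder and the 512 MB size are assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Run elevated on the Enterprise Manager server.
$ProcessName = 'nworksMCS.exe'        # process named in the posted event
$ArchiveDir  = 'D:\SecLogArchive'     # assumption: hypothetical archive folder
$MaxLogBytes = 512MB                  # assumption: hypothetical new log size

# 1. Show the Success/Failure audit settings for the Privilege Use category.
#    (The category name is localized on non-English systems.)
auditpol /get /category:"Privilege Use"

# 2. Measure the flood: 4674 events in the last hour, total and from nworks.
$filter = @{ LogName = 'Security'; Id = 4674; StartTime = (Get-Date).AddHours(-1) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$nworks = @($events | Where-Object { $_.Message -like "*$ProcessName*" })
'{0} events in the last hour, {1} from {2}' -f $events.Count, $nworks.Count, $ProcessName

# 3. Enlarge the Security log so other security events are not overwritten.
#    A Group Policy log-size setting, if present, takes precedence over this.
wevtutil sl Security "/ms:$MaxLogBytes"
wevtutil gl Security                  # confirm the new maxSize

# 4. Archive and clear in one step (suitable for a scheduled task).
#    Clearing writes event 1102 ("The audit log was cleared"),
#    so expect that event to show up in security monitoring.
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$backup = Join-Path $ArchiveDir ('Security-{0:yyyyMMdd-HHmmss}.evtx' -f (Get-Date))
wevtutil cl Security "/bu:$backup"
if ($LASTEXITCODE -ne 0) { throw "wevtutil archive-and-clear exited with code $LASTEXITCODE" }
```

Keep the archived .evtx files on storage covered by the same retention policy as the live log, since the company policy mentioned above requires these events to be kept.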