-
- Novice
- Posts: 4
- Liked: never
- Joined: Feb 28, 2012 7:54 am
- Full Name: Evert
- Contact:
windows log flooded
After the update to 5.7 the security log is flooded with notifications.
Nworks bug or logging too strict?
Example:
An operation was attempted on a privileged object.
Subject:
Security ID: ******\NWorks
Account Name: ******
Account Domain: VEEAM*****
Logon ID: 0x595f8888
Object:
Object Server: Security
Object Type: -
Object Name: -
Object Handle: 0x858
Process Information:
Process ID: 0x1208
Process Name: C:\Program Files\nworks\Enterprise Manager\nworksMCS.exe
Requested Operation:
Desired Access: 2031617
Privileges: SeTakeOwnershipPrivilege
-
- VP, Product Management
- Posts: 1495
- Liked: 382 times
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: windows log flooded
Hi - I've not seen this error, or heard of this from other customers...
Does the service account for the nworks Enterprise Manager have all the privileges required? (We ask for local Admin - we need to run as a service, log events, access the file system, etc.)
I've asked my team to investigate - will update this thread with any findings.
Thanks!
Alec
-
- VP, Product Management
- Posts: 1495
- Liked: 382 times
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: windows log flooded
Hi - have confirmed that this is not an issue, it seems that in your environment you have security log Auditing enabled for Privilege Use, both for failure AND success. The above are Success events.
So when we successfully utilise our admin privileges, Windows will log this event. No problem in functionality.
If you wish to remove such events, just update the Privilege Use security policy - probably just to log Failure, not Success.
Hope that helps!
Cheers
Alec
-
- Novice
- Posts: 4
- Liked: never
- Joined: Feb 28, 2012 7:54 am
- Full Name: Evert
- Contact:
Re: windows log flooded
I cannot imagine that we had this in the older version. And as a company policy we need to keep this logged. Problem is that now it creates so many events that even SCOM is backlogging this server, and that is not wanted.
Any other idea than just turning logging off?
Grtz.
-
- VP, Product Management
- Posts: 1495
- Liked: 382 times
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: windows log flooded
We're currently investigating Enterprise Manager internal architecture and workflows to see why there are so many privilege events - thanks for bringing this to our attention. Will update this thread with any findings.
Meantime - as I said, this does not actually break any functionality, it is purely logging on the Windows side. However, I can see that there are a lot of events... Right now, the only option would be to increase the size of this log and/or the retention policy, to ensure that you do not lose any other security events.
Are you monitoring the security log and/or archiving it to some other storage?
Cheers
Alec
-
- Novice
- Posts: 4
- Liked: never
- Joined: Feb 28, 2012 7:54 am
- Full Name: Evert
- Contact:
Re: windows log flooded
We are using it for monitoring.
-
- Novice
- Posts: 4
- Liked: never
- Joined: Feb 28, 2012 7:54 am
- Full Name: Evert
- Contact:
Re: windows log flooded
Any update on this topic? Else I will log a call with you guys about this issue.
-
- VP, Product Management
- Posts: 1495
- Liked: 382 times
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: windows log flooded
Hi - We've dived into this, and it seems it is normal behaviour. We use .NET remoting, and when we check credentials - for Collector connection, for user interaction with the UI, and so on - then Windows does log these security events as part of normal operations, when auditing is turned on.
I can see there are a lot of events, I'd suggest increasing the size of security log to eliminate the possibility of rolling, and perhaps have a scheduled archive-and-clear task on that log.
Let me know if we can answer any further questions - thanks!
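Added example, not part of the original thread and not Veeam's own tooling: a PowerShell sketch of the checks discussed above (which process is generating the Privilege Use events, what the audit policy currently logs, and the log-size and archive-and-clear steps). Event ID 4674 is the Security-log ID for "An operation was attempted on a privileged object"; the archive path, the 1 GiB size and the function names are assumptions.

```powershell
# Added example; run from an elevated PowerShell session on the affected server.
# Paths, sizes and function names are assumptions, adjust them to your environment.

function Get-PrivilegeUseSummary {
    param([int]$Hours = 1)
    # 4674 = "An operation was attempted on a privileged object"
    $filter = @{ LogName = 'Security'; Id = 4674; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the named <Data> fields of the event into a hashtable.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account    = $fields['SubjectUserName']
            Process    = $fields['ProcessName']
            Privileges = ($fields['PrivilegeList'] -replace '\s+', ' ').Trim()
        }
    } | Group-Object Account, Process, Privileges |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Backup-AndClearSecurityLog {
    param([string]$ArchiveDir = 'D:\LogArchive')   # assumed archive location
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $file = Join-Path $ArchiveDir ("Security-{0:yyyyMMdd-HHmmss}.evtx" -f (Get-Date))
    # /bu writes the backup before clearing; the clear itself is recorded as event 1102.
    wevtutil cl Security "/bu:$file"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    $file
}

# 1. Who is producing the volume? Per the thread, expect nworksMCS.exe near the top.
Get-PrivilegeUseSummary -Hours 1 | Format-Table -AutoSize

# 2. Current Success/Failure setting for the Privilege Use subcategories.
auditpol /get /category:"Privilege Use"

# 3. Current log size and retention, then raise the maximum to 1 GiB (assumed value, in bytes).
wevtutil gl Security
wevtutil sl Security /ms:1073741824

# 4. Call Backup-AndClearSecurityLog from a scheduled task for the archive-and-clear step.
```

The per-process counts from step 1 give the monitoring side a precise account and process name to filter or rate-limit on while Success auditing stays enabled. If the Security log size is set by Group Policy, change it there, since a local wevtutil setting will be overridden.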