windows log flooded


by Ronaldod » Tue Feb 28, 2012 8:00 am

After the update to 5.7 the security log is flooded with notifications.
Nworks bug or logging too strict?

Example:

An operation was attempted on a privileged object.

Subject:
Security ID:******\NWorks
Account Name:******
Account Domain:VEEAM*****
Logon ID:0x595f8888

Object:
Object Server:Security
Object Type:-
Object Name:-
Object Handle:0x858

Process Information:
Process ID:0x1208
Process Name:C:\Program Files\nworks\Enterprise Manager\nworksMCS.exe

Requested Operation:
Desired Access:2031617
Privileges:SeTakeOwnershipPrivilege
Ronaldod
Novice
 
Posts: 4
Liked: never
Joined: Tue Feb 28, 2012 7:54 am
Full Name: Evert

Re: windows log flooded

by Alec King » Tue Feb 28, 2012 2:26 pm

Hi - I've not seen this error, or heard of this from other customers...
Does the service account for the nworks Enterprise Manager have all the privileges required? (We ask for local Admin - we need to run as a service, log events, access the file system, etc.)
I've asked my team to investigate - will update this thread with any findings.
Thanks!
Alec
Alec King
Veeam Software
 
Posts: 700
Liked: 116 times
Joined: Sun Jan 01, 2006 1:01 am

Re: windows log flooded

by Alec King » Tue Feb 28, 2012 4:10 pm

Hi - have confirmed that this is not an issue, it seems that in your environment you have security log Auditing enabled for Privilege Use, both for failure AND success. The above are Success events.
So when we successfully utilise our admin privileges, Windows will log this event. No problem in functionality.
If you wish to remove such events, just update the Privilege Use security policy - probably just to log Failure, not Success.

Hope that helps!
Cheers
Alec

Re: windows log flooded

by Ronaldod » Thu Mar 01, 2012 7:26 am

I cannot imagine that we had this in the older version. And as a company policy we need to keep this logged. The problem is that it now creates so many events that even SCOM is backlogging this server, and that is not wanted.

Any other idea than just turning logging off?

Grtz.

Re: windows log flooded

by Alec King » Thu Mar 01, 2012 8:04 am

We're currently investigating Enterprise Manager internal architecture and workflows to see why there are so many privilege events - thanks for bringing this to our attention. Will update this thread with any findings.
Meantime - as I said, this does not actually break any functionality, it is purely logging on the Windows side. However, I can see that there are a lot of events... Right now, the only option would be to increase the size of this log and/or the retention policy, to ensure that you do not lose any other security events.
Are you monitoring the security log and/or archiving it to some other storage?

Cheers
Alec

Re: windows log flooded

by Ronaldod » Fri Mar 09, 2012 10:18 am

We are using it for monitoring.

Re: windows log flooded

by Ronaldod » Fri Mar 16, 2012 10:10 am

Any update on this topic? Else I will log a call with you guys about this issue.

Re: windows log flooded

by Alec King » Mon Mar 19, 2012 7:21 pm

Hi - We've dived into this, and it seems it is normal behaviour. We use .Net remoting, and when we check credentials - for Collector connection, for user interaction with the UI, and so on - then Windows does log these security events as part of normal operations, when auditing is turned on.
I can see there are a lot of events, I'd suggest increasing the size of security log to eliminate the possibility of rolling, and perhaps have a scheduled archive-and-clear task on that log.
Let me know if we can answer any further questions - thanks!
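
The steps discussed in this thread (check the Privilege Use audit policy, measure the flood, resize the Security log, archive and clear it), as an added PowerShell example that is not part of the original posts or Veeam's tooling. Event ID 4674 is the Windows ID for the "An operation was attempted on a privileged object" message quoted in the first post; `$Hours`, `$ArchiveDir`, the 1 GB size and the function name `Backup-SecurityLog` are assumptions.

```powershell
# Added example: run from an elevated PowerShell prompt on the affected server.
$Hours      = 1                    # assumption: look-back window
$ArchiveDir = 'D:\SecLogArchive'   # hypothetical archive folder (must exist)

# 1. Show whether Privilege Use subcategories audit Success, Failure or both.
auditpol /get /category:"Privilege Use"

# 2. Count 4674 events per account / process / privilege to see who floods the log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4674
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Read the named EventData fields from the event XML instead of parsing text.
    $data = @{}
    foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Account   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Process   = $data.ProcessName
        Privilege = ($data.PrivilegeList -replace '\s+', ' ').Trim()
        Outcome   = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
    }
} | Group-Object Account, Process, Privilege, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 3. Inspect the current Security log limits, then raise the maximum size (bytes).
wevtutil gl Security
wevtutil sl Security /ms:1073741824   # 1 GB, an example value

# 4. Archive-and-clear, suitable for a scheduled task. The backup is written
#    before the log is cleared; nothing is cleared if the folder is missing.
function Backup-SecurityLog {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Archive folder '$Directory' does not exist."
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Directory "Security-$stamp.evtx"
    wevtutil cl Security /bu:"$file"
    return $file
}
# Backup-SecurityLog -Directory $ArchiveDir   # uncomment to archive and clear
```

The grouped output gives the event rate per process, which is the figure needed when sizing the log or deciding whether a monitoring rule should filter one known service account.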

