Windows
krivoruchkomp, 2014-05-27 09:02:37

Why is the Security log full of events after installing Netwrix File Server Audit?

Good day.
I ran into the following problem.
After installing Netwrix File Server Audit, too many events appear in the Security log.
The audit was configured only on one directory, on change events.
However, events about other directories also get into the log, and not only for changes, but also for reading.
The strange thing is, if you disable the Audit policy altogether through Group Policy, nothing happens; events continue to pour into the log.
I suspect Netwrix, since this is the only software installed recently.
Previously, there were no problems with the audit.
I wanted to ask a Netwrix representative, but so far my karma does not allow it :-)
I would be grateful for your help.
OS: Windows Server 2012 R2

2 answer(s)
krivoruchkomp, 2014-05-30
@krivoruchkomp

Received a response from technical support:
Events of the Audit Detailed File Share and Audit Removable Storage categories were found in the Security log. These policies audit access to all shared files and folders regardless of the SACL settings (described in more detail here: technet.microsoft.com/en-us/library/dn319118.aspx), so the folder settings you specify do not affect the number of events.
In order to remove these events, you need to turn off the corresponding policies: either from Security Settings -> Advanced Audit Policy Configuration -> Audit Policy -> Object Access, or completely disable the standard Audit Object Access policy (Security Settings -> Local Policies -> Audit Policy) and configure auditing via Advanced.
Note: You can view the enabled policies through the auditpol /get /category:"Object Access" command.
Netwrix Auditor requires other advanced audit policies. You need to do the following on the servers you want to track changes to:
• Run secpol.msc and go to Security Settings -> Local Policies -> Security Options and set the Audit: Force audit policy subcategory settings (Windows Vista or later) to Enabled.
• Go to Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access and enable the following subcategories: Audit File System and Audit Handle Manipulation.
• Update the group policies through the gpupdate /force command at the command line.
For more information on configuring them through Local Policies or Group Policies, you can refer to our article www.netwrix.com/kb/1266
And it helped.
Thanks for the prompt help!
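
The check described in the support reply above, as an added example that is not part of the original thread or Netwrix's own tooling: it parses the CSV form of the auditpol output and compares the four subcategories against the state the reply asks for. It assumes English subcategory names and treats any setting other than "No Auditing" as enabled; the function names, the sample host name and the registry value name are not from the thread.

```powershell
# Added example (not from the thread): read-only check of the Object Access
# subcategories named in the support reply. Assumes English subcategory names.
$Expected = [ordered]@{
    'Detailed File Share' = $false  # logs every share access, regardless of SACLs
    'Removable Storage'   = $false
    'File System'         = $true   # the two subcategories the reply says to enable
    'Handle Manipulation' = $true
}

function Test-ObjectAccessAudit {
    # $CsvLines: output of  auditpol /get /category:"Object Access" /r
    param([string[]]$CsvLines)
    $rows = $CsvLines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        $enabled = ([bool]$row) -and ($setting -ne 'No Auditing')
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Wanted      = if ($Expected[$name]) { 'enabled' } else { 'No Auditing' }
            Ok          = ($enabled -eq $Expected[$name])
        }
    }
}

function Test-ForceSubcategory {
    # Registry value behind "Audit: Force audit policy subcategory settings";
    # the value name is general Windows knowledge, not taken from the thread.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

# Constructed sample of the CSV output (host name and GUID column are placeholders).
$h = 'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
$sample = @(
    $h
    'FS01,System,File System,{placeholder},Success,'
    'FS01,System,Handle Manipulation,{placeholder},No Auditing,'
    'FS01,System,Detailed File Share,{placeholder},Success and Failure,'
    'FS01,System,Removable Storage,{placeholder},Success,'
)
Test-ObjectAccessAudit $sample | Format-Table -AutoSize
# On a live server, from an elevated prompt:
#   Test-ObjectAccessAudit (auditpol /get /category:"Object Access" /r)
#   Test-ForceSubcategory
```

With the constructed sample, only File System is reported as Ok; the other three rows show the drift that the reply's steps correct.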

NetwrixRu, 2014-05-28
@NetwrixRu

Hello!
Have you contacted our technical support?
Write to [email protected] or [email protected] (two addresses at once).
Engineers will quickly help you figure it out :)
