Getting Data In

active directory monitoring is generating too many audit events in WinEventLog:Security

yannK
Splunk Employee
Splunk Employee

I just turned on a splunk forwarder with the active directory monitoring on my AD server.
Since the windows logs WinEventLogs:Security are generating a large number of audit success events :

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/14/2013 11:55:59 AM
Event ID: 879798
Task Category: Directory Service Access
Level: Information
Keywords: Audit Success
User: N/A
Computer: mydomain.com
Description: An operation was performed on an object.

I am also monitoring the WinEventLogs so those messages are hitting my license volume.
I know that I can filter then out at the indexer level, but this is still traffic.
How to avoid them.

Tags (1)
1 Solution

yannK
Splunk Employee
Splunk Employee

We found the solution : reducing the log level for the audit events in windows to avoid logging the audit success.

We changed the Directory Service Access subcategory to failure instead of success.
see http://support.microsoft.com/kb/232714

View solution in original post

yannK
Splunk Employee
Splunk Employee

We found the solution : reducing the log level for the audit events in windows to avoid logging the audit success.

We changed the Directory Service Access subcategory to failure instead of success.
see http://support.microsoft.com/kb/232714

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!