Getting Data In

active directory monitoring is generating too many audit events in WinEventLog:Security

yannK
Splunk Employee
Splunk Employee

I just turned on a splunk forwarder with the active directory monitoring on my AD server.
Since the windows logs WinEventLogs:Security are generating a large number of audit success events :

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/14/2013 11:55:59 AM
Event ID: 879798
Task Category: Directory Service Access
Level: Information
Keywords: Audit Success
User: N/A
Computer: mydomain.com
Description: An operation was performed on an object.

I am also monitoring the WinEventLogs so those messages are hitting my license volume.
I know that I can filter then out at the indexer level, but this is still traffic.
How to avoid them.

Tags (1)
1 Solution

yannK
Splunk Employee
Splunk Employee

We found the solution : reducing the log level for the audit events in windows to avoid logging the audit success.

We changed the Directory Service Access subcategory to failure instead of success.
see http://support.microsoft.com/kb/232714

View solution in original post

yannK
Splunk Employee
Splunk Employee

We found the solution : reducing the log level for the audit events in windows to avoid logging the audit success.

We changed the Directory Service Access subcategory to failure instead of success.
see http://support.microsoft.com/kb/232714

Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...