enormous amounts of EventCode=4674

saschar · ‎04-24-2013

Hello everybody,

i have a server that produces per minute 13000 security logs with the EventCode=4674 (An operation was attempted on a privileged object).
what is the problem and how can i fix it?

yannK · ‎12-31-2013

You can filter those EventCodes out

see Additional method to filter since Splunk 6.*
http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes

mykol_j · ‎08-20-2024

(how do I give negative Karma?)

sbrant_splunk · ‎04-24-2013

One option is to adjust your object-level auditing in Windows to a more appropriate level, if this is too verbose.

kristian_kolb · ‎04-24-2013

That option sure is the correct way to cure the symptom - and maybe also the disease. Even if there are a looot of events on a windows box, there might be just about nothing going on... 🙂

/k

sbrant_splunk · ‎04-24-2013

touche. I did say ONE option though 😉

kristian_kolb · ‎04-24-2013

mhmm, and perhaps figure out WHICH object, WHAT operation and WHO did (attempt) it. Just to be sure, mkay?

enormous amounts of EventCode=4674

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation

enormous amounts of EventCode=4674

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!