enormous amounts of EventCode=4674

saschar · ‎04-24-2013

Hello everybody,

i have a server that produces per minute 13000 security logs with the EventCode=4674 (An operation was attempted on a privileged object).
what is the problem and how can i fix it?

yannK · ‎12-31-2013

You can filter those EventCodes out

see Additional method to filter since Splunk 6.*
http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes

mykol_j · ‎08-20-2024

(how do I give negative Karma?)

sbrant_splunk · ‎04-24-2013

One option is to adjust your object-level auditing in Windows to a more appropriate level, if this is too verbose.

kristian_kolb · ‎04-24-2013

That option sure is the correct way to cure the symptom - and maybe also the disease. Even if there are a looot of events on a windows box, there might be just about nothing going on... 🙂

/k

sbrant_splunk · ‎04-24-2013

touche. I did say ONE option though 😉

kristian_kolb · ‎04-24-2013

mhmm, and perhaps figure out WHICH object, WHAT operation and WHO did (attempt) it. Just to be sure, mkay?

enormous amounts of EventCode=4674

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

enormous amounts of EventCode=4674

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+