Hello everybody,
I have a server that produces 13,000 security logs per minute with EventCode=4674 (An operation was attempted on a privileged object).
What is the problem and how can I fix it?
You can filter those EventCodes out.
See "Additional method to filter since Splunk 6.*":
http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes
(how do I give negative Karma?)
One option is to adjust your object-level auditing in Windows to a more appropriate level, if this is too verbose.
That option sure is the correct way to cure the symptom - and maybe also the disease. Even if there are a looot of events on a windows box, there might be just about nothing going on... 🙂
/k
Touché. I did say ONE option though 😉
mhmm, and perhaps figure out WHICH object, WHAT operation and WHO did (attempt) it. Just to be sure, mkay?
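One way to do the triage this last reply suggests, as an added example that is not from the thread: it parses constructed 4674 events written in a key=value form (the field names follow the event's own labels, but that input format is an assumption) and ranks which account, process and privilege produce the volume, so you can tell whether to narrow the audit policy or just drop the event at the input.

```python
"""Rank the sources of a flood of Windows Security event 4674.

Added example, not from the thread. Event lines are constructed here in a
key=value layout; real events would be pulled from Splunk or the event log.
"""
from collections import Counter
import re

# Constructed sample: a burst of 13,000/min usually means one service
# touching one object over and over, plus a little genuine admin activity.
SAMPLE_EVENTS = r"""
EventCode=4674 Account_Name=svc-backup Process_Name=C:\Program Files\Backup\agent.exe Object_Name=\Device\HarddiskVolume2 Privileges=SeBackupPrivilege
EventCode=4674 Account_Name=svc-backup Process_Name=C:\Program Files\Backup\agent.exe Object_Name=\Device\HarddiskVolume2 Privileges=SeBackupPrivilege
EventCode=4674 Account_Name=svc-backup Process_Name=C:\Program Files\Backup\agent.exe Object_Name=\Device\HarddiskVolume3 Privileges=SeBackupPrivilege
EventCode=4674 Account_Name=jdoe Process_Name=C:\Windows\System32\mmc.exe Object_Name=- Privileges=SeSecurityPrivilege
EventCode=4672 Account_Name=SYSTEM Privileges=SeTcbPrivilege
"""

# key=value pairs whose values may contain spaces (e.g. "Program Files"):
# a value runs until the next " key=" token or the end of the line.
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict of fields."""
    return dict(_PAIR.findall(line.strip()))


def count_4674(text: str) -> int:
    """How many of the lines are event 4674 at all."""
    return sum(1 for l in text.strip().splitlines()
               if parse_event(l).get("EventCode") == "4674")


def rank_4674(text: str, top: int = 3):
    """Group 4674 events by (account, process, privilege) and return the
    noisiest combinations. A single dominant tuple points at one service
    whose auditing can be narrowed; a flat spread suggests a policy issue."""
    by_source = Counter()
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventCode") != "4674":
            continue  # ignore other codes (4672 etc.) mixed into the feed
        key = (ev.get("Account_Name"), ev.get("Process_Name"),
               ev.get("Privileges"))
        by_source[key] += 1
    return by_source.most_common(top)


if __name__ == "__main__":
    print(f"{count_4674(SAMPLE_EVENTS)} events with EventCode=4674")
    for (who, proc, priv), n in rank_4674(SAMPLE_EVENTS):
        print(f"{n:>6}  {who}  {proc}  {priv}")
```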