enormous amounts of EventCode=4674

saschar · ‎04-24-2013

Hello everybody,

i have a server that produces per minute 13000 security logs with the EventCode=4674 (An operation was attempted on a privileged object).
what is the problem and how can i fix it?

yannK · ‎12-31-2013

You can filter those EventCodes out

see Additional method to filter since Splunk 6.*
http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes

mykol_j · ‎08-20-2024

(how do I give negative Karma?)

sbrant_splunk · ‎04-24-2013

One option is to adjust your object-level auditing in Windows to a more appropriate level, if this is too verbose.

kristian_kolb · ‎04-24-2013

That option sure is the correct way to cure the symptom - and maybe also the disease. Even if there are a looot of events on a windows box, there might be just about nothing going on... 🙂

/k

sbrant_splunk · ‎04-24-2013

touche. I did say ONE option though 😉

kristian_kolb · ‎04-24-2013

mhmm, and perhaps figure out WHICH object, WHAT operation and WHO did (attempt) it. Just to be sure, mkay?

enormous amounts of EventCode=4674

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

enormous amounts of EventCode=4674

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform