
    enormous amounts of EventCode=4674

    saschar
    New Member

    Hello everybody,

    I have a server that produces 13000 security logs per minute with EventCode=4674 (An operation was attempted on a privileged object).
    What is the problem and how can I fix it?


    yannK
    Splunk Employee

    You can filter those EventCodes out

    See "Additional method to filter since Splunk 6.*":
    http://answers.splunk.com/answers/116817/filter-wineventlog-events-based-on-the-eventcodes
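    As an added illustration of the filtering approach (not code from the thread or from Splunk's own documentation), this is what the drop rule looks like in inputs.conf on the forwarder that reads the Security log. The simple form drops every 4674; the field-matching form, available since Splunk 6, drops only the 4674 events that name an assumed noisy process, so the remaining 4674 events still tell you who attempted what on which object. The process path is a constructed placeholder.

    ```ini
    # inputs.conf on the Windows forwarder (added example, not from the thread).
    # Stanza name is the standard Security event log input.
    [WinEventLog://Security]
    disabled = 0

    # Coarse option: drop every event with EventCode 4674 before indexing.
    # Commented out here because it also hides the 4674 events that show
    # genuine privileged-object access; uncomment only if that is acceptable.
    # blacklist = 4674

    # Narrower option (Splunk 6 and later): match on EventCode and on a regex
    # over the event text. This drops 4674 only when the event's "Process Name"
    # line names the service binary assumed to generate the bulk of the volume.
    # The path is a constructed placeholder; confirm the real source first by
    # searching the 4674 events by account, process and object name.
    blacklist1 = EventCode="4674" Message="Process Name:\s+C:\\Windows\\System32\\svchost\.exe"
    ```

    A numbered blacklistN key (1 to 9) holds one rule each, and the rules apply only to the stanza they sit in; restart the forwarder after editing.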

    mykol_j
    Communicator

    (how do I give negative Karma?)


    sbrant_splunk
    Splunk Employee

    One option is to adjust your object-level auditing in Windows to a more appropriate level, if this is too verbose.

    kristian_kolb
    Ultra Champion

    That option sure is the correct way to cure the symptom - and maybe also the disease. Even if there are a looot of events on a Windows box, there might be just about nothing going on... 🙂

    /k


    sbrant_splunk
    Splunk Employee

    Touché. I did say ONE option though 😉


    kristian_kolb
    Ultra Champion

    Mhmm, and perhaps figure out WHICH object, WHAT operation and WHO did (attempt) it. Just to be sure, mkay?
