
Windows Object Access Audit - Multiple 560 Events


Hello,

I've enabled object access success auditing for a folder in Windows 2003 and
I'm having the following problem: every time a user successfully opens
a folder, many identical Object Open events (560) are generated
for the same user/folder.
Is this normal behaviour? Is there a way to filter this within
Sentinel?

I'm using the Snare agent for syslog.

Thanks in Advance


--
mmarchese
------------------------------------------------------------------------
mmarchese's Profile: https://forums.netiq.com/member.php?userid=1311
View this thread: https://forums.netiq.com/showthread.php?t=52599


Re: Windows Object Access Audit - Multiple 560 Events

My personal experience is that most of the "are the events I'm getting
correct?" questions, whether that's many events, or odd-looking events, or
missing events, can be best answered either by the vendor or, on the
Sentinel side, by looking at a Raw Data Tap or Connector Dump. Both are
set/accessed within Event Source Management (ESM) and show you exactly
what Sentinel receives right after it gets off the wire and gets into the
Sentinel system. If you see a bunch of events for a given operation, then
the next step is to try to tune the Windows side. If events are missing,
you'll see that lack of events by nothing (relevant) coming through the
raw data tap, or ending up in the connector dump. If events look weird in
Sentinel, then you can at least confirm how they come in and then start
using the debugger to see how they are parsed.

When it comes to filesystem events in particular, be prepared for an
onslaught of noise for every millionth piece of useful data. Depending on
how the directory is accessed, and what the client accessing it is doing
to be helpful to the end user (peeking in subdirectories to render
appropriate preview icons on them, opening files to render their previews,
etc.) you may be doing a lot more than "going into a directory" when you
access a directory. It may be worthwhile to try a command line equivalent
since, in that case, you're able to control the actual interactions much
better (because the CLI doesn't try to do silly stuff like show you
previews, or open multiple files/directories to show those previews).

--
Good luck.

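A defender-side illustration of the duplicate-560 noise discussed in this thread, added here and not part of either post: it parses constructed Snare-like tab-separated syslog lines (the field layout and the folder names are assumptions, not a real capture) and collapses bursts of identical Object Open events for the same user and object into one record with a count, the kind of aggregation one would apply before or inside Sentinel instead of treating each duplicate as a separate finding.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)          # identical events closer than this form one burst
OBJECT_RE = re.compile(r"Object Name:\s*(.+?)\s*$")

def snare_line(counter, stamp, event_id, user, folder):
    """Build one constructed Snare-style tab-separated line (field layout is an assumption)."""
    return "\t".join(["fs01", "MSWinEventLog", "1", "Security", str(counter), stamp, event_id,
                      "Security", user, "User", "Success Audit", "FS01", "Object Access",
                      "Object Open: Object Name: " + folder])

# Constructed sample: one Explorer visit to a folder yields a burst of 560s, a 562 (handle
# closed) that must be ignored, another user's folder, and a later revisit by the first user.
SAMPLE = "\n".join([
    snare_line(101, "Mon Mar 02 10:15:01 2009", "560", "CORP\\alice", "D:\\Shares\\Finance"),
    snare_line(102, "Mon Mar 02 10:15:01 2009", "560", "CORP\\alice", "D:\\Shares\\Finance"),
    snare_line(103, "Mon Mar 02 10:15:02 2009", "562", "CORP\\alice", "D:\\Shares\\Finance"),
    snare_line(104, "Mon Mar 02 10:15:02 2009", "560", "CORP\\alice", "D:\\Shares\\Finance"),
    snare_line(105, "Mon Mar 02 10:15:40 2009", "560", "CORP\\bob", "D:\\Shares\\HR"),
    snare_line(106, "Mon Mar 02 10:16:30 2009", "560", "CORP\\alice", "D:\\Shares\\Finance"),
])

def parse_560(line):
    """Return (timestamp, user, object_name) for an event 560 line, else None."""
    f = line.split("\t")
    if len(f) < 14 or f[6] != "560":
        return None
    ts = datetime.strptime(f[5], "%a %b %d %H:%M:%S %Y")
    m = OBJECT_RE.search(f[13])
    return ts, f[8], (m.group(1) if m else "<unknown>")

def collapse_560(text, window=WINDOW):
    """Collapse same-user, same-object 560s arriving within `window` (lines in time order)."""
    bursts, current = [], {}          # current: (user, object) -> index of its open burst
    for line in text.splitlines():
        rec = parse_560(line)
        if rec is None:
            continue
        ts, user, obj = rec
        idx = current.get((user, obj))
        if idx is not None and ts - bursts[idx]["last"] <= window:
            bursts[idx]["count"] += 1
            bursts[idx]["last"] = ts
        else:
            bursts.append({"user": user, "object": obj, "first": ts, "last": ts, "count": 1})
            current[(user, obj)] = len(bursts) - 1
    return bursts
```

On the sample, the three 560s from alice's first visit become one record with count 3, while bob's access and alice's later revisit (outside the window) stay separate.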