Focus on Microsoft
Re: Windows event logs to filter/ignore Sep 22 2010 03:21PM
diciccone ppg com
Hi, you may consider to change your policy to no longer audit the success of privilege use. See http://support.microsoft.com/kb/264769 .

576 event log exercise of rights, being nice to have to track some Administrative logons. The event is the same no matter the object is (user or computer accounts).

You may keep your policy and :

- filter out the event 576 when the user last caracter is $ (SeSecurityPrivilege)

- filter out Computer's event related: filter the event 576 when the user is SYSTEM. (all others Se....Privilege)

christophe

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus