Event ID 577 & 578 are filling Security Event Logs

Archived from groups: microsoft.public.win2000.security

We have quite a few Windows 2000 SP4 systems running that are
continually logging event ID 577 and 578 to the Security Event log. I
understand that a workaround to this is to turn off the privilege use
auditing policy, but this is not possible due to security requirements.
Is anyone aware of a workaround/patch to resolve this issue? It is
causing the event logs to grow to an unmanageable size.

Thanks
Tim
  1. Archived from groups: microsoft.public.win2000.security

    Privilege use will generate a ton of events in the security log. Review your
    policy to see if you can possibly audit only failures instead of success and
    failure. If that is not possible you will need to increase the size of the
    security logs substantially. I know of no other workaround. -- Steve


    "timcapp" <timothy.cappiello@gd-ais.com> wrote in message
    news:1114627448.748559.303680@g14g2000cwa.googlegroups.com...
    > We have quite a few Windows 2000 SP4 systems running that are
    > continually logging event ID 577 and 578 to the Security Event log. I
    > understand that a workaround to this is to turn off the privilege use
    > auditing policy, but this is not possible due to security requirements.
    > Is anyone aware of a workaround/patch to resolve this issue? It is
    > causing the event logs to grow to an unmanageable size.
    >
    > Thanks
    > Tim
    >
  2. Archived from groups: microsoft.public.win2000.security

    Also, review the accounts that are generating the event messages.
    Often it is not that the privilege is actually being used, but that the
    user token is being adjusted to reflect the privilege is granted.
    Perhaps accounts are over-allocated rights? Or individuals
    should be using less privileged accounts for "normal" activities.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:%23Qf6YP4SFHA.2916@TK2MSFTNGP15.phx.gbl...
    > Privilege use will generate a ton of events in the security log. Review your
    > policy to see if you can possibly audit only failures instead of success and
    > failure. If that is not possible you will need to increase the size of the
    > security logs substantially. I know of no other workaround. -- Steve
  3. Archived from groups: microsoft.public.win2000.security

    Thanks for the advice. We currently are only logging audit policy
    failures. Our log is growing on some systems by 2-5 MB a day, and
    almost all of it is due to this message. The other problem is that
    we need to review these logs weekly, and this message is making that a
    very difficult and time consuming process.

    Thanks again.

    Tim
  4. Archived from groups: microsoft.public.win2000.security

    OK. That does not sound like fun. If you have not tried it yet the free
    Event Comb from Microsoft may make searching security logs easier for
    specific events and text strings. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;308471

    "timcapp" <timothy.cappiello@gd-ais.com> wrote in message
    news:1114683342.965526.159590@f14g2000cwb.googlegroups.com...
    > Thanks for the advice. We currently are only logging audit policy
    > failures. Our log is growing on some systems by 2-5 MB a day, and
    > almost all of it is due to this message. The other problem is that
    > we need to review these logs weekly, and this message is making that a
    > very difficult and time consuming process.
    >
    > Thanks again.
    >
    > Tim
    >
  5. Archived from groups: microsoft.public.win2000.security

    Which privilege is it mentioning? It should be seen
    at the end of the event log message.

    --
    Roger
    "timcapp" <timothy.cappiello@gd-ais.com> wrote in message
    news:1114683342.965526.159590@f14g2000cwb.googlegroups.com...
    > Thanks for the advice. We currently are only logging audit policy
    > failures. Our log is growing on some systems by 2-5 MB a day, and
    > almost all of it is due to this message. The other problem is that
    > we need to review these logs weekly, and this message is making that a
    > very difficult and time consuming process.
    >
    > Thanks again.
    >
    > Tim
    >
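
Added example (not part of the thread or any poster's code): a Python sketch of the review suggested in replies 2 and 5, tallying 577/578 events by account and privilege so the noisiest pair stands out. The event descriptions are constructed samples that assume the usual "Label: value" layout of these events; `make_desc`, the domain and the account names are hypothetical.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def make_desc(header, primary, client, privileges):
    """Build a constructed 577/578 description (assumed layout, sample data)."""
    return (f"{header}:\n\tPrimary User Name:\t{primary}\n\tPrimary Domain:\tEXAMPLE\n"
            f"\tClient User Name:\t{client}\n\tClient Domain:\tEXAMPLE\n"
            f"\tPrivileges:\t" + "\n\t\t\t".join(privileges))

# Constructed sample log: (event ID, description text) pairs.
SAMPLE_EVENTS = (
    [(577, make_desc("Privileged Service Called", "WKS01$", "svc_backup",
                     ["SeBackupPrivilege", "SeRestorePrivilege"]))] * 6
    + [(578, make_desc("Privileged object operation", "WKS01$", "-",
                       ["SeSecurityPrivilege"]))] * 3
    + [(577, make_desc("Privileged Service Called", "WKS01$", "jdoe", ["SeTcbPrivilege"]))]
    + [(528, "Successful Logon:\n\tUser Name:\tjdoe")]  # unrelated event, ignored
)

def parse_description(text):
    """Split a description into fields; privileges may continue on later lines."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last == "Privileges" and line.strip():
            fields[last] += " " + line.strip()
    return fields

def account_of(fields):
    """Prefer the client account; fall back to the primary when the client is '-'."""
    for who in ("Client", "Primary"):
        user = fields.get(who + " User Name", "-")
        if user and user != "-":
            return fields.get(who + " Domain", "?") + "\\" + user
    return "unknown"

def tally(events):
    """Count 577/578 events per (event ID, account, privilege)."""
    counts = Counter()
    for event_id, description in events:
        if event_id in (577, 578):
            fields = parse_description(description)
            for priv in fields.get("Privileges", "").split() or ["(none)"]:
                counts[(event_id, account_of(fields), priv)] += 1
    return counts

def report(counts):
    """Rows of (event ID, account, privilege, count, percent), noisiest first."""
    total = sum(counts.values())
    return [(e, a, p, n, round(100 * n / total)) for (e, a, p), n in counts.most_common()]
```
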
  6. Archived from groups: microsoft.public.win2000.security

    Steven, why don't you post a solution? We are not here to be educated on
    Microsoft's product; we have problems and are looking into a solution.
    This is a solution, http://support.microsoft.com/?kbid=831905, but it is for
    XP; we need one for Windows 2003.
    Thanks


    "Steven L Umbach" wrote:

    > Privilege use will generate a ton of events in the security log. Review your
    > policy to see if you can possibly audit only failures instead of success and
    > failure. If that is not possible you will need to increase the size of the
    > security logs substantially. I know of no other workaround. -- Steve
  7. Archived from groups: microsoft.public.win2000.security

    Hi Wilson.

    I understand your frustration. I wish I knew a specific solution but I
    don't. To say that Windows auditing is quirky would be an understatement.
    You might try posting in the forums at the link below for Windows auditing
    and security. --- Steve

    http://www.auditingwindows.com/cms/index.php

    "Wilson" <Wilson@discussions.microsoft.com> wrote in message
    news:622B7584-D1F2-4A47-B236-B97B356439DB@microsoft.com...
    > Steven, why don't you post a solution? We are not here to be educated on
    > Microsoft's product; we have problems and are looking into a solution.
    > This is a solution, http://support.microsoft.com/?kbid=831905, but it is for
    > XP; we need one for Windows 2003.
    > Thanks
  8. Archived from groups: microsoft.public.win2000.security

    Thank you Steven :-)

    "Steven L Umbach" wrote:

    > Hi Wilson.
    >
    > I understand your frustration. I wish I knew a specific solution but I
    > don't. To say that Windows auditing is quirky would be an understatement.
    > You might try posting in the forums at the link below for Windows auditing
    > and security. --- Steve
    >
    > http://www.auditingwindows.com/cms/index.php