Hi guys, need a little help here if possible. I have an issue that is driving me mad and I am unsure how to fix it, despite me spending many hours trying to research it. TL;DR at the bottom.
A quick rundown of what is happening.
We have a device on the network which integrates with AD to look up user information whenever they do something on the network. Every time the device connects to AD an audit success for logon (4624), special logon (4672), credential validation (4776) and logoff (4634) are registered in the security event log. Even with a reasonably low amount of network usage this is currently flooding the event log with about 20 entries every second, meaning that at its current maximum log size of 128MB, it is filled in about 2.5 hours. This makes tracking down real security issues an impossibility.
Now, I am aware that I can either increase the maximum log size (not really the answer) or stop logging these event IDs completely (not an option in my mind as they are otherwise useful), but what I have failed to find out is if I can stop a particular device from being logged in the security event log.
I have contacted the device manufacturer and they advise that this issue is not in their domain (pun not intended I assume) and my Google-Fu has let me down in trying to find the answer I need.
So, the actual question and the TL;DR version:
Can I limit logging in Event Viewer for a particular device on the network, rather than limiting logging for an entire Event ID which would otherwise be useful?
A serious amount of kudos and cookies (virtual ones) to anyone who can help me!
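An added example, not from the original post or the device vendor: a PowerShell snippet for the situation described above. It first measures how much of the Security log the four event IDs (4624, 4672, 4776, 4634) account for and which source address / account combinations dominate, then shows an XPath query that hides the device's 4624 events in a Get-WinEvent query or an Event Viewer custom view without touching the audit policy that generates them. The address 192.0.2.10 is a placeholder for the device, and the script assumes it is run in an elevated session on the domain controller whose log is being flooded.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the DC
# whose Security log is being flooded. $DeviceIp is a placeholder for the device's address.
$DeviceIp = '192.0.2.10'
$NoisyIds = 4624, 4672, 4776, 4634
$Since    = (Get-Date).AddMinutes(-10)

$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $NoisyIds; StartTime = $Since } -ErrorAction SilentlyContinue)

# Flatten each event's EventData into name/value pairs. The field that identifies the
# source differs per ID: 4624 carries IpAddress, 4776 carries Workstation, and
# 4672 / 4634 carry only an account name, so correlate on the account as well.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
    [pscustomobject]@{
        Id      = $e.Id
        Source  = if ($data['IpAddress']) { $data['IpAddress'] } elseif ($data['Workstation']) { $data['Workstation'] } else { '-' }
        Account = if ($data['TargetUserName']) { $data['TargetUserName'] } elseif ($data['SubjectUserName']) { $data['SubjectUserName'] } else { '-' }
    }
}

# Top offenders: which ID / source / account combinations dominate the window
$rows | Group-Object Id, Source, Account | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Overall event rate and the device's share of it (matches on the 4624 IpAddress field)
$seconds    = ((Get-Date) - $Since).TotalSeconds
$fromDevice = @($rows | Where-Object { $_.Source -eq $DeviceIp }).Count
'{0} events in {1:N0}s = {2:N1}/s; {3} ({4:P0}) are 4624 logons from {5}' -f `
    $events.Count, $seconds, ($events.Count / $seconds), $fromDevice,
    ($fromDevice / [math]::Max($events.Count, 1)), $DeviceIp

# The same log with the device hidden, expressed as an XPath filter. This does not stop the
# events being written (the audit policy has no per-source exclusion); it keeps them out of
# the view you work in. The query can be pasted into the XML tab of an Event Viewer custom view.
$xpath = "*[System[(EventID=4624)]] and *[EventData[Data[@Name='IpAddress'] != '$DeviceIp']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

The first half gives you numbers to put in front of the vendor (events per second, and what fraction is attributable to their device); the second half is the practical workaround for day-to-day triage, since the exclusion is applied when reading the log rather than when writing it.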