Security Event Logs Filling With Removable Storage (4658 & 4663) and Filtering Platform Connection (5156)

  • Question

  • Servers in our environment have their security logs filled very quickly with a few event IDs. At first I thought it was a GPO, but I cannot find a GPO pushing Audit Filtering Platform or anything in the Security Settings / Advanced Audit Policy. When I look at the local policy on our boxes, they all show "Not Configured" for these policies. I am scratching my head as to how these audits are being enabled; I need to either disable or reduce the verbosity because my logs are filling up in seconds.
    Thursday, 23 July 2020 21:23

All replies

  • Hello
    Thank you for posting here.

    1. On the machines where we can see these event IDs (4663, 4658 and 5156), we can check the status of the related audit policy settings with the following command.
    auditpol /get /category:*

    For example:


    2. We can also check whether we configured the related audit policy settings through the gpresult file.

    Log on to the machine where we can see these event IDs (4663, 4658 and 5156) as Administrator.
    Open CMD (run as Administrator), type gpresult /h C:\audit.html and press Enter.
    Then open audit.html and check the audit settings (including domain policy settings and local policy settings) under “Computer Details”; check whether the settings “Audit Removable Storage” and “Audit Filtering Platform Connection” are present.

    For example:



    This "Group Policy" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 

    Best Regards,
    Daisy Zhou
     

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, 24 July 2020 10:00
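The check described in step 1, as an added example that is not code from the thread: it reads the effective audit policy the way auditpol reports it, keeps only the two subcategories behind events 4663/4658 and 5156, and then measures how many of those events have landed in the Security log in the last hour, so the "filling up in seconds" claim can be put into numbers. It assumes an elevated PowerShell session on one of the affected servers; the `/r` switch of auditpol (CSV report output) and the column names are real, everything else is constructed for this example.

```powershell
# Added example, not code from the thread: show the effective setting of the two audit
# subcategories behind events 4663/4658 (Removable Storage) and 5156 (Filtering
# Platform Connection), and measure how fast those events are arriving.
# Assumes an elevated PowerShell session on the affected server.

$subcategories = @('Removable Storage', 'Filtering Platform Connection')

# auditpol's /r switch emits CSV with the columns
# Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
$effective = auditpol /get /category:* /r |
    ConvertFrom-Csv |
    Where-Object { $subcategories -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting'

Write-Host 'Effective audit policy (what the OS is actually enforcing):'
$effective | Format-Table -AutoSize

# Count the events from the last hour per ID to quantify the volume.
$since  = (Get-Date).AddHours(-1)
$filter = @{ LogName = 'Security'; Id = 4658, 4663, 5156; StartTime = $since }
$counts = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Group-Object -Property Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

Write-Host "Security events since $since :"
$counts | Format-Table -AutoSize

# Log size and retention mode explain how quickly the log wraps.
Get-WinEvent -ListLog Security |
    Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount |
    Format-List
```

If auditpol reports "Success and Failure" for a subcategory that no domain or local policy configures, the setting was written directly into the machine's audit policy (for instance by an earlier `auditpol /set` or by a management or security agent). It can be cleared locally with `auditpol /set /subcategory:"Removable Storage" /success:disable /failure:disable` (and the same for "Filtering Platform Connection"), but whatever originally applied it will re-enable it at its next refresh unless that source is found.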
  • Filtering Platform Connection and Removable Storage both have "Success and Failure" when I run the auditpol command, but the local policy does not have them defined. There is nothing defined for Advanced Audit Configuration in the HTML output.

    There is also no domain policy that specifies these settings.

    Friday, 24 July 2020 20:34
  • Hi,
    I am sorry for the late reply.

    On one problematic server, we can try to check whether we can see the related audit policy settings (“Audit Removable Storage” and “Audit Filtering Platform Connection”) in the following paths:

    \\a.local\SYSVOL\a.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit.csv
    C:\Windows\security\audit.csv

    {31B2F340-016D-11D2-945F-00C04FB984F9} is the GUID of the default domain policy.

    The audit.csv looks just like this:



    Best Regards,
    Daisy Zhou

    Tuesday, 28 July 2020 03:50
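The audit.csv check above, as an added example that is not code from the thread. It parses the local audit.csv and the Audit.csv of every GPO folder under SYSVOL (the reply checks only the Default Domain Policy; scanning all policy folders is a generalisation of that step), and reports any row for the two subcategories. The domain name `a.local` and the GUID `{31B2F340-016D-11D2-945F-00C04FB984F9}` are taken from the reply; the column names of audit.csv are the real ones.

```powershell
# Added example, not code from the thread: search the local audit.csv and every
# GPO's Audit.csv in SYSVOL for the two subcategories. The domain name a.local
# comes from the reply above; substitute your own domain.

$subcategories = @('Removable Storage', 'Filtering Platform Connection')
$domain = 'a.local'

# The local file holds the policy last applied to this machine; the SYSVOL files are
# the per-GPO sources. Scanning all GPO folders goes beyond the reply, which checks
# only the Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}.
$files = @('C:\Windows\security\audit.csv')
$files += Get-ChildItem -Path "\\$domain\SYSVOL\$domain\Policies\*\MACHINE\Microsoft\Windows NT\Audit.csv" -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

foreach ($file in $files) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Host "$file : not present"
        continue
    }
    # audit.csv columns: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting, Setting Value
    # (Setting Value: 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success and Failure)
    $hits = Import-Csv -LiteralPath $file |
        Where-Object { $subcategories -contains $_.Subcategory }
    if ($hits) {
        Write-Host "$file :"
        $hits | Select-Object Subcategory, 'Inclusion Setting', 'Setting Value' | Format-Table -AutoSize
    } else {
        Write-Host "$file : neither subcategory configured"
    }
}
```

A row with Setting Value 3 in one of the SYSVOL files identifies the GPO that is switching the subcategory on; the folder name is that GPO's GUID. If no GPO file contains the subcategories but auditpol still reports them enabled, Group Policy is not the source and the setting is being applied locally by something else on the server.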
  • Hi
    How are things going on your end? Please keep me posted on this issue. 
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.

    Best Regards,
    Daisy Zhou

    Thursday, 30 July 2020 06:19
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou

    Monday, 3 August 2020 07:32
  • Hello,

    Greetings!

    Because this TechNet forum will become read-only from 8/10, in order to provide support for you conveniently, we have posted the same post as this case on the Q&A forum for you.

    If you need further help with this case, you are welcome to go to the Q&A forum to continue the discussion.

    I am sorry for the inconvenience, thank you so much for your understanding and support.

    New case link:
    https://docs.microsoft.com/en-us/answers/questions/61635/security-event-logs-filling-with-removable-storage.html


    Best Regards,
    Daisy Zhou

    Friday, 7 August 2020 07:39