Service audit log

  • Question

  • Hi All,

    I was doing something in Event Viewer, checking particularly for Windows services. May I know if you guys ever came across an audit log where we can determine which user account has started or stopped services?

    Best regards

    Thursday, June 25, 2020 03:56

All Replies

  • Hello,
    Thank you for posting in our TechNet forum.

    We can do as below: edit the Default Domain policy, navigate to

    Computer Configuration->Policies->Windows Settings->Security Settings->System Services, locate the service you want to audit, and define its policy settings by clicking on the Edit Security button, which will display the Security dialog box. Click on Advanced and define the Auditing settings from there.

    For example,

    Enable auditing of the NetLogon service as below:



    Hope the information above is helpful. If anything is unclear, please feel free to let us know.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 26, 2020 06:42
    Moderator
  • Thanks Daisy,

    I've done the given instructions but I'm still unable to track which user has made changes to the services. Even when I simulate the issue myself, I'm still unable to find the log. Perhaps I'm not sure where the log is stored.

    Please guide me on this

    • Marked as answer by EnfraMS Friday, July 10, 2020 10:01
    Tuesday, June 30, 2020 06:25
  • Hi,

    I am sorry for the late reply.

    After my research and test, we also need to configure the following policy settings:

    Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access → Audit Handle Manipulation and Audit Other Object Access Events

    And we can see in event ID 4656 on the machine who started or stopped the specific service (in my case, it is DNS Client).





    Hope the information is helpful, if anything is unclear, please feel free to let us know.

    References:
    How to configure Windows to log / audit Qlik Services for the user that performed a start, stop and restart command 
    https://support.qlik.com/articles/000058520

    4656(S, F): A handle to an object was requested.
    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


    Best Regards,
    Daisy Zhou

    • Marked as answer by EnfraMS Friday, July 10, 2020 10:01
    Wednesday, July 8, 2020 10:55
    Moderator
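
One way to pull the requesting account out of the 4656 events once the policy settings from the reply above are in place, added here as an example and not part of Daisy Zhou's reply. It assumes an elevated PowerShell session on the audited machine, that the service already has an auditing entry set as described in the first reply, and `Dnscache` as the short name of the DNS Client service; the `auditpol` lines are a local stand-in for the Group Policy path and use the English subcategory names.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Local stand-in for the two Object Access subcategories named in the answer.
# Subcategory names are the English ones; a domain GPO will override these.
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# Service access rights from winsvc.h, matched against the event's AccessMask.
$SERVICE_START = 0x0010
$SERVICE_STOP  = 0x0020

# Assumption: short name of the service to report on (Dnscache = DNS Client).
$ServiceName = 'Dnscache'

$filter = @{ LogName = 'Security'; Id = 4656 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $d[$n.Name] = $n.'#text'
        }
        # Keep only handle requests against the chosen service object.
        if ($d['ObjectType'] -ne 'SERVICE OBJECT') { return }
        if ($d['ObjectName'] -ne $ServiceName)     { return }

        $mask = [Convert]::ToInt32($d['AccessMask'], 16)
        $requested = @()
        if ($mask -band $SERVICE_START) { $requested += 'Start' }
        if ($mask -band $SERVICE_STOP)  { $requested += 'Stop' }
        if (-not $requested) { return }   # e.g. status queries only

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            User      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            LogonId   = $d['SubjectLogonId']
            Service   = $d['ObjectName']
            Requested = $requested -join ','
            Process   = $d['ProcessName']
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Event 4656 records the access that was requested when the handle to the service was opened, so a row here means the account asked for start or stop rights, not that the operation completed.
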
  • Hi,
    Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know. 
    Again thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou

    Friday, July 10, 2020 02:29
    Moderator
  • Hi Daisy,

    Thanks for the help, I am able to capture and track the services log.

    Friday, July 10, 2020 10:04
  • Hi,
    Thank you for your update and marking my reply as answer. I’m very glad that the information is helpful.

    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Best Regards,
    Daisy Zhou

    Friday, July 10, 2020 10:41
    Moderator