Best practice is to enable Object Access Auditing on the LogRhythm Inactive Archives.
The Microsoft Web site documents a known issue with Object Access Auditing: audit messages are generated each time a user refreshes the Security Event Log in Event Viewer. To prevent this, you must alter the Registry on the server where the LogRhythm Inactive Archive files are monitored. See the Microsoft Web site for details on Object Access Auditing.
To enable Object Access Auditing
- Go to C:\LogRhythmArchives\Inactive.
- Right-click the Inactive folder, and then click Sharing And Security.
- Click the Security tab.
- Click Advanced.
- Click the Auditing Tab.
- Click Add.
- Add the Everyone account with the following auditing settings:
  - Create Files/Write Data: Successful, Failed
  - Create Folders/Append Data: Successful, Failed
  - Write Attributes: Successful, Failed
  - Write Extended Attributes: Successful, Failed
- Click OK until you return to the initial window.
- Create a Log Processing Policy for the Security Event Log.
- Configure the following rule to forward as an event in the Custom Policy: MS-SecLog EVID 4656 Successful Object Open
- Assign the new Custom Log Processing Policy to the Security Event Log Sources of the server on which the archives reside.
- To be notified of Object Access: Object Opened events, create an event-based Alarm Rule with the following configuration:
  - Threshold: 1
  - Grouping: Origin Host
  - Common Event: Audit: Access Success: Object Opened
  - Log Source(s): Include the Selected Log Sources
  - Security Event Log: On the server on which the archives reside
  - Field Filters: Origin Login: Filter Out - System
  - Notification: As appropriate
  - Name: As appropriate
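The same folder auditing can be applied and verified from an elevated PowerShell prompt instead of the Explorer dialogs. This is an added example, not LogRhythm's own code; it assumes the archive path named above, that PowerShell 5 or later is available, and that local audit policy is not overridden by a GPO.

```powershell
# Added example: apply the SACL described in the steps above and confirm that
# EVID 4656 events are produced. Requires an elevated prompt (SeSecurityPrivilege).
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$Path = 'C:\LogRhythmArchives\Inactive'   # archive folder from the procedure

# 1. A folder SACL only generates events when the "File System" subcategory of
#    Object Access auditing is enabled on the machine. Show the current state.
auditpol /get /subcategory:"File System"
# To enable it locally (assumes no GPO overrides local audit policy):
# auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Build the audit rule for Everyone (well-known SID S-1-1-0): the four rights
#    listed in the procedure, Success and Failure, inherited by subfolders and files.
$everyone  = [SecurityIdentifier]::new('S-1-1-0')
$rights    = [FileSystemRights]::CreateFiles -bor          # Create Files / Write Data
             [FileSystemRights]::AppendData -bor           # Create Folders / Append Data
             [FileSystemRights]::WriteAttributes -bor
             [FileSystemRights]::WriteExtendedAttributes
$inherit   = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [PropagationFlags]::None
$audit     = [AuditFlags]'Success, Failure'
$rule = [FileSystemAuditRule]::new($everyone, $rights, $inherit, $propagate, $audit)

# 3. Read the current ACL including its SACL (-Audit), add the rule, write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Confirm the SACL entry for Everyone is present.
(Get-Acl -Path $Path -Audit).Audit |
    Where-Object { $_.IdentityReference -eq 'Everyone' } |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 5. Trigger a write under the folder and look for Security EVID 4656 (Object Open)
#    that references it; this is the event the custom Log Processing Policy forwards.
New-Item -Path (Join-Path $Path 'audit-test.txt') -ItemType File -Force | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id, MachineName |
    Format-Table -AutoSize
```

If step 5 returns nothing, check the auditpol output from step 1 before revisiting the SACL; the rule is inert until the subcategory is enabled.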