View account security audit failure log events

After the account security audit is enabled, some abnormal Audit Failure logs are displayed in the system log security. How can I determine whether these logs are normal?

For example:

 

The number of security logs that fail to be reviewed. Event Description:

 

Windows has detected an application.ProgramListening for incoming traffic.

Name :-

Path: c: \ windows \ system32 \ svchost.exe

Process ID: 740

User Account: NETWORK SERVICE

User Domain: nt authority

Service: Yes

RPC server: No

IP version: IPv4

IP protocol: UDP

Port: 55453

Allowed: No

Notified User: No

For more information, see Help and Support Center in http://go.microsoft.com/fwlink/events.asp.

 

 

Solution:

 

1. on the server where the log information appears, click Start> Run and Enter cmd to enter the command prompt.

2. Enter "tasklist/svcfailed", and check whether the service corresponding to "cmdsvchost.exe (740)" is a normal system service, such as DHCP and Dnscache.

3. If it is a normal network service, you can safely ignore this information.

 

 

Also: Recommended account Security Audit

Enter gpedit. MSC press enter, open the Group Policy Editor, select computer configuration-Windows Settings-Security Settings-Audit Policy when creating audit projects, note that if there are too many audit projects, the more events are generated, the more difficult it is to find serious events. Of course, if too few events are reviewed, the more serious events you find will be affected, you need to select between the two based on your situation.

The recommended items to be reviewed are:

Logon Event successful failed

Account Logon event failed

System Event success/failure

Policy Change failed

Object Access failed

Directory Service Access failed

Failed to use privilege