After account security auditing is enabled, some abnormal Audit Failure entries appear in the system's Security log. How can I determine whether these logs are normal?
For example, the Security log contains an Audit Failure entry with this description:
Windows has detected an application listening for incoming traffic.
Name: -
Path: C:\Windows\System32\svchost.exe
Process ID: 740
User Account: NETWORK SERVICE
User Domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port: 55453
Allowed: No
User notified: No
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Solution:
1. On the server where the event was logged, click Start > Run, enter cmd, and open a command prompt.
2. Enter "tasklist /svc" (or "tasklist /svc /fi "PID eq 740"" to show only that process) and check whether the services hosted by the svchost.exe instance with process ID 740 are normal system services, such as Dhcp or Dnscache. Because process IDs are reused, compare against a process that was running at the time the event was logged; an old event may point at a different process today.
3. If the process is the genuine %SystemRoot%\System32\svchost.exe and hosts only normal Windows networking services, the entry can be safely ignored. If the path points elsewhere, the process hosts no service at all, or it hosts a service you do not recognize, treat the entry as suspicious and investigate the binary.
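The same check, scripted so it can be run against the values taken from the event. This is an added example for this page, not part of the original solution and not a Microsoft tool. It assumes Windows PowerShell 3.0 or later (Get-CimInstance; on older hosts Get-WmiObject does the same job), and the allowlist of services expected inside svchost.exe is an assumption to tune per server role. The function name Test-ListeningAuditEvent is invented here.

```powershell
# Added example (not from the original page). Automates steps 1-3 for one audit event:
# verify the live process image, list the services hosted in it (what "tasklist /svc"
# shows) and confirm the PID really owns the reported port. Requires PowerShell 3.0+.
function Test-ListeningAuditEvent {
    param(
        [Parameter(Mandatory)][int]$ProcessId,                  # "Process ID:" field
        [Parameter(Mandatory)][string]$ReportedPath,            # "Path:" field
        [Parameter(Mandatory)][int]$Port,                       # "Port:" field
        [ValidateSet('TCP','UDP')][string]$Protocol = 'UDP',    # "IP protocol:" field
        [string[]]$ExpectedServices = @('Dhcp','Dnscache')      # assumption: adjust per role
    )

    $reasons = New-Object System.Collections.Generic.List[string]

    # Is the PID still alive, and is it the image the event reported?
    # PIDs are reused: only trust this for a process that existed when the event was logged.
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) {
        return [pscustomobject]@{ ProcessId = $ProcessId; Verdict = 'Unknown'
                                  Reasons = @('PID is no longer running; correlate by event time') }
    }
    $genuine = Join-Path $env:SystemRoot 'System32\svchost.exe'
    if ($ReportedPath -ne $genuine) {                  # -ne is case-insensitive in PowerShell
        $reasons.Add("event path '$ReportedPath' is not $genuine")
    }
    if ($proc.ExecutablePath -and ($proc.ExecutablePath -ne $genuine)) {
        $reasons.Add("running image is '$($proc.ExecutablePath)', not the genuine svchost.exe")
    }

    # Services hosted in this process: the "Services" column of tasklist /svc.
    $services = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId" |
                  Select-Object -ExpandProperty Name)
    if ($services.Count -eq 0) {
        $reasons.Add('process hosts no service; a genuine svchost.exe always hosts at least one')
    }
    $unexpected = @($services | Where-Object { $_ -notin $ExpectedServices })
    if ($unexpected.Count -gt 0) {
        $reasons.Add("hosts services outside the allowlist: $($unexpected -join ', ')")
    }

    # Does this PID currently own the port? netstat -ano is available on every Windows version.
    # Columns: Proto  LocalAddress  ForeignAddress  [State]  PID  (PID is always the last column).
    $bound = $false
    foreach ($line in (netstat -ano -p $Protocol)) {
        $cols = $line.Trim() -split '\s+'
        if ($cols[0] -ne $Protocol) { continue }        # skip banner and header lines
        if ($cols[-1] -eq $ProcessId -and $cols[1] -match ":$Port$") { $bound = $true; break }
    }

    [pscustomobject]@{
        ProcessId   = $ProcessId
        Image       = $proc.ExecutablePath
        Services    = $services
        PortBound   = $bound                            # $false just means the socket was released
        Verdict     = if ($reasons.Count -eq 0) { 'Benign' } else { 'Investigate' }
        Reasons     = $reasons.ToArray()
    }
}

# Values taken from the event shown on this page.
Test-ListeningAuditEvent -ProcessId 740 -ReportedPath 'C:\Windows\System32\svchost.exe' `
                         -Port 55453 -Protocol UDP | Format-List
```

A 'Benign' verdict means the process is the real svchost.exe and hosts only allowlisted services; anything else lists the concrete reason so the entry can be escalated rather than silently ignored.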
Also: Recommended account security audit settings
Run gpedit.msc to open the Group Policy Editor and go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. When choosing which items to audit, note the trade-off: the more items you audit, the more events are generated and the harder it is to find the serious ones; audit too little and serious events go unrecorded. Choose a balance between the two based on your situation.
The recommended audit settings are:
Audit logon events: Success, Failure
Audit account logon events: Failure
Audit system events: Success, Failure
Audit policy change: Failure
Audit object access: Failure
Audit directory service access: Failure
Audit privilege use: Failure
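The same recommended settings applied from the command line with auditpol and then read back, so the result can be verified rather than assumed. This is an added example, not part of the original page. It assumes Windows Vista / Server 2008 or later, where auditpol.exe is built in, and an elevated prompt; the category names are auditpol's own (Logon/Logoff, Account Logon, System, Policy Change, Object Access, DS Access, Privilege Use), which correspond to the Group Policy names in the list above.

```powershell
# Added example (not from the original page). Applies the audit policy recommended above
# with auditpol.exe and shows the effective policy afterwards. Run from an elevated prompt.
# On a domain member, a GPO that sets audit policy overrides these local values at the
# next policy refresh, so apply the same settings in the GPO instead.
$recommended = @(
    @{ Category = 'Logon/Logoff';  Success = $true;  Failure = $true  }   # Audit logon events
    @{ Category = 'Account Logon'; Success = $false; Failure = $true  }   # Audit account logon events
    @{ Category = 'System';        Success = $true;  Failure = $true  }   # Audit system events
    @{ Category = 'Policy Change'; Success = $false; Failure = $true  }   # Audit policy change
    @{ Category = 'Object Access'; Success = $false; Failure = $true  }   # Audit object access
    @{ Category = 'DS Access';     Success = $false; Failure = $true  }   # Audit directory service access
    @{ Category = 'Privilege Use'; Success = $false; Failure = $true  }   # Audit privilege use
)

foreach ($r in $recommended) {
    $s = if ($r.Success) { 'enable' } else { 'disable' }
    $f = if ($r.Failure) { 'enable' } else { 'disable' }
    # Setting a category applies the same value to every subcategory beneath it.
    auditpol /set "/category:$($r.Category)" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for category '$($r.Category)'" }
}

# Read back what is actually in effect (all categories, so unintended changes are visible too).
auditpol /get /category:*
```

Reading the policy back matters: the "Success and Failure" values shown by auditpol /get are the effective settings, which on a domain-joined server may differ from what the local edit just wrote.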