View account security audit failure log events

Source: Internet
Author: User
Tags: account security

After account security auditing is enabled, some unusual Audit Failure entries appear in the Security log of the system event logs. How can I determine whether these entries are normal?

For example:

Audit Failure entries in the Security log. Event description:

Windows has detected an application listening for incoming traffic.

Name: -

Path: c:\windows\system32\svchost.exe

Process ID: 740

User Account: NETWORK SERVICE

User Domain: nt authority

Service: Yes

RPC server: No

IP version: IPv4

IP protocol: UDP

Port: 55453

Allowed: No

Notified User: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Solution:

1. On the server where the log entry appears, click Start > Run and enter cmd to open the command prompt.

2. Enter "tasklist /svc" and check whether the services hosted by "svchost.exe" (PID 740) are normal system services, such as DHCP and Dnscache.

3. If it is a normal network service, you can safely ignore this information.
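The same check as steps 1 to 3, written as a PowerShell function. This is an added example, not part of the original page; the function name Test-SvchostListener and the default list of expected services are assumptions, and it requires PowerShell 3.0 or later with Get-NetUDPEndpoint (Windows 8 / Server 2012 or later).

```powershell
# Added example: triage one "application listening for incoming traffic" event.
# Run elevated on the affected server while the process from the event is still
# running; a PID is reused after a restart and then identifies a different process.
function Test-SvchostListener {
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,   # "Process ID" from the event
        [Parameter(Mandatory)] [string] $EventPath,   # "Path" from the event
        [Parameter(Mandatory)] [int]    $UdpPort,     # "Port" from the event
        # Assumption: services considered normal on this host; adjust per server role.
        [string[]] $ExpectedServices = @('Dhcp', 'Dnscache')
    )

    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) {
        return [pscustomobject]@{ Verdict = 'PID no longer running; cannot verify' }
    }

    # Equivalent of "tasklist /svc": the services hosted inside this process.
    $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
                  ForEach-Object Name)
    $unexpected = @($services | Where-Object { $_ -notin $ExpectedServices })

    # The system svchost.exe normally runs from %SystemRoot%\System32.
    # String -eq is case-insensitive, so c:\windows\... matches C:\Windows\...
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $pathOk = ($proc.ExecutablePath -eq $expectedPath) -and ($EventPath -eq $expectedPath)

    # Which PIDs own the UDP port right now (empty if it is no longer bound)?
    $endpoints  = @(Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue)
    $portOwners = @($endpoints | ForEach-Object OwningProcess | Select-Object -Unique)

    $verdict = if (-not $pathOk) { 'Investigate: not the system svchost.exe'
    } elseif ($services.Count -eq 0) { 'Investigate: svchost.exe hosts no services'
    } elseif ($unexpected.Count -gt 0) { 'Review: services outside the expected list'
    } else { 'Normal system service listener' }

    [pscustomobject]@{
        ProcessId      = $ProcessId
        ExecutablePath = $proc.ExecutablePath
        Services       = $services -join ', '
        Unexpected     = $unexpected -join ', '
        PortOwnerPids  = $portOwners -join ', '
        Verdict        = $verdict
    }
}

# Values taken from the event shown above.
Test-SvchostListener -ProcessId 740 -EventPath 'c:\windows\system32\svchost.exe' -UdpPort 55453
```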

 

 

Also: recommended account security audit settings

Enter gpedit.msc and press Enter to open the Group Policy Editor, then select Computer Configuration > Windows Settings > Security Settings > Audit Policy. When creating audit items, note that the more items you audit, the more events are generated and the harder it is to find the serious ones. On the other hand, if too few items are audited, your ability to find serious events also suffers, so you need to balance the two based on your situation.

The recommended items to audit are:

Logon events: success, failure

Account logon events: failure

System events: success, failure

Policy change: failure

Object access: failure

Directory service access: failure

Privilege use: failure
