When searching for info I came across this comment at the bottom of a serverfault post:
Currently, under Server 2012 R2 events 4656 will generate even if Handle Manipulation category is disabled. In our case, we have enabled Audit File System category which was only generating 4660-4663 events on previous Server versions (2008-2008R2-2012) but on Server 2012 R2 this initiates overwhelming flow of 4656 events. The issue has been reported to Microsoft however there is no resolution yet.

I've yet to come across any official discussion of this, but this certainly corresponds with my experience. This thread was from June 2016, with a follow-up comment in January 2017. Is this an undocumented feature? A bug?
Luckily for me I'm using Splunk to ingest these logs, so I was simply able to add:

blacklist1=EventCode="4656"

in the [WinEventLog://Security] stanza of C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf in order to filter it out. YMMV!
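Before dropping 4656 at the forwarder, it is worth measuring how bad the flood actually is on a given host and confirming that Handle Manipulation really is disabled. The following PowerShell check is an added example, not code from the original post; the one-hour window and the list of event IDs are my assumptions, and it should be run in an elevated prompt on the Windows server itself.

```powershell
# Added example: count 4656 (handle requested) against the object-access events
# 4660-4663 that Audit File System is expected to produce, then show the audit
# subcategory settings. Assumed window: the last hour.
$since = (Get-Date).AddHours(-1)
$ids   = 4656, 4658, 4660, 4661, 4662, 4663

# Get-WinEvent throws if nothing matches, so suppress that and treat it as zero.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

# Per-ID breakdown for the window.
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Ratio of the noisy handle events to the events you actually want to keep.
$n4656   = @($events | Where-Object Id -eq 4656).Count
$nWanted = @($events | Where-Object { $_.Id -in 4660..4663 }).Count
"Last hour: $n4656 x 4656 vs $nWanted x 4660-4663"

# Confirm the subcategory state; 4656 should not appear with Handle Manipulation
# set to "No Auditing", which is the 2012 R2 behaviour the post describes.
auditpol /get /subcategory:"Handle Manipulation"
auditpol /get /subcategory:"File System"
```

If the 4656 count dwarfs 4660-4663 while Handle Manipulation reports "No Auditing", the blacklist above is dropping noise rather than signal; if Handle Manipulation turns out to be enabled, fix the audit policy instead of filtering.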