Security alerts filling DB
DBendall
Guest

Posted: Thu Jan 06, 2005 3:39 am    Post subject: Security alerts filling DB

From my MOM admin console I see in Monitor -> All Windows NT Events a huge
number of Success Audits for logons. I don't really care about these and
they are overwhelming my database. I've gone into the rules for WinNT4.0 and
Win2k and shut down the rules that cover Event IDs 528, 538 & 540. They
cover successful logons and logoffs. I would have thought that would cover
it, but it did not. Anyone have any idea where or how these are still
getting in? I just need to shut them down. Thanks for any help or ideas.

James Morey
Guest

Posted: Thu Jan 06, 2005 4:55 am    Post subject: Re: Security alerts filling DB

Assuming this is for MOM 2000, there is a rule that, by default, collects
all Windows events. It is called the "Default Event Collection" rule, or by
some "the much loathed and despised Default Event Collection Rule" or by
some much worse. This rule has been removed for MOM 2005, thank goodness.

You need to disable this rule (or even delete it).

Background Info - In MOM, event collection is what I call summed fashion,
meaning that if any rule asks for it, it is collected even if nothing else
asks for it. So if any rule collects an event it gets collected. Events are
collected only once, even if every single rule asks for it.

Let me know if this doesn't do it.

--
=====================
NOTE - This posting is provided "AS IS" with no warranties, and confers no
rights.

James Morey | Microsoft | Windows & Enterprise Management Division
=====================


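
An added illustration, not part of the thread and not MOM's own rule format, of the collection behaviour described in the reply above: an event is stored if any enabled rule matches it, and only once. The rule names, fields and sample events are constructed assumptions; the `collectors` helper lists which enabled rules still pull in a given event, which is the question to ask of a rule set when disabling the obvious rules does not stop collection.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule model: this is NOT MOM's schema, only a sketch of
# "an event is collected if any enabled rule asks for it".
@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool
    log: Optional[str] = None              # None matches any event log
    event_ids: Optional[frozenset] = None  # None matches any event ID

    def matches(self, event: dict) -> bool:
        if not self.enabled:
            return False
        if self.log is not None and event["log"] != self.log:
            return False
        return self.event_ids is None or event["id"] in self.event_ids

def collectors(rules, event):
    """Names of the enabled rules that cause this event to be collected."""
    return [r.name for r in rules if r.matches(event)]

def collect(rules, events):
    """Union semantics: keep an event once if at least one rule matches."""
    return [e for e in events if any(r.matches(e) for r in rules)]

# Constructed rule set: the logon rules and the catch-all are disabled,
# but a broader (hypothetical) Security-log rule is still enabled.
RULES = [
    Rule("Logon/logoff audits", False, "Security", frozenset({528, 538, 540})),
    Rule("Default Event Collection", False),
    Rule("All Security success audits (hypothetical)", True, "Security"),
    Rule("Service control errors (hypothetical)", True, "System", frozenset({7031})),
]

# Constructed sample events.
EVENTS = [
    {"log": "Security", "id": 528},
    {"log": "Security", "id": 538},
    {"log": "System", "id": 7031},
    {"log": "Application", "id": 1000},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", collectors(RULES, ev) or "not collected")
```
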
DBendall
Guest

Posted: Thu Jan 06, 2005 6:49 pm    Post subject: Re: Security alerts filling DB

Sorry to report that it did not help. I disabled it yesterday afternoon and
this morning my DB is down to 0 space left and MOM has stopped functioning.
Any other ideas?

