Security Event Log exploding with 560/562 auditing entries



I'm seeing these 2 events in my Security Event log on a member server
(non-DC) several times each second:

===== 1 =====

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/4/2008
Time: 12:26:53 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Account Manager
Handle ID: 492
Operation ID: {0,808503072}
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe
Primary User Name: SERVER01$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link

Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F

===== 2 =====

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 8/4/2008
Time: 12:26:53 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Handle Closed:
Object Server: Security
Handle ID: 492
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe

===============================


Here's what I've done:
1. Checked the local "Audit: Audit the access of global system objects"
policy - it is confirmed as disabled. GPOs are not changing this auditing
policy either.

2. There is no special auditing set on "C:\Program Files\BMC
Software\CONTROL-M Links\NTAgent\WinNTAgService.exe" or any parent folders.

3. The only auditing set on
"REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security
Account Manager" is Success/Failure on [Set Value/Create Subkey/Delete/Write
DAC/Write Owner] which appears to be a Server 2003 default and is not causing
an issue on another server with a similar config.

The server is rebooted every morning on schedule - this issue has been
ongoing for weeks.
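
An added example, not part of the original post: a short Python triage helper that decodes the Access Mask from event 560 and intersects it with the rights the key's SACL audits. It assumes the SACL is exactly the five rights listed in step 3 and that object-access auditing is evaluated against the access requested when the handle is opened; the function names and the KEY_READ comparison are constructed for illustration.

```python
import re

# Registry key access rights from winnt.h (bit value -> name).
KEY_RIGHTS = {
    0x00001: "KEY_QUERY_VALUE",
    0x00002: "KEY_SET_VALUE",
    0x00004: "KEY_CREATE_SUB_KEY",
    0x00008: "KEY_ENUMERATE_SUB_KEYS",
    0x00010: "KEY_NOTIFY",
    0x00020: "KEY_CREATE_LINK",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Assumption: the SACL from step 3 of the post, i.e.
# Set Value / Create Subkey / Delete / Write DAC / Write Owner.
AUDITED = 0x00002 | 0x00004 | 0x10000 | 0x40000 | 0x80000

def decode(mask):
    """Return the names of the key rights set in an access mask."""
    return [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & bit]

def audited_rights(requested, sacl=AUDITED):
    """Rights in the requested mask that the SACL audits (empty list: no overlap)."""
    return decode(requested & sacl)

def parse_560(text):
    """Pull handle id, process id and access mask out of a 560 event description."""
    def field(label):
        m = re.search(rf"{label}:\s*(\S+)", text)
        return m.group(1)
    return {"handle": int(field("Handle ID")), "pid": int(field("Process ID")),
            "mask": int(field("Access Mask"), 16)}

# Fields copied from event 1 in the post.
SAMPLE_560 = """Handle ID: 492
Process ID: 1656
Access Mask: 0xF003F"""
KEY_READ = 0x20019  # constructed comparison: a read-only open of the same key

if __name__ == "__main__":
    ev = parse_560(SAMPLE_560)
    print("requested:", decode(ev["mask"]))
    print("audited overlap:", audited_rights(ev["mask"]))
    print("read-only overlap:", audited_rights(KEY_READ))
```

The mask 0xF003F requests every right the SACL audits, while a read-only open requests none of them, so how the process opens the key decides whether there is any overlap to audit.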