Type: Success Audit
Audit Policy Change:
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon
User Name: <user name>
Domain Name: <domain name>
Logon ID: <logon id>
As per Microsoft: "Event ID 612 indicates that a change in audit policy has been made on the local computer. The logging of Event ID 612 is the expected behavior when you restart Windows XP SP2". See ME840633 and MSW2KDB for information on this event.
This event occurs (even if the policy doesn't actually change) if you have a policy applied to the server (or the containing OU/AD) via the Active Directory. When the server boots, it sets its audit policy according to the local settings, then the AD forces its settings on the server and this creates the 612 in the event log, even if the local policy is identical to the applied policy.
So, in my case, nothing to worry about, behaviour by design.
Indicates that a change was made to the audit policy. The description shows the current policy: for each category, the first sign is the setting for successful attempts and the second for failed attempts. A "+" sign indicates that auditing is enabled, a "-" that it is disabled. For example, the following:
- + Directory Service Access
indicates that successful attempts to use the directory services will not be audited (the "-") but the failures will be (the "+").
See the link to the "Auditing policies - their meaning and recommended settings" article for a description of the auditing policies.
This event is also logged each time that the server refreshes its local security policy. This is the case when the user recorded in the event description is the name of the computer itself (i.e. SERVER1$).
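As an added example (not code from eventid.net or Microsoft), the following Python parses a 612 description in the layout shown above into per-category success/failure audit flags, recognizes the computer-account case (SERVER1$) described above as a policy refresh, and reports which categories differ from a baseline. The sample description is constructed for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample 612 description following the layout shown on this page.
SAMPLE_612 = """Audit Policy Change:
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
- - Detailed Tracking
- + Directory Service Access
+ + Account Logon
User Name: SERVER1$
Domain Name: EXAMPLE
Logon ID: (0x0,0x3E7)
"""

# Policy line: "<success flag> <failure flag> <category>", each flag "+" (audited) or "-" (not).
POLICY_LINE = re.compile(r"^\s*([+-])\s*([+-])\s*(.+?)\s*$")
FIELD_LINE = re.compile(r"^\s*(User Name|Domain Name|Logon ID):\s*(.*?)\s*$")

Policy = Dict[str, Tuple[bool, bool]]  # category -> (success_audited, failure_audited)


def parse_612(description: str) -> Tuple[Policy, Dict[str, str]]:
    """Split a 612 description into the audit policy table and the subject fields."""
    policy: Policy = {}
    fields: Dict[str, str] = {}
    for line in description.splitlines():
        m = FIELD_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        m = POLICY_LINE.match(line)
        if m:
            policy[m.group(3)] = (m.group(1) == "+", m.group(2) == "+")
    return policy, fields


def is_policy_refresh(fields: Dict[str, str]) -> bool:
    """True when the subject is the computer account itself (name ends in "$"),
    i.e. the event came from a local security policy refresh, not from a person."""
    return fields.get("User Name", "").endswith("$")


def diff_policy(baseline: Policy, current: Policy) -> Dict[str, Tuple[Optional[Tuple[bool, bool]], Optional[Tuple[bool, bool]]]]:
    """Categories whose settings differ from the baseline: {category: (old, new)}."""
    return {c: (baseline.get(c), current.get(c))
            for c in sorted(set(baseline) | set(current))
            if baseline.get(c) != current.get(c)}
```

Running the parser over every 612 and diffing against a known-good baseline separates the routine refresh events from an actual change in what is being audited.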
Links: ME174074, ME840633, Auditing policies - their meaning and recommended settings, Online Analysis of Security Event Log, MSW2KDB