Event ID: 612 Source: Security

Description:
Audit Policy Change:
New Policy:
Success  Failure
   +        +     Logon/Logoff
   -        -     Object Access
   -        -     Privilege Use
   +        +     Account Management
   +        +     Policy Change
   -        -     System
   -        -     Detailed Tracking
   -        -     Directory Service Access
   +        +     Account Logon
Changed By:
User Name: <user name>
Domain Name: <domain name>
Logon ID: <logon id>
Comments
 
As per Microsoft: "Event ID 612 indicates that a change in audit policy has been made on the local computer. The logging of Event ID 612 is the expected behavior when you restart Windows XP SP2". See ME840633 and MSW2KDB for information on this event.
Indicates that a change was made to the audit policy. The description shows the current policy. A "+" sign indicates that the policy is enabled, a "-" that it is disabled. For example, the following:
-     + Directory Service Access
indicates that the successful attempts to use the directory services will not be audited (the "-") but the failures will be (the "+").

See the link to the "Auditing policies - their meaning and recommended settings" article for a description of the auditing policies.

This event is also logged each time that the server refreshes its local security policy. This is the case when the user recorded in the event description is the name of the computer itself (i.e. SERVER1$).
This event occurs (even if the policy doesn't actually change) if you have a policy applied to the server (or the containing OU/AD) via the Active Directory. When the server boots, it sets its audit policy according to the local settings, then the AD forces its settings on the server and this creates the 612 in the event log, even if the local policy is identical to the applied policy.
So, in my case, nothing to worry about, behaviour by design.
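
The rules described in the comments above, as an added example that is not part of the original page: a Python sketch that parses a 612 description into per-category success/failure flags and separates machine-account policy refreshes (user name ending in "$") from changes that switch off auditing a baseline requires. The sample event text, the baseline passed in, and the names parse_612 and triage_612 are constructed for illustration.

```python
import re

# Constructed sample of an Event ID 612 description (irregular spacing kept on purpose).
SAMPLE_EVENT = """Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
-  -System
- - Detailed Tracking
- + Directory Service Access
++ Account Logon
Changed By:
User Name: SERVER1$
Domain Name: EXAMPLE
Logon ID: (0x0,0x3E7)
"""

POLICY_LINE = re.compile(r"^\s*([+-])\s*([+-])\s*(\S.*?)\s*$")
FIELD_LINE = re.compile(r"^\s*(User Name|Domain Name|Logon ID):\s*(.*?)\s*$")

def parse_612(description):
    """Return (policy, changed_by); first sign is Success, second is Failure."""
    policy, changed_by = {}, {}
    for line in description.splitlines():
        if m := POLICY_LINE.match(line):
            policy[m[3]] = {"success": m[1] == "+", "failure": m[2] == "+"}
        elif m := FIELD_LINE.match(line):
            changed_by[m[1]] = m[2]
    return policy, changed_by

def triage_612(description, baseline):
    """Flag events that disable auditing the baseline requires, or come from a user."""
    policy, changed_by = parse_612(description)
    weakened = sorted(
        f"{cat} ({kind})"
        for cat, want in baseline.items()
        for kind in ("success", "failure")
        if want[kind] and not policy.get(cat, {}).get(kind, False)
    )
    # A trailing "$" marks a computer account, i.e. a local security policy refresh.
    machine = changed_by.get("User Name", "").endswith("$")
    return {"machine_refresh": machine, "weakened": weakened,
            "review": bool(weakened) or not machine}
```

A refresh by the computer account that still satisfies the baseline comes back with "review" set to False; anything changed by a user account, or any event that drops a required category, is marked for review.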
