I enabled Directory Service Access auditing and configured auditing categories in accordance with Netwrix instructions, but this configuration generates a lot of events and Security event log keeps being overwritten (even after increasing its size to 4GB). How can I decrease the number of events being generated for Directory Service Access auditing?
Although the Netwrix guides recommend enabling almost all categories when configuring object-level auditing, not all of them are actually used by Netwrix Auditor.
To reduce event generation, you can uncheck the unnecessary categories in the default domain container auditing settings. The following steps describe how to modify the domain container auditing settings so that unnecessary events are no longer generated (reducing Security event log usage):
- Log on to any Domain Controller in the monitored domain.
- Open Active Directory Users and Computers.
- Right-click the domain node and select Properties.
- Navigate to the Security tab -> Advanced -> Audit tab.
- Select Everyone and click Edit.
- Uncheck the following check boxes (only the Successful check boxes should remain checked):
  - Full Control
  - List Contents
  - Read all properties
  - Read permissions
  - All extended rights
  - Add GUID
  - All entries after "Add GUID" except "Reanimate tombstones"
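The same trimming can be reviewed and applied from PowerShell, which is useful when you want to see exactly which SACL entries behind the "Everyone" row in the dialog are producing the noise before touching them. The script below is an added example and is not a Netwrix script or part of the guide above. It assumes the ActiveDirectory RSAT module on a domain-joined machine and an account allowed to read and write the domain root SACL (Domain Admins), maps the dialog's check boxes onto ActiveDirectoryRights bits (Full Control = GenericAll, List Contents = ListChildren, Read all properties = ReadProperty, Read permissions = ReadControl, All extended rights = ExtendedRight with an empty object type), and treats the entries listed after "Add GUID" as individual extended rights (an assumption; property-level entries are reported and left alone). Nothing is written unless `-Apply` is passed.

```powershell
# Added example, not a Netwrix script: report and optionally trim the "Everyone" audit
# entries on the domain root to match the checkbox list in the answer above.
# Assumes the ActiveDirectory RSAT module on a domain-joined machine and an account that
# can read and write the SACL (Domain Admins). Without -Apply it only reports.
[CmdletBinding()]
param([switch]$Apply)

Import-Module ActiveDirectory

$rootDn   = (Get-ADDomain).DistinguishedName
$configNc = (Get-ADRootDSE).configurationNamingContext
$acl      = Get-Acl -Path "AD:\$rootDn" -Audit     # -Audit reads the SACL, not just the DACL

# Resolve rightsGuid -> display name so object-specific entries are readable in the report
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter '(rightsGuid=*)' `
             -Properties rightsGuid, displayName |
    ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }

# Look the Reanimate tombstones right up by name instead of hard-coding its GUID
$reanimate = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
                          -LDAPFilter '(cn=Reanimate-Tombstones)' -Properties rightsGuid
if (-not $reanimate) { throw 'Could not resolve the Reanimate-Tombstones right; refusing to continue.' }
$reanimateGuid = [guid]$reanimate.rightsGuid

# List Contents, Read all properties, Read permissions, All extended rights.
# Full Control (GenericAll) contains every bit, so subtracting these leaves only the
# create/delete/write-type rights audited, which is what the dialog ends up with.
$noisy = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl, ExtendedRight'
$success = [System.Security.AccessControl.AuditFlags]::Success
$changed = 0

# Snapshot the rules first; the collection is modified inside the loop
$rules = $acl.Audit | ForEach-Object { $_ }
foreach ($rule in $rules) {
    # Inherited entries come from a parent; only entries defined on the domain root matter here
    if ($rule.IsInherited -or $rule.IdentityReference.Value -ne 'Everyone') { continue }

    $rights = $rule.ActiveDirectoryRights
    if ($rule.ObjectType -eq [guid]::Empty) {
        $label = '(all object types)'
        $keep  = [System.DirectoryServices.ActiveDirectoryRights]([int]$rights -band (-bnot [int]$noisy))
    }
    else {
        $label = $rightNames[$rule.ObjectType]
        if (-not $label) { $label = "$($rule.ObjectType)" }   # attribute / property-set GUIDs are not extended rights
        if ($rights -eq [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -and
            $rule.ObjectType -ne $reanimateGuid) {
            # Individual extended rights after "Add GUID": drop all but Reanimate tombstones (assumption, see lead-in)
            $keep = [System.DirectoryServices.ActiveDirectoryRights]0
        }
        else {
            Write-Output "keep : $($rule.AuditFlags) $rights on $label"
            continue
        }
    }

    # Only the Successful column should stay checked
    $keepFlags = $rule.AuditFlags -band $success
    if ([int]$keep -eq [int]$rights -and $keepFlags -eq $rule.AuditFlags) {
        Write-Output "keep : $($rule.AuditFlags) $rights on $label"
        continue
    }

    Write-Output "trim : $($rule.AuditFlags) $rights on $label -> $keepFlags $keep"
    [void]$acl.RemoveAuditRuleSpecific($rule)
    if ([int]$keep -ne 0 -and [int]$keepFlags -ne 0) {
        $acl.AddAuditRule([System.DirectoryServices.ActiveDirectoryAuditRule]::new(
            $rule.IdentityReference, $keep, $keepFlags,
            $rule.ObjectType, $rule.InheritanceType, $rule.InheritedObjectType))
    }
    $changed++
}

if ($changed -eq 0)  { Write-Output 'Nothing to change.' }
elseif ($Apply)      { Set-Acl -Path "AD:\$rootDn" -AclObject $acl; Write-Output "Applied $changed change(s)." }
else                 { Write-Output "$changed change(s) pending; rerun with -Apply to write the SACL." }
```

Run it once without `-Apply` and compare the `trim` lines against what the dialog shows; the single "Everyone" row in the GUI is usually backed by several ACEs, and an ACE that combines a noisy right with a write or create right is rebuilt with the noisy bits removed rather than deleted outright, so write and delete auditing on the domain root is preserved. Entries the script is not sure about (property-level audit entries with a GUID it cannot resolve) are printed as `keep` for manual review.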