Event 578 upgraded to 8.1
Event 578 upgraded to 8.1 - 23.Sep.2008 12:06:54 PM
shane1130
I just upgraded to Events Manager 8.1 and now I am getting the following error, about 20 times a minute. It seems that the GFI service account is trying to take ownership. Did I miss a step in doing the upgrade?

---------------
Users using the take ownership privilege based on the privilege use events - Critical - SERVER - 578

Privileged object operation:
Object Server: Security
Object Handle: 188
Process ID: 2572
Primary User Name: LOCAL SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E5)
Client User Name: GFIAdmin
Client Domain: DOMAIN
Client Logon ID: (0x0,0x5C5E82E)
Privileges: SeTakeOwnershipPrivilege
----------------------

Shane
RE: Event 578 upgraded to 8.1 - 23.Sep.2008 12:36:16 PM
DrewE
This is something our development team is now looking into. To quiet these messages try this:
- Open the GFI EventsManager Management Console
- Choose Configuration -> Event Processing Rules
- Select Security -> Object Access Monitoring
- Locate the 'Take Ownership privilege' rule, which is normally priority 2
- Edit the properties and choose Criteria
- Add an advanced criterion for "Client User Name" (note the spaces; there is also an entry for "ClientUserName" that is incorrect). Add this criterion for "Does Not Equal" GFIAdmin
_____________________________
Drew Easley - Technical Support Representative GFI Software - www.gfi.com
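The criterion described in the reply above, as an added example that is not part of the original thread and not GFI's own code: a Python sketch that parses the event 578 text from the first post and applies "Client User Name" Does Not Equal GFIAdmin. The function names, the case-insensitive comparison and the second sample event (user jdoe) are assumptions made for illustration.

```python
import re

# Field labels of the event 578 description, as they appear in the first post.
LABELS = ["Object Server", "Object Handle", "Process ID", "Primary User Name",
          "Primary Domain", "Primary Logon ID", "Client User Name",
          "Client Domain", "Client Logon ID", "Privileges"]
_SPLIT = re.compile("(" + "|".join(map(re.escape, LABELS)) + r"):\s*")

# Event text copied from the first post (flattened onto one line, as posted).
EVENT_FROM_POST = (
    "Privileged object operation: Object Server: Security Object Handle: 188 "
    "Process ID: 2572 Primary User Name: LOCAL SERVICE Primary Domain: NT AUTHORITY "
    "Primary Logon ID: (0x0,0x3E5) Client User Name: GFIAdmin Client Domain: DOMAIN "
    "Client Logon ID: (0x0,0x5C5E82E) Privileges: SeTakeOwnershipPrivilege"
)
# Constructed sample: the same event with a different, made-up client account.
EVENT_OTHER_USER = EVENT_FROM_POST.replace("GFIAdmin", "jdoe")


def parse_578(description):
    """Split a 578 description into {label: value}, even when flattened to one line."""
    parts = _SPLIT.split(description)  # [preamble, label, value, label, value, ...]
    return {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}


def should_alert(fields, excluded_user="GFIAdmin"):
    """Apply the criterion from the reply: "Client User Name" Does Not Equal GFIAdmin."""
    if "SeTakeOwnershipPrivilege" not in fields.get("Privileges", "").split():
        return False  # this rule only concerns use of the take-ownership privilege
    # The label is looked up with its spaces, exactly as written in the event text.
    client = fields.get("Client User Name", "")
    # Assumption of this sketch: compare case-insensitively, since Windows
    # account names are not case-sensitive.
    return client.lower() != excluded_user.lower()


if __name__ == "__main__":
    for text in (EVENT_FROM_POST, EVENT_OTHER_USER):
        f = parse_578(text)
        verdict = "alert" if should_alert(f) else "suppressed"
        print(f["Client Domain"], f["Client User Name"], verdict)
```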
RE: Event 578 upgraded to 8.1 - 23.Sep.2008 1:15:10 PM
shane1130
Hi Drew,

Once I found the 578 rule, which was located under "Monitoring and attack detection", it would not allow me to add an advanced condition. Gave me an error saying the rule was already created.

Odd thing I noticed is that I have 2 sets of rules for "Monitoring and attack detection" and for "Object access Monitoring". One rule set is capitalized and one is lowercase.

Shane
RE: Event 578 upgraded to 8.1 - 23.Sep.2008 1:18:28 PM
DrewE
I'm sorry for the confusion in regards to the location. Can you add the criteria to either rule?
_____________________________
Drew Easley - Technical Support Representative GFI Software - www.gfi.com
RE: Event 578 upgraded to 8.1 - 23.Sep.2008 4:22:18 PM
shane1130
It worked after I deleted the extra set of rules. Somehow two sets of rules got installed.

Shane
RE: Event 578 upgraded to 8.1 - 25.Sep.2008 9:18:48 AM
shane1130
I now seem to have a new problem. After making the change indicated above, I am no longer getting e-mail alerts. I was getting them before, 20 a minute, about the 578 rule, and I get test e-mails, but when I deliberately lock a user account I do not get an e-mail alert as I did in version 7.

Shane