Security event log entries missing values when generated from network access


Werner van Deventer

With object auditing and directory audit settings correctly applied, all necessary file system access events are logged to the Security event log. When making changes locally (to C:\Share for example), the event logs are generated perfectly. However, when making changes through a share from a remote machine (C:\Share exposed via \\Server\Share for example), a log entry is created, but it's missing all of the values:





Entries with missing values like this are only created when making changes from another machine on the network. Tested with multiple users coming from multiple machines, all with the same result; nothing else is creating entries like this. Other machines with the same audit settings work correctly; it happens on just one rogue Windows 2012 server.

Has anyone ever seen this before?
What could cause the replacement fields not to be set?


It seems quite critical since a failure to create a security audit entry is a big deal, especially for remote file system access.

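An added example, not part of the original post: one way to measure how many Security log entries are affected is to read each event's XML and list the expected fields that are empty or absent. It assumes the entries in question are object-access events (ID 4663); the function names, the list of expected fields and the sample records are constructed for illustration.

```powershell
# Added example (not from the original post). Assumption: the affected entries are
# object-access events (ID 4663) whose <EventData> values are empty or absent.
function Get-EmptyEventDataField {
    param(
        [Parameter(Mandatory = $true)][string]$EventXml,
        # Fields treated as required here; the list is an assumption, adjust as needed.
        [string[]]$Expected = @('SubjectUserName', 'ObjectType', 'ObjectName', 'AccessMask')
    )
    $doc = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $present = @{}
    foreach ($node in $doc.SelectNodes('//e:EventData/e:Data', $ns)) {
        $present[$node.GetAttribute('Name')] = $node.InnerText
    }
    # Emit every expected field that is absent or holds only whitespace.
    $Expected | Where-Object {
        -not $present.ContainsKey($_) -or [string]::IsNullOrWhiteSpace($present[$_])
    }
}

# Scan the live Security log (elevated prompt) and report incomplete records.
function Find-IncompleteAuditEvent {
    param([int]$Id = 4663, [int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } -MaxEvents $MaxEvents |
        ForEach-Object {
            $missing = @(Get-EmptyEventDataField -EventXml $_.ToXml())
            if ($missing.Count) {
                [pscustomobject]@{ RecordId = $_.RecordId; TimeCreated = $_.TimeCreated
                                   Missing  = $missing -join ', ' }
            }
        }
}

# Constructed sample records so the field check can be tried offline.
$complete = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="SubjectUserName">alice</Data><Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Share\report.docx</Data><Data Name="AccessMask">0x2</Data>
</EventData></Event>
'@
$blank = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="SubjectUserName"></Data><Data Name="ObjectName"> </Data>
<Data Name="AccessMask">0x2</Data></EventData></Event>
'@
"complete record, missing: $((Get-EmptyEventDataField -EventXml $complete) -join ', ')"
"blank record, missing:    $((Get-EmptyEventDataField -EventXml $blank) -join ', ')"
```

Running `Find-IncompleteAuditEvent` on the affected server and on one that logs correctly gives a side-by-side count of incomplete records for the same kind of access.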