Hi Folks,
We have two distinct installations of DCS 6.7.
Both installations are on Windows Server 2012 R2 and both installed on a D:\
We found a significant amount of successful security audit events any time an object is created or accessed on the filesystem where DCS is installed.
It peaks every hour - for about 5 minutes every hour, about 200,000 audit events are created (Per instance)
86% of events are Event ID: 4663
13% of events are Event ID: 4660
After a full day, we could have 3 millions 4663,4660 events and this is causing a real problem for visibility.
The only two filesystems in the entire environment doing this belong to the DCS Server.
Does anyone have thoughts on how to reduce/eliminate all these events?
Example:
Message=An attempt was made to access an Object
Object
Object Server: Security
Object Name: D:\Program Files (x86)\Symantec\Data Center Security\Server\config.db
Process Information
Process Name=D:\Program Files (x86)\Symantec\Data Center Security\Server\tomcat\bin\tomcat7.exe
Access Request Information
Accesses: WriteData (or Addfile)
Thanks
James