Auditing events 4656 and 4658 on Windows folder on Server 2008

Question

During an overnight system state backup we are seeing thousands of success audit events (4656, 4658) on the folder c:\windows\servicing, system32 and others in the windows folder.

We use file success auditing on some files so I can't disable it but this deluge is filling up the logs and making reporting tricky.

What is the harm of changing the auditing settings on the windows folder?

What are the recommended settings to put on the files for those people doing system state backups?

Thanks,

score 1 · Accepted Answer · answered Jan 04 '10 at 17:50

As far as I know, windows 2008 does not directly rely on the auditing tool for any out of the box system functionality. In other words, changing the settings should not have any side effects.

If you've enabled the auditing settings, then you must have a list of requirements for it - you must be relying on the audits for some purpose, and have a set of requirements in terms of what is logged and what is not logged. Use that information to decide what to log, and when.

Auditing events 4656 and 4658 on Windows folder on Server 2008

1 Answers1