After upgrading to 2.2.166.x on PSW, the Windows security logs began filling up with successful audits.
Resolving the problem
Starting with PSW version 2.2.166, the agent automatically turns on success and failure auditing of object access in the Audit Policy section of Group Policy whenever RIM is enabled. These settings overwrite any GPO settings. The reason is that without audit settings in place, RIM would appear not to be functioning. Keep in mind that for auditing to work, the audit policy must be set and you must also turn on the audit settings on each object you want to audit. Enabling RIM alone does not necessarily mean you will see new successful audits.
If you have too many objects to go through to shut off successful audits, a patch (version 184.108.40.20643) was created that stops RIM from enabling success object access auditing in your audit policy. If your agent is past version 2843, please contact IBM support and ask them to port the patch over to the version you are currently on.
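To see which objects can actually generate success audits, the two layers described above (the audit policy and the audit entries on each object) can be inventoried from PowerShell. This is an added example, not IBM or PSW code. It assumes Windows Vista/Server 2008 or later (for `auditpol.exe`), English category names, and an elevated prompt, since reading a SACL requires the "Manage auditing and security log" right. `$Root` and the function name are hypothetical.

```powershell
# Added example. $Root is a hypothetical path: use the folder or registry
# key (for example 'HKLM:\SOFTWARE\Example') whose objects you audit.
param([string]$Root = 'C:\Data')

# 1. Effective policy: Object Access subcategories that audit Success.
#    auditpol /r emits CSV; 'Inclusion Setting' reads e.g. "Success and Failure".
auditpol.exe /get /category:"Object Access" /r |
    Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -match 'Success' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# 2. Per-object SACLs: report explicit (non-inherited) Success audit entries.
#    Only objects carrying such an entry produce success events under step 1.
function Get-SuccessAuditEntry {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -Audit -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read SACL on ${Path}: $($_.Exception.Message)"
        return
    }
    $success = [System.Security.AccessControl.AuditFlags]::Success
    foreach ($rule in $acl.Audit) {
        if ($rule.IsInherited -or -not ($rule.AuditFlags -band $success)) { continue }
        [pscustomobject]@{
            Path     = $Path
            Identity = $rule.IdentityReference.Value
            Flags    = $rule.AuditFlags
            # Registry keys expose RegistryRights, files and folders FileSystemRights.
            Rights   = if ($rule -is [System.Security.AccessControl.RegistryAuditRule]) {
                           $rule.RegistryRights
                       } else {
                           $rule.FileSystemRights
                       }
        }
    }
}

# Walk the root and everything beneath it; PSPath works for files and keys.
$targets = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSPath })
$targets | ForEach-Object { Get-SuccessAuditEntry -Path $_ } |
    Sort-Object Path | Format-Table -AutoSize
```

Objects listed in step 2 are the ones whose audit entries need to be edited to stop success events; an empty list with Success enabled in step 1 means the policy alone is not the source of new events.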
If the above information does not resolve your issue, please contact IBM Security Systems Customer Support.