Windows security logs filling up after upgrading to 2.2.166.x with RIM enabled on Host Protection for Windows Server
After upgrading to versions 2.2.166.x on Host Protection for Windows Server (HPW), the Windows security logs may begin filling up with successful audits.
Starting with HPW version 2.2.166, the agent automatically enables success and failure auditing of object access in the Audit group policy section whenever RIM is enabled. These settings overwrite any GPO settings. This behavior was introduced because, with no audit settings configured, RIM appears not to be functioning. Keep in mind that for auditing to work, the Audit policy must be set and the audit settings must also be turned on at each object you want to audit. Enabling RIM alone does not necessarily mean you will see new successful audits.
Resolving the problem
If you have too many objects on which to shut off successful audits manually, a patch (version 18.104.22.16843) was created that stops RIM from enabling success auditing of object access in your audit policy. If your agent is past version 2843, please contact IBM Support and ask them to port the patch to the version that you are currently on.
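
To judge how many objects are involved, the following PowerShell script (an added example, not IBM or HPW code) prints the current Object Access audit policy and lists every object under a path whose audit settings request Success audits. The path `C:\Data` and the parameter names are assumptions; the script accepts a file-system or registry path, must run elevated, and the category name passed to auditpol is the English one.

```powershell
# Added example: show the Object Access audit policy, then list objects whose
# audit entries (SACL) include Success. Read-only; run from an elevated prompt.
param(
    [string]$Root = 'C:\Data',      # hypothetical path; e.g. 'HKLM:\SOFTWARE\Example'
    [switch]$IncludeInherited       # also list entries inherited from a parent
)

# 1. Policy side: is Success and/or Failure enabled per subcategory?
auditpol.exe /get /category:"Object Access"

# 2. Object side: walk the tree and read each object's audit rules.
$success = [System.Security.AccessControl.AuditFlags]::Success
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$report = foreach ($item in $items) {
    # Files expose FullName, registry keys expose Name.
    $name = if ($item.PSProvider.Name -eq 'Registry') { $item.Name } else { $item.FullName }
    try {
        # -Audit reads the SACL; needs the "Manage auditing and security log" right.
        $acl = Get-Acl -LiteralPath $item.PSPath -Audit -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read audit settings on ${name}: $($_.Exception.Message)"
        continue
    }
    foreach ($rule in $acl.Audit) {
        if (-not ($rule.AuditFlags -band $success)) { continue }   # Failure-only entry
        if ($rule.IsInherited -and -not $IncludeInherited) { continue }
        $rights = if ($rule -is [System.Security.AccessControl.RegistryAuditRule]) {
            $rule.RegistryRights
        } else {
            $rule.FileSystemRights
        }
        [pscustomobject]@{
            Path      = $name
            Identity  = $rule.IdentityReference.Value
            Rights    = $rights
            Flags     = $rule.AuditFlags
            Inherited = $rule.IsInherited
        }
    }
}

$report | Sort-Object Path | Format-Table -AutoSize -Wrap
"{0} success-audit entries found under {1}" -f @($report).Count, $Root
```

By default only explicitly set entries are listed, since those are the objects where the audit setting would have to be changed; inherited entries follow from their parent.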