Flooded with Event Id's 4663

Thanks for replying.

I would like to exclude “SYSTEM” from reporting not filtering. These events are way too frequent - it deletes older events, so I’m not able to track down the other deletion events.

Anyway to exclude “SYSTEM” reporting to the event logs?

@rupesh-lepide

First off, you do not need to purchase a 3rd-party product in order to filter out audit events from the SYSTEM user account. In fact, auditing itself, the creation of events, is solely controlled by Windows and its auditing subsystem. 3rd party apps can potentially change auditing or collect, normalize etc. events, but only Windows controls what is logged.

Lucky for you, auditing in Windows is pretty granular, and you can control from which users you will and will not get audit events. You can most certainly exclude the SYSTEM user account from generating audit events. Where did you configure auditing on this system? Did you do that via group policy or did you just right-click the root of the C drive and enable auditing there (like below)?

495eb6ee-535d-4c2d-9601-108c7a8e5279-auditing.png800×324 47.5 KB

Normally people just audit the “Everyone” built-in group since that ensures that all access to a folder is being audited, and that would of course include the SYSTEM account. An easy way to change this would be to specify which users you want to audit. If you have a group for all of your users (not “Domain Users” since that would include SYSTEM) then you could use that. Setting this up is a little tricky since you can’t just add an entry for SYSTEM that doesn’t audit anything, since the auditing should be accumulative and then still audit that.

Another approach would be to create a group in your domain or on the server (e.g. call it “Built-In Users”) and add the SYSTEM account to it. Then you can use conditions on the audit entry to NOT audit users that are part of that group.

48cbaebd-f277-425c-9b2c-98e356652083-condition.png800×103 24.5 KB

Hope that helps.