While trying to test SACL creation on a filesystem object, I noticed that it was not logging to the event log. After some digging, I found that I had to flip the "master switch" in Local Security Policy in order for the entries to be logged. So, I enabled Success and Failure logging for "Audit Object Access."
When I checked the event log, however, it was being spammed by audit events for things I hadn't even enabled! Firewall failures, \Windows32 file accesses, a host of other random audit entries began spilling into the Security log where they hadn't prior.
So, my question is, does Windows ship with a predefined set of SACLs that activate when you activate this "Master Switch?" Can I get a list of them and/or choose to add/remove them?
Why don’t you try with the Advanced Audit Policy Configuration node?
For more information about Advanced Audit Policy Configuration, see http://go.microsoft.com/fwlink/?LinkId=140969
You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. Click the Advanced button and go to the Auditing tab. You can edit auditing entries there.
Also, you can always filter the current log in Event Viewer.
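
An added example, not part of the original thread: the legacy "Audit Object Access" switch turns on every Object Access subcategory at once, so the PowerShell below uses the per-subcategory policy to enable only File System auditing, sets a SACL on one folder, and reads back the resulting events. It assumes an elevated prompt, English subcategory names, and a hypothetical test folder `C:\AuditTest`.

```powershell
# Run from an elevated PowerShell prompt.
# $path is a hypothetical test folder used for illustration; substitute your own.
$path = 'C:\AuditTest'

# 1. Show the current state of each subcategory under Object Access.
auditpol /get /category:"Object Access"

# 2. Turn the whole category off, then enable only the subcategory that
#    honours file and folder SACLs. Subcategories such as
#    "Filtering Platform Connection" log without any SACL, which is where
#    firewall noise comes from when the whole category is enabled.
auditpol /set /category:"Object Access" /success:disable /failure:disable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. Add an audit entry to the folder's SACL: log successful and failed
#    write/delete attempts by anyone, inherited by child files and folders.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Confirm the audit entries that are now on the object.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 5. Read back only the file-access events (ID 4663) that mention the folder,
#    instead of scrolling the whole Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$path*" } |
    Select-Object TimeCreated, Id, Message
```

If a Group Policy still applies the legacy category setting, it can overwrite these subcategory choices at the next policy refresh unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.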