When monitoring the EventSentry service on remote computers, a 560 Audit Failure event in the security log is logged during every heartbeat interval.

Article ID: 72
Category: Heartbeat Monitoring
Created: 2005-12-19

The OS will usually log an Audit Failure similar to the one shown below when a process (e.g. the heartbeat monitoring agent) tries to read the service status:

Object Server: SC Manager
Object Name: EventSentry
Handle ID: -
Operation ID: {0,26249353}
Process ID: 123
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: LOCALCOMPUTER$
Primary Domain: LOCALDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client Domain: OTHERDOMAIN
Client Logon ID: (0x0,0x190887A)
Query service configuration information
Query status of service
Enumerate dependencies of service
Query information from service

You are seeing this error because you are monitoring the EventSentry service with the heartbeat agent and the computer being monitored does not allow the heartbeat agent to query its service status.

This usually happens when the heartbeat agent is running under the LocalSystem account and the target computer (the computer being monitored) is either running Windows NT4, is in a different domain or is running Windows 2003 or Windows Vista.

To work-around this problem you can do one of the following:

  • Change the user account the EventSentry Heartbeat Agent is running under. It is recommended that you select a user account that has permissions (usually an administrative user account) to query the service status. See KB article 41 for more information.

  • Change the ACLs of the EventSentry service on the monitored machines. See KB article 41 for more information.

  • Do not monitor the EventSentry agent on the remote computer. You can customize the heartbeat settings on that computer by right-clicking the computers container, selecting "Customize Computers" and double-clicking the computer in question in the right pane.

Please see the EventSentry manual for more information on heartbeat monitoring.