Missing lsass.exe entries in seaudit

book

Article ID: 5949

calendar_today

Updated On:

Products

CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)

Issue/Introduction

Not getting lsass.exe entries in seaudit when a user logs in on windows. e.g. the following kind of message is missing (where <server> is the endpoint and <user> is the user): 

30 Jan 2017 08:48:04 P LOGIN <user> 59 2 <server> C:\Windows\System32\lsass.exe 

 

 

Environment

Release: ACP1M005900-12.9-Privileged Identity Manager
Component:

Resolution

This is likely to be because %SystemRoot%\system32\eACSubAuth.dll was renamed to eACSubAuth.dll.old and this causes lsass.exe to no longer be called during login. Rename it back to eACSubAuth.dll and the entry should now be in seaudit.