From: TimG on
The security event log has thousands of 560 failure audit events for users
(normal and administrative) and NETWORK SERVICE:
Source: Security
Category: Object Access
Type: Failure Audit
Event ID: 560
Object Name: \Device\NetBT_Tcpip_{GUID}
Image File Name: C:\WINDOWS\explorer.exe (48k in last 30 days)
Image File Name: C:\WINDOWS\system32\svchost.exe (11k in last 30 days)
Accesses: SYNCHRONIZE, ReadData (or ListDirectory), WriteData (or AddFile)

We are required to have the audit access of global system objects turned on
and have a baseline of the SSLF templates installed. Is there a way to
eliminate either of these failure audits from being logged without turning
off auditing of global system objects?