Re: Thousands of Event Log Entries



These articles may help.

http://support.microsoft.com/default.aspx?scid=kb;en-us;287537
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

<matlemmings@xxxxxxxxx> wrote:
| Hi Folks
|
| Any thoughts on this? I've got a Windows 2003 Server, Standard Edition,
| that's constantly filling up the Security Event Log with Event ID's
| 538, 540 and 576. The entries always appear together, usually, though
| not always, as 5 pairs of 576 & 540 followed by three 538 entries.
| These 13 entries (or a combination thereof) then keep appearing 24/7,
| at intervals of anything between 10 seconds and 3 minutes.
|
| These entries are generated even when the server is doing nothing in an
| empty office with no users on the system at all (other than me on the
| server, of course).
|
| It's having a very detrimental effect on server performance, especially
| on disk mirroring. It took 12 hours the other day to mirror a 40gb
| volume!
|
| I've come across article 822774 in the knowledgebase, but I'm not sure
| if that's totally appropriate as it only mentions ID 576 entries and
| the hotfix suggested (installing Lsasrv.dll version 5.2.3790.54 dated
| 11th June 2003) may already be present in my installed version, which
| is 5.2.3790.1830, dated 24th March 2005).
|
| Sample entries of all three event ID's (they are always the same):
|
| EventID 538 entry:
|
| User Logoff:
| User Name: 2003SERVER$
| Domain: DENISWRIGHTLTD
| Logon ID: (0x0,0x92063C)
| Logon Type: 3
|
|
| EventID 576 entry:
|
| Special privileges assigned to new logon:
| User Name:
| Domain:
| Logon ID: (0x0,0x9206AC)
| Privileges: SeSecurityPrivilege
| SeBackupPrivilege
| SeRestorePrivilege
| SeTakeOwnershipPrivilege
| SeDebugPrivilege
| SeSystemEnvironmentPrivilege
| SeLoadDriverPrivilege
| SeImpersonatePrivilege
| SeEnableDelegationPrivilege
|
| EventID 540 entry:
|
| Successful Network Logon:
| User Name: 2003SERVER$
| Domain: DENISWRIGHTLTD
| Logon ID: (0x0,0x9206AC)
| Logon Type: 3
| Logon Process: Kerberos
| Authentication Package: Kerberos
| Workstation Name:
| Logon GUID: {332dbd11-824c-fc57-9d9d-d9e731fccec5}
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: 192.168.0.253 [the IP address of the server]
| Source Port: 2403
|
| Any help greatly appreciated!
|
| Regards
|
| Mat Lemmings
|
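
One way to triage the pattern described in the question, as an added example that is not part of the original thread: it groups exported 538/540/576 entries by Logon ID and reports the network logons made by a machine account (name ending in `$`) from the server's own address. The function names and the sample text are constructed for illustration, and the input is assumed to be the text layout quoted above with the `|` quote markers stripped.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the entries quoted in the thread.
SAMPLE = """\
EventID 576 entry:
User Name:
Logon ID: (0x0,0x9206AC)
Privileges: SeSecurityPrivilege

EventID 540 entry:
User Name: 2003SERVER$
Logon ID: (0x0,0x9206AC)
Logon Type: 3
Source Network Address: 192.168.0.253

EventID 540 entry:
User Name: alice
Logon ID: (0x0,0x9301F0)
Logon Type: 3
Source Network Address: 192.168.0.17

EventID 538 entry:
User Name: 2003SERVER$
Logon ID: (0x0,0x9206AC)
Logon Type: 3
"""

def parse_events(text):
    """Split on 'EventID N entry:' headers; return one field dict per event."""
    events = []
    for block in re.split(r"(?m)^(?=EventID \d+ entry:)", text):
        head = re.match(r"EventID (\d+) entry:", block)
        if head:
            pairs = re.findall(r"(?m)^([A-Za-z ]+):[ \t]*(.*)$", block)
            events.append({"id": int(head.group(1)),
                           **{k: v.strip() for k, v in pairs}})
    return events

def self_machine_logons(events, server_ip):
    """Map Logon ID -> event IDs seen, for machine-account ($) network
    logons (540, type 3) whose source address is the server itself."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.get("Logon ID", "")].add(ev["id"])
    return {ev["Logon ID"]: sorted(seen[ev["Logon ID"]]) for ev in events
            if ev["id"] == 540 and ev.get("Logon Type") == "3"
            and ev.get("User Name", "").endswith("$")
            and ev.get("Source Network Address") == server_ip}
```

Counting the returned sessions per hour against the total number of 540 entries shows how much of the log volume comes from the server authenticating to itself rather than from remote clients.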

