Re: Event Log ID 538 and 540 continuous

From: Merv Porter [SBS-MVP] (mwport_at_hotmail.com_no_spam)
Date: 04/06/04


Date: Tue, 6 Apr 2004 17:56:21 -0500

I believe the Default Domain Controller Security Settings for SBS 2003 are
set to 'Success' for "Audit Logon Events" and "Audit Account Logon" events.
Turning on "Audit Logon Events" may generate a large log (on my test server,
the log currently stands at 19 MB and 538/540 events appear to be logged
every few seconds). The default (maximum) size for the Security log is 65
MB. For the Application and System logs, the default is 16 MB. Seems like
this indicates that you need to be prepared for a lot of events in the
Security log.

You may be able to switch to only activating "Audit Account Logon Events"
(not sure of the security implications here). From what I gather, "Audit
Logon Events" will log ALL activity both at the workstation(s) and domain
controller level and create an entry in the log for either of these. The
number of logged events may get pretty high given 'system' account activity
in the domain.

"Audit Account Logon Events" will only look for audit events when
authenticating an account involves the domain controller (not the
workstation).

This thread may explain the difference a little better...
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=upm1q%2349BHA.2596%40tkmsftngp05&rnum=1&prev=/groups%3Fq%3Daudit%2520account%2520logon%2520vs%2520audit%2520logon%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DN%26tab%3Dwg

-- 
Merv  Porter  [SBS MVP]
===================================
"Robert Kellogg" <DuPont24_03@msn.com> wrote in message
news:ehuamvBHEHA.3700@TK2MSFTNGP09.phx.gbl...
> Hello Merv
>
> Thanks for the response..
>
> I checked the Security settings "Local Policies / Audit Policy" and the only
> thing I am auditing is "Audit logon events - Success, Failures"..  Which I
> need to for illegal logons or attempted attacks on accounts...
>
> So I could turn this off in the mean time just to see if these entries stop,
> but that still is not going to tell me why there are repeated entries
> showing up in the Event Viewer from this Audit Policy....  It's like the user
> or client is logging on and off every sec...  Oh and there are SYSTEM entries
> in there too, so the server is doing it on its own audit policy..
>
> regards,
>
> Robert
>
>
>
> "Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote in message
> news:%23DO0fhAHEHA.2236@TK2MSFTNGP11.phx.gbl...
> > In your group policies, are you auditing all events (Audit Logon Events) or
> > just success/fail logons?  I think Audit Logon Events might list everything
> > that happens on your server.
> >
> > -- 
> > Merv  Porter  [SBS MVP]
> > ===================================
> > "Robert Kellogg" <DuPont24_03@msn.com> wrote in message
> > news:#CRrwIAHEHA.2012@TK2MSFTNGP09.phx.gbl...
> > > I have been experiencing numerous 538 and 540 entries in my Security Event Viewer
> > > ever since I did an SBS2003 in-place upgrade from SBS2000.
> > >
> > > The entries seem to be random for any user or client also.  The rate of
> > > growth has been up to 10,000 entries in an 8hr work day.
> > >
> > > Now I have also noticed that these entries exist even if the users are
> > > logged off the network but there will be repeated logon/logoff (538 and 540)
> > > entries in the event viewer but they will be of the client machine (i.e.
> > > computername$).
> > >
> > > Also they are all Logon type 3 and process is Kerberos..
> > >
> > > What would be causing this..  I can't seem to find anything except an
> > > article about Event ID 576 fills log... Not very helpful..
> > >
> > > Thanks
> > >
> > > Robert
> > >
> > >
> >
> >
>
>
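
An added example, not part of the original thread: a Python triage script that tallies 538/540 rows from a Security log export by account class (computername$ machine accounts, SYSTEM, real users), logon type and logon process, so the share of events that actually involve user accounts is visible before changing the audit policy. The CSV column layout, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample rows (not from the thread). Assumed column layout for a
# Security log export: time, event_id, account, logon_type, logon_process.
SAMPLE_EXPORT = """\
time,event_id,account,logon_type,logon_process
2004-04-06 09:00:01,540,CLIENT01$,3,Kerberos
2004-04-06 09:00:01,538,CLIENT01$,3,Kerberos
2004-04-06 09:00:03,540,SYSTEM,3,Kerberos
2004-04-06 09:00:04,540,CLIENT02$,3,Kerberos
2004-04-06 09:00:04,538,CLIENT02$,3,Kerberos
2004-04-06 09:00:07,540,jsmith,3,Kerberos
2004-04-06 09:00:09,538,jsmith,3,Kerberos
2004-04-06 09:00:12,540,CLIENT01$,3,Kerberos
"""

def account_class(name):
    """Bucket an account by the noise sources named in the thread."""
    if name.endswith("$"):
        return "machine"  # computername$ accounts
    if name.upper() == "SYSTEM":
        return "system"
    return "user"

def summarize(export_text, event_ids=("538", "540")):
    """Count 538/540 rows per (class, logon type, process) and per account."""
    by_class, by_account = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] not in event_ids:
            continue  # ignore unrelated event IDs in the export
        cls = account_class(row["account"])
        by_class[(cls, row["logon_type"], row["logon_process"])] += 1
        by_account[row["account"]] += 1
    return by_class, by_account

def user_share(by_class):
    """Fraction of the counted events that belong to real user accounts."""
    total = sum(by_class.values())
    user = sum(n for (cls, _, _), n in by_class.items() if cls == "user")
    return user / total if total else 0.0

if __name__ == "__main__":
    classes, accounts = summarize(SAMPLE_EXPORT)
    for key, n in classes.most_common():
        print(key, n)
    print("top accounts:", accounts.most_common(3))
    print("user share: %.0f%%" % (100 * user_share(classes)))
```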

