SBS Security event log

Tech-Archive recommends: Speed Up your PC by fixing your registry

From: john schmitz (johnschmitz_at_discussions.microsoft.com)
Date: 02/04/05 

Date: Fri, 4 Feb 2005 06:41:04 -0800

I have received quite a few of these entries in my Event Log under security,
not sure what is generating them, they are coming from 5 internal IP
addresses at very strange times of the day. I looked on Microsofts site and
couldn't find anything on such. Any help is appreciated. In addition there is
a second entry also listed that is showing up regarding exchange. I am
running SBS 2003 with Win XP machines all on Service Pack 2.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 2/4/2005
Time: 7:19:46 AM
User: NT AUTHORITY\SYSTEM
Computer: KELLYSERVER
Description:
Logon Failure:
         Reason: An error occurred during logon
         User Name:
         Domain:
         Logon Type: 3
         Logon Process: Kerberos
         Authentication Package: Kerberos
         Workstation Name: -
         Status code: 0xC000006D
         Substatus code: 0xC0000133
         Caller User Name: -
         Caller Domain: -
         Caller Logon ID: -
         Caller Process ID: -
         Transited Services: -
         Source Network Address: 10.0.0.26
         Source Port: 2898

Second Entry

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2/3/2005
Time: 5:32:01 PM
User: NT AUTHORITY\SYSTEM
Computer: KELLYSERVER
Description:
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: EXCHANGE$
         Domain: MENIL
         Logon Type: 3
         Logon Process: NtLmSsp
         Authentication Package: NTLM
         Workstation Name: EXCHANGE
         Caller User Name: -
         Caller Domain: -
         Caller Logon ID: -
         Caller Process ID: -
         Transited Services: -
         Source Network Address: -
         Source Port: -

Relevant Pages

  • Security Event Log
    ... I am tring to subscribe to the "Security" event log but I get access denied ... When I run my code as administrator it works fine but when I impersonate ... What I am trying to accomplish is to get logon, logoff, logon failure ...
    (microsoft.public.platformsdk.security)
  • Re: Cant install ADAM master on XP SP2
    ... policy of the WinXP should give you more info in the security event log. ... Installing with local admin creds ... I set forceguest to 0 and I turned logon failure ... incompatible with ADAM? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Cant install ADAM master on XP SP2
    ... policy of the WinXP should give you more info in the security event log. ... I set forceguest to 0 and I turned logon failure ... incompatible with ADAM? ... Substatus code: 0xA4FC50 ...
    (microsoft.public.windows.server.active_directory)
  • RE: Microsoft IIS - Possible authentication flaw?
    ... This file contains the messages written to the event log in case of errors. ... the EventID 0x80000064 (event viewer only shows the ... %2 = Logon failure: unknown user name or bad password. ... ReportEvent function incorrectly sending to the event log an event with the ...
    (Vuln-Dev)
  • Re: EMail/Security problem...
    ... I have took a look on your security log,I just see the failure one time as ... Please send me the latest security log again,and tell me the name of the ... does the security log have just logon failure one time? ... from your newsreader: microsoft.private.directaccess.partnerfeedback. ...
    (microsoft.public.windows.server.sbs)