Re: Many Logon/Logoff Entries

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: "Mike Stem" <PSCCmdt@xxxxxxxx>
Date: Tue, 10 May 2005 11:55:09 -0400

Brandon,

I too have noticed this, and eagerly await the SBS guru's answer. I spent
last week-end troubleshooting a Logon/LogOff issue and discovered just how
many entries there were! In the previous five (5) day period, there were
over 170,000 of these entries in the Security Log. When I filtered on only
the Failures, it took it down to about fifty (50) entries. All of the rest
were of the type you describe...

--
Mike Stem
Cinti, OH
SBS2003 Newbie

"Brandon" <bsmith@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23lYrSFXVFHA.1452@xxxxxxxxxxxxxxxxxxxxxxx
> Our server security logs are FULL of successful logons (event 540) and
> logoffs (event 538) happening all throughout the day and night for all
> users. Is this normal Kerberos activity? (see below for log entries)
>
> ***********************
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 5/6/2005
> Time: 10:25:12 AM
> User: Domain\lsmith
> Computer: SERVER
> Description:
> User Logoff:
> User Name: lsmith
> Domain: Domain
> Logon ID: (0x0,0x24E093D)
> Logon Type: 3
>
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 5/6/2005
> Time: 11:47:55 AM
> User: Domain\lsmith
> Computer: SERVER
> Description:
> Successful Network Logon:
> User Name: lsmith
> Domain: Domain
> Logon ID: (0x0,0x28C925E)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID: {cce2d6cf-d315-c221-8431-6d670e012994}
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: [User's Workstation IP Address]
> Source Port: 2653
>
>
> --
> Brandon Smith
> IT Director
> Presentations Direct - Specialized Office Equipment & Supplies
> http://www.presentationsdirect.com
>
>

.

References:
- Many Logon/Logoff Entries
  - From: Brandon

Prev by Date: Re: Mac cannot browse the Internet
Next by Date: VPN Connection Issue - Browsing Folders (Windows 2000)
Previous by thread: Many Logon/Logoff Entries
Next by thread: Re: Many Logon/Logoff Entries
Index(es):
- Date
- Thread

Relevant Pages

Re: please help to extract security event log
... I want to select security events of " logon/logoff" category between say ... Successful Network Logon: ... Caller User Name: - ...
(microsoft.public.scripting.vbscript)
Re: Since W2003 SP1, many event 537 (failed logon)
... > Event Category: Logon/Logoff ... You will be taken to the proper newsgroup that will be able to help ... > Logon Failure: ... > Caller User Name: ...
(microsoft.public.windowsupdate)
Security event crazyness... help!
... 540/538 as teh even type here is even log entries, ... Event Category: Logon/Logoff ... Successful Network Logon: ... Caller User Name: - ...
(microsoft.public.windows.server.general)
too many logon/logoff events in security log
... I turn on the audit policy to monitor the logon/logoff envents in security ... However, there is too many logon/logoff events, average 3 times per ... Logon ID: ... Caller User Name: - ...
(microsoft.public.windows.server.security)
Re: Thousands of Event Log Entries
... Sadly, IIS is gone but the Event Log entries remain, so I'm still in ... I've got a Windows 2003 Server, Standard Edition, ... | Successful Network Logon: ... | Caller User Name: - ...
(microsoft.public.windows.server.general)