Re: Security event log messages 576/540/538


Nick,

I see your point. I just found this in an earlier post; it looks like it
could do what you wish. Check it out:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This is the SBS default auditing level, and it's probably based on a
security best practice. IMO it makes the security log useless because you
can't separate the valuable entries from the sea of entries that don't
require attention.

To change this setting, on the server open Group Policy Management. In the
left pane under Domain Controllers, right-click the SBS auditing policy and
click Edit. Under Computer Configuration -> Windows Settings -> Security ->
Local -> Audit, see what's logging Success and Failure. Open that entry and
clear the check box for Success. (I'm not at the server so I don't have the
exact entry, but I think it's Audit Logon Events). You should see the
success entries stop shortly after changing the setting.

BTW, I recommend writing down the details any time you change a setting in
group policy, so that you can put it back if you get unintended results.


"Brandon" <bsmith@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23lYrSFXVFHA.1452@xxxxxxxxxxxxxxxxxxxxxxx
> Our server security logs are FULL of successful logons (event 540) and
> logoffs (event 538) happening all throughout the day and night for all
> users. Is this normal Kerberos activity? (see below for log entries)

"NickC" <NoSpam@xxxxxxxxxxxxxx> wrote in message
news:uDci7RhVFHA.3024@xxxxxxxxxxxxxxxxxxxxxxx
> Has anyone found a way to stop the flood of event messages 576/540/538 from
> filling the security event log? I know they are only informational but they
> get in the way preventing other more important events from being noticed.
> Also they must use up some cpu time especially if the SBS$Monitoring service
> has to sift through them all.
> Nick
>
>
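
Added example, not part of the original thread or any poster's code: a way to get the 576/540/538 entries out of the way when reviewing a saved copy of the Security log, while leaving Success auditing switched on so the logon records still exist. It assumes the log was exported to CSV with the column names shown; the sample rows are constructed, and the name triage is hypothetical.

```python
import csv
import io
from collections import Counter

NOISY_IDS = {"576", "540", "538"}  # the event IDs named in the thread

# Constructed sample export. The column layout is an assumption and these
# rows are not taken from a real log.
SAMPLE_EXPORT = """Date,Time,Source,Type,Category,Event,User,Computer
5/10/2005,09:00:01,Security,Success Audit,Logon/Logoff,540,alice,SERVER01
5/10/2005,09:00:01,Security,Success Audit,Privilege Use,576,alice,SERVER01
5/10/2005,09:00:04,Security,Success Audit,Logon/Logoff,538,alice,SERVER01
5/10/2005,09:02:10,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SERVER01
5/10/2005,09:03:30,Security,Success Audit,Logon/Logoff,540,bob,SERVER01
5/10/2005,09:03:31,Security,Success Audit,Logon/Logoff,540,alice,SERVER01
5/10/2005,09:05:00,Security,Success Audit,System Event,517,SYSTEM,SERVER01
"""

def triage(export_text, noisy_ids=NOISY_IDS):
    """Return (noise_counts, remaining_rows).

    noise_counts maps (event_id, user) to the number of folded-away rows, so
    routine logon traffic stays countable; remaining_rows keeps every other
    entry in its original order for review.
    """
    noise = Counter()
    remaining = []
    for row in csv.DictReader(io.StringIO(export_text)):
        event_id = row["Event"].strip()
        # Only successes are folded away: a Failure Audit is always kept,
        # even if its ID is in the noisy set.
        if event_id in noisy_ids and row["Type"].strip() == "Success Audit":
            noise[(event_id, row["User"].strip())] += 1
        else:
            remaining.append(row)
    return noise, remaining

if __name__ == "__main__":
    noise, remaining = triage(SAMPLE_EXPORT)
    for (event_id, user), count in sorted(noise.items()):
        print(f"folded {count:3d} x event {event_id} for {user}")
    for row in remaining:
        print(f"REVIEW {row['Date']} {row['Time']} {row['Type']} {row['Event']} {row['User']}")
```

The per-user counts also show when an account's logon volume changes sharply, which is lost once Success auditing is cleared in the policy.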

