Re: Excessive Security Success audits
- From: steve s <steves@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 31 May 2007 14:59:00 -0700
Thanks for putting my mind at ease. I saw a post from lanwench that said
something to the effect that the event logs can drive you crazy. I am
starting to see what she means.
"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
And you will get that SBSmonacct every day at 4:30 a.m.... if you
don't... you have bigger problems.
steve s wrote:
So a normal security log will have 150,000 entries over a five day period?
We have seven users and about ten devices.
"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
If a machine is on, yes there are normal "pings" to the server.
steve s wrote:
I have read past threads about event IDs #538, 540, and 576 being normal
log in and log out processes, but I am seeing these postings every minute of
every hour. It would seem that at 2am at night we shouldn't have this
activity because no one is here and no one is logging in remotely. My log
has over 150,000 entries over a five day period. This can't be normal, can
it? I am also seeing event ID #624 with the following:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 5/31/2007
Time: 4:30:03 AM
User: ROSEHILLCAPITAL\administrator
Computer: 2007SERVER
Description:
User Account Created:
New Account Name: sbsmonacct
New Domain: ROSEHILLCAPITAL
New Account ID: S-1-5-21-3139612681-1260921997-520203349-1195
Caller User Name: administrator
Caller Domain: ROSEHILLCAPITAL
Caller Logon ID: (0x0,0xA1E7C)
Privileges -
Attributes:
Sam Account Name: sbsmonacct
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value changed, but not displayed>
Sid History: -
Logon Hours: <value not set>
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
______________________________________________________________________
And event ID 552 with the following:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 5/31/2007
Time: 4:30:00 AM
User: NT AUTHORITY\SYSTEM
Computer: 2007SERVER
Description:
Logon attempt using explicit credentials:
Logged on user:
User Name: 2007SERVER$
Domain: ROSEHILLCAPITAL
Logon ID: (0x0,0x3E7)
Logon GUID: {0fffdf39-11ef-7331-378d-e54365cced1b}
User whose credentials were used:
Target User Name: administrator
Target Domain: ROSEHILLCAPITAL
Target Logon GUID: {4af82be1-608a-c06c-e5f4-dc39c94eabe8}
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 1348
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
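
An added example, not part of the original thread: a small Python triage pass over a security log exported in the text layout quoted above, which sets aside the daily sbsmonacct creation and lists any other event 624 account creation. The function names, the 4 a.m. hour window and the second sample record (`tempadmin`) are assumptions made for this sketch.

```python
from datetime import datetime

# Constructed sample in the export layout shown in the thread, trimmed to the
# fields used here. The second record is invented for contrast.
SAMPLE = """\
Event Type: Success Audit
Event ID: 624
Date: 5/31/2007
Time: 4:30:03 AM
New Account Name: sbsmonacct
Caller User Name: administrator
New UAC Value: 0x15
Event Type: Success Audit
Event ID: 624
Date: 5/31/2007
Time: 2:12:47 AM
New Account Name: tempadmin
Caller User Name: administrator
New UAC Value: 0x15
"""

# Account-control bits as event 624 prints them; 0x15 decodes to the three
# flags listed in the record quoted in the thread.
UAC_BITS = {0x01: "Account Disabled", 0x04: "Password Not Required",
            0x10: "Normal Account"}

def parse_events(text):
    """Turn 'Field: value' lines into one dict per event."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Event Type":
            events.append({})
        if sep and events:
            events[-1][key.strip()] = value.strip()
    return events

def decode_uac(value):
    return [name for bit, name in UAC_BITS.items() if int(value, 16) & bit]

def unexpected_creations(events, name="sbsmonacct", hour=4):
    """Event 624 records that are not the daily monitoring-account creation."""
    hits = []
    for e in events:
        if e.get("Event ID") != "624":
            continue
        when = datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
        if e.get("New Account Name", "").lower() != name or when.hour != hour:
            hits.append((when.isoformat(), e.get("New Account Name"),
                         decode_uac(e.get("New UAC Value", "0x0"))))
    return hits

if __name__ == "__main__":
    for hit in unexpected_creations(parse_events(SAMPLE)):
        print(hit)
```
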