Re: Excessive Security Success audits



steve s wrote:
Thanks for putting my mind at ease. I saw a post from lanwench that
said something to the effect that the event logs can drive you crazy.
I am starting to see what she means.

Set a filter and unselect 'information', 'success' and things you aren't so
concerned with. It makes a quick read of an event log (you can reenable
later if you need to see all the events). Also saving and clearing the log
every month or so makes life much easier.


"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:

And you will get that SBSmonacct every day at 4:30 a.m.... if you
don't.. you have bigger problems.

steve s wrote:
So a normal security log will have 150,000 entries over a five day
period? We have seven users and about ten devices.

"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:


If a machine is on, yes there are normal "pings" to the server.

steve s wrote:

I have read past threads about the event ID #538, 540, and 576
being normal log in and log out processes, but I am seeing these
postings every minute of every hour. It would seem that at 2am
at night we shouldn't have this activity because no one is here
and no one is logging in remotely. My log has over 150,000
entries over a five day period. This can't be normal, can it? I
am also seeing event ID #624 with the following:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 5/31/2007
Time: 4:30:03 AM
User: ROSEHILLCAPITAL\administrator
Computer: 2007SERVER
Description:
User Account Created:
New Account Name: sbsmonacct
New Domain: ROSEHILLCAPITAL
New Account ID: S-1-5-21-3139612681-1260921997-520203349-1195
Caller User Name: administrator
Caller Domain: ROSEHILLCAPITAL
Caller Logon ID: (0x0,0xA1E7C)
Privileges -
Attributes:
Sam Account Name: sbsmonacct
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value changed, but not displayed>
Sid History: -
Logon Hours: <value not set>


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

______________________________________________________________________


And event ID 552 with the following:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 5/31/2007
Time: 4:30:00 AM
User: NT AUTHORITY\SYSTEM
Computer: 2007SERVER
Description:
Logon attempt using explicit credentials:
Logged on user:
User Name: 2007SERVER$
Domain: ROSEHILLCAPITAL
Logon ID: (0x0,0x3E7)
Logon GUID: {0fffdf39-11ef-7331-378d-e54365cced1b}
User whose credentials were used:
Target User Name: administrator
Target Domain: ROSEHILLCAPITAL
Target Logon GUID: {4af82be1-608a-c06c-e5f4-dc39c94eabe8}

Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 1348
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

--
/kj
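
Added example, not part of the original thread: one way to do the filtering suggested above on a log exported as text, counting the IDs the thread calls routine (538, 540, 576) and leaving only the remaining events, such as the 624 account creation, to read. The function names, the EXAMPLE domain and the sample records are constructed, and the flag table covers only the three bits decoded in the quoted 0x15 value.

```python
import re
from collections import Counter

# IDs the thread describes as normal logon/logoff activity.
ROUTINE_IDS = {538, 540, 576}
# Flag bits as decoded in the quoted event 624 (0x15 = these three together).
UAC_BITS = {0x01: "Account Disabled", 0x04: "Password Not Required", 0x10: "Normal Account"}

def parse_records(text):
    """Split exported text into one dict of 'Field: value' pairs per event."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields.setdefault(key.strip(), value.strip())
        if "Event ID" in fields:
            records.append(fields)
    return records

def triage(text):
    """Count every event ID; return only the non-routine events for reading."""
    counts, review = Counter(), []
    for rec in parse_records(text):
        event_id = int(rec["Event ID"])
        counts[event_id] += 1
        if event_id in ROUTINE_IDS:
            continue
        item = {"id": event_id, "time": rec.get("Time"), "user": rec.get("User")}
        if event_id == 624:  # account created: show which account and its flags
            uac = int(rec.get("New UAC Value", "0x0"), 16)
            item["new_account"] = rec.get("New Account Name")
            item["flags"] = [n for bit, n in UAC_BITS.items() if uac & bit]
        review.append(item)
    return counts, review

def _rec(event_id, time, user, body=""):
    return (f"Event Type: Success Audit\nEvent ID: {event_id}\n"
            f"Time: {time}\nUser: {user}\nDescription:\n{body}")

# Constructed sample in the text layout of the events quoted above.
SAMPLE = "".join([
    _rec(540, "2:00:01 AM", r"EXAMPLE\WS01$"), _rec(538, "2:00:02 AM", r"EXAMPLE\WS01$"),
    _rec(576, "2:01:00 AM", r"EXAMPLE\WS02$"), _rec(540, "2:01:00 AM", r"EXAMPLE\WS02$"),
    _rec(624, "4:30:03 AM", r"EXAMPLE\administrator",
         "New Account Name: sbsmonacct\nNew UAC Value: 0x15\n"),
])
if __name__ == "__main__":
    print(triage(SAMPLE))
```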

