RE: Auditing logins via w3svc

From: Jeff Qiu (jefffqiu@online.microsoft.com)
Date: 12/20/02

• Next message: BB: "Re: User Not Authenticated."
• Previous message: neo [mvp outlook]: "Re: help me stop pop ups please!!"
• In reply to: Sandy Wood: "RE: Auditing logins via w3svc"
• Next in thread: Sandy Wood: "RE: Auditing logins via w3svc"
• Reply: Sandy Wood: "RE: Auditing logins via w3svc"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: jefffqiu@online.microsoft.com (Jeff Qiu)
Date: Fri, 20 Dec 2002 01:50:21 GMT

Hi Sandy,

After my research, I found that the following two articles are related to
the situation you meet now:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;170863

http://support.microsoft.com/default.aspx?scid=KB;EN-US;298190

The failed log on recorded in the system event log that has the source of
the W3svc are logons to the WWW Service, not the Windows logon. This is
why it is recorded in the system event log, not the security log.

I hope this explain the situation.

Regards,

Jeff Qiu
jefffqiu@online.microsoft.com
Online Support Professional
Microsoft Corporation

This posting is provided Ħ°AS ISĦħ with no warranties, and confers no
rights.

--------------------
>Content-Class: urn:content-classes:message
>From: "Sandy Wood" <sandy.wood@da.ocgov.com>
>Sender: "Sandy Wood" <sandy.wood@da.ocgov.com>
>microsoft.public.win2000.security
>
>here's my system.evt
>thanks for the help!
>>-----Original Message-----
>>Hi Sandy,
>>
>>I am glad to do some further research for you.
>>
>>Please post a complete error log that has the W3SVC
>source from the system
>>log for our further research.
>>
>>Regards,
>>
>>Jeff Qiu
>>jefffqiu@online.microsoft.com
>>Online Support Professional
>>Microsoft Corporation
>>
>>This posting is provided Ħ°AS ISĦħ with no warranties,
>and confers no
>>rights.
>>
>>--------------------
>>>Content-Class: urn:content-classes:message
>>>From: "Sandy Wood" <sandy.wood@da.ocgov.com>
>>>Sender: "Sandy Wood" <sandy.wood@da.ocgov.com>
>>>References: <04eb01c2a5f2$91d99660
>$89f82ecf@TK2MSFTNGXA01>
>><xNz7IYmpCHA.2580@cpmsftngxa09>
>>>Subject: RE: Auditing logins via w3svc
>>>Date: Wed, 18 Dec 2002 08:35:57 -0800
>>>microsoft.public.win2000.security
>>>
>>>My question isn't so much about iis, as about auditing
>>>login attempts and where should we look and why. I'll
>>>head over to iis, but wouldn't this newsgroup be able
>to
>>>answer at least part of my issue?
>>>>-----Original Message-----
>>>>Hi Sandy,
>>>>
>>>>Based on my research, this error source W3SVC is
>related
>>>to the IIS. To
>>>>better audit that kind of failure, you may need to go
>>>deeper into the IIS
>>>>console and Snap-Ins.
>>>>
>>>>Please post this question in the
>>>microsoft.public.inetserver.iis newsgroup.
>>>>That newsgroup is primarily for issues involving all
>IIS
>>>related issues.
>>>>We recommend posting appropriately so you will get the
>>>most qualified pool
>>>>of respondents, and so other partners who regularly
>read
>>>the newsgroups can
>>>>either share their knowledge or learn from your
>>>interaction with us.
>>>>
>>>>Regards,
>>>>
>>>>Jeff Qiu
>>>>jefffqiu@online.microsoft.com
>>>>Online Support Professional
>>>>Microsoft Corporation
>>>>
>>>>This posting is provided Ħ°AS ISĦħ with no warranties,
>>>and confers no
>>>>rights.
>>>>
>>>>--------------------
>>>>>Content-Class: urn:content-classes:message
>>>>>From: "Sandy Wood" <sandy.wood@da.ocgov.com>
>>>>>Sender: "Sandy Wood" <sandy.wood@da.ocgov.com>
>>>>>Subject: Auditing logins via w3svc
>>>>>Date: Tue, 17 Dec 2002 09:34:36 -0800
>>>>>microsoft.public.win2000.security
>>>>>
>>>>>I've been trying to get a handle on auditing failed
>and
>>>>>successful logins to our web site that has Int. NT
>>>>>security. I've enabled auditing in secpol.msc and
>looks
>>>>>like the Security log is filling up nicely. My
>question
>>>>>is that I also see failed attempts at login in the
>>>System
>>>>>log under the W3SVC source. What's the best way to
>make
>>>>>sure I catch and audit all the attempts and why
>aren't
>>>>>they all covered just under the Security Log?
>>>>>
>>>>
>>>>.
>>>>
>>>
>>
>>.
>>
>

• Next message: BB: "Re: User Not Authenticated."
• Previous message: neo [mvp outlook]: "Re: help me stop pop ups please!!"
• In reply to: Sandy Wood: "RE: Auditing logins via w3svc"
• Next in thread: Sandy Wood: "RE: Auditing logins via w3svc"
• Reply: Sandy Wood: "RE: Auditing logins via w3svc"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Problem with connect computer wizard ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... Please double-check the default application pool in IIS. ... (microsoft.public.windows.server.sbs) Re: Problem with connect computer wizard ... Please restart the server box and then reboot the workstation to try the ... This newsgroup only focuses on SBS technical issues. ... have you restarted the IIS service ... Please collect the IIS metabase and the latest IIS log files ... (microsoft.public.windows.server.sbs) RE: SharePoint and Company Web not working ... Cause: Incorrect IIS settings. ... Right click Companyweb and select Properties. ... Using Microsoft Exchange Server 2003 Recovery Storage Groups ... Microsoft CSS Online Newsgroup Support ... (microsoft.public.windows.server.sbs) Re: SBS 2003, lost companyweb ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... Click Start, click Server Management. ... Collect IIS Log: ... (microsoft.public.windows.server.sbs) RE: OWA 2003 ... this issue be related to IIS setting. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... <logon OWA and get error message "'You could not be logged on to Outlook ... (microsoft.public.windows.server.sbs)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint