Event ID 538/540/576 fills up Security Log!!

From: Steven T (guess_what_at_hkem.com)
Date: 06/16/04


Date: Wed, 16 Jun 2004 09:43:14 +0800

These 3 events keep filling up the event log!
More than 10 occurrences are recorded per second.
This has been happening for over a month...
Why does the system log on to itself and log off at the same time (repeatedly)?
It happens most frequently from midnight to the morning (non-office hours?).

The system is a Domain Controller as well as an Exchange 2000 Server.
It has Veritas Backup Exec Server, Veritas Backup Exec Exchange Agent,
Symantec Mail Security for Exchange installed.

The other DCs don't have this strange behaviour.

The security log doesn't hold enough events for just 1 day because of this,
even though its size is 60MB already.
Please, if someone could help. Thanks in advance.

6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FD60) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FD60) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4036FE29) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FE29) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FE29) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4036FEF2) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FEF2) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FEF2) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4036FFBB) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FFBB) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FFBB) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x40370084) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x40370084) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x40370084) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x40370151) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x40370151) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x40370151) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4037021B) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4037021B) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4037021B) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x403702E4) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x403702E4) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x403702E4) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x403703E0) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
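
One way to triage a dump like the one above, as an added example that is not part of the original post: rejoin the wrapped export lines, group the records by logon ID, and count records per second. The field layout is inferred from the posted lines, the function names are illustrative, and the sample is a constructed excerpt of the posted records.

```python
import re
from collections import Counter

# Constructed sample: four records excerpted from the dump in the post,
# wrapped across lines the same way the export wrapped them.
SAMPLE = r"""6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4036FE29) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FE29) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FE29) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4036FEF2) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
"""

# Assumed layout: timestamp, two numeric fields, event ID, then the log name.
HEAD = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \d+ \d+ (\d+) Security ")
LOGON_ID = re.compile(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)")

def parse_records(text):
    """Rejoin wrapped lines and return one dict per event record."""
    joined = []
    for line in text.splitlines():
        if HEAD.match(line):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()   # continuation of previous record
    records = []
    for rec in joined:
        head, lid = HEAD.match(rec), LOGON_ID.search(rec)
        records.append({"time": head.group(1), "event_id": int(head.group(2)),
                        "logon_id": lid.group(2) if lid else None,
                        "privileges": re.findall(r"\bSe\w+Privilege\b", rec)})
    return records

def summarize(records):
    """Group by logon ID: 576 (privileges assigned), 540 (network logon), 538 (logoff)."""
    by_id = {}
    for r in records:
        by_id.setdefault(r["logon_id"], []).append(r["event_id"])
    complete = [k for k, v in by_id.items() if v == [576, 540, 538]]
    per_second = Counter(r["time"] for r in records)
    return {"complete": complete, "peak_per_second": max(per_second.values()),
            "partial": [k for k in by_id if k not in complete]}  # cut off at dump edge

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```

Sessions listed under "partial" are the ones cut off at the start or end of the export, such as the final 576 record in the post.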