Re: Event ID 538/540/576 fills up Security Log!!

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 06/17/04


Date: Thu, 17 Jun 2004 04:08:48 GMT

Hard to say. Maybe you don't have auditing for "privilege use" enabled on
the other DCs, and I have no experience with an Exchange 2000 server, but
with all the activity they handle it does not surprise me that there are a lot of
events in the security log. Reducing what you audit may make sense because
it will make it easier to track down pertinent events such as malicious
activity, which often causes failure events. It's kind of like finding a needle in
a haystack for you now. --- Steve

"Steven T" <guess_what@hkem.com> wrote in message
news:OMCR$lAVEHA.2840@TK2MSFTNGP11.phx.gbl...
> I wonder why this would happen and if it's really related to backup jobs,
> since the backups were also carried out for other DCs but none of them have
> been flooded with those events. Also the events keep showing up all day long,
> even when the backup job is not running. I am really frustrated with this.
> Could it just be an issue with Exchange Server 2000?
>
> "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
> news:POZzc.50169$0y.24071@attbi_s03...
> > The KB below suggests that you disable the auditing of "privilege use" to
> > reduce the number of events in the security log. That is not a category that
> > one would normally audit all the time. There is a lot going on with that
> > server [your examples indicate backup activity], so it does not surprise me
> > that you see a lot of logon events as well. If you want to reduce them also,
> > consider auditing just account logon events for success and failure and
> > logon events for just failure. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;264769
> >
> > "Steven T" <guess_what@hkem.com> wrote in message
> > news:u1GCHO0UEHA.2972@TK2MSFTNGP12.phx.gbl...
> > > These 3 events keep filling up the event log!
> > > More than 10 occurrences are recorded per second.
> > > This has been happening for over a month...
> > > Why does the system log on to itself and log off at the same time (repeatedly)?
> > > It happens most frequently from midnight to the morning (non-office hours?).
> > >
> > > The system is a Domain Controller as well as an Exchange 2000 Server.
> > > It has Veritas Backup Exec Server, Veritas Backup Exec Exchange Agent,
> > > Symantec Mail Security for Exchange installed.
> > >
> > > The other DCs don't have this strange behaviour.
> > >
> > > The security log doesn't hold enough events for just 1 day because of this,
> > > even though its size is already 60MB.
> > > Please, if someone could help. Thanks in advance.
> > >
> > > 6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FD60) 3 Kerberos Kerberos
> > > 6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FD60) 3
> > > 6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver (0x0,0x4036FE29) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
> > > 6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FE29) 3 Kerberos Kerberos
> > > 6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FE29) 3
> > > 6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver (0x0,0x4036FEF2) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
> > > 6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FEF2) 3 Kerberos Kerberos
> > > 6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FEF2) 3
> > > 6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver (0x0,0x4036FFBB) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
> > > 6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FFBB) 3 Kerberos Kerberos
> > > 6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FFBB) 3
> > > 6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver (0x0,0x40370084) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
> > > 6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x40370084) 3 Kerberos Kerberos
> > > 6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x40370084) 3
> > > 6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver (0x0,0x40370151) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
> > > 6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x40370151) 3 Kerberos Kerberos
> > > 6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x40370151) 3
> > > 6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver (0x0,0x4037021B) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
> > > 6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4037021B) 3 Kerberos Kerberos
> > > 6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4037021B) 3
> > > 6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver (0x0,0x403702E4) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
> > > 6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x403702E4) 3 Kerberos Kerberos
> > > 6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x403702E4) 3
> > > 6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver (0x0,0x403703E0) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
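An added triage example, not code from anyone in this thread: a small Python parser for event rows in the space-separated export layout Steven T pasted, which groups the 576/540/538 rows by Logon ID, reports volume per second and per audit category, and flags any session whose account or privilege set differs from the pattern in the post. The sample rows are constructed in that layout; the account name `backupsvc`, the Logon ID `40370ABC` and the `SeTcbPrivilege` row are invented outliers, and treating the machine account with the four privileges seen in the post as the "expected" backup session is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the export layout from the post (date time AM/PM type category
# id source user computer description); type 8 = Success Audit, category 2 = Logon/Logoff,
# 4 = Privilege Use. The last two rows (backupsvc / SeTcbPrivilege) are invented outliers.
SAMPLE = """\
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\\SYSTEM mailserver (0x0,0x4036FE29) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FE29) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FE29) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\\SYSTEM mailserver (0x0,0x4036FEF2) SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\\SYSTEM mailserver mailserver$ MYDOMAIN (0x0,0x4036FEF2) 3 Kerberos Kerberos
6/15/2004 4:09:24 AM 8 4 576 Security NT AUTHORITY\\SYSTEM mailserver (0x0,0x40370ABC) SeBackupPrivilege SeTcbPrivilege
6/15/2004 4:09:24 AM 8 2 540 Security NT AUTHORITY\\SYSTEM mailserver backupsvc MYDOMAIN (0x0,0x40370ABC) 3 NTLM NTLM
"""

ROW = re.compile(r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<type>\d+) (?P<cat>\d+) (?P<eid>\d+) "
                 r"Security (?P<user>NT AUTHORITY\\\S+|\S+) (?P<host>\S+) ?(?P<desc>.*)$")
LOGON_ID = re.compile(r"\(0x[0-9A-Fa-f]+,0x([0-9A-Fa-f]+)\)")
PRIV = re.compile(r"Se\w+Privilege")
# Privileges the post's 576 rows carry; assumed here to be the expected backup set.
EXPECTED = {"SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege", "SeChangeNotifyPrivilege"}

def parse(text):
    events = []
    for m in filter(None, map(ROW.match, text.splitlines())):  # non-event rows are skipped
        ev = m.groupdict()
        ev["eid"], ev["cat"] = int(ev["eid"]), int(ev["cat"])
        lid = LOGON_ID.search(ev["desc"])
        ev["logon_id"] = lid.group(1) if lid else None
        ev["privs"] = set(PRIV.findall(ev["desc"]))
        ev["account"] = ev["desc"].split()[0] if ev["eid"] in (540, 538) else None  # 540/538 only
        events.append(ev)
    return events

def triage(events, machine_account="mailserver$"):
    sessions = defaultdict(dict)
    for ev in events:
        if ev["logon_id"]:
            sessions[ev["logon_id"]][ev["eid"]] = ev  # 576, 540 and 538 share one Logon ID
    verdicts = {}
    for lid, s in sessions.items():
        privs = s[576]["privs"] if 576 in s else set()
        account = s[540]["account"] if 540 in s else None
        # Machine account holding only the backup privileges is the pattern seen in the post.
        ok = account == machine_account and privs <= EXPECTED
        verdicts[lid] = "backup-pattern" if ok else "review"
    return {"per_eid": dict(Counter(e["eid"] for e in events)),
            "per_category": dict(Counter(e["cat"] for e in events)),
            "peak_per_second": max(Counter(e["time"] for e in events).values()),
            "sessions": verdicts}
```

Run over a full day's export, the per-category split shows how much volume dropping Privilege Use auditing (the KB's advice) would remove, and any session marked "review" is the one to look at before changing the audit policy.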


