Re: too many logon/logoff events in security log

From: Trevor (news_register_at_yahoo.com.hk)
Date: 11/25/04

    Date: Thu, 25 Nov 2004 12:08:14 +0800
    
    

    I am using Windows 2003 Server, IIS 6 and SQL 2000 Server. FYI!

    "microsoft newsgroup" <news_register@yahoo.com.hk> wrote in message news:eN8sbIq0EHA.3808@tk2msftngp13.phx.gbl...
    > Hi, all,
    >
    > I turned on the audit policy to monitor the logon/logoff events in the security
    > log. However, there are too many logon/logoff events, on average 3 times per
    > minute. Sometimes the logon/logoff is by system users, sometimes by
    > administrators. I have no idea how to troubleshoot this event. I captured the
    > log details as below:
    >
    >
    > User Logoff:
    > User Name: ITRA$
    > Domain: ITRANET0
    > Logon ID: (0x0,0x105A389)
    > Logon Type: 3
    >
    >
    > Successful Network Logon:
    > User Name: ITRA$
    > Domain: ITRANET0
    > Logon ID: (0x0,0xD3FD88)
    > Logon Type: 3
    > Logon Process: Kerberos
    > Authentication Package: Kerberos
    > Workstation Name:
    > Logon GUID: {d4e327c2-d024-f080-3e0b-1d7c89e9e484}
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: 127.0.0.1
    > Source Port: 4644
    >
    > Any idea, or am I being hacked? Why is the source network address the server
    > itself but the logon type is 3?
    >
    > Thank you very much in advance!
    >
    > Regards,
    > Trevor
    >
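
An added example, not part of the original post: a Python script that parses event text in the layout quoted above and tallies logons by account, logon type, logon process and source address, so it is visible which combination produces the volume. The sample events are constructed; the `Administrator` entry and the address `192.0.2.15` are illustrative assumptions. Account names ending in `$` are computer accounts.

```python
import re
from collections import Counter

# Constructed sample in the layout of the events quoted in the post.
SAMPLE = """\
> Successful Network Logon:
> User Name: ITRA$
> Logon Type: 3
> Logon Process: Kerberos
> Workstation Name:
> Source Network Address: 127.0.0.1
>
> Successful Network Logon:
> User Name: Administrator
> Logon Type: 3
> Logon Process: NtLmSsp
> Source Network Address: 192.0.2.15
>
> User Logoff:
> User Name: ITRA$
> Logon Type: 3
"""

def parse_events(text):
    """Split pasted event text into dicts; tolerates '>' quote prefixes."""
    cleaned = "\n".join(l.lstrip("> \t").rstrip() for l in text.splitlines())
    events = []
    for block in re.split(r"\n{2,}", cleaned.strip()):
        lines = block.splitlines()
        ev = {"Event": lines[0].rstrip(":")}      # first line is the event title
        for line in lines[1:]:
            key, _, value = line.partition(":")   # split on the first colon only
            ev[key.strip()] = value.strip()       # empty fields stay as ""
        events.append(ev)
    return events

def summarize(events):
    """Count logons per (user, logon type, logon process, source address)."""
    tally = Counter()
    for ev in events:
        src = ev.get("Source Network Address")
        if src is None:                           # logoff records carry no source
            continue
        tally[(ev.get("User Name", ""), ev.get("Logon Type"),
               ev.get("Logon Process"), src)] += 1
    return tally

def is_local_machine_logon(key):
    """True for a computer account ('$' suffix) logging on over loopback."""
    user, _type, _process, src = key
    return user.endswith("$") and src in ("127.0.0.1", "::1")

if __name__ == "__main__":
    for key, n in summarize(parse_events(SAMPLE)).most_common():
        print(n, key, "loopback machine account" if is_local_machine_logon(key) else "")
```
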

