Re: Event viewer- security log
- From: "Wesley Vogel" <123WVogel955@xxxxxxxxxxx>
- Date: Sat, 9 Sep 2006 15:57:50 -0600
If you configure an audit policy to audit successful logon and logoff
events, you will get 538 events.
Event ID: 538
Source: Security
This event record indicates that a user has logged off.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=WindowsOperatingSystem&ProdVer=5.2&EvtID=538&EvtSrc=Security&LCID=1033
Event ID: 540
Source: Security
Successful Network Logon
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=540&EvtSrc=Security&LCID=1033
See...
Logon/Logoff event 528 (logon success) and Logon/Logoff event 540 (network
logon success)
here for explanation...
HOW TO: Troubleshoot Kerberos-Related Issues in IIS
http://support.microsoft.com/kb/326985
Event ID: 576
Source: Security
Special privileges assigned to new logon
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=576&EvtSrc=Security&LCID=1033
Event ID 576 Fills the Security Event Log When Auditing
http://support.microsoft.com/kb/264769
System Performance Decreases, and Many Event ID 576 Entries Are Logged to
the Security Event Log
http://support.microsoft.com/kb/822774
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:EEBAFE58-B5E4-427E-8041-1B308376505F@xxxxxxxxxxxxx,
randy.duly@xxxxxxxxxxxxxxxxxxxx
<randydulynationaltubeformcom@xxxxxxxxxxxxxxxxxxxxxxxxx> hunted and pecked:
There is no group policies set for the PC or the server other than the
default entries. I still can't figure out why one PC on the network is
recording everybody logins/logoffs. I am getting the following event ids:
538, 540, 576. It started about a week and half ago.
"Wesley Vogel" wrote:
If Audit account logon events and/or Audit logon events for Success and
Failure are Enabled in Group Policy.
Audit account logon events
Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy
Audit account logon events
Determines whether to audit each instance of a user logging on to or
logging off from another computer in which this computer is used to
validate the account.
Audit logon events
Determines whether to audit each instance of a user logging on to,
logging off from, or making a network connection to this computer.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:756B8F0A-C6B2-4C20-AB2E-F07350D00172@xxxxxxxxxxxxx,
randy.duly@xxxxxxxxxxxxxxxxxxxx
<randydulynationaltubeformcom@xxxxxxxxxxxxxxxxxxxxxxxxx> hunted and
pecked:
I have one user her security log all of a sudden the last 2 weeks has
become full. I looked at it and it look like it is recording everybody
logon/logoff on the network. Also it show one particular user who
logon/logoff is recorded every few minutes.
So I did the usual, I checked the Local Security settings on each of the
two computers. They look fine. I ran virus scanning and spyware scanning
software and I did not find anything.
Anybody got any ideas?
Thanks Randy
.
- References:
- Re: Event viewer- security log
- From: Wesley Vogel
- Re: Event viewer- security log
- Prev by Date: Re: Removing read only attributes on folders
- Next by Date: Re: Event viewer- security log
- Previous by thread: Re: Event viewer- security log
- Next by thread: Re: Event viewer- security log
- Index(es):
Relevant Pages
|
