2061 Security Log Events in less than 2 hours!

Alan Hodge

Hello all

I hope someone can help on this one.

On August 18 this year between 15:32 and 17:18, 2061
events were logged on my Security event viewer.

The IDs were: 512; 514; 515; 518; 528; 538 (very many); 540
(very many); 565; 576 (very many); 577; 578; 592; 593;
612; 617; 672; 673; 677; 680; 682; 683.

Does anyone know what happened? I cannot link this to
anything else for that day. We had no engineers around
doing anything to the server. It was just an ordinary
day.

It seems a bit spooky. Should I be worried?

Thanks in advance.
 
Mike Rosado [MSFT]

Hi Alan,

Please provide the detailed description of the Event ID 2061.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

Alan Hodge

Hi Mike

The event ID isn't 2061. That was the number of events
logged during the 1 1/2 hour period on August 18.


-----Original Message-----
Hi Alan,

Please provide the detailed description of the Event ID
2061.

The Event IDs were: 512; 514; 515; 518; 528; 538 (very
many); 540 (very many); 565; 576 (very many); 577; 578;
592; 593; 612; 617; 672; 673; 677; 680; 682; 683.

They were varying descriptions:

Events Event IDs

Account Logons: 672,673,677,680

Detailed Tracking: 592,593

Logon/Logoff: 538,540

Object Access: 565

Policy Change: 612,617

Privilege Use: 576,577

System Event: 514,515,518


Hope to hear from you soon

Alan
 
Mike Rosado [MSFT]

Alan,

I'm by no means an expert in this subject matter of Security, Log On and/or
GPO, but I'll try to assist you to the best of my ability.

You have a laundry list of events that you cannot troubleshoot all together,
because they may all be unrelated to each other and just one or more of
these events can send you off on a wild goose chase.

If these events are posing a problem, explain with elaborated details the
problem you're experiencing so we can try to troubleshoot the main problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

Dave Patrick

Also when you view the logged events in Event Viewer in the upper right
corner, third button down is a copy to clipboard, then you can paste in the
body of a reply message.

Please do so for each of the different events so we can see all of the event
detail.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

Alan Hodge

Dear Dave

Is there any way I can zip the events into a file and
email that to you. Otherwise it will take a long time to
copy and paste each individual event.

Regards

Alan
 
Alan Hodge

Thanks for that Mike

The trouble I have is that I do know whether these events
are benign or not. I have recently cleared out a load of
email garbage because the server was being used as a
relay. You helped a lot on that and everything seems
fine now. I am wondering whether these events could be
related or not but I have nothing to indicate a problem
as such.

I think that the alarming bit is that the only events in
the security log are those I have identified and they all
appear on the same day.

I am not sure what else to do at this stage.

Regards

Alan
 
Dave Patrick

How many different events? 22? It would be best to post here so that all can
learn from this. Besides, I may not know the answer. You might be able to
research this on your own through TechNet and/or eventid.net

http://search.microsoft.com/search/search.aspx?View=en-us&s=1&st=a
http://www.eventid.net/search.asp

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

Alan Hodge

Dave

I followed your advice and ended up at:

http://www.gfi/eventlogscan/

I scanned the server and one critical result came up which
I have copied below:

Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 612
Date: 18/08/2004
Time: 15:32:40
User: NT AUTHORITY\SYSTEM
Computer: HODGESERV
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- + Object Access
+ + Privilege Use
+ + Account Management
+ + Policy Change
+ + System
+ + Detailed Tracking
- + Directory Service Access
+ + Account Logon

Changed By:
User Name: HODGESERV$
Domain Name: HODGE
Logon ID: (0x0,0x3E7)

It looks like there has been a policy change but I do not
know by whom or what the implications are. Are you able
to help with this?

Your help so far has been very much appreciated.

Thanks in advance.

Alan

Mike Rosado [MSFT]

Alan,

As mentioned before, I'm by no means an expert in this subject matter of
Security, Log On and/or GPO, but I'll try to assist you to the best of my
ability.

Have you tried using Security Configuration and Analysis to isolate what GPO
is causing the Event ID 612?

816580 HOW TO: Analyze System Security in Windows Server 2003
http://support.microsoft.com/?id=816580

You are correct, it is a policy change that occurred. You need to focus in
on an Audit Policy as mentioned in the article below:

840633 Event ID 612 appears in the security log every time that you restart
http://support.microsoft.com/?id=840633

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>
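
Added example, not part of the original thread or written by any of its participants: a short Python parser for the "New Policy" table in the Event ID 612 record quoted in the thread, which then lists, for each category Alan grouped his event IDs under, which outcomes that policy audits. The function names are hypothetical, and Alan's category labels "Account Logons" and "System Event" are assumed to correspond to the policy rows "Account Logon" and "System".

```python
import re

# Description text of the Event ID 612 record, as pasted in the thread.
EVENT_612 = """\
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- + Object Access
+ + Privilege Use
+ + Account Management
+ + Policy Change
+ + System
+ + Detailed Tracking
- + Directory Service Access
+ + Account Logon
"""

# Category -> event IDs, from the grouping posted in the thread
# (category names normalised to the policy's row names: an assumption).
THREAD_IDS = {
    "Account Logon": [672, 673, 677, 680],
    "Detailed Tracking": [592, 593],
    "Logon/Logoff": [538, 540],
    "Object Access": [565],
    "Policy Change": [612, 617],
    "Privilege Use": [576, 577],
    "System": [514, 515, 518],
}

# A policy row is "<+|-> <+|-> <category name>"; header lines do not match.
ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(\S.*?)\s*$")

def parse_audit_policy(description):
    """Return {category: (success_audited, failure_audited)}."""
    policy = {}
    for line in description.splitlines():
        m = ROW.match(line)
        if m:
            policy[m.group(3)] = (m.group(1) == "+", m.group(2) == "+")
    return policy

def recorded_outcomes(policy, ids_by_category):
    """For each category seen in the log, list the outcomes the policy audits."""
    report = {}
    for category, ids in ids_by_category.items():
        success, failure = policy.get(category, (False, False))
        pairs = (("Success", success), ("Failure", failure))
        report[category] = (ids, [name for name, on in pairs if on])
    return report

if __name__ == "__main__":
    policy = parse_audit_policy(EVENT_612)
    for cat, (ids, outcomes) in recorded_outcomes(policy, THREAD_IDS).items():
        print(f"{cat:18} {ids} -> {' + '.join(outcomes) or 'not audited'}")
```

The policy shown audits both success and failure for Logon/Logoff and Privilege Use, the two categories holding the IDs Alan marked "very many" (538, 540, 576), and audits failures only for Object Access and Directory Service Access.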
