Event ID 538/540/576 fills up Security Log!!


Steven T

These 3 events keep filling up the event log!
More than 10 occurrences are recorded per second.
This has been happening for over a month...
Why does the system log on to itself and log off at the same time (repeatedly)?
It happens most frequently from midnight to the morning (non-office hours?).

The system is a Domain Controller as well as an Exchange 2000 Server.
It has Veritas Backup Exec Server, Veritas Backup Exec Exchange Agent,
Symantec Mail Security for Exchange installed.

The other DCs don't have this strange behaviour.

The security log doesn't hold enough events for just 1 day because of this,
even though its size is 60MB already.
Please, if someone could help. Thanks in advance.



6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FD60) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FD60) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4036FE29) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FE29) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FE29) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4036FEF2) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FEF2) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FEF2) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4036FFBB) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FFBB) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4036FFBB) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x40370084) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x40370084) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x40370084) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x40370151) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x40370151) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x40370151) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x4037021B) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4037021B) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x4037021B) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x403702E4) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x403702E4) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x403702E4) 3
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\SYSTEM mailserver
(0x0,0x403703E0) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
 

Steven L Umbach

The KB below suggests that you disable the auditing of "privilege use" to
reduce the number of events in the security log. That is not a category that
one would normally audit all the time. There is a lot going on with that
server [your examples indicate backup activity] so it does not surprise me
that you see a lot of logon events also. If you want to reduce them also,
consider auditing just account logon events for success and failure and
logon events for just failure. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;264769
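
One way to measure what is filling the log before changing the audit policy, as an added example that is not part of the original thread: it re-joins the wrapped records of a dump laid out like the one posted above, counts events per ID, and pairs 540/538 records by logon ID to show how long each session lasted. The sample records are constructed, and the field order (timestamp, type, category, event ID, source, user, computer, strings) is assumed from the posted dump.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed records, wrapped the same way as the dump posted in the thread.
SAMPLE = """\
6/15/2004 4:09:23 AM 8 4 576 Security NT AUTHORITY\\SYSTEM mailserver
(0x0,0x1000A001) SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeChangeNotifyPrivilege
6/15/2004 4:09:23 AM 8 2 540 Security NT AUTHORITY\\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x1000A001) 3 Kerberos Kerberos
6/15/2004 4:09:23 AM 8 2 538 Security NT AUTHORITY\\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x1000A001) 3
6/15/2004 4:09:24 AM 8 2 540 Security NT AUTHORITY\\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x1000A0CA) 3 Kerberos Kerberos
6/15/2004 4:09:31 AM 8 2 538 Security NT AUTHORITY\\SYSTEM mailserver
mailserver$ MYDOMAIN (0x0,0x1000A0CA) 3
"""
START = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \d+ \d+ (\d+) ")
LOGON_ID = re.compile(r"\((0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+)\)")
PRIVILEGE = re.compile(r"\bSe[A-Za-z]+Privilege\b")

def parse_records(text):
    """Re-join wrapped lines, then yield one dict per event record."""
    joined = []
    for line in text.splitlines():
        if START.match(line):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()  # continuation of the previous record
    for rec in joined:
        head, lid = START.match(rec), LOGON_ID.search(rec)
        yield {"event_id": int(head.group(2)),
               "time": datetime.strptime(head.group(1), "%m/%d/%Y %I:%M:%S %p"),
               "logon_id": lid.group(1) if lid else None,
               "privileges": PRIVILEGE.findall(rec)}

def summarize(records):
    """Return (events per ID, peak events per second, session lifetimes, backup logon IDs)."""
    records = list(records)
    per_id = Counter(r["event_id"] for r in records)
    sessions = defaultdict(dict)
    for r in records:
        if r["event_id"] in (538, 540) and r["logon_id"]:
            sessions[r["logon_id"]][r["event_id"]] = r["time"]  # pair by logon ID
    lifetimes = {lid: (s[538] - s[540]).total_seconds()  # logoff minus logon
                 for lid, s in sessions.items() if len(s) == 2}
    backup = sorted({r["logon_id"] for r in records
                     if r["logon_id"] and "SeBackupPrivilege" in r["privileges"]})
    return dict(per_id), max(Counter(r["time"] for r in records).values()), lifetimes, backup
```

Running `summarize(parse_records(text))` on a text export taken before and after an audit policy change shows which event IDs actually dropped.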
 

Steven T

I wonder why this would happen and if it's really related to backup jobs,
since the backups were also carried out for other DCs but none of them have
been flooded with those events. Also the events keep showing up all day long,
even when the backup job is not running. I am really frustrated with this.
Could it be just issues of Exchange Server 2000??


Steven L Umbach

Hard to say. Maybe you don't have auditing for "privilege use" enabled on
the other DCs and I have no experience with an Exchange 2000 server, but
with all the activity they handle it does not surprise me there are a lot of
events in the security log. Reducing what you audit may make sense because
it will make it easier to track down pertinent events such as malicious
activity which often causes failure events. Kind of like finding a needle in
a haystack for you now. --- Steve

