Event Viewer - security log

Guest

I have one user whose security log has all of a sudden become full in the
last 2 weeks. I looked at it and it looks like it is recording everybody's
logon/logoff on the network. It also shows one particular user whose
logon/logoff is recorded every few minutes.

So I did the usual, I checked the Local Security settings on each of the two
computers. They look fine. I ran virus scanning and spyware scanning software
and I did not find anything.

Anybody got any ideas?

Thanks Randy
 
Wesley Vogel

If Audit account logon events and/or Audit logon events for Success and
Failure are Enabled in Group Policy.

Audit account logon events
Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit account logon events
Determines whether to audit each instance of a user logging on to or logging
off from another computer in which this computer is used to validate the
account.

Audit logon events
Determines whether to audit each instance of a user logging on to, logging
off from, or making a network connection to this computer.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Steven L Umbach

I would be curious about why a particular user is constantly trying to
access the computer especially if that user is not supposed to have access.
By default security logs don't have a lot of room. You may also want to bump
that up to at least 2MB in properties and select overwrite events as needed
unless you have a compelling business reason not to do so in which case you
may want to make it larger yet.

Steve


 
Guest

There are no group policies set for the PC or the server other than the
default entries. I still can't figure out why one PC on the network is
recording everybody's logins/logoffs. I am getting the following event IDs:
538, 540, 576. It started about a week and a half ago.
 
Guest

I already did that.

Steven L Umbach said:
I would be curious about why a particular user is constantly trying to
access the computer especially if that user is not supposed to have access.
By default security logs don't have a lot of room. You may also want to bump
that up to at least 2MB in properties and select overwrite events as needed
unless you have a compelling business reason not to do so in which case you
may want to make it larger yet.

Steve


 
Guest

I also just noticed something. Her security log is not recording everybody's
logons/logoffs. It is only recording about 6 or 8 people. Most of them are
Windows XP users. We are mostly a Windows 2000 Professional shop. We are
switching to XP Professional as we get new PCs. Still strange though! Why
only a few people?
 
Wesley Vogel

If you configure an audit policy to audit successful logon and logoff
events, you will get 538 events.

Event ID: 538
Source: Security
This event record indicates that a user has logged off.
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=538&EvtSrc=Security&LCID=1033

Event ID: 540
Source: Security
Successful Network Logon
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=540&EvtSrc=Security&LCID=1033

See...
Logon/Logoff event 528 (logon success) and Logon/Logoff event 540 (network
logon success)
here for explanation...
HOW TO: Troubleshoot Kerberos-Related Issues in IIS
http://support.microsoft.com/kb/326985

Event ID: 576
Source: Security
Special privileges assigned to new logon
http://www.microsoft.com/technet/su...odVer=5.0&EvtID=576&EvtSrc=Security&LCID=1033

Event ID 576 Fills the Security Event Log When Auditing
http://support.microsoft.com/kb/264769

System Performance Decreases, and Many Event ID 576 Entries Are Logged to
the Security Event Log
http://support.microsoft.com/kb/822774

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Steven L Umbach

I believe that by default XP has auditing of logon events recorded while
Windows 2000 does not. You can check via Local Security Policy under local
policies/audit policy. Once that is enabled an event will be recorded every
time a user logs onto the computer either interactively [type 2], via Remote
Desktop [type 10], or via the network [type 3] such as when a user attempts
to access a share on the computer. Maybe that will shed some light onto why
you are seeing those events. Obviously computers that have shares that
others access will show a lot more logon events than those that don't or
have less used shares.


http://www.windowsecurity.com/articles/Logon-Types.html
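
Added example (not part of the thread): one way to triage the pattern discussed above is to group logon events by user, logon type and source workstation, and flag any source that logs on at short, regular intervals. The CSV layout, account names, workstation names and thresholds are constructed for illustration and are not a Windows export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Logon types and event IDs named in the thread (Windows 2000/XP numbering).
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote desktop"}
LOGON_EVENT_IDS = {"528", "540"}  # 538 (logoff) and 576 (privileges) are not logons

# Constructed sample; the column layout is an assumption, not a Windows export format.
SAMPLE = """time,event_id,user,logon_type,workstation
2006-03-01 09:00:05,540,jsmith,3,WS-XP-01
2006-03-01 09:00:05,576,jsmith,,
2006-03-01 09:00:41,538,jsmith,3,
2006-03-01 09:05:04,540,jsmith,3,WS-XP-01
2006-03-01 09:10:06,540,jsmith,3,WS-XP-01
2006-03-01 09:15:05,540,jsmith,3,WS-XP-01
2006-03-01 08:31:00,528,mary,2,
2006-03-01 10:12:30,540,bob,3,WS-XP-07
2006-03-01 14:47:10,540,bob,3,WS-XP-07
"""

def summarize_logons(csv_text, max_median_gap_s=600, min_events=4):
    """Group logon events by (user, type, workstation) and flag sources
    that log on at short, regular intervals."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] not in LOGON_EVENT_IDS:
            continue
        kind = LOGON_TYPES.get(row["logon_type"], "type " + row["logon_type"])
        key = (row["user"], kind, row["workstation"] or "(local)")
        times[key].append(datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"))
    report = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        repetitive = (len(stamps) >= min_events and med is not None
                      and med <= max_median_gap_s)
        report[key] = {"count": len(stamps), "median_gap_s": med,
                       "repetitive": repetitive}
    return report

if __name__ == "__main__":
    for key, info in sorted(summarize_logons(SAMPLE).items()):
        print(key, info)
```

A source flagged as repetitive with logon type 3 points at something on that workstation reconnecting on a timer, such as a mapped drive or a polling service, rather than a person logging on by hand.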
