Security Event Logs / Network access

[Jeff]

Hello everyone,

Had a minor issue this morning with a client machine on our network
regarding the security logs being full and not allowing a user-level login
that wasn't an admin. This isn't the problem I am asking about however, this
has been corrected.

It prompted me to take a look into that computers event logs and it seems
that there are a lot of logon events for a particular user in the security
log. This user however, prints to a shared printer on the target computer.

The machines are both Windows XP, sp2, running on a Windows 2003 ADS network.

The event logs in question are:
1st
Event ID: 576
Special privileges assigned to new logon

2nd
Event ID: 540
Successful Network Logon

3rd
Event ID: 538
User Logoff

I'm thinking that because the user prints to that printer on the target
machine, that the security log is simply tracking these 3 events every time
the user prints, is this correct?

It makes sense to me but I wanted to verify with someone else that these
events are perfectly normal and there shouldn't be a security breach.

We're often so busy here that we don't have time to review logs very often.

 

[jwgoerlich]

Hello Jeff,

Yes, I agree with your analysis. The network print job requires a
network login. This gets logged in the sequence you mentioned.

J Wolfgang Goerlich