Constant stream of event log IDs of 576, 538, 540 in the Security log

  • Constant stream of event log IDs of 576, 538, 540 in the Security log

    I have a w2k3 Standard edition single-domain network with 2 DCs. The main DC holding all FSMO roles has a continuous stream of the below. The other DC has some of the events in the Security logs, but only at certain periods of the day, and the time doesn't seem to be related.

    My first concern is with regards to security. Is anyone able to shed light on why there would be so many, and has anybody encountered this before? It has been happening for a number of weeks and nothing has changed (heard that one before, I'm sure).

    I believe I could reduce them by changing the security auditing, but that would defeat the object of auditing in the first place.

    Thanks for the time in reading and hopefully advising.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 576
    Date: (every day)
    Time: (1 a second)
    User: NT AUTHORITY\SYSTEM
    Computer: (MY DC SERVER NAME WITH ALL FSMO ROLES,DNS,DHCP, GC)
    Description:
    Special privileges assigned to new logon:
    User Name: MY DC SERVERNAME$
    Domain: domain
    Logon ID: (0x0,0x52037FD2)
    Privileges: SeTcbPrivilege
                SeSecurityPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeTakeOwnershipPrivilege
                SeDebugPrivilege
                SeSystemEnvironmentPrivilege
                SeLoadDriverPrivilege
                SeImpersonatePrivilege
                SeEnableDelegationPrivilege
    For more information, see Help and Support
    Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: EVERY DAY
    Time: 1 a second
    User: NT AUTHORITY\SYSTEM
    Computer: DC SERVER NAME
    Description:
    Successful Network Logon:
    User Name: MY DC SERVER NAME$
    Domain: DOMAIN
    Logon ID: (0x0,0x52031E3E)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {8b64e4ef-3a8f-ed26-d90d-3b7ddf076275}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: IP of Server
    Source Port: 1816

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 538
    Date: everyday
    Time: 1 a second
    User: NT AUTHORITY\SYSTEM
    Computer: dc server name
    Description:
    User Logoff:
    User Name: MY DC sERVERNAME$
    Domain: domain
    Logon ID: (0x0,0x52031E3E)
    Logon Type: 3

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

  • #2
    Re: Constant stream of event log IDs of 576, 538, 540 in the Security log

    Presuming you are not under some form of attack, have you deployed any auditing policies in there recently?
    If so, make sure you don't audit Privilege use as it'll generate loads of events.

    http://support.microsoft.com/default...b;EN-US;264769

    As for the other two, they are generated by the audit account logon policy:

    538 - User Logoff
    540 - Successful Network Logon

    Cheers
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Constant stream of event log IDs of 576, 538, 540 in the Security log

      Thanks L4ndy. I have analysed the traffic and there doesn't seem to be anything. I've also virus scanned, etc.

      It seems to point at Kerberos generating them using the NT AUTHORITY\SYSTEM account, and event ID 576 mostly concerns me. Is this a typical log that can be encountered on a DC, with regards to the privileges it refers to?



      • #4
        Re: Constant stream of event log IDs of 576, 538, 540 in the Security log

        Yeah, that event in particular is generated when Audit privilege use is enabled in the Audit policy.
        I would turn that off, to be honest, together with Object access (if not needed) and Process tracking, as they generate quite a large volume of events.

        Ta

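To put numbers behind the question in the original post and the answers above, here is an added example (not from the thread or from any of the posters) that parses Security events in the exported-text layout quoted in post #1, pairs each 540 network logon with its 538 logoff by Logon ID, and separates 576 entries for the DC's own machine account (the expected noise L4ndy describes) from 576 entries for other accounts that an admin would want to look at before simply turning Audit privilege use off. The sample events, server name `DC1`, domain `EXAMPLE`, account `jsmith` and address `192.0.2.10` are all constructed placeholders.

```python
"""Triage Windows Server 2003-style Security events (IDs 576, 538, 540) from
exported text.  Added example; the sample below is constructed to mirror the
layout quoted in the thread and is not output from a real server."""
import re
from collections import Counter

# Constructed sample: names, Logon IDs and the address are placeholders.
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 540
Time: 10:00:01
User: NT AUTHORITY\\SYSTEM
Computer: DC1
Description:
Successful Network Logon:
User Name: DC1$
Domain: EXAMPLE
Logon ID: (0x0,0x52031E3E)
Logon Type: 3
Source Network Address: 192.0.2.10

Event Type: Success Audit
Event ID: 576
Time: 10:00:01
User: NT AUTHORITY\\SYSTEM
Computer: DC1
Description:
Special privileges assigned to new logon:
User Name: DC1$
Domain: EXAMPLE
Logon ID: (0x0,0x52037FD2)
Privileges: SeTcbPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
For more information, see Help and Support
Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event ID: 538
Time: 10:00:02
User: NT AUTHORITY\\SYSTEM
Computer: DC1
Description:
User Logoff:
User Name: DC1$
Domain: EXAMPLE
Logon ID: (0x0,0x52031E3E)
Logon Type: 3

Event Type: Success Audit
Event ID: 576
Time: 10:05:17
User: NT AUTHORITY\\SYSTEM
Computer: DC1
Description:
Special privileges assigned to new logon:
User Name: jsmith
Domain: EXAMPLE
Logon ID: (0x0,0x52040001)
Privileges: SeDebugPrivilege
SeBackupPrivilege
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")   # "Key: value" lines
PRIV_RE = re.compile(r"^Se[A-Za-z]+Privilege$")            # continuation of the privilege list


def parse_events(text):
    """Split exported text into one dict per event; 'Privileges' becomes a list."""
    events = []
    for record in re.split(r"\n(?=Event Type:)", text.strip()):
        ev, privs = {}, None
        for line in record.splitlines():
            line = line.strip()
            if privs is not None and PRIV_RE.match(line):
                privs.append(line)              # wrapped privilege name on its own line
                continue
            m = FIELD_RE.match(line)
            if not m:
                continue                        # boilerplate such as the Help and Support line
            key, value = m.group(1), m.group(2)
            if key == "Privileges":
                privs = [value] if value else []
                ev[key] = privs
            elif key == "Event ID":
                ev[key] = int(value)
            else:
                ev[key] = value
        events.append(ev)
    return events


def session_state(events):
    """Map each Logon ID to its 540 (logon) and 538 (logoff) events."""
    sessions = {}
    for ev in events:
        lid = ev.get("Logon ID")
        if not lid or ev["Event ID"] not in (538, 540):
            continue
        s = sessions.setdefault(lid, {"logon": None, "logoff": None})
        s["logon" if ev["Event ID"] == 540 else "logoff"] = ev
    return sessions


def summarise(text, dc_account):
    """Counts per (event ID, account), network logons with no matching logoff,
    and 576 events for any account other than the DC's own machine account."""
    events = parse_events(text)
    counts = Counter((ev["Event ID"], ev.get("User Name", "?")) for ev in events)
    sessions = session_state(events)
    unpaired = sorted(lid for lid, s in sessions.items() if s["logon"] and not s["logoff"])
    review = sorted((ev["User Name"], ev.get("Privileges", [])) for ev in events
                    if ev["Event ID"] == 576
                    and ev.get("User Name", "").upper() != dc_account.upper())
    return {"counts": counts, "unpaired_logons": unpaired, "review": review}


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG, "DC1$")
    for (event_id, account), n in sorted(result["counts"].items()):
        print(f"{event_id} {account:10} {n}")
    print("network logons without a logoff:", result["unpaired_logons"])
    print("576 events to review:", result["review"])
```

Run against a real export, the counts show whether the stream is entirely the DC's own machine account (the pattern in post #1) and the review list isolates the handful of 576 entries that carry real signal, which is the part of the log worth keeping even if Audit privilege use is later switched off as suggested.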


        • #5
          Re: Constant stream of event log IDs of 576, 538, 540 in the Security log

          Thanks L4ndy.
