Multiple 538 and 540 ID's in 2003 server Security Events Log?

Newsgroup: microsoft.public.windows.server.security
Posted by Reluctant Sys-A on August 23, 2006, 12:58 am
I have a 2003 Server domain controller and XP workstations. I am trying to
audit when domain users log on and off the domain for the day.

There seem to be multiple 538(successful logoff) and 540(successful logon)
event ID's in the Security Events Log for each user when they log on. Both
ID's appear again several times when the user logs off. Sometimes the ID's
appear a few minutes apart for the same actual log on/off event, which makes
it hard to tell when the event actually occurred. Is there a better way to
tell conclusively exactly when a user logs on/off the domain?

Thanks!


Posted by Steven L Umbach on August 24, 2006, 11:19 pm
It is normal to see many logon/logoff events in the security log of domain
controllers when auditing of logon events is enabled and a lot of that
activity is for authentication traffic and accessing sysvol for Group
Policy. You may not even want to use auditing of logon events on domain
controllers [or audit failure only] because of all the noise and instead use
auditing of account logon events, though that will NOT show when a user logs
off "their domain" computer nor will "logon" events from the domain
controller. To get more accurate information for logoff you need to enable
auditing of "logon" events on the domain computers and then get the logon
and logoff event from the local security log of the domain computer.

Steve




Posted by Eric Fitzgerald [MSFT] on August 31, 2006, 10:04 pm
During every domain logon from a workstation, the domain controller has to
be contacted several times for several reasons:

LDAP
Shares (Netlogon for logon scripts, sysvol for policies)
etc.

Each connection will cause a 540/538 pair.

In Vista we've added share access auditing and RPC auditing so that you can
see precisely what's being accessed. We've also allowed high-volume events
to be turned off individually or in very small groups, so that for instance
you can generate logon events but suppress logoff events, etc.

Best regards,
Eric

--
This information is provided "AS-IS" with no warranty, and confers no
rights.



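As an added example (not code from the thread, from Microsoft or from either poster), the following Python collapses the repeated 540/538 pairs Eric describes into one summary per account per day, so the number of connections the DC logged shows up as a count rather than as scattered events; the tab-separated export layout, the field order and the log lines are constructed for the example.

```python
from datetime import datetime

# Constructed sample of a DC Security log export: time, Event ID, account,
# Logon Type (3 = network, which is what a DC sees), source workstation.
SAMPLE_LOG = """\
2006-08-23 08:01:12\t540\tjdoe\t3\tWS01
2006-08-23 08:01:13\t538\tjdoe\t3\tWS01
2006-08-23 08:01:15\t540\tjdoe\t3\tWS01
2006-08-23 08:05:40\t538\tjdoe\t3\tWS01
2006-08-23 09:12:02\t540\tasmith\t3\tWS02
2006-08-23 09:12:02\t538\tasmith\t3\tWS02
2006-08-23 17:02:30\t540\tjdoe\t3\tWS01
2006-08-23 17:02:31\t538\tjdoe\t3\tWS01
2006-08-23 17:04:10\t538\tjdoe\t3\tWS01
"""

def parse_export(text):
    """Yield (timestamp, event_id, account, logon_type, workstation) per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, ltype, ws = line.split("\t")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), acct, int(ltype), ws

def summarize_sessions(text):
    """Return {(account, date): summary}; 'logons' counts the 540s, i.e. the noise."""
    out = {}
    for ts, eid, acct, ltype, ws in parse_export(text):
        if eid not in (540, 538):
            continue
        rec = out.setdefault((acct, ts.date().isoformat()), {
            "first_logon": None, "last_logoff": None,
            "logons": 0, "logoffs": 0, "workstations": set()})
        rec["workstations"].add(ws)
        hms = ts.strftime("%H:%M:%S")  # zero-padded, so string comparison orders correctly
        if eid == 540:
            rec["logons"] += 1
            if rec["first_logon"] is None or hms < rec["first_logon"]:
                rec["first_logon"] = hms
        else:
            rec["logoffs"] += 1
            if rec["last_logoff"] is None or hms > rec["last_logoff"]:
                rec["last_logoff"] = hms
    return out

if __name__ == "__main__":
    for (acct, day), r in sorted(summarize_sessions(SAMPLE_LOG).items()):
        # On a DC this brackets network connections, not the interactive session;
        # the real logoff time lives in the workstation's own Security log.
        print(f"{day} {acct:8} first 540 {r['first_logon']}  last 538 {r['last_logoff']}"
              f"  ({r['logons']} x 540, {r['logoffs']} x 538, from {sorted(r['workstations'])})")
```

Run against a real export, the first 540 per day is a fair proxy for when the user arrived, while the last 538 only says when the DC last saw a connection close, which is the gap Steve points to.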



Posted by Steven L Umbach on August 31, 2006, 11:54 pm
AWESOME.

Steve

