Posted by Meinolf Weber on October 2, 2007, 2:44 pm
Hello jkeiser,
Like Roger Abell wrote, it is normal behavior. Check the Default domain
controller policy for the settings for auditing success and failures for
object access, etc. If you want to stop the logging, you have to set it here.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
> I am getting the same 2 (538 & 540) and the antivirus server will not
> let the clients update because the server is 'too busy'. Is this a
> possible DoS attack?
>
> "Roger Abell [MVP]" wrote:
>
>> It appears from the events given that a machine named
>> USGS0001 in the domain named SG is doing a network
>> logon (type 3) such as for access to a share, i.e. some
>> application/service on that machine that is running in the
>> System or the Network Service context is doing so.
>>
>>> One of the Windows 2003 DCs keeps generating the 3 security events
>>> (Event ID 538, 540 & 576)
>>>
>>> The security event log is full after 3-5 minutes.
>>>
>>> Not sure which application or services keep generating the security
>>> event, please help
>>>
>>> event id :538
>>>
>>> User Logoff:
>>> User Name: USGS0001$
>>> Domain: SG
>>> Logon ID: (0x0,0x75595CB)
>>> Logon Type: 3
>>> Event id 540
>>> Successful Network Logon:
>>> User Name: USGS0001$
>>> Domain: SG
>>> Logon ID: (0x0,0x75595CB)
>>> Logon Type: 3
>>> Logon Process: Kerberos
>>> Authentication Package: Kerberos
>>> Workstation Name:
>>> Logon GUID:
>>> Caller User Name: -
>>> Caller Domain: -
>>> Caller Logon ID: -
>>> Caller Process ID: -
>>> Transited Services: -
>>> Source Network Address: 10.192.100.2
>>> Source Port: 1818
>>> Event id 540
>>>
>>> Special privileges assigned to new logon:
>>> User Name: USGS0001$
>>> Domain: SG
>>> Logon ID: (0x0,0x75595CB)
>>> Privileges: SeSecurityPrivilege
>>> SeBackupPrivilege
>>> SeRestorePrivilege
>>> SeTakeOwnershipPrivilege
>>> SeDebugPrivilege
>>> SeSystemEnvironmentPrivilege
>>> SeLoadDriverPrivilege
>>> SeImpersonatePrivilege
>>> SeEnableDelegationPrivilege
>>> For more information, see Help and Support Center at
>>>
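To see which account and source address produce the bulk of the 538/540 traffic before changing the audit policy, the event text can be tallied. The following is an added example, not part of the thread; it assumes the events were exported as plain text in the layout quoted above, and `HOSTB$` and `10.192.100.7` are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample, abbreviated, in the layout of the events quoted in the thread.
SAMPLE = """\
Event id 540
Successful Network Logon:
User Name: USGS0001$
Domain: SG
Logon ID: (0x0,0x75595CB)
Logon Type: 3
Source Network Address: 10.192.100.2
event id :538
User Logoff:
User Name: USGS0001$
Logon ID: (0x0,0x75595CB)
Event id 540
Successful Network Logon:
User Name: USGS0001$
Source Network Address: 10.192.100.2
Event id 540
Successful Network Logon:
User Name: HOSTB$
Source Network Address: 10.192.100.7
"""

HEADER = re.compile(r"^event id\s*:?\s*(\d+)$", re.I)
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(\S.*)$")  # skips labels with no value

def parse_events(text):
    """Split the text into one dict per event, keyed by field label."""
    events = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate quoted '>' prefixes
        if m := HEADER.match(line):
            events.append({"Event ID": int(m.group(1))})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1).strip()] = m.group(2).strip()
    return events

def network_logon_sources(events):
    """Count event 540 network logons per (account, source address)."""
    counts = Counter((e.get("User Name"), e.get("Source Network Address"))
                     for e in events if e["Event ID"] == 540)
    return counts.most_common()

if __name__ == "__main__":
    for (user, addr), n in network_logon_sources(parse_events(SAMPLE)):
        print(f"{n:5d}  {user}  {addr}")
```

A single machine account (name ending in `$`) dominating the count from one address matches the pattern described in the thread: a service on that host repeatedly making type 3 logons to the DC.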