Guest Brad
Posted March 20, 2008

We just set up a new SBS 2003 premium server and we're getting a lot of events 538/540/576 in the security log; I just counted 140 entries in 4 minutes. We have Symantec Endpoint small business 11.0 installed on the server and MozyPro (an online backup utility). Exchange, IIS, and SQL 2005 are also running and there are 6 client PCs.

I've tried shutting down the services for SQL server, Symantec, and MozyPro to see if that stopped/slowed the events and that didn't seem to have an effect. Is turning off the auditing for those events the only solution? Here are some sample entries:

******************************************
Event Category: Logon/Logoff
Event ID: 540
Date: 3/18/2008
Time: 9:40:21 AM
User: NT AUTHORITY\SYSTEM
Computer: **servername
Description:
Successful Network Logon:
User Name: **servername$
Domain: **domain
Logon ID: (0x0,0x7B32DD9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {63fe393a-b528-d3c6-a82b-89e8f443800f}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0

********************************************************
Event Category: Logon/Logoff
Event ID: 576
Date: 3/18/2008
Time: 9:57:01 AM
User: NT AUTHORITY\SYSTEM
Computer: **servername
Description:
Special privileges assigned to new logon:
User Name: **servername$
Domain: **domain
Logon ID: (0x0,0x7B718C9)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege

Guest Havre
Posted April 10, 2008

RE: security log filling with events 538/540/576

I am having the same issues. Did you ever find a solution to this issue? When we moved the PDC Emulator to another server, that server began to have the same issue along with 100% CPU Utilization.

--
-Havre

"Brad" wrote:
> We just set up a new SBS 2003 premium server and we're getting a lot of
> events 538/540/576 in the security log; I just counted 140 entries in 4
> minutes. We have Symantec Endpoint small business 11.0 installed on the
> server and MozyPro (an online backup utility). Exchange, IIS, and SQL 2005
> are also running and there are 6 client PCs.
>
> I've tried shutting down the services for SQL server, Symantec, and MozyPro
> to see if that stopped/slowed the events and that didn't seem to have an
> effect. Is turning off the auditing for those events the only solution?
> Here are some sample entries:
>
> ******************************************
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 3/18/2008
> Time: 9:40:21 AM
> User: NT AUTHORITY\SYSTEM
> Computer: **servername
> Description:
> Successful Network Logon:
> User Name: **servername$
> Domain: **domain
> Logon ID: (0x0,0x7B32DD9)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID: {63fe393a-b528-d3c6-a82b-89e8f443800f}
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 127.0.0.1
> Source Port: 0
>
>
> ********************************************************
> Event Category: Logon/Logoff
> Event ID: 576
> Date: 3/18/2008
> Time: 9:57:01 AM
> User: NT AUTHORITY\SYSTEM
> Computer: **servername
> Description:
> Special privileges assigned to new logon:
> User Name: **servername$
> Domain: **domain
> Logon ID: (0x0,0x7B718C9)
> Privileges: SeSecurityPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeTakeOwnershipPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeLoadDriverPrivilege
> SeImpersonatePrivilege
> SeEnableDelegationPrivilege
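
An added example, not part of the thread and not code from either poster: before deciding whether to turn off auditing, it helps to count which account, logon type and source address account for the 538/540/576 volume. It assumes the Security log has been exported to text in the layout quoted above; the sample entries, the SERVER01 name and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the thread's text layout; names are placeholders.
SAMPLE = """\
Event ID: 540
User Name: SERVER01$
Logon Type: 3
Source Network Address: 127.0.0.1
********
Event ID: 576
User Name: SERVER01$
********
Event ID: 540
User Name: alice
Logon Type: 3
Source Network Address: 192.168.16.21
********
Event ID: 540
User Name: SERVER01$
Logon Type: 3
Source Network Address: 127.0.0.1
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_events(text):
    """Split a text dump on asterisk separator lines; one dict per event."""
    events = []
    for chunk in re.split(r"^\*{3,}[ \t]*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:  # keep the first value seen for each field name
                fields.setdefault(m.group(1), m.group(2).strip())
        if "Event ID" in fields:
            events.append(fields)
    return events

def summarize(events):
    """Count events per (event ID, account, logon type, source address)."""
    keys = ("Event ID", "User Name", "Logon Type", "Source Network Address")
    return Counter(tuple(e.get(k, "-") for k in keys) for e in events)

def loopback_machine_logons(events):
    """540 logons by a computer account (name ends in $) from 127.0.0.1."""
    return [e for e in events if e["Event ID"] == "540"
            and e.get("User Name", "").endswith("$")
            and e.get("Source Network Address") == "127.0.0.1"]
```

Sorting the `summarize` result with `most_common()` puts the noisiest account and source pair first, which shows whether the volume is the server's own machine account logging on over loopback or traffic from the client PCs.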