Guest r. wales
Posted

Every morning I review the logs on my DCs. On my PDC this morning I saw Security events logged through the night for our users and workstations. We shut down the workstations at the end of the day so no machines were actually on. The events I saw were event 674, Service Ticket Renewed. Samples provided below:

 

-- entry for workstation/server

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 674
Date: 5/28/2008
Time: 5:05:54 AM
User: NT AUTHORITY\SYSTEM
Computer: <servername>
Description:
Service Ticket Renewed:
User Name: <workstationname>$@<domainname>
User Domain: <domainname>
Service Name: krbtgt
Service ID: <domain>\krbtgt
Ticket Options: 0x2
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-- entry for user

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 674
Date: 5/28/2008
Time: 4:59:56 AM
User: NT AUTHORITY\SYSTEM
Computer: <servername>
Description:
Service Ticket Renewed:
User Name: <username>@<domainname>
User Domain: <domainname>
Service Name: krbtgt
Service ID: <domain>\krbtgt
Ticket Options: 0x2
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

I occasionally see one or two of these entries through the night. However, last night it appears that every one of my users and machines turns up at least once. The client address for all of the log entries is the local 127.0.0.1.

Any suggestions as to why these are showing up now? Does this look like anything to be concerned about? The only changes made were the installation of CA Antivirus on Monday and log changes for an hour or so on Tuesday afternoon. Logon auditing was changed from -Failure- to -Success and Failure- for testing and then back to -Failure- only. Could this have triggered it?

 

Server info: win2k3 standard sp2; fully patched

 

Thanks in advance!


Guest r. wales
Posted

RE: log questions

 

 

UPDATE:

 

All machine and *some* user account entries are repeating approximately every 9 hours and 50 minutes.

These entries only seem to be occurring on one of three DCs.

Why the local IP address? If a service is causing this, how can I find out which one?

Used Process Explorer - nothing unusual; Used TCP View - a lot of LDAP traffic, but other than that all looks normal.
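An added example, not part of the original posts: one way to check the repeat interval described in the update is to save the Security log as text and compute, per DC and account, the hours between consecutive event 674 entries. It assumes the text layout quoted in the first post; the names DC1, WS01$ and EXAMPLE and both timestamps are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's layout; DC1, WS01$ and EXAMPLE are placeholders.
SAMPLE = """\
Event Type: Success Audit
Event ID: 674
Date: 5/27/2008
Time: 7:15:54 PM
Computer: DC1
User Name: WS01$@EXAMPLE
Client Address: 127.0.0.1

Event Type: Success Audit
Event ID: 674
Date: 5/28/2008
Time: 5:05:54 AM
Computer: DC1
User Name: WS01$@EXAMPLE
Client Address: 127.0.0.1
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")  # "Key: Value" lines

def parse_events(text):
    """Return one dict of fields per event; 'Event Type:' starts a new event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2).strip()
    return events

def renewal_intervals(events):
    """Map (DC, account, client address) -> hours between consecutive 674 events."""
    seen = defaultdict(list)
    for e in events:
        if e.get("Event ID") == "674":
            when = datetime.strptime(f'{e["Date"]} {e["Time"]}', "%m/%d/%Y %I:%M:%S %p")
            seen[(e["Computer"], e["User Name"], e["Client Address"])].append(when)
    return {k: [round((b - a).total_seconds() / 3600, 2)
                for a, b in zip(sorted(v), sorted(v)[1:])]
            for k, v in seen.items()}

if __name__ == "__main__":
    for key, hours in renewal_intervals(parse_events(SAMPLE)).items():
        print(key, hours)
```

Running the same functions over the exports from all three DCs shows which accounts renew on a fixed cycle, on which DC, and whether every such entry carries the loopback client address.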

