security log filling with events 538/540/576

  • Question

  • Hope this is the right forum for this question...

    We just set up a new SBS 2003 premium server and we're getting a lot of events 538/540/576 in the security log; I just counted 140 entries in 4 minutes.  We have Symantec Endpoint small business 11.0 installed on the server and MozyPro (an online backup utility).  Exchange, IIS, and SQL 2005 are also running and there are 6 client PCs.

    I've tried shutting down the services for SQL server, Symantec, and MozyPro to see if that stopped/slowed the events and that didn't seem to have an effect.  Is turning off the auditing for those events the only solution?  Here are some sample entries:

    ******************************************
    Event Category:    Logon/Logoff
    Event ID:    540
    Date:        3/18/2008
    Time:        9:40:21 AM
    User:        NT AUTHORITY\SYSTEM
    Computer:    **servername
    Description:
    Successful Network Logon:
         User Name:    **servername$
         Domain:        **domain
         Logon ID:        (0x0,0x7B32DD9)
         Logon Type:    3
         Logon Process:    Kerberos
         Authentication Package:    Kerberos
         Workstation Name:   
         Logon GUID:    {63fe393a-b528-d3c6-a82b-89e8f443800f}
         Caller User Name:    -
         Caller Domain:    -
         Caller Logon ID:    -
         Caller Process ID: -
         Transited Services: -
         Source Network Address:    127.0.0.1
         Source Port:    0


    ********************************************************
    Event Category:    Logon/Logoff
    Event ID:    576
    Date:        3/18/2008
    Time:        9:57:01 AM
    User:        NT AUTHORITY\SYSTEM
    Computer:   **servername
    Description:
    Special privileges assigned to new logon:
         User Name:   **servername$
         Domain:       **domain
         Logon ID:        (0x0,0x7B718C9)
         Privileges:    SeSecurityPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeTakeOwnershipPrivilege
                SeDebugPrivilege
                SeSystemEnvironmentPrivilege
                SeLoadDriverPrivilege
                SeImpersonatePrivilege
                SeEnableDelegationPrivilege

    Tuesday, March 18, 2008 3:13 PM
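
A triage example for the situation in the question, added here and not part of the original post: it parses Security log text exported in the layout quoted above and tallies entries by event ID, account, logon type and source address, so the accounts producing most of the volume stand out before any auditing is switched off. The sample data, the names `SERVER01$` and `jsmith`, the addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the question; all names are placeholders.
SAMPLE = """Event Category:    Logon/Logoff
Event ID:    540
Successful Network Logon:
     User Name:    SERVER01$
     Logon Type:    3
     Source Network Address:    127.0.0.1
******************************************
Event Category:    Logon/Logoff
Event ID:    576
Special privileges assigned to new logon:
     User Name:    SERVER01$
     Privileges:    SeSecurityPrivilege
            SeBackupPrivilege
******************************************
Event Category:    Logon/Logoff
Event ID:    540
Successful Network Logon:
     User Name:    jsmith
     Logon Type:    3
     Source Network Address:    192.168.16.21
"""

# "Field name:   value" lines; separators and privilege continuation lines do not match.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Return one dict of fields per exported event."""
    events = []
    for m in FIELD.finditer(text):
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Category":  # first field of every entry starts a new record
            events.append({})
        if events:
            events[-1][key] = value
    return events

def summarize(events):
    """Count entries by (event ID, account, logon type, source address)."""
    return Counter((e.get("Event ID"), e.get("User Name"), e.get("Logon Type", "-"),
                    e.get("Source Network Address", "-")) for e in events)

def self_logons(events):
    """Entries where a machine account (name ends in $) logs on over loopback."""
    return [e for e in events if e.get("User Name", "").endswith("$")
            and e.get("Source Network Address") == "127.0.0.1"]
```

`summarize(parse_events(text)).most_common(5)` lists the heaviest sources first; entries returned by `self_logons` are the server's own computer account authenticating to itself.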

Answers