UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 540 - Successful Network Logon

540's on local workstation & DC

nuallain — Fri, 24 Jun 2011 09:09:07 GMT

Can you provide any reason why I would see 540's on the local workstation and on the DC?

On the workstations I would expect to see \wkstn_name\userid and on the DC \domain\userid. I would also expect to see identical times on both if ntp is working properly; however there doesn't seem to be a 1 to 1 correlation.

In addition, why would you see 540's on the DC instead of the 672, 673, 674 if kerberos is being used for network authentication?

Multiple 540/538 pairings from non-authorized systems

Vern — Wed, 20 Apr 2011 09:37:39 GMT

Over the last few months I have noticed multiple successful 540/538 pairs from users and systems that I know for 100% certainty, do NOT have access/accounts for this system. I have not yet been able to identify how or why they are logging successful events.

Can you provide any additional insight?

Type Date Time Source Category Event User Computer

Success Audit 1/3/2011 10:17:33 AM Security Logon/Logoff 540 Person Account1
Success Audit 1/3/2011 10:17:42 AM Security Logon/Logoff 538 Person Account1
Success Audit 1/4/2011 2:58:02 PM Security Logon/Logoff 540 Person Account2
Success Audit 1/4/2011 2:58:06 PM Security Logon/Logoff 538 Person Account2
Success Audit 1/4/2011 6:17:09 PM Security Logon/Logoff 538 Person Account2
Success Audit 1/4/2011 6:17:06 PM Security Logon/Logoff 540 Person Account2
Success Audit 1/19/2011 2:25:16 PM Security Logon/Logoff 540 Person Account3
Success Audit 1/19/2011 2:25:17 PM Security Logon/Logoff 538 Person Account3
Success Audit 1/19/2011 2:25:16 PM Security Logon/Logoff 540 MachineAccount1$
Success Audit 1/19/2011 2:25:27 PM Security Logon/Logoff 538 MachineAccount1$
Success Audit 3/24/2011 7:01:46 AM Security Logon/Logoff 540 MachineAccount2$
Success Audit 3/24/2011 7:01:56 AM Security Logon/Logoff 538 MachineAccount2$
Success Audit 3/25/2011 4:43:35 PM Security Logon/Logoff 540 MachineAccount2$
Success Audit 3/25/2011 4:43:45 PM Security Logon/Logoff 538 MachineAccount2$
Success Audit 3/25/2011 1:20:17 PM Security Logon/Logoff 540 MachineAccount3$
Success Audit 3/25/2011 1:20:26 PM Security Logon/Logoff 538 MachineAccount3$
Success Audit 4/2/2011 1:29:35 PM Security Logon/Logoff 540 MachineAccount4$
Success Audit 4/2/2011 1:29:45 PM Security Logon/Logoff 538 MachineAccount4$
Success Audit 4/2/2011 11:28:53 PM Security Logon/Logoff 540 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX
Success Audit 4/2/2011 11:29:07 PM Security Logon/Logoff 538 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX
Success Audit 4/4/2011 1:25:39 AM Security Logon/Logoff 540 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX
Success Audit 4/4/2011 1:25:51 AM Security Logon/Logoff 538 S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX
Success Audit 4/5/2011 10:16:05 AM Security Logon/Logoff 540 MachineAccount5$
Success Audit 4/5/2011 10:16:16 AM Security Logon/Logoff 538 MachineAccount5$
Success Audit 4/7/2011 4:23:22 PM Security Logon/Logoff 540 MachineAccount3$
Success Audit 4/7/2011 4:23:31 PM Security Logon/Logoff 538 MachineAccount3$
Success Audit 4/13/2011 10:12:19 PM Security Logon/Logoff 540 MachineAccount6$
Success Audit 4/13/2011 10:12:26 PM Security Logon/Logoff 538 MachineAccount6$
Success Audit 4/13/2011 5:05:14 PM Security Logon/Logoff 540 MachineAccount6$
Success Audit 4/13/2011 5:05:18 PM Security Logon/Logoff 538 MachineAccount6$
Success Audit 4/14/2011 11:43:03 AM Security Logon/Logoff 540 MachineAccount6$
Success Audit 4/14/2011 11:43:07 AM Security Logon/Logoff 538 MachineAccount6$

Trying to create alerts based on Event ID 540

rlanier — Wed, 11 May 2011 09:18:15 GMT

I am trying to set up an alert using a central logging solution to inform me when ever a certain service account authenticates from any source IP other than the server hosting the log collection tool.

I was going to key on Event ID 540, the username, and configure the alert to hit if the authentication came from any IP other than the server hosting the log collection tool.

I have found that there are many log events (540) that have the Source Network Address blank. Can someone explain why this is??

Thanks!!!!!!

ROB

The computer name PCxxxx$ in 540 User field

hunnypot — Thu, 20 May 2010 04:57:26 GMT

Hi all,

I was checking log from my domain controllers and I saw 540 messages with a strange value in the user field.

user = PC1122$
computer = DC2
workstation name = PC3344

Why did I see the computer name in the user field instead of the log on user's name? And what does it mean?

I have W2003 domain controllers and XP clients (name starting with PCxxxx).

Thank you for your answer/explanation.

540 Events on Domain controllers

tyoism — Wed, 12 Jan 2011 11:36:11 GMT

I'm seeing activity on domain controllers that show the machine name SYSNAMEHERE$ as the User Name and the Computer Name is the domain controller. They are 540 type 8 logins that are successful, however, I'm trying to understand what is generating the event because I know that these users do not have proper credentials to log into a domain controller. Is this some Windows background foo? Perhaps Windows logon scripts, etc.?

Workstation blank when Auth. package is Kerberos?

Braino — Fri, 19 Nov 2010 14:31:25 GMT

Hi Randy,

On Eventid 540; I'm noticing the workstation name is blank (but the Source IP is still there) when the authentication package is Kerberos... Is this consistent in your experience? My guess is since the authenticaton package doesn't deal with workstation names, this field will be blank.

Just wanted a confirmation on your side...if you could :cool:

Layout of fields in 540 event ?

michaelluch — Wed, 21 Apr 2010 06:45:19 GMT

I use a script to parse 540 events in the Security Log.
In some cases I see and event like this
"eventtype" => "Audit Normal ",
"eventnumber" => "540",
"category" => "2",
"source" => "Security",
"creationtime" => "Thu, 15 Apr 2010 10:44:41 UTC",
"writetime" => "Thu, 15 Apr 2010 10:44:41 UTC",
"computer" => "TTESTDC4",
"SID" =>"S-1-5-21-0-0-4-0",
"Strings" => {
"0" => 'TestUser1',
"1" => 'TEST_DOM',
"2" => '(0x0,0x7D709A)',
"3" => '3',
"4" => 'Kerberos',
"5" => 'Kerberos',
"6" => '',
"7" => '{7a49e72b-ae5b-9137-633e-a392ed0569f2}',
"8" => '-',
"9" => '-',
"10" => '-',
"11" => '-',
"12" => '-',
"13" => '10.125.58.195',
"14" => '0',
}

other events appear like this (see the values in the String part, ip addres in field 13 or 14 for example)
"eventtype" => "Audit Normal ",
"eventnumber" => "540",
"category" => "2",
"source" => "Security",
"creationtime" => "Thu, 15 Apr 2010 10:43:51 UTC",
"writetime" => "Thu, 15 Apr 2010 10:43:51 UTC",
"computer" => "TESTDC4",
"SID" =>"S-1-5-21-0-0-4-0",
"Strings" => {
"0" => '',
"1" => 'TestUser2',
"2" => 'TEST_DOM',
"3" => '(0x0,0x7DAC7A)',
"4" => '3',
"5" => 'Kerberos',
"6" => 'Kerberos',
"7" => '',
"8" => '{87e77d0a-64ae-432a-89f4-d62ba36b4966}',
"9" => '-',
"10" => '-',
"11" => '-',
"12" => '-',
"13" => '-',
"14" => '10.125.58.131',
}

Any suggestions why the event would be stored differently ?

thanks

Many 540/538 events during short period of time.

Pablo — Mon, 25 Jan 2010 04:19:12 GMT

Hello

I wonder why are there so many 540/538 entries (each 540/538 pair with the same logon id) during so short period of time? It is even twice per second and is related to many users and workstations accounts.

Besides from time to time some users (WinXP/Vista) can't login to AD. There is no strict rule - each time that problem is related to different users accounts.

Thanks for your precious explanations/help
Pablo

P.S.
Does anyone knows how to paste attachments here?

Unexplained 540 events on W2K workstation in a domain

kr_lly — Mon, 12 Oct 2009 13:23:35 GMT

Does anyone have an explanation for this sequence of three Events on a W2K workstation that's in a domain? The workstation name is WK3577. The user in this case (AM\User1) is a valid domain user but there is no logical connection between them and this workstation. The are multiple user accounts generating these Events.

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x564620)
Assigned: SeChangeNotifyPrivilege

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/11/2009
Time: 11:47:09 PM
User: AM\User1
Computer: WK3577
Description:
Successful Network Logon:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/11/2009
Time: 11:47:21 PM
User: AM\User1
Computer: WK3577
Description:
User Logoff:
User Name: User1
Domain: AM
Logon ID: (0x0,0x564620)
Logon Type: 3

Multiple event 540 and 538 entries

netwit — Mon, 28 Sep 2009 09:52:16 GMT

What would cause one user to fill the event log on my domain server with event 540 and 538 entries? I am talking over 1 million in 24 hours. I can't detect any virus or spyware on the system and the system seems to run normally but only shutting off the user PC stops the stream of event losgs.

machine accounts in code 540, 538 events

Clay — Mon, 27 Apr 2009 10:45:59 GMT

Our WS2003 Event Viewer Security log contains many more machine log-ins than user account logins. Is this a normal, useful configuration, or have we bollixed something?

EID - 540

kitchu25 — Fri, 14 Aug 2009 03:18:41 GMT

Hi,

I am doing audit review for my company. In a server I can see in the log for EID - 540 from which workstation the access is made.

Here I is the see log details:

"Successful Network Logon: User Name: $nrddu Domain: sdap Logon ID: (0x0,0x5F637364) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: Htf1

Here I can not see the same in the server :

"Successful Network Logon: User Name: $nrddu Domain: sdap Logon ID: (0x0,0x5F669D39) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name:

Is there any differnace in this NtLmSsp Authentication Package and Kerberos Authentication Package in capturing the logs...

Kishore

Logon Types for 540?

Braino — Mon, 11 May 2009 19:24:41 GMT

Hey -

I noticed the description says this eventid (540) only happens for logon type 3. This isn't true as it also happens for Logon type 8 (NetworkClearText - most likely a Basic Authentication to IIS).

Is this right? Does EventID 528 ever show Logon type 8? Do any other logon types show on EventID 540?

Thanks,

Braino! ;)