We have some alerts set up to fire when event 4776 shows up. The problem is that we have noticed that when some patches or service packs get applied, this alert will show up multiple times from the domain controller. What gives with this?
Here are examples:
Jul 21 21:25:56 10.1.113.225 MSWinEventLog 1 Security 4380641 Tue Jul 21 21:25:53 2009 4776 Microsoft-Windows-Security-Auditing N/A N/A Information domaincontroller.contoso.com None The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: MEMBER-SERVER Error Code: 0xc0000064 4379795
When I hop onto "MEMBER-SERVER", I will see events like this:
Event Type: Information
Event Source: NtServicePack
Event Category: None
Event ID: 4371
Date: 7/21/2009
Time: 9:09:15 PM
User: MEMBER-SERVER\Administrator
Computer: MEMBER-SERVER
Description:
Windows Server 2003 Service Pack 2 was installed (Service Pack 1 was previously installed).
(Ignore the differing timestamps; I just grabbed two separate examples).