machine accounts in code 540, 538 events
Posted 4/27/2009 10:45:59 AM
Forum Newbie
Our WS2003 Event Viewer Security log contains many more machine log-ins than user account logins. Is this a normal, useful configuration, or have we bollixed something?
Post #80
Posted 4/28/2009 9:10:17 AM
Expert (Administrators)
I assume you are describing the log on a domain controller? If so, yes, that's normal. Each computer in the domain checks in with a domain controller every 90 minutes or so to refresh group policy, which causes a network logon (540) and logoff (538). It would be nice if that auditing could just be turned off, since it's noise, but Windows lacks that kind of granularity.
Post #81
Posted 8/27/2009 7:06:51 PM
Forum Newbie
So it is true then that there is no way to effectively "stop" the vast numbers of these from being logged if you have auditing enabled? That is unfortunate.

For example, we have several hundred systems logging to several different ADs, and on average in an hour we generate 270K logs, of which 89K are Event ID 540. Breaking out the Type 3 and Type 8 logons, we find that about 88.5K of them are Type 3, with the remaining ~500 being Type 8.

Looking closer at the Type 3 logons, we find that 50.5K of them are "ANONYMOUS LOGON".

Such as below:

NT AUTHORITY,ANONYMOUS LOGON,vb2k0056,Aug 27 17:59:03 2009,security,Security,"Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x4F6DE22B)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: VB0409237
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 10.153.152.154
    Source Port: 0

So no one has devised a way to not log this sort of behavior?
Post #192
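The two posts above describe the same downstream problem from different ends: the domain controller logs a 540/538 pair for every machine-account check-in, and the collector then has to separate that traffic from the anonymous and user logons that are actually worth reading. The following Python script is an added example, not code from this thread or from any poster; it parses exported 540 lines in the same comma-prefixed layout as the record in the post above, tallies them by logon type and account class, and drops only the machine-account network logons. The first sample line is the post's own record (with the missing parenthesis in the Logon ID restored); the remaining lines, the `_constructed()` helper that builds them, and the EXAMPLE domain, host and address values are constructed for the example.

```python
import re
from collections import Counter

# Field labels found in the text of a Windows Server 2003 event 540, listed
# longest first so that "Caller User Name" is matched before "User Name",
# "Caller Logon ID" before "Logon ID", and so on.
LABELS = [
    "Caller User Name", "Caller Process ID", "Caller Logon ID", "Caller Domain",
    "Authentication Package", "Source Network Address", "Transited Services",
    "Workstation Name", "Logon Process", "Logon Type", "Logon GUID", "Logon ID",
    "Source Port", "User Name", "Domain",
]
LABEL_RE = re.compile("(" + "|".join(re.escape(l) for l in LABELS) + "):")


def parse_record(line):
    """Split one exported line into its six prefix columns (domain, account,
    host, time, log name, source) and the labelled fields of the event text.
    Only the first six commas are separators; the Logon ID contains a comma."""
    domain, account, host, when, _log, _src, body = line.split(",", 6)
    parts = LABEL_RE.split(body.strip().strip('"'))
    # parts = [preamble, label1, value1, label2, value2, ...]; blank values
    # such as the anonymous User Name are kept as ''.
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    return {
        "domain": domain,
        "account": account,
        "host": host,
        "time": when,
        "event": parts[0].strip().rstrip(":"),
        "logon_type": int(fields.get("Logon Type") or 0),
        "logon_process": fields.get("Logon Process", ""),
        "source_ip": fields.get("Source Network Address", "").strip("-"),
        "fields": fields,
    }


def classify(rec):
    """Machine accounts end in '$'; the anonymous logon is named in the
    account column of the export, as in the post's own record."""
    if rec["account"].upper() == "ANONYMOUS LOGON":
        return "anonymous"
    if rec["account"].endswith("$"):
        return "machine"
    return "user"


def summarize(lines):
    """Count records by (logon type, account class), the breakdown the
    poster did by hand."""
    return Counter((r["logon_type"], classify(r))
                   for r in map(parse_record, lines))


def filter_noise(lines):
    """Keep everything except machine-account network (type 3) logons, the
    group-policy check-ins the domain controller cannot stop auditing.
    Anonymous and user logons of every type are kept for review."""
    return [r for r in map(parse_record, lines)
            if not (classify(r) == "machine" and r["logon_type"] == 3)]


def anonymous_sources(lines):
    """Tally ANONYMOUS LOGON records by source address so they can be
    reviewed per originating host instead of being discarded wholesale."""
    return Counter(r["source_ip"] for r in map(parse_record, lines)
                   if classify(r) == "anonymous")


def _constructed(domain, account, logon_type, process, package, ip, logon_id):
    """Build a constructed export line in the same layout as the post's record."""
    return (
        f'{domain},{account},vb2k0056,Aug 27 17:59:30 2009,security,Security,'
        f'"Successful Network Logon: User Name:{account} Domain:{domain} '
        f'Logon ID:{logon_id} Logon Type:{logon_type} Logon Process:{process} '
        f'Authentication Package:{package} Workstation Name: Logon GUID:- '
        f'Caller User Name:- Caller Domain:- Caller Logon ID:- Caller Process ID: - '
        f'Transited Services: - Source Network Address:{ip} Source Port:0'
    )


# Constructed sample export: the post's record first, then four made-up lines.
SAMPLE_EXPORT = [
    'NT AUTHORITY,ANONYMOUS LOGON,vb2k0056,Aug 27 17:59:03 2009,security,Security,'
    '"Successful Network Logon: User Name: Domain: Logon ID:(0x0,0x4F6DE22B) '
    'Logon Type:3 Logon Process:NtLmSsp Authentication Package:NTLM '
    'Workstation Name:VB0409237 Logon GUID:- Caller User Name:- Caller Domain:- '
    'Caller Logon ID:- Caller Process ID: - Transited Services: - '
    'Source Network Address:10.153.152.154 Source Port:0',
    _constructed("EXAMPLE", "VB0409237$", 3, "Kerberos", "Kerberos",
                 "10.153.152.154", "(0x0,0x4F6E0102)"),
    _constructed("EXAMPLE", "VB0409301$", 3, "Kerberos", "Kerberos",
                 "10.153.152.201", "(0x0,0x4F6E0177)"),
    _constructed("EXAMPLE", "jsmith", 3, "Kerberos", "Kerberos",
                 "10.153.150.22", "(0x0,0x4F6E0300)"),
    _constructed("EXAMPLE", "svc-web", 8, "Advapi",
                 "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
                 "10.153.150.40", "(0x0,0x4F6E0412)"),
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_EXPORT).items()):
        print(f"type {key[0]} {key[1]:<9} {n}")
    print("kept for review:", len(filter_noise(SAMPLE_EXPORT)))
    print("anonymous by source:", dict(anonymous_sources(SAMPLE_EXPORT)))
```

Two design choices are deliberate. The machine-account test is on the account name, not on the logon process or package, because the check-in traffic the second post describes is identified by who logged on rather than how; and the anonymous NTLM type 3 records are tallied by source address rather than dropped, since a script that silently discards half of the 540 volume is no better than the domain controller's lack of a per-account audit switch.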