Kevin
This is a lengthy post... Sorry but need to describe....
We have a server that we set up to capture every event in
the event log. We are noticing a strange group of entries
that we are not sure what it is. I assume it is some
standard OS / Network level entry because it happens often
and is a consistent set of entries but we do not know what
the entries mean and would like to know if anyone out
there does.
Log Entries....

Success audit
Category: Privilege use
Event ID: 576
Username: domain\computername$
In the Description:
Special Privileges assigned to new user
User Name and Domain Blank
Assigned: SeChangeNotifyPrivilege

Success audit
Category: Logon/Logoff
Event ID: 540
Username: domain\computername$
In the Description:
Successful Network logon
User Name: computername$
Domain: domain
Logon Type: 3

Success audit
Category: Logon/Logoff
Event ID: 538
Username: domain\computername$
In the Description:
User Logoff
User Name: computername$
Domain: domain
Logon Type: 3

These 3 entries always accompany each other. The
interesting issue is that this happened to one of our
servers over the weekend but that the entries were taking
place every second and filled up our 25 MB log file in
about 5 hours. We disconnected the computer from the
network that was mentioned in the username field and these
entries stopped. We plugged the computer back in this
morning and it isn't happening?
We have done the normal virus / hack research but this
does not appear to be that at all. In fact we see in the
logs where other entries of this type are in the system
but for different computers....
We did notice that the Computer Browser service was on for
this server and it shouldn't have been so we turned it off.
Does anyone know what this is?
Kevin
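
Added example, not part of Kevin's post: a way to spot the pattern he describes (a machine account producing 576/540/538 triplets about once per second) in exported Security log records. The record layout, account names, timestamps, window and threshold are all assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs named in the post: 576 (privileges assigned), 540 (network logon), 538 (logoff).
TRIPLET = {576, 540, 538}

def build_sample(account, start, count, step_seconds):
    """Constructed records: one 576/540/538 triplet every step_seconds."""
    events = []
    for i in range(count):
        ts = start + timedelta(seconds=i * step_seconds)
        for event_id in (576, 540, 538):
            events.append({"time": ts, "event_id": event_id, "user": account})
    return events

def noisy_machine_accounts(events, window=timedelta(minutes=1), threshold=30):
    """Map each machine account (name ends in '$') to its peak number of complete
    triplets inside any sliding window, keeping only accounts at or above threshold."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["user"].endswith("$") and ev["event_id"] in TRIPLET:
            # Assumption: the three entries of one triplet share the same second.
            seen[ev["user"]][ev["time"].replace(microsecond=0)].add(ev["event_id"])
    flagged = {}
    for account, by_second in seen.items():
        times = sorted(t for t, ids in by_second.items() if ids == TRIPLET)
        peak, left = 0, 0
        for right, t in enumerate(times):
            while t - times[left] >= window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged

# Constructed sample: one machine account flooding once per second, one behaving normally.
START = datetime(2004, 1, 3, 2, 0, 0)
SAMPLE = (build_sample("DOMAIN\\WKSTN01$", START, 120, 1)
          + build_sample("DOMAIN\\WKSTN02$", START, 10, 300))

if __name__ == "__main__":
    for account, peak in noisy_machine_accounts(SAMPLE).items():
        print(f"{account}: {peak} logon/logoff triplets within one minute")
```

Running the same check per source computer on a schedule would surface a flooding machine account before it fills the log.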