Excessive security events 4624 and 4634
I have a Farm with WFE and SQL. The Farm is set up with least-privilege accounts. I am faced with a problem: the service account and farm account are showing in the Event Viewer Security log as Audit Success. However, there are 7000+ events per hour for each.
Is there any explanation for this, or any way to abate it? I have another Farm where the events do not get recorded at all.
Jeff Tucker Engineer
They log into the server they're running services on. It isn't an interactive login, but either a batch or service login (usually service). This is normal behavior, and configurable via Audit Policy.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
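To confirm that the volume really is service and batch logons from the farm accounts, as the reply above says, the following PowerShell groups the last hour of 4624 events by logon type and target account. This is an added example, not code from the thread or from Microsoft; the computer name and look-back window are parameters you supply, and the logon type names are the standard Windows ones for event 4624.

```powershell
# Added example: summarise Security event 4624 by logon type and account so the
# source of the noise is known before any audit policy is changed. Not from the thread.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # WFE or SQL host to query (assumed reachable)
    [int]$Hours = 1                              # look-back window
)

# Standard Windows logon type codes documented for event 4624
$logonTypeName = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

# FilterHashtable is evaluated by the Event Log service, so only 4624 in the window is returned
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Each 4624 record carries its fields as <Data Name="..."> elements in the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $t = [string]$d['LogonType']
    [pscustomobject]@{
        LogonType = if ($logonTypeName.ContainsKey($t)) { "$t ($($logonTypeName[$t]))" } else { $t }
        Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        Process   = $d['ProcessName']
    }
}

# Highest-volume (logon type, account) pairs first. On a SharePoint farm the top rows
# are expected to be Service (5) or Batch (4) logons for the farm and service accounts.
$rows | Group-Object LogonType, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it as a member of Event Log Readers on the host in question. If the top rows are type 5 logons for the farm accounts, the events are the normal service logons the reply describes. Turning off success auditing for the Logon subcategory would silence them, but it also removes the interactive (2) and RemoteInteractive (10) logons a defender wants to keep; dropping type 4 and 5 at the collector keeps that evidence while removing the noise.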
Similar Messages
-
Hi,
We are receiving several eventids '26007' from the OpsMgr log on our Domain Controllers, also eventids '26008' with similar description are logged
The EventLog service reported that the Security event log on computer '<Domain Controller Computer>' is corrupt. The Windows Event Log Provider will attempt to recover by re-opening log.
I'll appreciate any suggestion in order to solve this issue.
Regards.
I guess this issue is caused by corrupted event ID 4661 entries in the security event log.
Please check if you have many 4661 events in security event log and XML view cannot be viewed.
Running the below command on DC will disable the auditing of the SAM Object access. This should stop the Event ID 4661 from being logged which should stop the Alert regarding corrupt Event log:
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
Regards, -
How can I turn off Event ID 5156 AND 5145 in the Security Event Log?
Hi,
I have a high-volume web service. Every time there is a connection from the outside, it logs this in my security event log.
I want to turn this off.
How can I stop the logging of event id 5156 on the web server and 5145 on the file server?
Thanks!
Dane!
Hi,
Thanks for posting in Microsoft TechNet forums.
The problem can be related to Audit settings. Please check the following threads to see if the information can be useful during the troubleshooting:
auditing file share on windows 2008 R2
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9e633bad-cda6-4ec4-8f04-c01de57ce767
Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/8044fb62-f5ea-45b5-b717-3f6592af77e0
Regards
Kevin
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here. -
I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory                              Setting
System
  Security System Extension                       No Auditing
  System Integrity                                No Auditing
  IPsec Driver                                    No Auditing
  Other System Events                             No Auditing
  Security State Change                           No Auditing
Logon/Logoff
  Logon                                           No Auditing
  Logoff                                          No Auditing
  Account Lockout                                 No Auditing
  IPsec Main Mode                                 No Auditing
  IPsec Quick Mode                                No Auditing
  IPsec Extended Mode                             No Auditing
  Special Logon                                   No Auditing
  Other Logon/Logoff Events                       No Auditing
  Network Policy Server                           No Auditing
Object Access
  File System                                     No Auditing
  Registry                                        No Auditing
  Kernel Object                                   No Auditing
  SAM                                             No Auditing
  Certification Services                          No Auditing
  Application Generated                           No Auditing
  Handle Manipulation                             No Auditing
  File Share                                      No Auditing
  Filtering Platform Packet Drop                  No Auditing
  Filtering Platform Connection                   No Auditing
  Other Object Access Events                      No Auditing
  Detailed File Share                             No Auditing
Privilege Use
  Sensitive Privilege Use                         No Auditing
  Non Sensitive Privilege Use                     No Auditing
  Other Privilege Use Events                      No Auditing
Detailed Tracking
  Process Termination                             No Auditing
  DPAPI Activity                                  No Auditing
  RPC Events                                      No Auditing
  Process Creation                                No Auditing
Policy Change
  Audit Policy Change                             No Auditing
  Authentication Policy Change                    No Auditing
  Authorization Policy Change                     No Auditing
  MPSSVC Rule-Level Policy Change                 No Auditing
  Filtering Platform Policy Change                No Auditing
  Other Policy Change Events                      No Auditing
Account Management
  User Account Management                         No Auditing
  Computer Account Management                     No Auditing
  Security Group Management                       No Auditing
  Distribution Group Management                   No Auditing
  Application Group Management                    No Auditing
  Other Account Management Events                 No Auditing
DS Access
  Directory Service Changes                       No Auditing
  Directory Service Replication                   No Auditing
  Detailed Directory Service Replication          No Auditing
  Directory Service Access                        No Auditing
Account Logon
  Kerberos Service Ticket Operations              No Auditing
  Other Account Logon Events                      No Auditing
  Kerberos Authentication Service                 No Auditing
  Credential Validation                           Success
Hi Lawrence,
After configuring the GPO, did we run the command gpupdate /force to update the policy immediately on the domain controller? Besides, please run the command gpresult /h c:\gpreport.html to check if the audit policy setting was applied successfully.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
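The auditpol /get output in the thread above is the right evidence, but reading some fifty lines by eye after every policy change is error-prone. The following PowerShell is an added example, not from the thread: it reads the same data in CSV form (auditpol /get /category:* /r) and lists every subcategory whose effective setting differs from a baseline you define, so it can be run after the gpupdate /force the reply suggests to confirm what actually applied. The baseline values are an assumed domain controller minimum, not anything the thread prescribes.

```powershell
# Added example: compare the effective audit policy against an intended baseline and
# report drift. Not code from the thread; the baseline is an assumption to adjust.
$baseline = @{
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Special Logon'                   = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Security State Change'           = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
}

# /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting. Blank lines are dropped first.
$effective = (auditpol /get /category:* /r) |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv

$drift = foreach ($sub in $baseline.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory.Trim() -eq $sub }
    $actual = if ($row) { $row.'Inclusion Setting'.Trim() } else { '(not reported)' }
    if ($actual -ne $baseline[$sub]) {
        [pscustomobject]@{ Subcategory = $sub; Expected = $baseline[$sub]; Actual = $actual }
    }
}

if ($drift) {
    $drift | Sort-Object Subcategory | Format-Table -AutoSize
} else {
    'Effective audit policy matches the baseline.'
}
```

auditpol reports the policy the Local Security Authority is actually enforcing, which is why it belongs after gpupdate /force and gpresult: gpresult shows what Group Policy delivered, this shows what took effect.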
Get notification and Alerts for security events
Hi
I have LMS 3.1 and I need to be notified and alerted about any security issues that may be logged on the routers and switches, such as port security and DHCP snooping deny events.
Many thanks.
Cheers
There are several methods of doing this.
1. Have you heard of Cisco Notification Service?
2. Have you tried RSS?
If you want to receive RSS feeds from Cisco Security Advisories, Responses, and Notices then the RSS address HERE.
If you want to receive RSS feeds from Cisco Security Notices then the RSS address HERE. -
Exchange security evtx files and connection events
Does anyone know if the security .evtx files on the Exchange MB database servers (2010) would store information about connections from client software (i.e. Outlook)? Trying to determine a way to see when a connection was made by a specific user (Windows 7 PC accessing Exchange via Outlook 2010), and subsequently closed (i.e. when they shut Outlook on their PC). Have some logs from the server on the day but they are a bit overwhelming; any ideas on specific event IDs to filter the masses of data down to connections?
There are several hundred mailboxes on this DB server so it's going to be a nightmare to analyze.
Hello,
Clients' connectivity logging is not maintained by Security Event Log files. To configure client connectivity you should configure:
1. For RPC connectivity: http://theucguy.net/rpc-client-access-logging-in-exchange/.
2. For OWA connections: check %SystemDrive%\inetpub\logs\LogFiles directory.
Hope it helps,
Adam
CodeTwo: Software solutions for Exchange and Office 365
If this post helps resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. -
Windows Active Session logon state security event viewer
Hi Team,
I have a question.
I have already enabled the audit logging policy from GPO, especially logon/logoff auditing.
The server's Event Viewer (Security / Audit Success) displays log off and log on event IDs: 4634 for logoff and 4624 for logon.
My questions are:
1. Why does Event Viewer always show the computer name in the Account Name information of event ID 4624 (logon)?
Can I get the user name info from this event ID 4624 logon?
2. In event ID 4634 (logoff), the Security ID and Account Name info always show the computer account.
Can I get the user name too?
3. What if the active logged-on user never logs off (I mean the user only disconnects from the RDP session)?
Can I get info from the security event viewer about which user is actively remoted into the server?
Thanks
Regards :)
There should be both a computer and a user authentication since both log onto the domain.
Even though a user may never log off of a machine, they still need to establish a session with other machines for services. After the initial logon the Kerberos TGT session ticket may be good for the next week (7 days by default); the logs should still show all newly established sessions. You may need to review all DCs within the site of the user, not just one DC, since any DC within the site could be providing the service.
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights. -
Security Events Shows A New User Account Setup By Accessing my Network with a Profile
Can you tell me, please, if this is the result of a hack?
Mine is the 1st ID and Name.
Subject:
Security ID: GATEWAY\Angela
Account Name: Angela
Account Domain: GATEWAY
Logon ID: 0x2CBED
Additional Information:
Caller Workstation: GATEWAY
Target Account Name: Administrator
Target Account Domain: GATEWAY"
Audit Success 2/5/2014 12:49:45 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Audit Success 2/5/2014 12:49:45 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: GATEWAY$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Type: 5
Impersonation Level: Impersonation
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x250
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
I also suddenly have a 'switch user' on my Windows logon screen, have files appearing and disappearing, see someone logging in with a temp profile, then a manual profile, then an automatic profile (created from the profile examples given), logons between midnight and 2am, User Profiles Service 3, 4, 1, 5, 67, 5 and 2 over a 5 minute period at 1:10am on 2/3, etc.
I need to load my husband's PC (I reloaded mine and the problem continued), and need to know how to protect him from this, if necessary.
How do I proceed?
Hi,
Generally speaking, the events you list above are just system services or applications that need to use system resources, and then Event Viewer records their activity. You can use Filter (filter by event ID, such as 4624) to check; you will find plenty of events like new account logon.
About your other question, you can go to User Management to check your system's current users and whether any other new user has been created.
Win+X, choose Computer Management, Local Users and Groups
Roger Lu
TechNet Community Support -
Need Help to extract information from Windows Security Event log
Hi Everyone,
My challenge is to create a script that queries the Security event log for event id 4624 , logon type 2 and 10, then export the result to file, hopefully tab limited.
I need the time - date - User Account - Workstation - IP address - Logon Type.
I have had a go, checking out other advice from other questions, but i'm just not getting what I want.
Kind regards,
Andrew
A good point to start is get-eventlog with where clauses.
For example:
get-eventlog -log security | where {$_.eventID -eq 4624}
So you want to get the entire security log, and then filter it client side? (Some of these logs can be massive).
I would recommend Get-WinEvent with -FilterHashTable (Filter on the left) which will filter against the log directly.
http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/24/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing.aspx
You might have admin rights issues accessing the security logs.
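As an added example (not code from the thread or from the linked article), here is the Get-WinEvent approach from the answer above carried through to the file the question asks for. The filter on event ID, logon type and time window is an XPath expression evaluated by the Event Log service, so only matching records are returned to the client, and the result is written tab-delimited. The output path and the seven-day window are assumptions.

```powershell
# Added example: export Interactive (2) and RemoteInteractive (10) logons from the
# Security log as a tab-delimited file, filtered at the log rather than client side.
# Not code from the thread; output path and window are assumptions.
param(
    [string]$OutFile = "$env:TEMP\logons.tsv",
    [int]$Days = 7
)

# timediff() is the Event Log XPath extension; its argument is milliseconds.
$windowMs = $Days * 86400000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]] " +
         "and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

$records = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the record's XML
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated.ToString('HH:mm:ss')
            Date        = $_.TimeCreated.ToString('yyyy-MM-dd')
            UserAccount = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
            LogonType   = $d['LogonType']
        }
    }

# Export-Csv with a tab delimiter gives the tab-delimited file the question asks for
$records | Export-Csv -Path $OutFile -Delimiter "`t" -NoTypeInformation -Encoding UTF8
"Wrote $(@($records).Count) logon records to $OutFile"
```

Reading the Security log needs membership of Event Log Readers or local administrator rights, which is the "admin rights issues" point above. For type 10 logons the IpAddress field is the RDP client's address; for local console logons it is usually "-" or 127.0.0.1.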
You're right - my answer was only a first step to try "get-command *event" and eventually get-help..... -
Windows Server 2008 R2 Security Event Log Maximum Size
I have a customer with logging requirements on domain controllers that are exceeding the maximum log size they have configured for the security log. When they attempted to increase the maximum size of the security event log via Group Policy, the settings did not take effect. When an attempt was made to increase the security event log manually on the domain controller via the properties of the log, an error is generated whenever the value was changed.
The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 196608 KB
The 196608 KB value is the value that it is currently set to. Testing on other logs (Application, System) has led to the same result.
wevtutil.exe sl security /ms:<n> produces similar results. There is no error message given, but the value doesn't change when you run wevtutil.exe gl security.
When viewing the registry value MaxSize under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security the change is reflected, but the log does not seem to get any larger.
What one would expect to be a two minute change in a group policy object has turned into something much more difficult. Any idea what could be causing this?
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator
I verified that it was not another policy - the domain is pretty simple without many policies, only policies applied are:
Default Domain Policy (no event log settings)
Company Domain Policy (no event log settings)
Default Domain Controller Policy (no event logs settings)
Company Domain Controller Policy (...\Event Log\Maximum security log size 4194240 kilobytes)
The value was 196608 before, the plan was to change the group policy setting to 4194240 and I expected it to be that easy. However, the values didn't change.
4194240 is divisible by 64
Used multiple tools to try and change
Group Policy
Event Viewer
wevtutil.exe
registry editor
While some of the methods display a larger event log, the actual size of the event log still seems to be limited to 196608 KB.
Thanks,
Joe
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator -
Allow Non-Administrator accounts to create event sources and write to event logs
We are setting up BizTalk 2013 in Windows Server 2012 and one of the requirements is to allow the service account to create sources and write in event logs (Application) of the BizTalk servers. We have found what seems to be a simple solution for this without giving service accounts local admin rights.
Give Full control for the following registry keys to the service accounts or groups to allow creating of event sources and write to event logs:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
Note: when changing permissions for EventLog key, the child keys will inherit the permissions by default except Security key which must be done manually.
Initial tests using a .net test app seems to work as expected. New event sources are being created in the event logs and writing to the event logs after that works perfectly.
The above method has been deployed in production and this is the most suitable solution for us.
Hi Keong6806,
Thanks a lot for posting and sharing here.
Do you have any other questions regarding this topic? If not I would change the type as 'Discussion' then.
Best Regards,
Elaine
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Many security events have been identified by the proxy stack.
On our Lync Edge servers I can see lots of warning events getting generated every second. Any idea how to stop these events?
Log Name: Lync Server
Source: LS Protocol Stack
Date: 3/26/2014 5:40:43 AM
Event ID: 14425
Task Category: (1001)
Level: Warning
Keywords: Classic
User: N/A
Computer: servername
Description:
Many security events have been identified by the proxy stack.
In the past 55 seconds, 30 security events have been identified by the proxy stack. A large number of security events could indicate that the server is under attack. The last event was:
$$begin_record
LogType: security
Text: The connection from a remote user client is refused because remote user access is disabled
Result-Code: 0xc3e93d6d SIPPROXY_E_CONNECTION_EXTERNAL_INTERNET_ACCESS_DISABLED
Peer-IP: 192.168.10.1:50224
Peer: 192.168.10.1:50224
$$end_record
Cause: The server may be under attack, or there might be a configuration problem that is causing errors.
Resolution:
Launch the Lync Server 2010 Logging Tool. Select the "SIPStack" component, the "Errors" level and the TF_SECURITY flag. Review the events reported to the trace log using the "Analyze Log Files" feature of the logging tool.
Hi,
What's your Edge NIC and certificate configuration? And the DNS SRV records?
It may happen because the Lync server does not pass the correct certification authority information back to the Lync client during the negotiation of the TLS connection.
You can refer to the part “Workaround” in the link below:
http://support.microsoft.com/kb/2464556
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support -
Using the Audit Provider to log ejb security events
I would like to use the audit provider to log security events for EJBs that use container-managed security. Specifically I want to record the name of the EJB being accessed, the method the user is accessing, the time of the event and the user name of the user who is accessing the EJB.
So far I have created an EJB that has method-permissions defined in the ejb-xml file. I have a number of users with different levels of permissions and the security is working. I have also installed the example Audit class that is shipped with WebLogic. I am getting Audit info in the log file, but I do not get any EJB info being logged.
Is it possible to use the Audit provider that WebLogic provides to audit EJB security events? Do I need to do something special to make this work? Please help, I cannot find any documentation about what the audit provider logs.
Actually I never tried to log in to the provider, but I understand you just need the keys.
Try this code, it works for me (some pieces are missing, but this is the core)
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;

Provider provider = new SunPKCS11(providerFile);        // providerFile is a String: path to the PKCS#11 config file
Security.addProvider(provider);                         // register the token so KeyStore.getInstance("PKCS11") can find it
KeyStore store = KeyStore.getInstance("PKCS11");
char[] pin = pinAsString.toCharArray();                 // the token PIN is the login credential
store.load(null, pin);                                  // no input stream for a hardware token; the PIN logs in
PrivateKey key = (PrivateKey) store.getKey(alias, null); // password is null: the PIN above already unlocked the token
Certificate[] chain = store.getCertificateChain(alias);
.....
Using this approach I managed to read all the information from the provider (aliases, certificates, ...). I'm not sure that's what you needed, but I hope it helped. -
What caused the Windows 2008R2 Security event discarded
Dear Support team,
I have a Windows 2008 R2 server. The security events haven't been recorded since last year.
1. The maximum log size is set to 100 MB, but the log file is 300 MB. The retention was set to "archive the log when full, do not overwrite events".
2. The last entry in the security log (below) shows the registry key that I modified at that time. After I modified the registry value, all of the security events were discarded.
A registry value was modified.
Subject:
Security ID: domain\userid
Account Name: userid
Account Domain: domain
Logon ID: 0x2c202074
Object:
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security
Object Value Name: Retention
Handle ID: 0x100
Operation Type: Existing registry value modified
Process Information:
Process ID: 0x129c
Process Name: C:\Windows\regedit.exe
Change Information:
Old Value Type: REG_DWORD
Old Value: 0
New Value Type: REG_DWORD
New Value: 4294967295
3. As I know, the Windows Event Log supersedes the Event Logging API beginning with the Windows Vista operating system. Here is the KB link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385780(v=vs.85).aspx?ppud=4
And the registry key which I modified before ( \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\retention ) seems to apply only to Event Logging on Windows 2003 and prior systems.
Here is the KB link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
May I know what caused the security events to be discarded?
Does the retention setting in the registry still work on Windows 2008?
Thanks very much.
Randy
The new methods are via GPO, described here.
http://technet.microsoft.com/en-us/library/cc722385(v=WS.10).aspx
http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. -
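Both this thread and the log-size thread above come down to the same question: what is the Security log's effective configuration, as opposed to what was written into the legacy registry location? The following PowerShell is an added example, not from either thread: it reads the configuration through Get-WinEvent -ListLog (the Windows Event Log API path that Vista and later use) beside the legacy registry values, and warns on the two conditions the threads describe: a full log under a no-overwrite retention setting, and registry values that disagree with the effective configuration. The registry path is the one quoted in the threads; the checks themselves are assumptions.

```powershell
# Added example: Security log health check. Not code from the thread.
# Effective configuration comes from the Windows Event Log API (what Vista and later
# actually use); the legacy Event Logging registry values are read only for comparison.
$log    = Get-WinEvent -ListLog Security
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'   # path quoted in the threads
$legacy = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    LogMode           = $log.LogMode          # Circular, AutoBackup (archive when full) or Retain
    MaximumSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
    FileSizeMB        = [math]::Round($log.FileSize / 1MB)
    RecordCount       = $log.RecordCount
    IsLogFull         = $log.IsLogFull
    LastWriteTime     = $log.LastWriteTime
    RegistryMaxSizeMB = if ($null -ne $legacy.MaxSize) { [math]::Round($legacy.MaxSize / 1MB) } else { $null }
    RegistryRetention = $legacy.Retention     # REG_DWORD; 0xFFFFFFFF reads back as -1 through Get-ItemProperty
} | Format-List

# Assumed checks: these are the conditions that silently stop new events being recorded
if ($log.IsLogFull -and $log.LogMode -ne 'Circular') {
    Write-Warning "Security log is full and LogMode is $($log.LogMode): new events are discarded until the log is cleared or archived."
}
if ($legacy.Retention -eq -1 -or $legacy.Retention -eq 4294967295) {
    Write-Warning 'Legacy Retention value is 0xFFFFFFFF (never overwrite); on Windows 2008 and later set retention through the log properties or Group Policy instead.'
}
if ($null -ne $legacy.MaxSize -and $legacy.MaxSize -ne $log.MaximumSizeInBytes) {
    Write-Warning "Registry MaxSize ($($legacy.MaxSize) bytes) differs from the effective MaximumSizeInBytes ($($log.MaximumSizeInBytes))."
}
```

A Security log that stops recording is a detection gap, so this is worth running from a scheduled task or a monitoring agent rather than only when someone notices events are missing; the LastWriteTime column alone will show a log that went quiet.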
Many security events have been identified - federation disabled error
We are getting lots of warnings in our event log for Event ID 14425:
Many security events have been identified by the proxy stack.
In the past 20 seconds, 30 security events have been identified by the proxy stack. A large number of security events could indicate that the server is under attack. The last event was:
$$begin_record
LogType: security
Text: All federation is disabled
Result-Code: 0xc3e93d74 SIPPROXY_E_EPROUTING_MSG_FEDERATION_DISABLED
SIP-Start-Line: SUBSCRIBE sip:[email protected] SIP/2.0
SIP-Call-ID: 819af7ce193e4deb8db8fd2f14a9df41
SIP-CSeq: 1 SUBSCRIBE
$$end_record
Cause: The server may be under attack, or there might be a configuration problem that is causing errors.
Resolution:
Launch the Lync Server 2010 Logging Tool. Select the "SIPStack" component, the "Errors" level and the TF_SECURITY flag. Review the events reported to the trace log using the "Analyze Log Files" feature of the logging tool.
So we did as the resolution states, and logged the traffic, and we are getting thousands of these types of messages:
TL_ERROR(TF_SECURITY) [0]05E8.00CC::01/05/2011-15:12:11.015.00000013 (SIPStack,SIPAdminLog::WriteSecurityEvent:SIPAdminLog.cpp(424))$$begin_record
LogType: security
Text: All federation is disabled
Result-Code: 0xc3e93d74 SIPPROXY_E_EPROUTING_MSG_FEDERATION_DISABLED
SIP-Start-Line: SUBSCRIBE sip:[email protected] SIP/2.0
SIP-Call-ID: 2249db6d65ac4a11ba9aea022e8fe17c
SIP-CSeq: 1 SUBSCRIBE
$$end_record
If we have Federation disabled, how do I keep all this traffic from hammering my edge server? What I am assuming it is trying to do is get the presence for every person in every email being sent or received (or read?)
Thanks,
Bob
If you're not going to leverage Lync federation and enable it for your environment, it's probably worth considering the removal of your public SRV record for federation for the sake of tidiness. They won't do you any harm providing that they are indeed genuine subscription requests from foreign users.
Kind regards
Ben
Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.
Lync | Skype | Blog: Gecko-Studio