Security Log Event ID 4624 Auditing - Few Questions

I am working on a PowerShell script that collects Event ID 4624 with LogonType 10 (Logon) and Event ID 4647 (Logoff). This is basically keeping an audit trail of logons and logoffs of users on our terminal services environment.
This is working as expected; however, I am seeing two things that I have remaining questions on:
For the Logon Event ID 4624, for a few users I am seeing two Logon Events created. They are exactly the same, except one has a LogonGuid of all 0's: {00000000-0000-0000-0000-000000000000}.
Why would there be two Logon events created where one of them has a LogonGuid of all 0's? For the correlating Logoff event, it is tied to the Logon Event with the all 0's LogonGuid. I would expect the logoff event to be tied to the LogonGuid that isn't all 0's.
If a user disconnects (not logs off), another logon event is created when they log on again. Is there any way to distinguish a completely new logon event from a logon event that resumes a disconnected session?

Hi mabrito,
I assume you are seeing the following scenario.
When a user logs on, two events get logged with event ID 4624. The only difference between them is the following:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Logon GUID: {user GUID}
A Logon GUID of {00000000-0000-0000-0000-000000000000} is used for anything other than Kerberos; the Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
You can refer to the following article:
Deciphering Account Logon Events
http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447934.aspx
I’m glad to be of help to you!
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
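A worked example added here (not mabrito's script or the reply's code) of the correlation the question describes: it parses 4624 and 4647 Event XML, keeps LogonType 10 logons, ties each 4647 to its logon by TargetLogonId rather than by LogonGuid, and flags the all-zero GUID. The sample events, user name, logon IDs and the non-zero GUID are constructed to mirror the question; with `$UseLiveLog` set, `Get-WinEvent` reads the real Security log instead.

```powershell
# Added example, not mabrito's script or the reply's code: correlate Security events 4624
# (LogonType 10, RemoteInteractive) with 4647 (user-initiated logoff) by TargetLogonId,
# and flag logons whose LogonGuid is all zeros. The sample events below are constructed.

function ConvertFrom-EventXml {
    # Flatten one event's XML (as returned by EventLogRecord.ToXml()) into an object:
    # Id, Time, plus every <Data Name="..."> field from EventData under its own name.
    param([string]$Xml)
    $doc  = [xml]$Xml
    $data = @{ Id   = [int]$doc.Event.System.EventID
               Time = [datetime]$doc.Event.System.TimeCreated.SystemTime }
    foreach ($n in $doc.Event.EventData.Data) { $data[$n.Name] = "$($n.'#text')".Trim() }
    return [pscustomobject]$data
}

function Get-LogonSessions {
    # One record per LogonType 10 logon; the matching 4647 (if any) is attached by TargetLogonId.
    param([object[]]$Events)
    $zeroGuid = '{00000000-0000-0000-0000-000000000000}'
    $sessions = @{}   # TargetLogonId -> session record
    foreach ($e in ($Events | Sort-Object { $_.Time })) {
        if ($e.Id -eq 4624 -and $e.LogonType -eq '10') {
            $sessions[$e.TargetLogonId] = [pscustomobject]@{
                User       = "$($e.TargetDomainName)\$($e.TargetUserName)"
                LogonId    = $e.TargetLogonId
                AuthPkg    = $e.AuthenticationPackageName
                ZeroGuid   = ($e.LogonGuid -eq $zeroGuid)   # non-Kerberos logon, per the reply above
                Source     = $e.IpAddress
                LogonTime  = $e.Time
                LogoffTime = $null
            }
        }
        elseif ($e.Id -eq 4647 -and $e.TargetLogonId -and $sessions.ContainsKey($e.TargetLogonId)) {
            # 4647 carries no LogonGuid, so the logon ID is what ties a logoff to its logon.
            $sessions[$e.TargetLogonId].LogoffTime = $e.Time
        }
    }
    return $sessions.Values | Sort-Object LogonTime
}

function New-SampleEventXml {
    # Constructed sample only: a minimal Security event in the real Event XML schema.
    param([int]$Id, [string]$Time, [hashtable]$Fields)
    $data = ($Fields.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    return "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
           "<System><EventID>$Id</EventID><TimeCreated SystemTime='$Time'/><Channel>Security</Channel></System>" +
           "<EventData>$data</EventData></Event>"
}

# Constructed sample (user, logon IDs and GUID are made up): two 4624s for the same user,
# identical except for LogonGuid, and one 4647 that references the zero-GUID logon's ID.
$user = @{ TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; LogonType = '10'; IpAddress = '10.0.0.115' }
$SampleXml = @(
    (New-SampleEventXml -Id 4624 -Time '2014-04-23T13:00:00Z' -Fields ($user + @{
        TargetLogonId = '0x3e7f1'; AuthenticationPackageName = 'Kerberos'
        LogonGuid = '{1a2b3c4d-5e6f-4071-8293-a4b5c6d7e8f9}' })),
    (New-SampleEventXml -Id 4624 -Time '2014-04-23T13:00:01Z' -Fields ($user + @{
        TargetLogonId = '0x3e802'; AuthenticationPackageName = 'Negotiate'
        LogonGuid = '{00000000-0000-0000-0000-000000000000}' })),
    (New-SampleEventXml -Id 4647 -Time '2014-04-23T17:30:00Z' -Fields @{
        TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; TargetLogonId = '0x3e802' })
)

# Set to $true to read the local Security log instead of the sample (needs administrative rights).
$UseLiveLog = $false
$events = if ($UseLiveLog) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4647 } -ErrorAction Stop |
        ForEach-Object { ConvertFrom-EventXml $_.ToXml() }
} else {
    $SampleXml | ForEach-Object { ConvertFrom-EventXml $_ }
}

Get-LogonSessions -Events $events |
    Format-Table User, LogonId, AuthPkg, ZeroGuid, Source, LogonTime, LogoffTime -AutoSize
```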

Similar Messages

  • NULL SID Security Log Event ID 4625 when attempting logon to 2008 R2 Remote Desktop Session Host

This is a new deployment of Server 2008 R2 in a newly created 08 R2 active directory on a newly installed 08 R2 RDSH server.
A new generic user is created in AD. That user can log on to the terminal server on the console just fine. But that user cannot logon via RDP. Furthermore, the domain admin credentials also cannot logon via RDP.
When either set of credentials is used, the logon attempt is registered in the Windows Security Event Log as a denied attempt with Event ID 4625 reporting a NULL SID.
Troubleshooting: The RDSH has already been disjoined and rejoined to the domain. Also, curious note, there are three ways to save the user account on the RDSH server as a valid user account which has permissions to logon. The one Microsoft recommends is to open computer management and edit the remote desktop users group. When I add the accounts here and click apply, they immediately disappear. Secondly, I can open the computer properties and go to the remote tab. There I find the user accounts added using the previous method are enumerated but not displaying correctly. They show up with the RDSH server name and a question mark. The last way is to open the Remote Desktop Session Configuration tool and edit the properties of the rdp connection and go to the security tab. This was the only place I could get a user to ‘stick’ but the logon attempts still show a NULL SID and access is denied.
I have scoured every bit of RDS documentation I can find with no luck.
    Thanks,
    Chris

    I am also experiencing this issue. 
    2008 servers, 2007 exchange on server 2008. 
    These are fresh servers, fresh AD. Users can log onto domain normally, RDP not working for admin accounts, generating same errors as posted above.
The bigger issue is that we have a cisco messaging service account that is generating this error on the DC's and the Exchange server as well. The service basically emails users voicemails to their inbox. The user we've created for the cisco service is unable to authenticate to the exchange server, in turn generating the same errors posted above as well. We can log on to the domain with this account just fine.
    Any ideas on this? We have not tried re-adding the servers to the domain. 
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/5/2010 9:01:13 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      xx.corp
    Description:
    An account failed to log on.
    Subject:
        Security ID:              NULL SID
        Account Name:             -
        Account Domain:           -
        Logon ID:                 0x0
    Logon Type:                   3
    Account For Which Logon Failed:
        Security ID:              NULL SID
        Account Name:             xxxx
        Account Domain:           xxxx
    Failure Information:
        Failure Reason:           Domain sid inconsistent.
        Status:                   0xc000006d
        Sub Status:               0xc000019b
    Process Information:
        Caller Process ID:        0x0
        Caller Process Name:      -
    Network Information:
        Workstation Name:         laptop
        Source Network Address:   -
        Source Port:              -
    Detailed Authentication Information:
        Logon Process:            NtLmSsp
        Authentication Package:   NTLM
        Transited Services:       -
        Package Name (NTLM only): -
        Key Length:               0

  • AD get records of security log..

    Hello everyone :)
    I must get some records (by event ID, time, etc.) of the security log.
    adler_steven answered me on my previous post (http://forum.java.sun.com/thread.jspa?threadID=5292943&messageID=10238354#10238354)
    He said look at http://forum.java.sun.com/thread.jspa?threadID=5116320&tstart=15
    I must use WMI HTTP Mapper and some WBEM library...
    OK, I installed and configured WMI HTTP Mapper and used the following source to try to get :) the security log, but this doesn't work...
    Connect succeeds, but retrieving information fails.
    adler_steven :) help me :)
    {code}
    /*
     *EXHIBIT A - Sun Industry Standards Source License
     *"The contents of this file are subject to the Sun Industry
     *Standards Source License Version 1.2 (the "License");
     *You may not use this file except in compliance with the
     *License. You may obtain a copy of the
     *License at http://wbemservices.sourceforge.net/license.html
     *Software distributed under the License is distributed on
     *an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either
     *express or implied. See the License for the specific
     *language governing rights and limitations under the License.
     *The Original Code is WBEM Services.
     *The Initial Developer of the Original Code is:
     *Sun Microsystems, Inc.
     *Portions created by: Sun Microsystems, Inc.
     *are Copyright © 2001 Sun Microsystems, Inc.
     *All Rights Reserved.
     *Contributor(s): _______________________________________
     */
    import java.io.IOException;
    import java.util.Enumeration;
    import javax.wbem.cim.*;
    import javax.wbem.client.*;
    import javax.wbem.client.UserPrincipal;
    import javax.wbem.client.PasswordCredential;

    /**
     * This class will perform a CIMClient.execQuery using a WQL query string that
     * is passed on the command line.  If a query isn't passed on the command line,
     * the user will be prompted for the query
     */
    public class TestQuery {
        public TestQuery(String args[]) {
            String serverName = "win2003";
            String user = "administrator";
            String pass = "welcome1";
            CIMClient cimClient = null;
            CIMObjectPath cimPath = null;
            String wbemNameSpace = "root/CIMV2";
            int wbemPortNumber = 5988;
            String wbemProtocol = CIMClient.CIM_XML;
            try {
                System.out.println("connecting..\n");
                String hostURL = "http://" + serverName + ":" + wbemPortNumber;
                CIMNameSpace cimNameSpace = new CIMNameSpace(hostURL,wbemNameSpace);
                UserPrincipal userName = new UserPrincipal(user);
                PasswordCredential userPass = new PasswordCredential(pass);
                cimClient = new CIMClient(cimNameSpace,userName,userPass,wbemProtocol);
            } catch (CIMException e) {
                System.err.println("Failed to access CIMOM: " + e);
                return; // nothing to query without a client
            }
            try {
                System.out.println("get win32_ntlogevent");
                cimPath = new CIMObjectPath("Win32_NTLogEvent");
                System.out.println("cimPath");
                Enumeration e = cimClient.enumerateInstances(cimPath); // this line hangs
                System.out.println("Enumeration");
                if (e.hasMoreElements()) {
                    CIMInstance ci = (CIMInstance)e.nextElement();
                    // I think there must be properties of the Win32_NTLogEvent class, such as Message, EventIdentifier, EventCode...
                    CIMProperty cp = ci.getProperty("Message");
                    System.out.println("   Message: " + cp.getValue());
                }
                System.out.println("stop get win32..");
                cimClient.close();
            } catch (NullPointerException e) {
                System.err.println("Null Pointer Exception: " + e);
            } catch (CIMException e) {
                System.err.println("Failed to enumerate WBEM Info: " + e);
            }
        }
        public static void main(String args[]) {
            new TestQuery(args);
        }
    }
    {code}
    Edited by: Jeqpbl4 on Jun 9, 2008 4:24 AM

    I figure I've abused enough people today on the forum, that it's time to redeem myself.
    Firstly, as I've always admitted, I'm not a Java developer, so there may be better ways of doing this. Secondly, I'm not an expert on WBEM/WMI, so I'm not sure of the different classes, methods or properties that WBEM exposes. I think I recommended some references in the links mentioned in this post, so if you want to dig deeper, go read those.
    This is just a quick and dirty WBEM query that retrieves the security events. One thing I discovered is that if you have lots of events, you'll get a heap overflow exception. I guess there may be a way to retrieve pages of results, otherwise use a more refined query to return a smaller number of records.
    {code}
    /*
     * WBEMQueryLog, retrieve the entries from the security log from a server
     * demonstrating the use of a WBEM Query
     */
    import java.io.*;
    import java.util.*;
    import javax.wbem.cim.*;
    import javax.wbem.client.CIMClient;
    import javax.wbem.client.UserPrincipal;
    import javax.wbem.client.PasswordCredential;
    public class wbemquerylog {
        public static void main(String args[]) throws CIMException {
            CIMClient cc = null;
            CIMObjectPath cop = null;
            CIMInstance ci = null;
            String hostname = "myServer";
            String nameSpace = "root/CIMV2";
            int portNumber = 5988;
            String hostURL = "http://" + hostname + ":" + portNumber;
            String protocol = CIMClient.CIM_XML;
            try {
                CIMNameSpace cns = new CIMNameSpace(hostURL,nameSpace);
                UserPrincipal username = new UserPrincipal("myServer/Administrator");
                PasswordCredential password = new PasswordCredential("XXXXXX");
                cc = new CIMClient(cns,username,password,protocol);
            } catch (CIMException e) {
                System.err.println("Failed to access CIMOM: " + e);
                System.exit(1);
            }
            cop = new CIMObjectPath();
            //lets try to get the Security Log entries, using a query
            try {
                cop = new CIMObjectPath();//"Win32_NTLogEvent");
                String query = "Select * from Win32_NTLogEvent where Logfile='Security'";
                Enumeration e = cc.execQuery(cop,query,CIMClient.WQL);
                for (int i = 1;e.hasMoreElements();i++) {
                    System.out.println("Event: " + i);
                    System.out.println(e.nextElement());
                }
            } catch (CIMException e) {
                System.err.println("Failed to query security log: " + e);
                System.exit(1);
            }
            System.exit(0);
        }
    }
    {code}
    If you want to retrieve specific Security Log Events, you could construct a more complex query, such as below, which will find Account Logon Failures
    {code}
    String query = "Select * from Win32_NTLogEvent where Logfile='Security' And EventCode = '681'";
    {code}
    You could also use an enumeration as you have done, the only thing I haven't bothered to work out is how to enumerate the Security log itself, rather than every event in all the logs. I guess it's just a matter of working out what the CIM Path is, if it is at all possible.
    {code}
    /*
     * WBEMEnumLog, enumerate the NTEventLogs from a server
     * Should find out the full CIM Path for the security logs
     */
    import java.io.*;
    import java.util.*;
    import javax.wbem.cim.*;
    import javax.wbem.client.CIMClient;
    import javax.wbem.client.UserPrincipal;
    import javax.wbem.client.PasswordCredential;
    public class wbemenumlog {
        public static void main(String args[]) throws CIMException {
            CIMClient cc = null;
            CIMObjectPath cop = null;
            CIMInstance ci = null;
            String hostname = "myServer";
            String nameSpace = "root/CIMV2";
            int portNumber = 5988;
            String hostURL = "http://" + hostname + ":" + portNumber;
            String protocol = CIMClient.CIM_XML;
            try {
                CIMNameSpace cns = new CIMNameSpace(hostURL,nameSpace);
                UserPrincipal username = new UserPrincipal("myServer/Administrator");
                PasswordCredential password = new PasswordCredential("XXXXXX");
                cc = new CIMClient(cns,username,password,protocol);
            } catch (CIMException e) {
                System.err.println("Failed to access CIMOM: " + e);
                System.exit(1);
            }
            cop = new CIMObjectPath();
            try {
                Enumeration en = cc.enumNameSpace(cop,true);
                if (en != null) {
                    while (en.hasMoreElements()) {
                        CIMObjectPath obj = (CIMObjectPath)(en.nextElement());
                        System.out.println("Namespace: " + obj.toString());
                    }
                }
            } catch (CIMException e) {
                System.err.println("Failed to enumerate namespace: " + e);
                System.exit(1);
            }
            //lets try to get the event logs
            try {
                cop = new CIMObjectPath("Win32_NTLogEvent");
                System.out.println("Host: " + cop.getHost());
                System.out.println("Object Name: " + cop.getObjectName());
                String attrs[] = {"Logfile","Sourcename","EventIdentifier","EventType","TimeGenerated","Type","CategoryString","User"};
                Enumeration e = cc.enumerateInstances(cop,false,false,false,false,attrs);
                for (int i = 1;e.hasMoreElements();i++) {
                    System.out.println("Event: " + i);
                    System.out.println(e.nextElement());
                }
            } catch (CIMException e) {
                System.err.println("Failed to enumerate Event Log: " + e);
                System.exit(1);
            }
            System.exit(0);
        }
    }
    {code}
    Good luck....

  • Unable to receive an email by task scheduler on audit failure in windows server 2008 r2 security log

    Dear All,
    I am sorry in advance if I am on the wrong forum. I have created a task on a Server 2008 R2 Domain controller so that when an audit failure event is triggered in the Windows security log, an email should reach my email ID, but unfortunately nothing happens on audit failure; I receive no email from the task scheduler.
    Kindly suggest how to resolve the issue. I have created the email task on event ID 4771.
    Thanks.
    Zeeshan Ibrahim Network Administrator

    Hi Zeeshan,
    I have found a hotfix against the same error messages, though it applies to Windows Vista and Windows Server 2008, I am not sure if it will work on your machine.
    Please refer to this KB article below:
    Duplicate triggers are generated incorrectly in scheduled tasks in Windows Vista or in Windows Server 2008
    http://support.microsoft.com/kb/2617046
    Please feel free to let us know if this hotfix couldn’t help you fix this issue.
    Best Regards,
    Amy Wang

  • Windows 2008 member server, repeating event 4625 in the security log

    Hello,
    I'm having an issue with a member server on our 2008 domain; the security log is filling up with event 4625. Here are the details:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/23/2014 2:04:42 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      my.member.server
    Description:
    An account failed to log on.
    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0
    Logon Type:   3
    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  
     Account Domain:  
    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc000006a
    Process Information:
     Caller Process ID: 0x0
     Caller Process Name: -
    Network Information:
     Workstation Name: -
     Source Network Address: 10.0.0.115
     Source Port:  51366
    Detailed Authentication Information:
     Logon Process:  Kerberos
     Authentication Package: Kerberos
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-04-23T18:04:42.197Z" />
        <EventRecordID>99893119</EventRecordID>
        <Correlation />
        <Execution ProcessID="744" ThreadID="844" />
        <Channel>Security</Channel>
        <Computer>KLINEWEB.kline.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">
        </Data>
        <Data Name="TargetDomainName">
        </Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">Kerberos</Data>
        <Data Name="AuthenticationPackageName">Kerberos</Data>
        <Data Name="WorkstationName">-</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">10.0.0.115</Data>
        <Data Name="IpPort">51366</Data>
      </EventData>
    </Event>
    The IP addresses that appear in Source Network Address all belong to VPN clients. And it looks like it's only happening with 4-5 IPs, all of which are VPN clients. These clients shouldn't be connecting to anything on this server, which is why it's puzzling.
    Our DC is Windows 2008 and the VPN server is another member server on the domain. I suspect the issue is at the client PCs since there are many other VPN clients connected that don't generate the event ID.
    Can anyone tell me what the issue might be?
    Thanks.

    Hi Rayminette,
    There are multiple login sources that could possibly be generating the errors:
    FTP logins - check your FTP log to see if login failures are showing up at the same time.
    Logins via Basic Authentication over http or https (simple, but possibly dangerous, way to password-protect a web site).
    ASP scripts.
    This logon type 8 indicates a network logon like logon type 3 but where the password was sent over the network in clear text. Windows server doesn’t allow connection to shared files or printers with clear text authentication. The only situations I’m aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.
    Reference from:
    What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?
    I hope this helps.
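An added triage example (not from this thread or its reply): it groups 4625 events by source address, account, logon type and sub-status and decodes the sub-status codes, so the few noisy VPN clients the question describes stand out. The sample events are constructed from the values quoted in this thread and in the NULL SID thread above; the `$SubStatusText` table is an added mapping of common NTSTATUS codes.

```powershell
# Added example, not from the original thread: summarise 4625 failures by source address, target
# account, logon type and NTSTATUS sub-status so the handful of noisy VPN clients stand out.
# The events are constructed from the values quoted in this thread and the NULL SID thread above.

# Sub-status codes as 4625 reports them (lower-case hex). 0xc000019b is the "Domain sid inconsistent"
# failure from the NULL SID thread; the rest are common NTSTATUS logon-failure codes.
$SubStatusText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
    '0xc0000234' = 'account locked out'
    '0xc000019b' = 'domain SID inconsistent'
}

function Get-LogonFailureSummary {
    # Group parsed 4625 records (objects carrying the EventData field names) and decode the sub-status.
    param([object[]]$Failures)
    $Failures |
        Group-Object { '{0}|{1}\{2}|{3}|{4}' -f $_.IpAddress, $_.TargetDomainName, $_.TargetUserName, $_.LogonType, $_.SubStatus } |
        ForEach-Object {
            $first = $_.Group[0]
            $sub   = "$($first.SubStatus)".ToLower()
            $text  = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { 'unknown sub-status' }
            [pscustomobject]@{
                Source    = $first.IpAddress
                Account   = "$($first.TargetDomainName)\$($first.TargetUserName)"
                LogonType = $first.LogonType
                AuthPkg   = $first.AuthenticationPackageName
                SubStatus = $sub
                Meaning   = $text
                Count     = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Constructed samples: the VPN client's Kerberos failure from this thread (twice, same host)
# and the NTLM "Domain sid inconsistent" failure from the NULL SID thread.
$SampleXml = @()
$SampleXml += @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-0-0</Data><Data Name="TargetUserName"></Data>
    <Data Name="TargetDomainName"></Data><Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="IpAddress">10.0.0.115</Data><Data Name="IpPort">51366</Data>
  </EventData>
</Event>
'@
$SampleXml += $SampleXml[0]
$SampleXml += @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-0-0</Data><Data Name="TargetUserName">xxxx</Data>
    <Data Name="TargetDomainName">xxxx</Data><Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000019b</Data><Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">laptop</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

# Parse each event's XML into an object keyed by the EventData field names. For the live log,
# feed in: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object { $_.ToXml() }
$failures = foreach ($xml in $SampleXml) {
    $doc = [xml]$xml
    $d = @{}
    foreach ($n in $doc.Event.EventData.Data) { $d[$n.Name] = "$($n.'#text')".Trim() }
    [pscustomobject]$d
}

Get-LogonFailureSummary -Failures $failures | Format-Table -AutoSize
```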

  • Only one Server Audit can write to Security Log

    Hi,
    I have a problem when I want to enable a second Audit Server to write to the security log...
    Permissions are right; the first Audit Server works fine, but when I enable the second I get the 33204 error
    (SQL Server Audit could not write to the security log). It's strange...
    I used the Process Monitor tool from Sysinternals to debug the ACCESS on the Registry Key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security, but there is no difference when I enable the first Audit Server or the second...
    I am not the only person who has this issue; I have seen it in other places...
    Can you help me?
    Thanks!
    Regards.

     Have you granted access to the new service account via secpol? This may be the root cause for this problem. For the detailed instructions please visit: 
    http://msdn.microsoft.com/en-us/library/cc645889.aspx.
    BTW. I would strongly recommend using secpol.msc to manage the local security policy instead of modifying the registry keys directly.
    Please let us know if this information helped
    -Raul Garcia.
    SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • REST API for audit log events

    How can I execute an audit log report using the REST API? If it is not possible, is there any other way to retrieve all audit log events (upload/download/delete/share/login/logout) using the REST API?

    I thought it was not possible.
    Ravin Singh D

  • System and security logs

    1. Login, Clear Logs and log off events in Windows 2003: when do these happen and what are the IDs for these events? What is the system login?
    2. In an event when the administrator account and password are shared by more than one person, is it possible to prove who cleared the security logs?
    3. If there is no keyboard monitoring, is there a way to prove from which PC the delete came?
    4. Can a scheduled task be run in advance to delete the security logs at a later point in time in Windows 2003 using utilities like WMI, PowerShell etc.?
    5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session, also called session 0. What is session 0 and when is this launched?
    6. Can the security and the system logs on the server be deleted remotely from any other server in Windows 2003 if the account has admin rights? Please comment if a firewall setting needs to be enabled in Windows 2003.
    dhomya

    1.) If you enable auditing here are the events
    https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    2.) Probably not unless you know who was at what console at what time.
    3/4.)
    http://blogs.msdn.com/b/ericfitz/archive/2007/08/10/help-someone-has-deleted-events-from-my-windows-event-log.aspx
    5.) http://support.microsoft.com/kb/278845
    6.) See 3/4
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • WRT600N Security Log

    Is anyone else having this prob?
    When I view my logs, my security log keeps saying incorrect username-password=admin and gives my laptop PC address.
    Strange, even though I can log in with no probs with my password. I am hoping this is just a bug that will be fixed in the next patch.


  • A few questions on BDB replication

    I have a few questions on replication and will appreciate any help that I can get:
    1. In standby mode, are there any issues if the existing DB files are explicitly not opened? In this scenario the standby DB host went down and the BDB application was brought up; the environment was opened with the recovery option but the DB files were not opened.
    2. What happens if a standby application goes down while the synchronization is in progress, i.e. the STARTUPDONE event has not been received? Will the subsequent database recovery complete (after the application has been reinitiated)? Are there any APIs to check if the DB is in a consistent, usable state?
    3. How are the user-created log entries (created by log_put) handled at the standby DB? If we use the base replication API(s), is there any way to trap and extract the log entry before/after the rep_process_message call?
    Thanks for your help.

    Hello,
    Here are some answers to your questions.
    1. BDB does not care whether or not the application has any database files opened.
    When the standby applies transactions to a database it opens up anything it
    needs internally.
    2. There are two types of synchronization. The first is when a replica was down, and it
    is now simply a bit behind the master when it comes back up. In that situation, it is simply
    catching up to the master. If it were to crash during that time, it would again catch up to
    the master when it rebooted. The second is internal initialization where we need to copy
    over the databases, logs and run a recovery on them (internally of course). If the replica
    were to crash during this operation, the partial databases/logs that exist on reboot will
    be cleaned up automatically and the initialization would restart when communication was
    re-established.
    3. When a replica receives a log record (any log record, user-created or BDB-created),
    it simply writes it into the log. Only when the replica receives a txn_commit does the
    replica call the recovery functions to apply the log records on the replica. That would be
    the time when the function for an app-specific log record would be called.
    There is no support for apps to crack open the replication messages.
    If you're using the Base API you are in control of the communication already though. If
    the master needs to send something to the clients, the application could have a different
    type of message that is app-specific and doesn't involve BDB, rep_process_message at
    all. Is that what you're trying to accomplish?
    Sue LoVerso
    Oracle

  • Excessive Logging in Windows Security Logs

    Hi,
    We are running a Windows Server 2012 server as a file server. We have 'Audit object access' turned on in the Local Security Policy. We have a file share that is enabled for auditing. We are receiving numerous Event ID 5145, 5156, and 5456
    in the Security event log, often as many as 20 entries a second, and as a result our Security log is getting too large.

    Hi,
    You can unselect some useless auditing entries, such as "Traverse folder / execute file", or limit the maximum size of the log.
    The related article:
    Auditing File Access on File Servers
    https://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
    Hope this helps.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Security Logs

    As a local admin or domain admin equipped with the right to browse domain computer files remotely,
    is there any log that can track or audit such access?

    Hi,
    Have you configured appropriate auditing policies to audit access on these files you want to monitor? Please make sure that you have configured SACL on these files.
    If yes, you can find audit events in the Security log.
    More information for you:
    Understanding File and Handle Audit Events in Windows Vista, in Windows Server 2008, in Windows 7, Windows Server 2008 R2, in Windows 8, and in Windows Server 2012
    http://support.microsoft.com/kb/2771404
    Auditing File Access on File Servers
    http://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
    Scenario: File Access Auditing
    http://technet.microsoft.com/en-us/library/hh831476.aspx
    Best Regards,
    Amy

  • Security log 4634 shows another user logging off

    The Security log shows logoffs for users that weren't even using the machine. There are no 4642 logon logs, just the 4643 logoff logs.
    These users aren't even accessing another machine via the network. All machines also have no malware or viruses on them.
    Logon Type: 3
    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    What could be causing this?

    It's a domain environment. Printers are all through a Print Server.
    Below is the log of 1 such event.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2014-04-04 03:04:24 PM
    Event ID:      4634
    Task Category: Logoff
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      (computer name.domain)
    Description:
    An account was logged off.
    Subject:
    Security ID:
    S-1-5-21-213254720-224688177-246369
    Account Name:
    (username)
    Account Domain:
    (domain)
    Logon ID:
    0x197EC67
    Logon Type: 3
    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4634</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12545</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2014-04-04T13:04:24.783747600Z" />
        <EventRecordID>108300</EventRecordID>
        <Correlation />
        <Execution ProcessID="724" ThreadID="756" />
        <Channel>Security</Channel>
        <Computer>(computer name.domain)</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserSid">S-1-5-21-213254720-224688177-246369</Data>
        <Data Name="TargetUserName">(username)</Data>
        <Data Name="TargetDomainName">(domain)</Data>
        <Data Name="TargetLogonId">0x197ec67</Data>
        <Data Name="LogonType">3</Data>
      </EventData>
    </Event>
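The logoff event above says a 4634 "may be positively correlated with a logon event using the Logon ID value" and that Logon IDs are "only unique between reboots". The following is an added example, not code from the thread, that parses Event XML in the shape quoted above, pairs 4624 logons with 4634/4647 logoffs on (computer, boot generation, Logon ID), and reports logoffs with no matching logon, which is the symptom this thread describes. It assumes a 4608 "Windows is starting up" event marks a reboot, uses the placeholder host name fs01.corp.example, and feeds itself constructed sample events (one of which mirrors the thread's 4634, record 108300).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON, LOGOFF, BOOT = 4624, {4634, 4647}, 4608   # 4608: "Windows is starting up"

def event_xml(event_id, record, computer, system_time, **data):
    """Minimal Event XML in the shape shown in the thread (constructed input)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/><EventRecordID>{record}</EventRecordID>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')

def parse_event(xml_text):
    """Flatten the System and EventData fields the correlation needs."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": int(sysnode.findtext("e:EventID", namespaces=NS)),
            "record": int(sysnode.findtext("e:EventRecordID", namespaces=NS)),
            "time": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": sysnode.findtext("e:Computer", namespaces=NS),
            "user": data.get("TargetUserName", ""),
            # the rendered event shows 0x197EC67, its XML 0x197ec67: normalise case
            "logon_id": data.get("TargetLogonId", "").lower()}

def correlate(events):
    """Pair each logoff with the logon that opened its session.
    Keyed on (computer, boot generation, Logon ID): Logon IDs are only unique between
    reboots of one machine. Returns (sessions, orphans); a session is (computer, user,
    logon_id, logon_time, logoff_time or None), an orphan a logoff with no open session."""
    boot_gen, open_sessions, sessions, orphans = defaultdict(int), {}, [], []
    for ev in sorted(events, key=lambda e: (e["computer"], e["record"])):
        host = ev["computer"]
        if ev["id"] == BOOT:                 # every earlier Logon ID on this host is stale
            boot_gen[host] += 1
            for k in [k for k in open_sessions if k[0] == host]:
                sessions.append(open_sessions.pop(k) + (None,))
            continue
        key = (host, boot_gen[host], ev["logon_id"])
        if ev["id"] == LOGON:
            open_sessions[key] = (host, ev["user"], ev["logon_id"], ev["time"])
        elif ev["id"] in LOGOFF:
            if key in open_sessions:
                sessions.append(open_sessions.pop(key) + (ev["time"],))
            else:
                orphans.append(ev)
    sessions.extend(s + (None,) for s in open_sessions.values())
    return sessions, orphans

HOST = "fs01.corp.example"   # placeholder for the thread's "(computer name.domain)"
SAMPLE = [  # constructed; record 108300 mirrors the 4634 quoted in the thread
    event_xml(4624, 108290, HOST, "2014-04-04T12:58:01.000000000Z",
              TargetUserName="jdoe", TargetLogonId="0x197EC67", LogonType="3"),
    event_xml(4634, 108300, HOST, "2014-04-04T13:04:24.783747600Z",
              TargetUserName="jdoe", TargetLogonId="0x197ec67", LogonType="3"),
    event_xml(4634, 108301, HOST, "2014-04-04T13:05:00.000000000Z",  # no 4624 for it
              TargetUserName="jdoe", TargetLogonId="0x2b0f11", LogonType="3"),
    event_xml(4608, 108400, HOST, "2014-04-04T14:00:00.000000000Z"),  # reboot
    event_xml(4634, 108401, HOST, "2014-04-04T14:10:00.000000000Z",  # stale ID reused
              TargetUserName="jdoe", TargetLogonId="0x197ec67", LogonType="3"),
]

def run_sample():
    return correlate([parse_event(x) for x in SAMPLE])
```

Orphans are the 4634s to investigate first; on a real host, read the events in EventRecordID order so that the 4608 boundary is honoured.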

  • Exchange 2013 Health Mailbox filling up security logs

    I'm doing security audits and having the Exchange 2013 Health Mailbox fill up my security logs. I've read that if I delete the mailboxes and re-create them and restart the service the errors will go away. My question is how do I delete them?
    I found the full mailbox name with this command.
    get-mailbox -monitoring | select-object -expandproperty name
    Do I use this method?
    Remove-Mailbox -Identity contoso\john
    or this one?
    Remove-Mailbox -Identity contoso\john -Permanent $true
    Or something else?
    Thanks!
    Fernando

    I did help on the setup in the Exchange Server folder. Looks like it prepares the Active Directory forest for the Exchange install. /PrepareAD, /p  So this is what I'm supposed to run?
    C:\Program Files\Microsoft\Exchange Server\V15\Bin>setup /?
    Welcome to Microsoft Exchange Server 2013 Cumulative Update 3 Unattended Setup
    For detailed help, type one of the following options:
      Setup /help:Install         - Install Exchange server roles.
      Setup /help:Upgrade         - Upgrade an existing Exchange server.
      Setup /help:Uninstall       - Uninstall Exchange server roles.
      Setup /help:RecoverServer   - Recover an existing Exchange server.
      Setup /help:PrepareTopology - Prepare your topology for Exchange.
      Setup /help:Delegation      - Delegate server installations.
      Setup /help:UmLanguagePacks - Add or remove Unified Messaging
                                    language packs.
    C:\Program Files\Microsoft\Exchange Server\V15\Bin>Setup /help:PrepareTopology
    Welcome to Microsoft Exchange Server 2013 Cumulative Update 3 Unattended Setup
    Microsoft Exchange Server 2013 Setup Parameter Help
    Prepare Topology Usage:
        Setup /PrepareAD [<OptionalParameters>]
          /IAcceptExchangeServerLicenseTerms
        Setup /PrepareSchema [<OptionalParameters>]
          /IAcceptExchangeServerLicenseTerms
        Setup /PrepareDomain [<OptionalParameters>]
          /IAcceptExchangeServerLicenseTerms
        Setup /PrepareDomain:<domainA, domainB> [<OptionalParameters>]
          /IAcceptExchangeServerLicenseTerms
        Setup /PrepareAllDomains [<OptionalParameters>]
          /IAcceptExchangeServerLicenseTerms
    --Prepare Topology Required Parameters--
    /PrepareAD, /p
        Prepares the Active Directory forest for the Exchange
        installation.
    Fernando

  • Server 2012 Domain Controller Logging event 2004, with error "crc check"...

    Pretty new domain, and domain controller, running server 2012 as a Hyper-V VM.
    Getting this error when it reboots.  I have done a chkdsk, thinking maybe the vhdx file is corrupt in some way.  Have also checked the system log for events talking about file corruption.  Nothing.
    The disk in question has 10+ GB free, so disk space is not an issue.  I ran dcdiag /q /a & it told me that DFSR has logged events in the last 24 hours, but nothing else.  AD seems to think everything is cool.
    Not sure what to look at next...  Thanks for any pointers/help.
    The DFS Replication service stopped replication on volume C:. This failure can occur because the disk is full, the disk is failing, or a quota limit has been reached. This can also occur if the DFS Replication service encountered errors while attempting to
    stage files for a replicated folder on this volume. 
    Additional Information: 
    Error: 23 (Data error (cyclic redundancy check).) 
    Volume: 0F55C346-589F-11E2-93EB-806E6F6E6963

    I have a series of the following Events logged, and then the 2nd event.  The 2nd event is being logged every 8 hours.
    Log Name:      DFS Replication
    Source:        DFSR
    Date:          2/15/2013 7:36:49 AM
    Event ID:      2212
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      MyDC.Domain.lan
    Description:
    The DFS Replication service has detected an unexpected shutdown on volume C:. This can occur if the service terminated abnormally (due to a power loss, for example) or an error occurred on the volume. The service has automatically initiated a recovery process.
    The service will rebuild the database if it determines it cannot reliably recover. No user action is required.
    Additional Information:
    Volume: C:
    GUID: 0F55C346-589F-11E2-93EB-806E6F6E6963
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="DFSR" />
        <EventID Qualifiers="32768">2212</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-02-14T23:36:49.000000000Z" />
        <EventRecordID>196</EventRecordID>
        <Channel>DFS Replication</Channel>
        <Computer>MyDC.domain.lan</Computer>
        <Security />
      </System>
      <EventData>
        <Data>0F55C346-589F-11E2-93EB-806E6F6E6963</Data>
        <Data>C:</Data>
      </EventData>
    </Event>
    Log Name:      DFS Replication
    Source:        DFSR
    Date:          2/15/2013 7:36:49 AM
    Event ID:      2004
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      MyDC.Domain.lan
    Description:
    The DFS Replication service stopped replication on volume C:. This failure can occur because the disk is full, the disk is failing, or a quota limit has been reached. This can also occur if the DFS Replication service encountered errors while attempting to
    stage files for a replicated folder on this volume.
    Additional Information:
    Error: 23 (Data error (cyclic redundancy check).)
    Volume: 0F55C346-589F-11E2-93EB-806E6F6E6963
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="DFSR" />
        <EventID Qualifiers="49152">2004</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-02-14T23:36:49.000000000Z" />
        <EventRecordID>197</EventRecordID>
        <Channel>DFS Replication</Channel>
        <Computer>MyDC.Domain.lan</Computer>
        <Security />
      </System>
      <EventData>
        <Data>0F55C346-589F-11E2-93EB-806E6F6E6963</Data>
        <Data>C:</Data>
        <Data>23</Data>
        <Data>Data error (cyclic redundancy check).</Data>
      </EventData>
    </Event>
