System, Firewall, Secure logs

I need some help with trying to understand the logs and whether they can be safely deleted. The only problem is I am unable to figure out what these logs do or how to delete them. Some are labeled somewhat oddly. I have run the maintenance scripts, but have no idea how to tell if they are working.
I would like to clean up the logs that are using disk space. Some are rather large, but none are over 2.2 MB.
Secure.log.0.bz2
secure.log.1.bz2
secure.log.2.bz2
System.log
system.log.0.bz2
system.log.1.bz2
system.log.2
system.log.3.bz2
appfirewall.log
appfirewall.log.0.bz2
appfirewall.log.1.bz2
appfirewall.log.2.bz2
appfirewall.log.3.bz2
appfirewall.log.4.bz2
appfirewall.log.5.bz2
When I click on the logs in the console the trash icon is greyed out. Some of the logs light the trash icon up. Any advice or help would be appreciated.

AFAICT, you can't delete any listed one via the Console app because they belong to the system. Leave them be, they'll get removed when appropriate by the daily maintenance script, if your machine is awake overnight. If not, run this command in the Terminal app:
sudo periodic daily

Similar Messages

  • System and security logs

    1. Login, Clear Logs and log off events in Windows 2003: when does this happen and what are the IDs for these events? What is the system login?
    2. In an event when administrator account and password are shared by more than one person, is it possible to prove who cleared the security logs?
    3. If there is no keyboard monitoring, is there a way to prove from which PC the delete came?
    4. Can a scheduled task be run in advance to delete the security logs at a later point of time in Windows 2003 using utilities like WMI, PowerShell etc.?
    5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session, also called session 0. What is session 0 and when is this launched?
    6. Can security and the system logs on the server be deleted remotely from any other server in Windows 2003 if the account has admin rights? Please comment if firewall setting needs to be enabled in Windows 2003.
    dhomya

    1.) If you enable auditing here are the events
    https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    2.) Probably not unless you know who was at what console at what time.
    3/4.)
    http://blogs.msdn.com/b/ericfitz/archive/2007/08/10/help-someone-has-deleted-events-from-my-windows-event-log.aspx
    5.) http://support.microsoft.com/kb/278845
    6.) See 3/4
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

  • "System Preferences":"Security":"Firewall":"Advanced":"Stealth" a no-go !

    Under "System Preferences":"Security" panel:"Firewall" tab:"Advanced" button:"Stealth Mode" checkbox --
    checking this checkbox (and un-checking, and re-checking) does not result in "Utilities":"System Profiler":"Firewall" entry: reporting a "Yes" under the Stealth Mode entry.
    It always says "No".
    Is this really on?

    Can't help with your issue, since I've never enabled the firewall, preferring to let my router's NAT system protect my machines, none of which are laptops or use wifi, but if you want to report this issue to Apple's engineering, send a bug report or an enhancement request via its Bug Reporter system. To do this, join the Mac Developer Program—it's free and available for all Mac users and gets you a look at some development software. Since you already have an Apple username/ID, use that. Once a member, go to Apple BugReporter and file your bug report or enhancement request. The nice thing with this procedure is that you get a response and a follow-up number; thus, starting a dialog with engineering.

  • Only one Server Audit can write to Security Log

    Hi,
    I have a problem when I want to enable a second audit server to security log...
    Permissions are right, the first Audit Server works fine but when I enable the second I have the 33204 error.
    (SQL Server Audit could not write to the security log.) It's strange...
    I used Process Monitor tool from Sysinternals to debug the ACCESS on the Registry Key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security but there is no difference when I enable the first Audit Server or the second...
    I am not the only person who has this issue, I see that in other places...
    Can you help me?
    Thanks!
    Regards.

     Have you granted access to the new service account via secpol? This may be the root cause for this problem. For the detailed instructions please visit: 
    http://msdn.microsoft.com/en-us/library/cc645889.aspx.
    BTW. I would strongly recommend using secpol.msc to manage the local security policy instead of modifying the registry keys directly.
    Please let us know if this information helped
    -Raul Garcia.
    SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • WBEMTEST doesn't give Security logs

    Hi,
    I did a WMI test and queried to see the security logs. Nothing found. I see only Application and System logs. No security logs were found.
    I used the below query.
    select * from win32_ntlogevent
    Thanks in advance.
    Rajiv,
    Technical Support Engineer.

    On Windows Server 10 TP, I don't see the same behavior you describe...
    Get-WmiObject -Query 'select * from win32_ntlogevent' | group -Property LogFile -NoElement
    Count Name                    
     1140 Security                
        1 System                  
       24 Windows PowerShell
    Hope this helps, Martin

  • Windows 2008 member server, repeating event 4625 in the security log

    Hello,
       I'm having an issue with a member server on our 2008 domain, security log is filling up with event 4625, here are the details:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/23/2014 2:04:42 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      my.member.server
    Description:
    An account failed to log on.
    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0
    Logon Type:   3
    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  
     Account Domain:  
    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc000006a
    Process Information:
     Caller Process ID: 0x0
     Caller Process Name: -
    Network Information:
     Workstation Name: -
     Source Network Address: 10.0.0.115
     Source Port:  51366
    Detailed Authentication Information:
     Logon Process:  Kerberos
     Authentication Package: Kerberos
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-04-23T18:04:42.197Z" />
        <EventRecordID>99893119</EventRecordID>
        <Correlation />
        <Execution ProcessID="744" ThreadID="844" />
        <Channel>Security</Channel>
        <Computer>KLINEWEB.kline.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">
        </Data>
        <Data Name="TargetDomainName">
        </Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">Kerberos</Data>
        <Data Name="AuthenticationPackageName">Kerberos</Data>
        <Data Name="WorkstationName">-</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">10.0.0.115</Data>
        <Data Name="IpPort">51366</Data>
      </EventData>
    </Event>
    The IP addresses that appear in source network address all belong to VPN clients. And it looks like it's only happening with 4-5 IPs, all of which are VPN clients. These clients shouldn't be connecting to anything on this server, which is why it's puzzling.
    Our DC is Windows 2008 and the VPN server is another member server on the domain. I suspect the issue is at the client PCs since there are many other VPN clients connected that don't generate the event ID.
    Can anyone tell what the issue might be?
    Thanks.

    Hi Rayminette,
    There are multiple login sources that could possibly be generating the errors:
    FTP logins - check your FTP log to see if login failures are showing up at the same time.
    Logins via Basic Authentication over http or https (simple, but possibly dangerous, way to password-protect a web site).
    ASP scripts.
    This logon type 8 indicates a network logon like logon type 3 but where the password was sent over the network in clear text. Windows server doesn't allow connection to shared files or printers with clear text authentication. The only situations I'm aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS's basic authentication mode. In both cases the logon process in the event's description will list advapi. Basic authentication is only dangerous if it isn't wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.
    Reference from:
    What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?
    I hope this helps.
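
A quick way to triage a flood of 4625 events like the one posted above is to pull the source address, logon type and sub status out of each event's XML and count failures per source. This is an added example, not code from either poster; the sample events are constructed (trimmed to the fields used, with a second made-up address), and the status table lists only a few common NTSTATUS codes.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Common NTSTATUS codes found in the Status / SubStatus fields of event 4625.
NTSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC000006D: "bad user name or password",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext",
               10: "RemoteInteractive"}


def parse_4625(xml_text):
    """Return the triage fields of one 4625 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    # Blank fields arrive as whitespace-only text, so strip them.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    sub_status = int(data["SubStatus"], 16)
    logon_type = int(data["LogonType"])
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "source_ip": data.get("IpAddress") or "-",
        "target_user": data.get("TargetUserName") or "(blank)",
        "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
        "auth_package": data.get("AuthenticationPackageName") or "-",
        "reason": NTSTATUS.get(sub_status, hex(sub_status)),
    }


def failures_by_source(xml_events):
    """Count failures per (source IP, reason) so a few noisy hosts stand out."""
    counts = Counter()
    for xml_text in xml_events:
        event = parse_4625(xml_text)
        if event is not None:
            counts[(event["source_ip"], event["reason"])] += 1
    return counts


def sample_event(ip, sub_status, event_id=4625):
    """Constructed sample event, trimmed to the fields read above."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="2014-04-23T18:04:42.197Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="SubStatus">{sub_status}</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Values for 10.0.0.115 match the event posted above; 10.0.0.120 is made up.
SAMPLE = ([sample_event("10.0.0.115", "0xc000006a")] * 3
          + [sample_event("10.0.0.120", "0xc0000064"),
             sample_event("10.0.0.115", "0x0", event_id=4634)])

if __name__ == "__main__":
    for (ip, reason), n in failures_by_source(SAMPLE).most_common():
        print(f"{n:3d}  {ip:15s}  {reason}")
```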

  • WRT600N Security Log

    Is anyone else having this problem?
    When I view my logs, my security log keeps saying incorect username-password=admin and gives my laptop PC address.
    Strange, even though I can log in with no problems with my password. I am hoping this is just a bug that will be fixed in the next patch.

  • How to stop QuickTime Streaming messages in secure.log?

    The secure.log of the server is flooded with these kind of messages:
    Jan 25 12:13:08 server com.apple.SecurityServer[41]: Succeeded authorizing right 'com.apple.server.admin.streaming' by client '/usr/sbin/QuickTimeStreamingServer' for authorization created by '/System/Library/CoreServices/ServerManagerDaemon.bundle'
    Jan 25 12:13:40: --- last message repeated 13 times ---
    Jan 25 12:13:40 server com.apple.SecurityServer[41]: Succeeded authorizing right 'com.apple.server.admin.streaming' by client '/usr/sbin/QuickTimeStreamingServer' for authorization created by '/System/Library/CoreServices/ServerManagerDaemon.bundle'
    Jan 25 12:15:03: --- last message repeated 7 times ---
    Jan 25 12:15:03 server com.apple.SecurityServer[41]: Succeeded authorizing right 'com.apple.server.admin.streaming' by client '/usr/sbin/QuickTimeStreamingServer' for authorization created by '/System/Library/CoreServices/ServerManagerDaemon.bundle'
    Jan 25 12:15:34: --- last message repeated 3 times ---
    I have tried to adjust the idle time setting in /Library/Preferences/com.apple.servermgrd.plist to 300, the supposed Maximum above which idle time defaults to 60 seconds. In my experience this initially works after which the flooding starts all over. The default interval is also a lot smaller than 60 secs.
    How to effectively eliminate these messages apart from disabling QuickTime Streaming altogether?

    I would.  (Ignore it.)  OS X logging has long had this misfeature; various versions of applications have been far too chatty, others log ominous messages that are harmless, and there's the occasional innocuous-nasty message logged.
    If this particular message bugs you — I have several similar "favorites" in my own logs — add it onto a grep --invert-match pattern or such, and filter it out of the logs before you review them.  When you're running OS X or another Unix box in production, message filters based on grep or similar are used to reduce the chatter, and also to flag the nasty messages.
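
The review filter suggested in the reply above, as an added example written in Python rather than grep (not the poster's code). It drops the known-noisy QuickTime Streaming message, also drops the "last message repeated" line that refers to a dropped message (a plain inverted match would leave those behind), and flags lines matching a watch list. The flag pattern and the "Failed to authorize" sample line are assumptions constructed for the demonstration.

```python
import re

# Messages judged harmless: filtered out before review.
NOISE = [
    re.compile(r"Succeeded authorizing right 'com\.apple\.server\.admin\.streaming' "
               r"by client '/usr/sbin/QuickTimeStreamingServer'"),
]
# Messages worth a second look (assumed watch list, adjust to taste).
FLAG = [re.compile(r"Failed to authorize", re.IGNORECASE)]
# syslog's repeat marker always refers to the message logged just before it.
REPEAT = re.compile(r"--- last message repeated \d+ times ---")


def review(lines):
    """Return (kept, flagged): lines left after noise removal, and the flagged subset."""
    kept, flagged = [], []
    previous_dropped = False
    for raw in lines:
        line = raw.rstrip("\n")
        if REPEAT.search(line):
            # Keep the repeat marker only if the message it repeats was kept.
            if not previous_dropped:
                kept.append(line)
            continue
        previous_dropped = any(p.search(line) for p in NOISE)
        if previous_dropped:
            continue
        kept.append(line)
        if any(p.search(line) for p in FLAG):
            flagged.append(line)
    return kept, flagged


STREAMING = ("server com.apple.SecurityServer[41]: Succeeded authorizing right "
             "'com.apple.server.admin.streaming' by client "
             "'/usr/sbin/QuickTimeStreamingServer' for authorization created by "
             "'/System/Library/CoreServices/ServerManagerDaemon.bundle'")

# Constructed sample: the streaming lines follow the log quoted in the question,
# the "Failed to authorize" line and its repeat marker are made up.
SAMPLE = [
    "Jan 25 12:13:08 " + STREAMING,
    "Jan 25 12:13:40: --- last message repeated 13 times ---",
    "Jan 25 12:14:02 server com.apple.SecurityServer[41]: Failed to authorize "
    "right 'system.login.tty' by client '/usr/bin/login'",
    "Jan 25 12:14:09: --- last message repeated 2 times ---",
    "Jan 25 12:15:03 " + STREAMING,
    "Jan 25 12:15:34: --- last message repeated 3 times ---",
]

if __name__ == "__main__":
    kept, flagged = review(SAMPLE)
    for line in kept:
        print(("!! " if line in flagged else "   ") + line)
```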

  • How to monitor user logs,security logs,trace file,and performance monitori

    Hi guys,
    please tell me how to monitor user logs, security logs, trace file, and performance monitoring.
    thanks
    regards
    kamal

    Hi,
    you can have a look in the Netweaver administration :
    http://<portal>:<port>/nwa
    Go to monitoring, Java system reports, etc..., you will find what you want.
    Fabien.

  • Security log 4634 shows another user logging off

    Security log shows logoffs for users that weren't even using the machine. There are no 4642 logon logs, just the 4643 logoff logs.
    These users aren't even accessing another machine via the network. All machines also have no malware or virus on them.
    Logon Type: 3
    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    What could be causing this?

    It's a domain environment. Printers are all through a Print Server.
    Below is the log of 1 such event.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2014-04-04 03:04:24 PM
    Event ID:      4634
    Task Category: Logoff
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      (computer name.domain)
    Description:
    An account was logged off.
    Subject:
    Security ID:
    S-1-5-21-213254720-224688177-246369
    Account Name:
    (username)
    Account Domain:
    (domain)
    Logon ID:
    0x197EC67
    Logon Type: 3
    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4634</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12545</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2014-04-04T13:04:24.783747600Z" />
        <EventRecordID>108300</EventRecordID>
        <Correlation />
        <Execution ProcessID="724" ThreadID="756" />
        <Channel>Security</Channel>
        <Computer>(computer name.domain)</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserSid">S-1-5-21-213254720-224688177-246369</Data>
        <Data Name="TargetUserName">(username)</Data>
        <Data Name="TargetDomainName">(domain)</Data>
        <Data Name="TargetLogonId">0x197ec67</Data>
        <Data Name="LogonType">3</Data>
      </EventData>
    </Event>

  • Leopard Firewall Security

    I am concerned about the security holes in Leopard mentioned in this Article:
    http://www.eweek.com/article2/0,1895,2209676,00.asp?kc=EWKNLBOE110307STR1
    http://tinyurl.com/35mb6q
    I would have expected Leopard to be more secure. If it is not then Apple will have a real problem. The preference settings for the firewall seem to offer less functionality than in Tiger. It is not 100% clear what if anything the firewall is doing. Apple is usually good at simplifying setup, but still enabling finer control of settings if necessary. They may have done that but it is not clear from the preference screens.
    At this point I'm not sure if my system is more or less secure than it was prior to my upgrade to Leopard.
    Thanks,
    Dana

    See my post
    http://discussions.apple.com/thread.jspa?messageID=5742612#5742612
    If you are behind a (wireless) router then it will have a firewall built in and you should be fine.
    If you are not - if you are totally exposed to the Internet - then with Leopard firewall turned on you should be OK. But if you are directly connected to the Internet you may wish to use a better front-end config program for the OS X firewall:
    http://www.hanynet.com/waterroof/
    The operating system firewall built into OS X - IPFW - is actually very capable and very robust. But it has to be configured. The Leopard GUI front-end only creates a very basic config, WaterRoof and software like it can make the computer very secure including controlling what is allowed out as well as what is allowed in.

  • Firewall Security

    My firewall is logging an entry that says "RosettaStoneDaem is listening". Anyone know what this is about? It says it even if I do not have my modem/router turned on.
    Thanks

    The IOS zone-based firewall could be used on your router.
    It can be challenging to set up from scratch but if you use the Cisco Configuration Professional (CCP) GUI, it's not too difficult.
    There are some good links on this page:
    http://www.cisco.com/c/en/us/products/security/ios-firewall/index.html

  • Wrt160n security log

    I have the WRT160N ver 2, and I noticed that after enabling logs it does not show the log in of the console when I select the security log section.

    When you click on "View Log" and select the incoming log, does it display any log entries? The Security Log only displays a temporary log of packets that have been dropped by the firewall. If your firewall hasn't dropped any packets, then it won't display anything listed under it.

  • WRT160N security log (new thread)

    I posted this as a reply to an existing old thread on the topic, but not sure if the new post would bring the thread back to the front for visibility ... so trying to jump start the topic.
    My WRT160N has the SPI firewall enabled and configured to block anonymous Internet connections, and it appears to be working (I've run different online scanners like Shields Up and they all seem to indicate that the port connection attempts to my Internet IP address are being blocked).  But nothing shows up in the security log ... ever.  Shouldn't these blocked attempts be recorded there?
    BTW, the router firmware is at v1.02.2 ... kind of bummed that I just bought this and I get a unit with apparently the last update to an old firmware build. :-\
    Thanks in advance for any feedback.

    "I believe the security log of the scanner on your computer will only tell you the firewall on the computer  not on the router... "
    Sorry, not sure I follow ... I am speaking about the firewall on the Linksys router and its security log.  The router firewall appears to be doing its job and not letting anything thru (so my computer ... hopefully ... isn't seeing it), but nothing from my testing is being recorded in the router log.

  • Firewall security setting blocking Outlook Express

    I'm a Verizon DSL customer with a Versalink 7500.
    If I set the Firewall security setting to anything above Minimum, Outlook Express fails with the following:
    The connection to the server has failed.
    Account: 'verizon email', Server: 'pop.verizon.net',
    Protocol: POP3, Port: 995, Secure(SSL): Yes, Socket Error: 10060,
    Error Number: 0x800CCC0E
    Suggestions?

    I didn't notice that the port got changed.  In any event, I changed it back to 995 and got a similar error.
    I rechecked the "This server requires a secure connection (SSL)" box.  
    The "Log on using Secure Password Authentication" box is already unchecked.  
    Here are my OE settings.
