How can I track where an audit comes from?

Tags:
Event ID
Microsoft Windows Server 2003
Microsoft Windows XP
Security
Security logs
Windows Server Security
I have 4 systems - all newly installed - which have many entries of event ID 560 in the security log. All systems have been checked for viruses/malware. None found. Running Windows XP Pro SP3 on these systems in a Windows 2003 Server environment. Domain policy contains audits for local policy. Security logs are filling and users cannot log on when full. Workaround: raised from 512 to 1024 and overwrite as necessary. However, every 2 or 3 days we have to delete the security logs manually because they are full again. And the logs are filling differently. Some will fill every two hours, every 3 seconds for one hour. Others in a totally different pattern. Example of a security log entry:

Type gebeurtenis: Controleren op mislukte pogingen
Bron van gebeurtenis: Security
Categorie van gebeurtenis: Toegang tot object
Gebeurtenis-ID: 560
Datum: 29-6-2010
Tijd: 9:16:39
Gebruiker: domainname\user
Computer: clientname
Beschrijving:
Object is geopend:
  Objectserver: SC Manager
  Objecttype: SERVICE OBJECT
  Objectnaam: CiSvc
  Ingang-ID: -
  Bewerking-ID: {0,1193942}
  Proces-ID: 708
  Bestandsnaam momentopname: C:\WINDOWS\system32\services.exe
  Primaire gebruikersnaam: clientname$
  Primair domein: Domainname
  Primaire aanmeldings-ID: (0x0,0x3E7)
  Clientgebruikersnaam: username
  Clientdomein: Domainname
  Client-aanmeldings-ID: (0x0,0xD3F0)
  Toegangspogingen:
    Configuratiegegevens voor service instellen
    Gegevens opvragen over de status van de service
    De service starten
    De service stoppen
  Machtigingen: -
  Aantal beperkte SID's: 0

Zie Help en ondersteuning op http://go.microsoft.com/fwlink/events.asp voor meer informatie.

So, my question: How can I track which system the audit came from? Or, how can I solve this?



Software/Hardware used:
Dell Optiplex different types, 1 Latitude, Windows XP Pro SP3

Answer Wiki


Your best option would be to look at a centralized logging solution which should include DHCP & DNS so you can perform lookups to track down the system the audit came from.

Here are some free options:

http://www.manageengine.com/products/eventlog/index.html

http://www.solarwinds.com/products/freetools/kiwi_syslog_server/
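Before a central log server is in place, the 560 entries already on each client can be triaged directly: the Computer field names the machine that wrote the audit, and the process ID, image name and client logon ID narrow it to the program and session responsible. As an added example (not from the question or the answer above), the Python script below parses records flattened onto one line each in the text form shown in the question, using the Dutch field labels, counts events per computer/user/logon ID/object/process, and flags sources that repeat at a fixed interval (the "every 3 seconds" pattern), which points to a polling program rather than a user. The five sample records are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: five event-ID-560 records flattened onto one line each, as in the
# question (Dutch XP SP3 labels); only the fields this script uses are kept.
SAMPLE = """
Gebeurtenis-ID: 560 Datum: 29-6-2010 Tijd: 9:16:39 Computer: PC01 Objectnaam: CiSvc Proces-ID: 708 Bestandsnaam momentopname: C:\\WINDOWS\\system32\\services.exe Clientgebruikersnaam: jdoe Client-aanmeldings-ID: (0x0,0xD3F0)
Gebeurtenis-ID: 560 Datum: 29-6-2010 Tijd: 9:16:42 Computer: PC01 Objectnaam: CiSvc Proces-ID: 708 Bestandsnaam momentopname: C:\\WINDOWS\\system32\\services.exe Clientgebruikersnaam: jdoe Client-aanmeldings-ID: (0x0,0xD3F0)
Gebeurtenis-ID: 560 Datum: 29-6-2010 Tijd: 9:16:45 Computer: PC01 Objectnaam: CiSvc Proces-ID: 708 Bestandsnaam momentopname: C:\\WINDOWS\\system32\\services.exe Clientgebruikersnaam: jdoe Client-aanmeldings-ID: (0x0,0xD3F0)
Gebeurtenis-ID: 560 Datum: 29-6-2010 Tijd: 9:16:48 Computer: PC01 Objectnaam: CiSvc Proces-ID: 708 Bestandsnaam momentopname: C:\\WINDOWS\\system32\\services.exe Clientgebruikersnaam: jdoe Client-aanmeldings-ID: (0x0,0xD3F0)
Gebeurtenis-ID: 560 Datum: 29-6-2010 Tijd: 9:20:01 Computer: PC02 Objectnaam: Spooler Proces-ID: 712 Bestandsnaam momentopname: C:\\WINDOWS\\system32\\services.exe Clientgebruikersnaam: asmith Client-aanmeldings-ID: (0x0,0x2A1B)
"""

# Field labels exactly as the Dutch event text prints them; splitting on them turns
# "Label: value Label: value ..." into a dict without relying on a fixed field order.
LABELS = ["Gebeurtenis-ID", "Datum", "Tijd", "Computer", "Objectnaam", "Proces-ID",
          "Bestandsnaam momentopname", "Clientgebruikersnaam", "Client-aanmeldings-ID"]
LABEL_RE = re.compile("(" + "|".join(re.escape(l) for l in LABELS) + r"):\s*")

def parse_event(line):
    parts = LABEL_RE.split(line)  # ['', label1, value1, label2, value2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def parse_events(blob):
    return [parse_event(l) for l in blob.strip().splitlines() if "Gebeurtenis-ID: 560" in l]

def when(ev):
    return datetime.strptime(ev["Datum"] + " " + ev["Tijd"], "%d-%m-%Y %H:%M:%S")

def summarize(events):
    """Count 560 events per (computer, client user, client logon ID, object, PID, image).
    Computer is the machine that wrote the audit; the client logon ID can then be matched
    against that machine's logon event (ID 528/540) to see where the session came from."""
    return Counter((e["Computer"], e["Clientgebruikersnaam"], e["Client-aanmeldings-ID"],
                    e["Objectnaam"], e["Proces-ID"], e["Bestandsnaam momentopname"]) for e in events)

def find_periodic(events, min_count=3):
    """Return {(computer, PID, object): seconds} for sources whose events recur at one fixed
    interval (the 'every 3 seconds for an hour' pattern), i.e. a polling program, not a user."""
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["Computer"], e["Proces-ID"], e["Objectnaam"])].append(when(e))
    periodic = {}
    for key, times in by_source.items():
        times.sort()
        gaps = {int((b - a).total_seconds()) for a, b in zip(times, times[1:])}
        if len(times) >= min_count and len(gaps) == 1:
            periodic[key] = gaps.pop()
    return periodic
```

Feed it the saved text of a real Security log (Event Viewer "Save as" text, one record per line) and compare `summarize()` across the four machines; the PID and image name of the top source can then be checked on that client with Task Manager or Process Explorer.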

Discuss This Question: 1 Reply

  • Labnuke99
    Try the Sysinternals TCPVIEW utility. This will tell you what connections a client computer has made - both inbound and outbound. This may help you identify the client computer and/or process which is causing these event log entries.