Please help it’s too urgent! Security log became full

Tags:
Microsoft Windows
Networking
Tech support
Hi, since two days ago the security log of some of the clients has become full with the event IDs below, and I have to clear it every day!
Please help me, I think it's too dangerous if these clients become more and more!
These errors are:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 5/15/2006
Time: 8:45:21 AM
User: domain-name\user-name1
Computer: COMPUTER-3
Description: Successful Network Logon:
    User Name: user-name1
    Domain: domain-name
    Logon ID: (0x0,0x1972F8)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {e04c59d2-c283-c7e6-72c5-2dc852597fa2}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------------------

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 5/15/2006
Time: 8:45:21 AM
User: domain-name\user-name1
Computer: COMPUTER-3
Description: Special privileges assigned to new logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x1972F8)
    Privileges: SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 5/15/2006
Time: 8:45:21 AM
User: domain-name\user-name1
Computer: COMPUTER-3
Description: User Logoff:
    User Name: user-name1
    Domain: domain-name
    Logon ID: (0x0,0x1972A8)
    Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Please Help!!! Thank you.
----
Regards
Mahnaz
ASKED: May 17, 2006  1:46 AM
UPDATED: August 22, 2013  7:42 PM

Answer Wiki


I am not sure what you are asking. Do you want to not have to clear these logs? Or do you want to stop them from happening at all?
If you don’t want to have to manually clear the logs, that is fairly simple. On each computer, go into the Event Viewer, right-click the Security Log on the left and select Properties. There will be an option “Over write as needed” that you can select.
If you are looking to prevent them altogether, you will have to figure out where auditing is enabled and “turn it off”. If you only have this on a few machines, and provided they are not your only XP machines, then I would say these machines came in with auditing enabled in their local policies (assuming they are new installs).
I see this in my network because I am auditing in the Domain. I simply set the clients to overwrite as needed and it doesn’t become a problem. Perhaps there is a group policy that would do this for me but I have not looked into it.
I hope this helps.

Discuss This Question: 7  Replies

 
  • 9949748886
    I agree with Woods. If you don't want to see the message that the security log reached its maximum limit, then in the Event Viewer choose the "over-write as needed" option. But if you don't want these logs at all, then you need to disable the security auditing in the Local Security Policy.
    1. Control Panel -> Administrative Tools -> Local Security Policy
    2. Expand Local Policies and double-click Audit Policy.
    3. Double-click "Audit account logon events" in the right pane and a dialog box appears.
    4. Uncheck the "success" option (if you want, you can also uncheck the "failure" option, in case you don't want it) and save the settings.
    If the security auditing is enabled at the domain level, then you need to edit the Domain Security Policy instead of the Local Security Policy on each client. Hope it may help you :) Regards, Shafi.
  • Northern
    Are your computers in a Domain, Windows Server 2000 or Server 2003? Is auditing turned on? If so, you can set your security policies through Group Policy.
    Auditing can be turned on through the following. This will turn on auditing for all the PCs at the domain level:
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy: Set to Success/Failure.
    To manage Security Settings on the Security Log:
    Computer Configuration/Windows Settings/Security Settings/Event Log: Settings for Event Logs:
      Maximum Security log size: set this in KB
      Retain Security Log: # of days
      Retention Method for Security Log: Select an overwrite option: by days, as needed or clear manually.
    Note: If you select to clear manually then you have to remember to clear the logs manually when they fill up. This can be rather tedious on a large network.
    If you're not on a domain you can set this in Windows XP through the Local Security Policies, which are found in Control Panel/Administrative Tools/Local Security Policies. I believe you would have to do this on each individual PC. Under Security Settings: select Local Policies, Audit Policies. This is where Auditing is set for success/failure. You set the security options. You can manage the logs through Computer Management/System Tools/Event Viewer/Right Click Security/Go to Properties and select the log options you need. I use Group Policies to maintain this instead of each individual PC as this is an easier process.
    If you need to clear the security logs immediately because they are full, then go to the PC where the log is full and go to Computer Management/System Tools/Event Viewer/Right Click Security/Clear all events. You will be asked if you want to save the log file or just clear it. If you feel the need to save it for later viewing then save it and the log will be cleared. I hope this is what you are looking for and good luck! ls
  • Ebellardino
    9949748886 is correct. I have that enabled on my server. I also set the event viewer to overwrite. Good luck. Ed
  • DaveInAZ
    The previous posters gave you a lot of excellent advice. There are two points that they probably took for granted, so they didn't mention them, but that may not be obvious to someone new to administering systems. The first point is that these are not really errors; they're just information. Some application, and it looks like it may be Kerberos in this case, is set up to log this information. It's not saying anything is broken; it's just letting you know what's happening because someone told it to do that. The other thing is that you say it started two days ago. That should tell you what to look at when you're trying to change this behavior. Something was added/changed on the system two days ago, and it's causing these log messages.
  • Aliyani
    Hi, thanks for all your help, it was so useful for me, but it is so important for me to know why there are these events in the security log, as DaveInAZ said!!!??? All of the clients are on a Win 2003 Server domain and are WinXP Pro SP2. It's interesting that the user that makes the logon/logoff on these clients is the same, user1, on all clients that have this problem!!!! From two days ago they didn't have any changes, and user1 is a simple and restricted user and it belongs to a typist!!!! Now just two clients have this problem and I don't think it's about domain group policy!!? Am I right? So much thanks if you have any other advice. Thank you. ---- Regards Mahnaz
  • DaveInAZ
    Hi Mahnaz, I'm sure the clients SAY nothing on their systems has changed, but that's clearly not true. They just aren't aware of what changed or don't remember or don't want to tell you. But something changed or you wouldn't be seeing a change in behavior. Q.E.D. Since the events being logged all involve logging on or off the network, or assigning privileges, and one event specifically mentions Kerberos, which is a network authentication protocol and is available as freeware, that's the place to look. Either they just installed it or they changed one or more settings that cause those signon/signoff events to be logged. The changed setting is most likely to be a Kerberos setting, but it could be something related to OS/network security. Do a quick Google on Kerberos and you'll find a ton of information on it. Microsoft even has an article on enabling exactly the kind of logging you're seeing; http://support.microsoft.com/?id=262177. You could probably reverse their advice to disable it, if they're running Windows, but make sure you know what you're doing before taking this step. Kerberos is normally only used in high security situations, so turning it off may be a bad idea. Good luck!
  • Ultrix
    If the issue is continuing, perhaps you need to educate the specific user that they are to protect their sign-on information. Maybe it has leaked out? At the very least, changing the password on the account will tell you a couple of things. Does the info entry go away? If so, they had let their user info out accidentally. Does the info show that the user is actually present at their station when the info is being logged? If not, they might have a trojan on their machine that is logging in for some reason.
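Added example, not part of any post above: before changing audit policy or switching the log to overwrite, it helps to see which account and logon type are filling it. This sketch assumes the Security log has been exported as text in the layout quoted in the question; the function names and the last two sample events are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the events quoted in the question
# (domain-name, user-name1 and COMPUTER-3 are the page's own placeholders).
SAMPLE = r"""
Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 Date: 5/15/2006 Time: 8:45:21 AM User: domain-name\user-name1 Computer: COMPUTER-3 Description: Successful Network Logon: User Name: user-name1 Domain: domain-name Logon ID: (0x0,0x1972F8) Logon Type: 3 Logon Process: Kerberos
Event Type: Success Audit Event Source: Security Event Category: Privilege Use Event ID: 576 Date: 5/15/2006 Time: 8:45:21 AM User: domain-name\user-name1 Computer: COMPUTER-3 Description: Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0x1972F8) Privileges: SeChangeNotifyPrivilege
Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 538 Date: 5/15/2006 Time: 8:45:21 AM User: domain-name\user-name1 Computer: COMPUTER-3 Description: User Logoff: User Name: user-name1 Domain: domain-name Logon ID: (0x0,0x1972A8) Logon Type: 3
Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 Date: 5/15/2006 Time: 8:45:22 AM User: domain-name\user-name1 Computer: COMPUTER-3 Description: Successful Network Logon: User Name: user-name1 Domain: domain-name Logon ID: (0x0,0x197310) Logon Type: 3 Logon Process: Kerberos
Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 538 Date: 5/15/2006 Time: 8:45:22 AM User: domain-name\user-name1 Computer: COMPUTER-3 Description: User Logoff: User Name: user-name1 Domain: domain-name Logon ID: (0x0,0x1972F8) Logon Type: 3
"""

# Header "User:" is used rather than "User Name:", which is empty in event 576.
FIELDS = {
    "event_id": r"Event ID:\s*(\d+)",
    "when": r"Date:\s*(\S+)\s+Time:\s*(\S+ [AP]M)",
    "user": r"\bUser:\s*(\S+)",
    "computer": r"Computer:\s*(\S+)",
    "logon_id": r"Logon ID:\s*\(([^)]+)\)",
    "logon_type": r"Logon Type:\s*(\d+)",
}

def parse_events(text):
    """Split the export at each 'Event Type:' and extract the fields of every record."""
    events = []
    for record in re.split(r"(?=Event Type:)", text):
        found = {k: re.search(p, record) for k, p in FIELDS.items()}
        if found["event_id"]:
            events.append({k: " ".join(m.groups()) if m else None
                           for k, m in found.items()})
    return events

def triage(events):
    """Count 540 logons per (computer, user, logon type); list sessions with no 538 seen."""
    logons, open_sessions = Counter(), {}
    for e in events:
        if e["event_id"] == "540":
            logons[(e["computer"], e["user"], e["logon_type"])] += 1
            open_sessions[e["logon_id"]] = e["when"]
        elif e["event_id"] == "538":
            open_sessions.pop(e["logon_id"], None)
    return logons, open_sessions

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```

A single account dominating the Logon Type 3 counts on a machine shows which logons are filling the log, and the timestamps of those events can be compared with when the user was actually at the workstation.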
