Everyday Security log become full and user can’t logon

265 pts.
Microsoft Windows
Network monitoring
Performance management
Hi, Sometimes in some of computers in my domain when I check their eventlog, I see some events about other users logon in their security log like below:
------------- Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 538 Date: 2006/09/27 Time: 10:09:32 ?.? User: S-1-5-21-727744907-765012080-2873131892-1146 Computer: COMPUTER-25 Description: User Logoff: User Name: bahra-f Domain: itdomain Logon ID: (0x0,0x1F256B) Logon Type: 3 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. -----------
That the Computer-25 is the name of computer and bahra-f is the username of other user in the domain that can't logon on this computer. What's the meaning of this security message log? In my domain everybody can logon just on her or his computer and all of them is Win XP pro sp2 and the domain OS is Win Server 2003 R2. Now for some of users everyday the security log become full and they can't logon and I should clear their logs. Could you please help me? Thank you. ----- Regards Mahnaz

Answer Wiki

Thanks. We'll let you know when a new response is added.


A Logon Type 3 event is generated most commonly when a user logs on to a remote computer on a network for such purposes as to access a shared file or folder which is available on that computer. It can also be triggered by IIS logons if IIS is running on this computer. Have you noted any event ID #528 (successful logon) with a logon type 2 in your security logs? Logon type 2 indicates an interactive logon which occurs when a user logs on to a computer from the console.

Hope that helps!

Good luck!

Discuss This Question: 2  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Astronomer
    Why don't you just set the logs to overwrite events as needed? If you right click on the log and chose properties, you can set the maximum log size larger and tell it to "Overwrite events as needed". I you do this, the logs won't overflow. rt
    15 pointsBadges:
  • PDMeat
    As was already stated, you should just set a group policy to set the security event logs on all these PCs to "overwrite events as needed". Another option worth considering is the "prohibit logon if security log full" option- turn it off. There's no need to kill yourself with trying to catch people logging on and off the local PC when the domain controllers will log any logon/logoff to the domain anyways. I would set the event log size and remote the restriction to prohibit logon if sec log is full with group policy as stated above. You might consider getting a security event log management software like manage engine's event log analyzer http://manageengine.adventnet.com/products/eventlog/index.html (free for up to 5 hosts) to record all of the domain controller security logs to catch who is doing what.
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: