I have 4 systems - all newly installed - which have many entries of event ID 560 in the seclog. All systems have been checked for viruses/malware. None found. Running Windows XP Pro SP3 on these systems in a Windows 2003 Server environment. Domain policy contains audits for local policy. Security logs are filling and users cannot log on when full. Workaround: raised from 512 to 1024 and overwrite is necessary. However, every 2 or 3 days we have to delete the seclogs manually because they are full again. And the logs are filling differently. Some will fill every two hours, each 3 seconds for one hour. Others in a totally different pattern. Example of a seclog entry:
Type gebeurtenis: Controleren op mislukte pogingen
Bron van gebeurtenis: Security
Categorie van gebeurtenis: Toegang tot object
Objectserver: SC Manager
Objecttype: SERVICE OBJECT
Objectnaam: CiSvc
Ingang-ID: -
Bewerking-ID: {0,1193942}
Proces-ID: 708
Bestandsnaam momentopname: C:\WINDOWS\system32\services.exe
Primaire gebruikersnaam: clientname$
Primair domein: Domainname
Primaire aanmeldings-ID: (0x0,0x3E7)
Clientgebruikersnaam: username
Clientdomein: Domainname
Client-aanmeldings-ID: (0x0,0xD3F0)
Toegangspogingen:
    Configuratiegegevens voor service instellen
    Gegevens opvragen over de status van de service
    De service starten
    De service stoppen
Machtigingen: -
Aantal beperkte SID's: 0
Try the Sysinternals TCPVIEW utility. This will tell you what connections a client computer has made - both inbound and outbound. This may help you identify the client computer and/or process which is causing these event log entries.
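To see which service object and client account produce most of the 560 entries before chasing connections, the descriptions can be tallied offline. This is an added example, not part of the original thread; it assumes the event descriptions have been exported as text with the Dutch field labels shown in the question, and ExampleSvc and otheruser in the sample are constructed values.

```python
import re
from collections import Counter

# Field labels exactly as they appear in the Dutch-localised entry quoted above.
LABELS = [
    "Objectserver", "Objecttype", "Objectnaam", "Ingang-ID", "Bewerking-ID",
    "Proces-ID", "Bestandsnaam momentopname", "Primaire gebruikersnaam",
    "Primair domein", "Primaire aanmeldings-ID", "Clientgebruikersnaam",
    "Clientdomein", "Client-aanmeldings-ID", "Toegangspogingen",
    "Machtigingen", "Aantal beperkte SID's",
]
LABEL_RE = re.compile("(" + "|".join(
    re.escape(l) for l in sorted(LABELS, key=len, reverse=True)) + r"):")

def parse_event(text):
    """Split one event description into {label: value}."""
    # A value runs from its label to the next known label, so this handles
    # one-field-per-line text as well as text flattened onto a single line.
    hits = list(LABEL_RE.finditer(text))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields[m.group(1)] = " ".join(text[m.end():end].split())
    return fields

def summarise(descriptions):
    """Count events per (service object, client user, reporting image)."""
    counts = Counter()
    for f in map(parse_event, descriptions):
        counts[(f.get("Objectnaam", "?"), f.get("Clientgebruikersnaam", "?"),
                f.get("Bestandsnaam momentopname", "?"))] += 1
    return counts.most_common()

# Constructed sample input modelled on the entry above (not real log data).
EVENT_A = ("Objectserver: SC Manager Objecttype: SERVICE OBJECT Objectnaam: CiSvc "
           "Proces-ID: 708 Bestandsnaam momentopname: C:\\WINDOWS\\system32\\services.exe "
           "Clientgebruikersnaam: username Clientdomein: Domainname "
           "Toegangspogingen: De service starten De service stoppen Machtigingen: -")
EVENT_B = """Objectserver: SC Manager
Objecttype: SERVICE OBJECT
Objectnaam: ExampleSvc
Bestandsnaam momentopname: C:\\WINDOWS\\system32\\services.exe
Clientgebruikersnaam: otheruser
Toegangspogingen: De service starten"""
SAMPLE = [EVENT_A, EVENT_A, EVENT_B]

if __name__ == "__main__":
    for key, n in summarise(SAMPLE):
        print(n, *key)
```

A single object name and client account dominating the counts points at one program repeatedly trying to control that service under the logged-on user's rights.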