I have 4 systems - all newly installed - which have many entries of event ID 560 in the seclog. All systems have been checked for viruses/malware. None found. Running Windows XP Pro SP3 on these systems in a Windows 2003 Server environment. Domain policy contains audits for local policy. Security logs are filling up and users cannot log on when they are full. Workaround: raised from 512 to 1024 and overwrite as necessary. However, every 2 or 3 days we have to delete the seclogs manually because they are full again. And the logs are filling differently. Some will fill every two hours, every 3 seconds for one hour. Others in a totally different pattern. Example of a seclog entry:
Type gebeurtenis: Controleren op mislukte pogingen
Bron van gebeurtenis: Security Categorie van gebeurtenis: Toegang tot object
Gebeurtenis-ID: 560 Datum: 29-6-2010 Tijd: 9:16:39 Gebruiker: domainname\user Computer: clientname
Beschrijving: Object is geopend:
Objectserver: SC Manager Objecttype: SERVICE OBJECT Objectnaam: CiSvc Ingang-ID: - Bewerking-ID: {0,1193942} Proces-ID: 708
Bestandsnaam momentopname: C:\WINDOWS\system32\services.exe
Primaire gebruikersnaam: clientname$ Primair domein: Domainname Primaire aanmeldings-ID: (0x0,0x3E7)
Clientgebruikersnaam: username Clientdomein: Domainname Client-aanmeldings-ID: (0x0,0xD3F0)
Toegangspogingen: Configuratiegegevens voor service instellen Gegevens opvragen over de status van de service De service starten De service stoppen
Machtigingen: - Aantal beperkte SID's: 0
Zie Help en ondersteuning op
http://go.microsoft.com/fwlink/events.asp voor meer informatie.
So, my question: How can I track which system the audit came from? Or, how can I solve this?
Software/Hardware used:
Dell Optiplex different types, 1 Latitude, Windows XP Pro SP3
ASKED: June 29, 2010 2:26 PM
UPDATED: July 8, 2010 12:57 PM
Try the Sysinternals TCPVIEW utility. This will tell you what connections a client computer has made – both inbound and outbound. This may help you identify the client computer and/or process which is causing these event log entries.