2003 DC filling up with event id 538 540 and 576
My Dc is rapidly filling up with security event ids 538 540 and 576. I back up my security logs weekly. Typically they are between 125MB and 175MB for the week. This week in less than 24 hours the security log was 175MB. My audit policy has not changed and the Audit privilege use policy is set to Failure only. Any ideas?
May 12th, 2010 7:39pm

Hi, As they are all success audit events, I suspect that you enable the audit in security policy. Please verify it by using rsop.msc or running gpresult /v on the DC. Meanwhile, please check if the following hotfix is installed on the DC: System Performance Decreases, and Many Event ID 576 Entries Are Logged to the Security Event Log http://support.microsoft.com/kb/822774This posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2010 11:52am

I am also having this problem. 380mb in the Security Log in a single day, the vast majority of which are 538/540 and some 576 events. Most of the events are from the DC's computer account talking to itself. Audit privilege use is set to failure only. Looked at the hotfix and it says it only applies to Server 2003 SP1. I am running SP2. Any ideas?
February 16th, 2011 6:02am

I checked the version of lsasrv.dll on the server. It is 5.2.2370.4530. So it does not appear the HF is applicable.
Free Windows Admin Tool Kit Click here and download it now
February 21st, 2011 10:26am

I checked the version of lsasrv.dll on the server. It is 5.2.2370.4530. So it does not appear the HF is applicable. I'm on 5.2.3790.4806, so I'm guessing it's also not applicable to me, I also get a update.inf error, which doesn't allow me to run the .exe. This takes down our internal web sites (almost) every day around 11am for about 5 minutes. If anybody could throw some input my way it would be greatly appreciated
May 9th, 2011 3:02pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics