Recurring Security Log errors 4624, 4672, 4634
We have only ten workstations, all WinXP Pro, except for one Windows 7 machine. We have a Windows 2003 Server SP2, a Windows Server 2003 R2, and just added a Windows Server 2008 R2 with all updates complete. The logs on the 2003 servers are fine. The 2008 Server Security log has an event that keeps recurring every few seconds. All are Audit Success. Logon Kerberos 4624, Special Logon of the 2008 Server itself 4672 and then Logoff of the 2008 server error 4634 (This event is generated when a logon session is destroyed........) I get this cycle thousands of times a day. I don't want to just set the server not to report this event. I want to fix the core problem.
January 21st, 2012 2:48pm
Event ID 4624: An account was successfully logged on.
Event ID 4634: An account was successfully logged off.
Event ID 4672: Special Logon
It is perfectly normal. These might be useful for detecting any "super user" account logons. These events let you know whenever an account assigned any "administrator equivalent" user rights logs on (services and applications that interact closely with the operating system). You can check that the domain security logs are configured via the Default Domain Controller Group Policy. It is located under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
Gopi Kiran | This posting is provided AS IS with no warranties, and confers no rights.
January 21st, 2012 4:33pm
I agree with Gopi. In addition, check out this article; you might find it useful: http://www.ultimatewindowssecurity.com/securitylog/resourcekits/book2008/chapter2.aspx
MCTS - http://mariusene.wordpress.com/
January 21st, 2012 4:41pm
Thank you for your quick reply. It just seems counterintuitive to me that it is the norm for this machine to be logging itself on and off every few seconds, especially with a message that the session was destroyed. Keep in mind that at the moment the machine, although being promoted to FSMO, is not doing anything like backup, file sharing, or apps. It is a FSMO & DC on a very small network. It seems like a waste of machine resources. Why would the machine be doing this?? Are you certain the way to handle this is to stop the auditing/reporting of the process?
January 25th, 2012 11:57am
"It seems like a waste of machine resources. Why would the machine be doing this?? Are you certain the way to handle this is to stop the auditing/reporting of the process?"
We are not suggesting to enable/disable the auditing. As you said, it is a very small network; you choose what you need.
----------
"I don't want to just set the server not to report this event. I want to fix the core problem."
By going to that location you can enable/disable auditing on the specific object. Please check which objects you require auditing on and which you don't. Please refer to the link below:
Auditing settings on objects http://technet.microsoft.com/en-us/library/cc780909%28WS.10%29.aspx
Gopi Kiran
January 25th, 2012 1:39pm
Gopi, Thank you so much for the dialog and please excuse my lack of knowledge. To me it seems auditing in this case would imply something is logging on and off that is being audited. By stopping the auditing it won’t be reported but the logging on and off every few seconds will continue to occur and use system resources. What am I missing and what is it that is logging on and off? Your help is much appreciated.
January 26th, 2012 1:44pm
Please refer to the link below for the Process ID/Information, Source Network Address, and Account Name, for tracking what is logging on and off. http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
Hope this helps.
Gopi Kiran
January 26th, 2012 4:02pm
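One way to do the tracking described in the post above, as an added example that is not part of the thread: it reads the Account Name, Source Network Address and Process Information fields out of each 4624 event and counts how often each combination occurs. The host DC01, the domain EXAMPLE and the sample event are constructed for illustration.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# server whose Security log is filling up.

# Turn one event's XML into a record of the 4624 fields used for tracking.
function ConvertTo-LogonRecord {
    param([xml]$EventXml)
    # EventData is a list of <Data Name="...">value</Data> elements; index by Name.
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Account   = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        LogonType = $fields['LogonType']                  # 3 = network, 5 = service, ...
        AuthPkg   = $fields['AuthenticationPackageName']  # e.g. Kerberos, NTLM
        Source    = $fields['IpAddress']
        Process   = $fields['ProcessName']
    }
}

# Count the most recent 4624 events by account, logon type, package, source and process.
function Get-LogonSummary {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertTo-LogonRecord ($_.ToXml()) } |
        Group-Object Account, LogonType, AuthPkg, Source, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample event (hypothetical host DC01 in domain EXAMPLE) so the parser
# can be tried without access to a live Security log.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">DC01$</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">::1</Data>
  </EventData>
</Event>
'@
ConvertTo-LogonRecord $sample | Format-List

# On the server itself:
# Get-LogonSummary -MaxEvents 5000 | Format-Table -AutoSize
```

The rows with the highest counts show which account, source address and process account for most of the logon events in the sampled window.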
Yes, this confirms to me that the server in question is logging on to itself and that it is being logged off from itself every few seconds. What I still don’t understand is why it would be O.K. for this DC to be in this continuous loop of logging on and logging off from itself with "logon session is destroyed"? Again, I really appreciate your taking the time to look at this.
January 26th, 2012 7:29pm
If a user turns off his/her computer, Windows does not have an opportunity to log the logoff event until the system restarts. Therefore, some logoff events are logged much later than the time at which they actually occur. Event ID 4634: if the computer is shut down or loses network connectivity, it may not record a logoff event at all. http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634
Gopi Kiran
January 27th, 2012 3:25am
Gopi, Thanks again. This would explain some frequent logoff events but not this loop of the server logging itself on and off every few seconds 24/7.
January 27th, 2012 5:22pm
Any other ideas as to why this is happening?
February 3rd, 2012 6:35pm
I am experiencing a similar problem with the security logs on a SBS 2008 server with 12 XP workstations, 1 Win7 (all joined to the domain) and 1 Mac. I'm getting 200,000+ events in the security logs EVERY DAY. Any idea what would cause this or how to stop it? I'm of the same mindset as LRabinow... I don't want to just configure the server to stop reporting these events, I'd like to know what's causing them. I've run the best practices analyzer several times and it's clean. Any suggestions would be greatly appreciated.
March 1st, 2012 1:02am