too many "successful logon" events?

Status
Not open for further replies.

bustamove

IS-IT--Management
May 27, 2003
171
CA
Hi,

We have a print server that receives a lot of "Successful Network Logon" (type 3) event logs, almost every second. They all come from the same three computers only, out of 500 PCs. Each of them initiates this message more than 15,000 times per day.

netstat -o shows the process that's doing this is SVCHOST.EXE. Is this a known issue? I want to know why they are doing this. Thanks
 
What's the text in the events?




Steve.

"They have the internet on computers now!" - Homer Simpson
 
Looks like this:

Successful Network Logon:
User Name: <those 3 logon users>
Domain: XXX
Logon ID: (0x0,0x17721CDD)
Logon Type: 3
Logon Process: Kerberos Authentication
Package: Kerberos
Workstation Name: <those 3 workstation names>
Logon GUID: {59fea2b0-5447-ba7d-da12-4318da945db8}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: <those 3 workstation IP addresses>
Source Port: <starts randomly, increment by 1>


All Windows XP w/ latest patches.
Print server is W2K3

Thanks
 
It sounds like increased auditing on that machine. I would turn back auditing and see what happens.
 
I always have the auditing on, and this is not happening to the other 500 computers. I don't quite understand the reason to turn off the auditing logs; the size doesn't bother us, but I am afraid these constant connections may slow down the performance.
 
Check the machines having the problem for increased logging. Maybe these machines are cranked up a bit.

As for the burden, event logging can be a HUGE drag on a system with lots of traffic.
 
Thanks, but the computers are free of viruses and adware according to the scan results. The computers are freshly installed w/ patches and users have no admin rights.

One common thing I found is that they all have locally installed printers / drivers and the server is a print server.

It is not really a big thing now, but I am afraid if all 500 PCs start to do this (say on some other servers), it will be very bad with or without event logging.

I really hope it will not happen to all because I don't know how to stop it.
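
An added example, not part of the original thread: one way to triage an export of the events quoted above is to tally the type 3 logons per source and measure how often the source port steps by exactly one between consecutive events. The sample users, hosts and addresses are constructed, the function names are hypothetical, and the events are assumed to be in chronological order.

```python
# Added example: tally type 3 logons per source from exported event text.
HEADER = "Successful Network Logon:"

def _event(user, host, ip, port, logon_type=3):
    # Builds one constructed record in the field layout quoted in the thread.
    return (f"{HEADER}\nUser Name: {user}\nDomain: XXX\nLogon Type: {logon_type}\n"
            f"Logon Process: Kerberos Authentication\nWorkstation Name: {host}\n"
            f"Source Network Address: {ip}\nSource Port: {port}\n\n")

# Constructed sample (hypothetical users, hosts and addresses).
SAMPLE = "".join(
    [_event("alice", "WS-A", "10.0.0.11", 2000 + i) for i in range(6)]
    + [_event("bob", "WS-B", "10.0.0.12", p) for p in (4100, 4377)]
    + [_event("carol", "WS-C", "10.0.0.13", 3000, logon_type=2)])

def parse_events(text):
    """Split exported event text into one dict of 'Field: value' pairs per record."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def summarize(events, logon_type="3"):
    """Return (source, logon count, share of +1 source-port steps), busiest first."""
    stats = {}
    for ev in events:
        if ev.get("Logon Type") != logon_type:
            continue
        src = (ev.get("User Name"), ev.get("Workstation Name"),
               ev.get("Source Network Address"))
        entry = stats.setdefault(src, {"count": 0, "ports": []})
        entry["count"] += 1
        if ev.get("Source Port", "").isdigit():
            entry["ports"].append(int(ev["Source Port"]))
    report = []
    for src, entry in stats.items():
        p = entry["ports"]
        steps = sum(1 for a, b in zip(p, p[1:]) if b - a == 1)
        report.append((src, entry["count"], steps / (len(p) - 1) if len(p) > 1 else 0.0))
    return sorted(report, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for src, count, seq in summarize(parse_events(SAMPLE)):
        print(f"{src}: {count} logons, {seq:.0%} sequential source ports")
```

A share close to 100% for one source is consistent with that client opening a new connection for each logon, which narrows the search to whatever on that workstation reconnects to the server in a loop.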
 