• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1907
  • Last Modified:

Event Viewer showing multiple logon/logoff events

The Event Viewer is showing from 5-11 events per user logon/logoff. Filters did not work to satisfaction. An example is here:
 Type      Date      Time      Source      Category      Event      User      Computer
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       538      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       538      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       538      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Logon/Logoff       540      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:50 PM      Security      Privilege Use       576      SYSTEM      528-WINSERVER2
Success Audit      10/21/2004      3:38:43 PM      Security      System Event       517      SYSTEM      528-WINSERVER2


---This was one person logging into their system - Any ideas or known fixes?
0
tcpfargo
Asked:
tcpfargo
  • 2
  • 2
1 Solution
 
crissandCommented:
Yes, you can change the security audit to only the events that you want. The filters from event viewer are only for viewing events, not for registering in audit log.
0
 
kelo501Commented:
You can change the logging filter in the defult domain policy.

To reach the Default Domain Policy GPO, open the Microsoft Management Console—MMC—Active Directory Users and Computers snap-in, select your domain's root, right-click, select Properties, then click the Group Policy tab.

You can also download the GPMC at this link and make your changes with it.
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

kelo501
0
 
tcpfargoAuthor Commented:
Thanks guys. The 2nd reponse I think is in the right direction. But what is done in the group policy tab once we are there. Will the GPMC filter these out? Also the User id says "system" not the user name. I will be adding more points to this once we can get a little closer to the solution.
0
 
kelo501Commented:
once you are there click:
Security Settings > LocalPolicy > Audit Policy

in the right pane will be the objects you can configure.  Select one and right click properties to configure.

If you use the Group Policy Managment Console there is alot more information provide for each setting when you highlight it.

If you need anything let me know.

kelo
0
 
crissandCommented:
No objections.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now