troubleshooting Question

Security Log Analysis

Avatar of Admin1980
Admin1980 asked on
SecurityOS SecurityMicrosoft Forefront ISA Server
3 Comments1 Solution349 ViewsLast Modified:
Hi Experts,

I have a domain user account that has generated 1 million logon failures, the event log is the following.

530,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon Failure:     Reason:  Account logon time restriction violation     User Name: sorin negrea     Domain: MACBETH     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: TD-4031-32RY  
680,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  sorin negrea    Source Workstation: TD-4031-32RY    Error Code: 0xC000006F    

How can I further analyse this event?  Is it possible to actually point out if this is caused by a PC process ?eg. Outlook on client PC trying to maintain connectivty with exchange during restricted hours.  

Is there an application that can better manage and help correlate windows event logs.
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 3 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 3 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros