Security Log Analysis
Posted on 2007-07-30
I have a domain user account that has generated 1 million logon failures; the event log entries are the following.
530,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon Failure: Reason: Account logon time restriction violation User Name: sorin negrea Domain: MACBETH Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: TD-4031-32RY
680,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: sorin negrea Source Workstation: TD-4031-32RY Error Code: 0xC000006F
How can I further analyse this event? Is it possible to actually point out whether this is caused by a PC process? e.g. Outlook on the client PC trying to maintain connectivity with Exchange during restricted hours.
Is there an application that can better manage and help correlate Windows event logs?
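One way to start the analysis the question asks for, as an added example that is not part of the original post: a Python script that parses exported event lines in the layout shown above (event ID, audit type, log, timestamp, account, free-text message), decodes the NT status code from event 680, and tallies the 530 failures per user, source workstation, logon type and hour of day, then measures the interval between consecutive failures from one workstation. A steady, machine-like interval from a single workstation with Logon Type 3 (network) is the pattern an automated client retrying would leave; a human would not. The sample contains the two lines from the post plus constructed repeats and one unrelated bad-password failure; the set of status codes and logon types decoded is an assumed subset.

```python
import re
from collections import Counter
from datetime import datetime

# NT status values that appear in the "Error Code" field of event 680
# (assumed subset; 0xC000006F is STATUS_INVALID_LOGON_HOURS).
NT_STATUS = {
    "0xC000006F": "STATUS_INVALID_LOGON_HOURS",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}
# Logon Type values from event 530 (assumed subset).
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "10": "RemoteInteractive"}

# Field labels used inside the message column of events 530 and 680.
KEYS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
        "Authentication Package", "Workstation Name", "Logon attempt by",
        "Logon account", "Source Workstation", "Error Code"]
FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in KEYS) + r"):\s*")

# Constructed sample: the two lines from the post, followed by constructed
# repeats one minute apart and one unrelated bad-password failure.
SAMPLE = """\
530,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Account logon time restriction violation User Name: sorin negrea Domain: MACBETH Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: TD-4031-32RY
680,AUDIT FAILURE,Security,Mon Jul 30 05:59:58 2007,NT AUTHORITY\\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: sorin negrea Source Workstation: TD-4031-32RY Error Code: 0xC000006F
530,AUDIT FAILURE,Security,Mon Jul 30 06:00:58 2007,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Account logon time restriction violation User Name: sorin negrea Domain: MACBETH Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: TD-4031-32RY
680,AUDIT FAILURE,Security,Mon Jul 30 06:00:58 2007,NT AUTHORITY\\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: sorin negrea Source Workstation: TD-4031-32RY Error Code: 0xC000006F
530,AUDIT FAILURE,Security,Mon Jul 30 06:01:58 2007,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Account logon time restriction violation User Name: sorin negrea Domain: MACBETH Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: TD-4031-32RY
680,AUDIT FAILURE,Security,Mon Jul 30 06:01:58 2007,NT AUTHORITY\\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: sorin negrea Source Workstation: TD-4031-32RY Error Code: 0xC000006F
530,AUDIT FAILURE,Security,Mon Jul 30 06:02:10 2007,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: MACBETH Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WS-0815
680,AUDIT FAILURE,Security,Mon Jul 30 06:02:10 2007,NT AUTHORITY\\SYSTEM,Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: jsmith Source Workstation: WS-0815 Error Code: 0xC000006A
"""


def parse_message(msg):
    """Turn 'Key: value Key: value ...' into a dict using the known labels."""
    parts = FIELD_RE.split(msg)          # [prefix, key1, val1, key2, val2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def parse_line(line):
    """Split one exported row; the message column may itself contain commas."""
    event_id, _audit, _log, ts, _account, msg = line.split(",", 5)
    f = parse_message(msg)
    code = f.get("Error Code")
    return {
        "event_id": int(event_id),
        "time": datetime.strptime(ts.strip(), "%a %b %d %H:%M:%S %Y"),
        "user": f.get("User Name") or f.get("Logon account"),
        "workstation": f.get("Workstation Name") or f.get("Source Workstation"),
        "logon_type": LOGON_TYPES.get(f.get("Logon Type"), f.get("Logon Type")),
        "reason": f.get("Reason"),
        "error": NT_STATUS.get(code, code) if code else None,
    }


def parse_export(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(text):
    """Count 530 failures by (user, workstation, logon type) and by hour, and 680 status codes."""
    records = parse_export(text)
    failures = [r for r in records if r["event_id"] == 530]
    return {
        "failures": len(failures),
        "per_source": Counter((r["user"], r["workstation"], r["logon_type"]) for r in failures),
        "per_hour": Counter(r["time"].hour for r in failures),
        "codes": Counter(r["error"] for r in records if r["event_id"] == 680),
    }


def retry_intervals(records, user, workstation):
    """Seconds between consecutive 530 failures for one account from one workstation."""
    times = sorted(r["time"] for r in records
                   if r["event_id"] == 530 and r["user"] == user and r["workstation"] == workstation)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(summary["failures"], "logon failures")
    for (user, ws, ltype), n in summary["per_source"].most_common():
        print(f"  {n:>4}  {user} from {ws} ({ltype})")
    print("by hour:", dict(sorted(summary["per_hour"].items())))
    print("680 status codes:", dict(summary["codes"]))
    print("retry interval (s):", retry_intervals(parse_export(SAMPLE), "sorin negrea", "TD-4031-32RY"))
```

Compare the per-hour histogram against the account's permitted logon hours (`net user <account> /domain` prints them) to confirm every failure falls in the restricted window. The domain controller's log only names the source workstation, not the process on it; tying the failures to a particular client program has to be done on that workstation itself, by watching which process opens connections to the Exchange server during the restricted hours.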