Security event log filling up with Event 528 & 576 - Avapi.dll

Hello, I had 3 of my computers reject my clients' logins saying "Event log is full contact your administrator" blah blah blah. I thought that was a little weird, first time I saw this issue, and it happened on 3 computers in the same morning. I was able to circumvent the issue by doing what it said to do... clear the security event log. Anyways, here's what I see appear every minute or so:

8/8/2007      1:17:57 AM      Security      Success Audit      Privilege Use       576      NT AUTHORITY\NETWORK SERVICE      DISPATCH3      "Special privileges assigned to new logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege"

8/8/2007      1:17:57 AM      Security      Success Audit      Logon/Logoff       528      NT AUTHORITY\NETWORK SERVICE      DISPATCH3      "Successful Logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}"

Is this an issue? Or is it okay to let it do its thing?
knox203 Asked:
 
and235100 Commented:
So - reinstall the software - remove the agent - then uninstall - surely?
If not - you may have to find an update (if one is available)
 
peakpeak Commented:
 
and235100 Commented:
Don't worry about it - just increase the size of the log file and/or enable "overwrite events when needed" (or similar)
 
and235100 Commented:
Can you confirm advapi.dll or avapi.dll?

The first - as peakpeak says - could be malware.
If the second - I would personally just run a full malware scan here: http://housecall.trendmicro.com/ and keep an eye on it. Avapi could be part of your AV solution.
 
peakpeak Commented:
Well, you should at least investigate .... advapi32 is a legal process, advapi is not
 
knox203 (Author) Commented:
I would be surprised if it is a virus... we have TrendMicro OfficeScan that installs automatically on any computer that joins the domain. And all our clients have restricted access.
 
knox203 (Author) Commented:
I think I know what's causing the issue. I just installed Microsoft System Center Essentials a couple weeks ago, and recently uninstalled it. My error was not uninstalling the client on all computers before I uninstalled. OOPS!
 
jkr Commented:
This is quite a normal behaviour - see http://www.eventid.net/display.asp?eventid=528&eventno=131&source=Security&phase=1 and http://www.eventid.net/display.asp?eventid=576&eventno=58&source=Security&phase=1

'advapi32.dll' is not a process, it is the 'Advanced Windows 32 Base API' and also contains the security components.
 
knox203 (Author) Commented:
JKR, I know it's normal... for the most part. I get a new event every single minute, which isn't normal. I never had any of these issues until I uninstalled SCE 07 without uninstalling the Agents first. I uninstalled the agent on one of the computers and I don't get any more Advapi logs. I'll let you all know what I come up with.
 
knox203 (Author) Commented:
and235100:

That's exactly what I had done. It seemed to fix the issue! I'm still getting some Advapi logs, but not nearly as many. The events I'm seeing now are probably just from WSUS. Anyways, thanks guys for helping me see the error in my ways! =)
 
and235100 Commented:
No problem - glad that we could provide some assistance.

Thanks.
Question has a verified solution.
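
The thread turns on how often the same service logon repeats (one Event 528 per minute from the same account and logon process). The following is an added example, not part of the original thread: it parses a Security log export in the layout quoted in the question and reports which logon streams repeat fast enough to fill the log. The function names, the 30-per-hour threshold and the sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the export quoted in the question
# (fields separated by runs of spaces); the times and CORP\alice are made up.
SAMPLE = "\n".join(
    f"8/8/2007      1:{m:02d}:57 AM      Security      Success Audit      "
    "Logon/Logoff       528      NT AUTHORITY\\NETWORK SERVICE      DISPATCH3      "
    '"Successful Logon:\n       Logon Type:      5\n       Logon Process:      Advapi  "'
    for m in range(17, 27)
) + (
    "\n8/8/2007      1:20:03 AM      Security      Success Audit      "
    "Logon/Logoff       528      CORP\\alice      DISPATCH3      "
    '"Successful Logon:\n       Logon Type:      2\n       Logon Process:      User32  "'
)

def parse_events(text):
    """Parse header lines plus their 'Key: value' continuation lines."""
    events, cur = [], None
    for line in text.splitlines():
        parts = re.split(r"\s{2,}|\t+", line.strip())
        if len(parts) >= 8 and re.fullmatch(r"\d{1,2}/\d{1,2}/\d{4}", parts[0]):
            when = datetime.strptime(f"{parts[0]} {parts[1]}", "%m/%d/%Y %I:%M:%S %p")
            cur = {"when": when, "id": int(parts[5]), "user": parts[6], "host": parts[7]}
            events.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip().strip('"').strip()
    return events

def noisy_sources(events, per_hour_threshold=30):
    """Return {(id, user, logon type, logon process): events/hour} at or above threshold."""
    streams = defaultdict(list)
    for e in events:
        key = (e["id"], e["user"], e.get("Logon Type"), e.get("Logon Process"))
        streams[key].append(e["when"])
    out = {}
    for key, times in streams.items():
        span = (max(times) - min(times)).total_seconds()
        if len(times) < 2 or span == 0:
            continue  # a single event has no rate
        rate = (len(times) - 1) / span * 3600  # threshold is an assumed value
        if rate >= per_hour_threshold:
            out[key] = round(rate, 1)
    return out
```

Grouping on logon type and logon process as well as the account keeps an interactive user logon separate from the service logon stream, so only the repeating source is reported.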