Solved

Security event log filling up with Event 528 & 576 - Avapi.dll

Posted on 2007-08-08
Last Modified: 2013-12-23
Hello, I had 3 of my computers reject my clients' login saying "Event log is full contact your administrator" blah blah blah. I thought that was a little weird, first time I saw this issue, and it happened on 3 computers in the same morning. I was able to circumvent the issue by doing what it said to do... clear the security event log. Anyways, here's what I see appear every minute or so:

8/8/2007      1:17:57 AM      Security      Success Audit      Privilege Use       576      NT AUTHORITY\NETWORK SERVICE      DISPATCH3      "Special privileges assigned to new logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege"

8/8/2007      1:17:57 AM      Security      Success Audit      Logon/Logoff       528      NT AUTHORITY\NETWORK SERVICE      DISPATCH3      "Successful Logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}"

Is this an issue? Or is it okay to let it do its thing?
Question by:knox203
11 Comments
 
LVL 28

Expert Comment

by:peakpeak
ID: 19655128
0
 
LVL 32

Expert Comment

by:and235100
ID: 19655140
Don't worry about it - just increase the size of the log file and/or enable "overwrite events when needed" (or similar)
0
 
LVL 32

Expert Comment

by:and235100
ID: 19655168
Can you confirm advapi.dll or avapi.dll?

The first - as peakpeak says - could be malware.
If the second - I would personally just run a full malware scan here: http://housecall.trendmicro.com/ and keep an eye on it. Avapi could be part of your AV solution.
0
 
LVL 28

Assisted Solution

by:peakpeak
peakpeak earned 664 total points
ID: 19655186
Well, you should at least investigate .... advapi32 is a legal process, advapi is not
0
 

Author Comment

by:knox203
ID: 19655317
I would be surprised if it is a virus... we have TrendMicro OfficeScan that installs automatically on any computer that joins the domain. And all our clients have restricted access.
0
 

Author Comment

by:knox203
ID: 19655910
I think I know what's causing the issue. I just installed Microsoft System Center Essentials a couple weeks ago, and recently uninstalled it. My error was not uninstalling the client on all computers before I uninstalled. OOPS!
0
 
LVL 86

Assisted Solution

by:jkr
jkr earned 664 total points
ID: 19655993
This is quite a normal behaviour - see http://www.eventid.net/display.asp?eventid=528&eventno=131&source=Security&phase=1 and http://www.eventid.net/display.asp?eventid=576&eventno=58&source=Security&phase=1

'advapi32.dll' is not a process, it is the 'Advanced Windows 32 Base API' and also contains the security components.
0
 

Author Comment

by:knox203
ID: 19656132
JKR, I know it's normal... for the most part. I get a new event every single minute, which isn't normal. I never had any of these issues until I uninstalled SCE 07 without uninstalling the Agents first. I uninstalled the agent on one of the computers and I don't get anymore Advapi logs. I'll let you all know what I come up with.
0
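One way to measure the rate described in the comment above, as an added example that is not part of the original thread: this Python code parses a text export of the Security log in the layout quoted in the question and reports how often each combination of event ID, account, logon type and logon process appears. The sample log, the `EXAMPLE\jdoe` account and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

HEADER = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}\s")   # a record starts with a date
COLUMNS = re.compile(r"\t+|\s{2,}")                 # tabs, or the runs of spaces in the paste

def parse_export(text):
    """Return one dict per event from a text export of the Security log."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            f = COLUMNS.split(line.strip())
            stamp = datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %I:%M:%S %p")
            records.append({"time": stamp, "event_id": int(f[5]), "user": f[6]})
        elif records and ":" in line:               # "Key:   value" detail line
            key, _, value = line.strip().partition(":")
            records[-1][key.strip()] = value.strip(' \t"')
    return records

def event_rates(records):
    """Map (event id, account, logon type, logon process) -> (count, mean seconds apart)."""
    groups = defaultdict(list)
    for r in records:
        key = (r["event_id"], r["user"], r.get("Logon Type"), r.get("Logon Process"))
        groups[key].append(r["time"])
    rates = {}
    for key, times in groups.items():
        span = (max(times) - min(times)).total_seconds()
        rates[key] = (len(times), span / (len(times) - 1) if len(times) > 1 else None)
    return rates

# Constructed sample, not taken from a real log: a service logon repeating every minute
# (as in the question) and one interactive logon by a made-up account.
SERVICE = r'''8/8/2007      1:{m}:57 AM      Security      Success Audit      Logon/Logoff       528      NT AUTHORITY\NETWORK SERVICE      DISPATCH3      "Successful Logon:
       User Name:      NETWORK SERVICE
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate"
'''
INTERACTIVE = r'''8/8/2007      1:19:02 AM      Security      Success Audit      Logon/Logoff       528      EXAMPLE\jdoe      DISPATCH3      "Successful Logon:
       User Name:      jdoe
       Logon Type:      2
       Logon Process:      User32"
'''
SAMPLE = "".join(SERVICE.format(m=m) for m in (17, 18, 19)) + INTERACTIVE

if __name__ == "__main__":
    rates = event_rates(parse_export(SAMPLE))
    for key, (count, gap) in sorted(rates.items(), key=lambda kv: -kv[1][0]):
        print(count, "events,", gap, "s apart:", key)
```

A group with a short, steady interval and Logon Type 5 points at a service or agent logging on repeatedly, which narrows down which installed software to look at before resizing or clearing the log.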
 
LVL 32

Accepted Solution

by:and235100
and235100 earned 672 total points
ID: 19660223
So - reinstall the software - remove the agent - then uninstall - surely?
If not - you may have to find an update (if one is available)
0
 

Author Comment

by:knox203
ID: 19662879
and235100:

That's exactly what I had done. It seemed to fix the issue! I'm still getting some Advapi logs, but not nearly as many. The events I'm seeing now are probably just from WSUS. Anyways, thanks guys for helping me see the error in my ways! =)
0
 
LVL 32

Expert Comment

by:and235100
ID: 19665158
No problem - glad that we could provide some assistance.

Thanks.
0
