• Status: Solved

Audit failures server 2008

I have a Server 2008 SP1 Standard 32-bit used for hosting websites with many IPs.  I am getting 4 audit failures exactly every 5 minutes.  I'll post the particulars below.  There is no account name listed and just NULL SID for ID.  The source network address is always one of the private IPs for a hosted site and it is always in the same subnet. Can't figure this out. Thanks

An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            
      Account Domain:            

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      -
      Source Network Address:      192.168.167.40
      Source Port:            57711

Detailed Authentication Information:
      Logon Process:            Kerberos
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0


 
System       
Provider[ Name] Microsoft-Windows-Security-Auditing
      [ Guid]       {54849625-5478-4994-a5ba-3e3b0328c30d}              
        EventID      4625       
        Version      0       
        Level      0       
        Task      12544       
        Opcode      0       
        Keywords      0x8010000000000000
      
-TimeCreated[ SystemTime]       2010-01-08T04:57:13.609Z            
        EventRecordID      2302825       
        Correlation      
 
-Execution                                 
       [ ProcessID]       672              
       [ ThreadID]       1032              
       Channel      Security      
      Computer      xxxx.xxxx.xxxxxxxxx.xxx       
      Security       
 
-EventData       
      SubjectUserSid      S-1-0-0      
      SubjectUserName      -       
      SubjectDomainName      -      
      SubjectLogonId      0x0       
      TargetUserSid      S-1-0-0       
      TargetUserName            
      TargetDomainName            
      Status      0xc000006d       
      FailureReason      %%2313       
      SubStatus      0xc000006a       
      LogonType      3       
      LogonProcessName      Kerberos       
      AuthenticationPackageName      Kerberos       
      WorkstationName      -       
      TransmittedServices      -       
      LmPackageName      -       
      KeyLength      0       
      ProcessId      0x0       
      ProcessName      -       
      IpAddress      192.168.167.40       
      IpPort      57711       
Asked by: smillion

smillion (Author) commented:
Well, the issue stopped abruptly this morning.  I can only correlate the turning on of another server that the server was replicating to.

farazhkhan commented:
Hi,

If any of the above links resolved your issue, then accept it; otherwise, close this question by accepting your comments.

Regards,
Faraz H. Khan
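
A triage sketch for the pattern described in this thread (an added example, not code from the original posts): it groups 4625 failures by source address and checks whether they recur at a fixed interval, which points to an automated process such as the replication the author mentions rather than a person typing credentials. The records are constructed, the dict keys follow the XML view shown in the question, and `192.0.2.10` and `webadmin` are made-up noise entries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes from the event in the post (names as in Microsoft's ntstatus.h).
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD"}

def parse_event(fields):
    """Normalise one 4625 record given as a dict of the XML-view field strings."""
    code = int(fields["SubStatus"], 16)
    return {
        "time": datetime.strptime(fields["SystemTime"], "%Y-%m-%dT%H:%M:%S.%fZ"),
        "ip": fields["IpAddress"],
        "user": fields["TargetUserName"].strip() or None,  # blank in the post
        "sub_status": NTSTATUS.get(code, hex(code)),
    }

def triage(events, tolerance=timedelta(seconds=15), min_bursts=3):
    """Per source IP: burst period in seconds (None if irregular) and failure detail."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        times = sorted(e["time"] for e in evs)
        bursts = [times[0]]  # collapse failures logged close together into one burst
        for t in times[1:]:
            if t - bursts[-1] > tolerance:
                bursts.append(t)
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        steady = len(bursts) >= min_bursts and max(gaps) - min(gaps) <= tolerance.total_seconds()
        report[ip] = {
            "period_s": round(sum(gaps) / len(gaps)) if steady else None,
            "failures": len(evs),
            "anonymous": all(e["user"] is None for e in evs),
            "sub_status": sorted({e["sub_status"] for e in evs}),
        }
    return report

def sample_events():
    """Constructed data: 3 bursts of 4 failures 5 minutes apart, plus irregular noise."""
    base = datetime(2010, 1, 8, 4, 57, 13, 609000)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    rows = [{"SystemTime": stamp(base + timedelta(minutes=5 * b, milliseconds=200 * i)),
             "IpAddress": "192.168.167.40", "TargetUserName": "", "SubStatus": "0xc000006a"}
            for b in range(3) for i in range(4)]
    rows += [{"SystemTime": stamp(base + timedelta(minutes=m)), "IpAddress": "192.0.2.10",
              "TargetUserName": "webadmin", "SubStatus": "0xc0000064"} for m in (1, 8, 9)]
    return [parse_event(r) for r in rows]

if __name__ == "__main__":
    for ip, info in triage(sample_events()).items():
        print(ip, info)
```

A source that reports a steady `period_s` with `anonymous` set is worth checking against scheduled tasks and services on that host before treating it as an intrusion attempt.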