security event log floods with 538 540 576

Hi
The security event log is filling up with 538, 540, 576 events. It may do 5 or 6 a second, pauses for 20-30 seconds and does it again around the clock. Some of these are for the server itself, a domain member server running Exchange or any of the switched-on XP-Pro workstations. I have only just noticed this, but it seems to have been happening for the whole of April with 380,000 events logged. We have been experiencing many 18456 errors in the application event log due to a SQL Server 2005 problem. This stopped this week, but I'm not sure exactly why! There was a valid instance of SQL Server installed in Dec 2009; a third party installed another database in the existing instance at the end of March. It was removed again but the problems all began then!
peter_lawrie Asked:

r_panos Commented:
The event IDs you mentioned are quite common and come in different "type" flavours that generate apparently the same IDs. It's quite normal as "...Some user rights (aka privileges) are exercised so frequently that the system and security log would quickly become overwhelmed if Windows were to log every single instance these "high volume" rights were used..." (http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=576)

Check also the articles for the other IDs (e.g. http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=540) and try to figure out the best auditing policy for your environment, by enabling/disabling the opportune events.

The 18456 error could be many things (SQL password policy for example) but I found it often when SQL Server Agent (some job or SSIS package) was trying to access a DB not available anymore.
0
peter_lawrie Author Commented:
Thanks for the response.
Security logging of logons is enabled in Group Policy. I could always turn it off, but why should these be logged throughout the night? Machines may be switched on but there's nobody there!
I had already seen the pages you mentioned on 540 and 576, but they did not answer the question as to why round the clock. Should I just switch the logging off?
Thanks for your comment on 18456. I assumed it was due to a deleted DB, but the events continued for several days after removing the DBs and restarting the server.
0
r_panos Commented:
Exchange or other application activity is probably the issue.

A DB may be cancelled but jobs (think about backup jobs that back up user and system DBs) are not necessarily deleted or modified to reflect the changes you've made to your SQL Server.
0
peter_lawrie Author Commented:
I've turned logon logging off in AD so there should be no more messages - I still don't understand why there are so many logon attempts (even if they are successful) when there's nobody there. I understand these 'logons' actually refer to access to a share, but what is accessing the shares from an idle workstation?
0
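One way to find out which accounts and machines generate the network logons discussed in this thread, as an added example that is not part of the original posts: group event 540 records by account and source, and count how many fall outside office hours. The record layout, the `SAMPLE` data, the 08:00-18:00 window and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

def parse_fields(description):
    """Turn the 'Label:<tab>value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields

def classify(user):
    if user.endswith("$"):
        return "machine"      # computer account names end in '$'
    return "anonymous" if user.upper() == "ANONYMOUS LOGON" else "user"

def summarize_network_logons(records, day_start=8, day_end=18):
    """Count event 540 per (account, source), in total and outside office hours."""
    stats = defaultdict(lambda: {"total": 0, "off_hours": 0, "kind": ""})
    for when, event_id, description in records:
        if event_id != 540:   # 538 (logoff) and 576 (privileges) are skipped
            continue
        f = parse_fields(description)
        user = f.get("User Name", "?")
        source = f.get("Source Network Address", "")
        if source in ("", "-"):   # address absent: fall back to workstation name
            source = f.get("Workstation Name") or "unknown"
        entry = stats[(user, source)]
        entry["kind"] = classify(user)
        entry["total"] += 1
        hour = datetime.strptime(when, "%Y-%m-%d %H:%M:%S").hour
        if not day_start <= hour < day_end:
            entry["off_hours"] += 1
    return dict(stats)

def _desc(user, address, workstation=""):
    # Constructed description text using the field labels of event 540
    return ("Successful Network Logon:\n\tUser Name:\t%s\n\tDomain:\tCORP\n"
            "\tLogon Type:\t3\n\tWorkstation Name:\t%s\n"
            "\tSource Network Address:\t%s\n" % (user, workstation, address))

SAMPLE = [  # constructed records: (time generated, event ID, description)
    ("2010-04-20 02:13:05", 540, _desc("WS01$", "192.0.2.21")),
    ("2010-04-20 02:13:06", 540, _desc("WS01$", "192.0.2.21")),
    ("2010-04-20 02:13:06", 576, "Special privileges assigned:\n\tUser Name:\tWS01$\n"),
    ("2010-04-20 03:40:11", 540, _desc("EXCH01$", "192.0.2.10")),
    ("2010-04-20 10:05:42", 540, _desc("jsmith", "192.0.2.33")),
    ("2010-04-20 23:59:59", 540, _desc("jsmith", "-", "WS07")),
]

if __name__ == "__main__":
    for (user, src), s in sorted(summarize_network_logons(SAMPLE).items()):
        print(user, src, s["kind"], s["total"], s["off_hours"])
```

Sorting the result by `off_hours` puts the accounts that log on while nobody is at the keyboard at the top of the list.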