• Status: Solved

Event Viewer being flooded with success logs

My backup DC Win 2000 box is being inundated with success login event logs from workstations. Getting dozens a second over many times during the day. I believe this has just started because my SQL server also seems to be slower than usual. Ran a network virus scan but nothing picked up. Any ideas?
Asked: infranetsupport
1 Solution
 
Alginald Commented:
Remove the auditing of successful logins in auditing in the default domain controller group policy.
Open the default domain controller policy, navigate to Computer Configuration / Windows Settings / Security Settings / Local Policy / Audit Policy and change the audit account logon events entry.
 
duffman76 Commented:
If your backup DC is what everyone is using for authentication, then you will see this.

You can turn off the success logs if you don't want to see them by right-clicking the security log in Event Viewer and then choosing filter and unchecking success audit.

With SQL and Outlook and anything else, clients will authenticate constantly with your DC. That would give you success logs, assuming everything is working like it should.
 
infranetsupport (Author) Commented:
I don't want to remove the successful logins; I suspect there is an issue. What would cause my server to log so many audits, like 30, in a second?
 
Alginald Commented:
Is there any more information in the event entry: which workstation, which user, etc.?
 
duffman76 Commented:
If they all point to one user then that could be an issue. If it is multiple users and workstations it could be any number of things. You should try and see if you can limit your scope and find similarities in all the messages.
 
infranetsupport (Author) Commented:
I've narrowed it down to two users, but they are thin clients that log in to Citrix. All the event log messages are simple successful login messages for one user to a workstation.
 
infranetsupport (Author) Commented:
It seems like the logins keep happening over and over again all day long.
 
duffman76 Commented:
Is the workstation having a connection issue, or does it have any software on it that may try to authenticate constantly?
 
infranetsupport (Author) Commented:
The workstations are thin clients and I believe wouldn't work very well at all if connection was at all lost. There is no special software running that would authenticate a lot. The TS clients all pretty much access a SQL server.
 
duffman76 Commented:
If the SQL database is using Windows authentication, they could authenticate each time they try to access a table or any part of the database.
 
HRL Commented:
This may be a setting on the Citrix machines called session sharing. Check out the following link for advice on forcing session sharing effectively.

http://support.citrix.com/article/CTX118579
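
The narrowing-down step suggested in the thread (group the success entries by user and workstation and look for similarities), as an added example that is not part of the original thread. It assumes the Security log entries have been exported to CSV with hypothetical `time`, `user` and `workstation` columns; the sample rows, names and dates are constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

def build_sample():
    """Constructed sample rows; column names and values are assumptions."""
    rows = ["time,user,workstation"]
    rows += ["2009-03-02 09:15:01,ctxuser1,CITRIX01"] * 30  # 30 in one second
    rows += ["2009-03-02 09:15:02,ctxuser1,CITRIX01"] * 12
    rows += ["2009-03-02 09:15:01,ctxuser2,citrix01"] * 8
    rows += ["2009-03-02 09:15:%02d,asmith,WS014" % s for s in (3, 20, 41)]
    rows.append("not-a-timestamp,asmith,WS014")  # malformed row, skipped
    return "\n".join(rows)

def summarize(csv_text, burst_threshold=10):
    """Group success logons by (user, workstation); report total events,
    the busiest single second, and whether it reaches burst_threshold."""
    per_pair = defaultdict(Counter)  # (user, workstation) -> {second: count}
    skipped = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            second = datetime.strptime(row["time"].strip(), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            skipped += 1
            continue
        # Normalise case so CITRIX01 and citrix01 count as the same machine.
        key = (row["user"].strip().lower(), row["workstation"].strip().upper())
        per_pair[key][second] += 1
    report = []
    for (user, workstation), seconds in per_pair.items():
        peak_at, peak = seconds.most_common(1)[0]
        report.append({"user": user, "workstation": workstation,
                       "total": sum(seconds.values()),
                       "peak_per_second": peak, "peak_at": peak_at,
                       "burst": peak >= burst_threshold})
    # Noisiest pairs first, so outliers are at the top of the list.
    report.sort(key=lambda r: (-r["total"], r["user"]))
    return report, skipped

if __name__ == "__main__":
    report, skipped = summarize(build_sample())
    for r in report:
        print(r)
    print("skipped malformed rows:", skipped)
```

A pair that dominates the totals and reaches the per-second threshold is the one to compare against the application and session behaviour discussed in the thread.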