We've noticed an issue on one of our servers - an important service we need (IBSERVER, which is an Interbase Database Service) - keeps failing, and it seems to coincide with multiple logons of the same logon which happens sporadically throughout the day. What makes matters worse is that the logon username has administrative rights and has been used throughout our environment (regionally) so I can't just reset the password or disable the account (please don't lecture me on this sort of thing - I completely understand Microsoft's recommendations for admin accounts but I can't speak for the rest of the national team).
Anyway to cut a long story short, the logons are promptly followed by a log off.. all within the same second we get the following event IDs - 540,576,538
There are numerous other 'normal' logons on the server all through the day but this logon is particularly worrying because it was happening a lot on a Sunday when no IT staff would be around, so it's either one of our own automated systems using those credentials, or it's a software interface (there are a few connecting back to that server), or (god forbid) it's something or someone nefarious (a virus or whatever).
So I'm wondering is there a way to check which hostname or IP these logons are coming from ? should I write a short logon script to log to a text file ? or is there a better way ? I need to figure out why this logon is happening so often in order to fix our other system.