IT20701 asked:

Event ID 680 not logging

We put a 2008 member server online in a w2k3 domain.  We are getting a huge amount of 675 errors, which we suppressed by adding the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)

Ever since we put this 2008 member server on line we are no longer logging event 680 which we need to review for security reasons.  Can you assist?
thanks,
TheTechMan

From http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=680

When a DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.

This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request.

In Windows Server 2003 Microsoft eliminated event ID 681 and instead uses event ID 680 for both successful and failed NTLM authentication attempts. So on Windows Server 2003 don't look for event ID 681 and be sure to take into account the success/failure status of occurrences of event ID 680.

In other words, if you're forcing NTLM, you won't log a 680 because it's Kerberos-specific.  You'll probably have to undo your previous workaround and find an alternate fix, or apply the fix to the 2008 server instead of the 2003 DC; this way it'll be the only one affected by the change and the remaining systems will still log the events you want to see.
IT20701 (ASKER)

I did apply the fix to the 08 servers only, not the 03 server.  I applied the fix today 3/28.  Logon events stopped logging on the 03 DC as of 3/21.

thanks,
IT20701 (ASKER)

My installation of a 3rd-party program was the culprit.
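
Added example (not part of the original thread or of the quoted site): one way to confirm from an exported DC Security log when event 680 stopped while other events kept arriving, and to split 680 into success and failure as the quoted text advises. The CSV layout, account names, workstation names and dates are constructed for illustration, and the function names are hypothetical.

```python
import csv
import io
from collections import Counter

# Constructed sample export (assumed layout): date, event ID, audit type, description.
SAMPLE = """\
2010-03-19,680,Success Audit,Logon account: alice; Source Workstation: WS01; Error Code: 0x0
2010-03-19,680,Failure Audit,Logon account: bob; Source Workstation: WS02; Error Code: 0xC000006A
2010-03-19,672,Success Audit,Authentication Ticket Request
2010-03-20,680,Success Audit,Logon account: alice; Source Workstation: WS01; Error Code: 0x0
2010-03-21,672,Success Audit,Authentication Ticket Request
2010-03-21,675,Failure Audit,Pre-authentication failed
2010-03-22,672,Success Audit,Authentication Ticket Request
"""


def load(text):
    """Parse the export, skipping blank or malformed rows."""
    return [row for row in csv.reader(io.StringIO(text)) if len(row) == 4]


def ntlm_counts(rows):
    """Per-day success/failure counts for event 680 only."""
    per_day = {}
    for day, event_id, audit_type, _desc in rows:
        if event_id == "680":
            outcome = "failure" if audit_type == "Failure Audit" else "success"
            per_day.setdefault(day, Counter())[outcome] += 1
    return per_day


def silent_days(rows):
    """Days on which the log was active (any event) but recorded no 680."""
    active = {day for day, *_ in rows}
    return sorted(active - set(ntlm_counts(rows)))


if __name__ == "__main__":
    rows = load(SAMPLE)
    for day, c in sorted(ntlm_counts(rows).items()):
        print(day, "680 success:", c["success"], "failure:", c["failure"])
    print("days with events but no 680:", silent_days(rows))
```

A day that appears in `silent_days` still has other audit events, which separates "680 stopped being generated" from "the Security log stopped recording altogether".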