Solved

Security event log error message

Posted on 2011-04-27
Last Modified: 2012-05-11
I've been asked to investigate the following event log but am having trouble detailing exactly what it means. I have put my comments in capitals, in brackets to the right of each field. Can anyone help?

Instance ID: 534 (I KNOW WHAT THIS ONE MEANS)
User Name: NT AUTHORITY\SYSTEM  (WHAT'S THE SIMPLEST WAY TO DESCRIBE THIS?)
Machine Name: Server 1
Message: Logon Failure
Reason: The user has not been granted the requested logon type at this machine
User Name: User1
Domain: Domain 1
Logon Type: 4 (WHAT'S THIS?)
Logon Process: Advapi (WHAT'S THIS?)
Caller User Name: NT AUTHORITY (WHAT'S THIS?)
Caller Logon ID: (0x0, 0x3E4) (CAN I TRACK THIS DOWN?)
Caller process ID: 2316 (CAN THIS BE IDENTIFIED?)

A brief description would be fantastic, thanks.
Question by:Jason Thomas

Accepted Solution

by:
Michael Pfister earned 1000 total points
ID: 35481422
NT AUTHORITY/SYSTEM is the operating system itself. It uses several accounts with different rights. SYSTEM is the one with the highest permissions.

Logon type 4 is Batch: http://www.windowsecurity.com/articles/logon-types.html
This can be caused by a scheduled task running under an account that doesn't have the right to logon as a batch job

AdvApi is a logon process, see http://support.microsoft.com/kb/326985/en-us

The process can be identified by task manager (while viewing processes, add the column PID). But I'm afraid the task will be gone too fast to catch it.


Assisted Solution

by:btan
btan earned 1000 total points
ID: 35496681
Please see this link

@ http://www.eventid.net/display.asp?eventid=534+&source=

You are looking at the second table. This problem may occur if the Authenticated Users group has been removed from the Access this computer from the network user right. And this error may also occur if the user account that is used for anonymous access is denied access to the Web Server from the network.

Just some quick extraction from

@ http://www.eventid.net/display.asp?eventid=534&eventno=10&source=Security&phase=1

Expert Comment

by:btan
ID: 35496690
By the way, the caller ID (already mentioned, it is NT AUTHORITY) and process ID (dynamic numbering) are not that interesting for troubleshooting, though.
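
Decoding the fields of the event posted in the question, as an added example that is not part of any post in this thread: it maps the logon type to the user right to check for the failing account and resolves the caller logon ID against the well-known built-in session IDs. The function names and the sample text are constructed for illustration.

```python
import re

# Logon type -> (name, user right the account needs for that kind of logon).
LOGON_TYPES = {
    2: ("Interactive", "SeInteractiveLogonRight"),
    3: ("Network", "SeNetworkLogonRight"),
    4: ("Batch", "SeBatchLogonRight"),
    5: ("Service", "SeServiceLogonRight"),
    10: ("RemoteInteractive", "SeRemoteInteractiveLogonRight"),
}
# Well-known logon session IDs (low part of the pair) used by built-in accounts.
WELL_KNOWN_SESSIONS = {0x3E7: "SYSTEM", 0x3E5: "LOCAL SERVICE", 0x3E4: "NETWORK SERVICE"}

# Constructed sample: the fields of the event as posted in the question.
SAMPLE_EVENT = """\
Instance ID: 534
Reason: The user has not been granted the requested logon type at this machine
User Name: User1
Domain: Domain 1
Logon Type: 4
Logon Process: Advapi
Caller Logon ID: (0x0, 0x3E4)
Caller process ID: 2316
"""

def parse_fields(text):
    """Split 'Name: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def explain_534(text):
    """Summarise who failed to log on, which right to check, and who called."""
    f = parse_fields(text)
    name, right = LOGON_TYPES.get(int(f["logon type"]), ("Unknown", None))
    # The ID is shown as (high, low); tolerate a missing closing parenthesis.
    m = re.match(r"\(\s*0x[0-9a-fA-F]+\s*,\s*0x([0-9a-fA-F]+)", f.get("caller logon id", ""))
    low = int(m.group(1), 16) if m else None
    return {
        "account": f["domain"] + "\\" + f["user name"],
        "logon_type": name,
        "right_to_check": right,
        "caller_session": WELL_KNOWN_SESSIONS.get(low),  # None if not built-in
        "caller_pid": int(f["caller process id"]),
    }
```

For the posted event this reports a Batch logon for Domain 1\User1, so the right to review is "Log on as a batch job" (SeBatchLogonRight), and the caller session 0x3E4 is the built-in NETWORK SERVICE session.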