revo1059
asked on
CRM and domain audit log
We are seeing hundreds/thousands of log entries identical to the one below, between 5-7 a second
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: (the crm admin user)
Source Workstation: (crm server)
Error Code: 0x0e
It says below each time Audit Success.
If I shut down the CRM email then the entries stop.
What would cause it to do that and is it normal? I had 610,000 events in the log before I cleared it. I clear it and the entries start piling up again. I rebooted the CRM server and it started back up and the entries started again.
ASKER
It's a copy/paste, so that's exactly what the error code is. Since it says audit successful there doesn't appear to be much more info.
Alright. In the Audit log, when you see these entries, there are two tabs. One is General and the other is Details. In Details you have an option to select XML View. Please post what you see in the details. I do not think there is something wrong with these entries; I just want to verify if we have something else going on. For a normal desktop, it can reach 6 to 7 thousand (even more in a corporate environment) in a month, so I am sure for a server this number is going to be high. If Email router is the root cause then we may have to check on the email router's end.
Is there anything suspicious going on with email router logs?
ASKER
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-01-16T14:45:45.902140700Z" />
    <EventRecordID>386284080</EventRecordID>
    <Correlation />
    <Execution ProcessID="572" ThreadID="2228" />
    <Channel>Security</Channel>
    <Computer>(company computer)</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">crmadmin</Data>
    <Data Name="Workstation">CRM-SRV-2K8R2</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
So this is a normal event log entry, you can find more details here:
https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4776
Are you using a single box setup? i.e. domain controller and everything installed on a single machine?
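An added example, not part of the original thread: one way to check whether a flood of 4776 events is a single account validating successfully from one host, by parsing exported event XML and grouping it by account, workstation and status. The sample events are constructed; `example-user`, `WS-EXAMPLE` and the function names are assumptions, and 0xC000006A is the documented bad-password status for this event.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed template carrying only the fields the summary needs.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4776</EventID><TimeCreated SystemTime="{t}" /></System>
<EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">{u}</Data><Data Name="Workstation">{w}</Data>
<Data Name="Status">{s}</Data></EventData></Event>"""

def parse_4776(xml_text):
    """Return (time, account, workstation, status) for a 4776 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4776":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime has more fractional digits than %f accepts; keep microseconds.
    when = datetime.strptime(stamp[:26], "%Y-%m-%dT%H:%M:%S.%f")
    return when, data["TargetUserName"], data["Workstation"], int(data["Status"], 16)

def summarize(events):
    """Group by (account, workstation): successes, failures by status, rate."""
    groups = {}
    for when, account, workstation, status in events:
        g = groups.setdefault((account, workstation),
                              {"ok": 0, "failed": Counter(), "first": when, "last": when})
        if status == 0:            # Status 0x0 means the validation succeeded
            g["ok"] += 1
        else:
            g["failed"][hex(status)] += 1
        g["first"], g["last"] = min(g["first"], when), max(g["last"], when)
    for g in groups.values():
        total = g["ok"] + sum(g["failed"].values())
        span = (g["last"] - g["first"]).total_seconds()
        g["per_second"] = round(total / span, 2) if span else None
    return groups

def sample_events():
    # Constructed sample: five successes in 0.8 s, plus one bad-password failure.
    xs = [TEMPLATE.format(t=f"2018-01-16T14:45:45.{2 * i}00000000Z", u="crmadmin",
                          w="CRM-SRV-2K8R2", s="0x0") for i in range(5)]
    xs.append(TEMPLATE.format(t="2018-01-16T14:45:46.000000000Z", u="example-user",
                              w="WS-EXAMPLE", s="0xc000006a"))
    return [parse_4776(x) for x in xs]

if __name__ == "__main__":
    print(summarize(sample_events()))
```

A group with only successes from one expected host points at a chatty service; non-zero statuses or unfamiliar workstations are the rows to look at first.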
Are you sure the error code we are getting is: 0x0e?
Have you expanded the error details? Is there any other information available?
Regards,
Chinmay.