
Fileserver - Credentials Validate question

Thank you for looking at this problem.

At the moment I get 155 event log messages daily from a Sophos update account, every 10 minutes.

I used to get Event-ID: 4776 but only once every 24H.

"Source: Microsoft Windows security auditing.

Event-ID: 4776

Taskcategory: Credential Validation

The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: SophosSAUSERVER101
Source Workstation: SERVER10
Error Code: 0x0"

This account is available on this server but is somehow filling up the log. I used to have Logon/Logoff messages here, but I cannot see them anymore.

Once this change occurred, these messages started to appear every 7 days too, 4 to 6 at a time.

"Source: Microsoft Windows security auditing.

Event-ID: 4904/4905

Taskcategory: Audit Policy Change

An attempt was made to register a security event source.

Subject :
Security ID: SYSTEM
Account Name: SERVER10$
Account Domain: FOJA
Logon ID: 0x3e7

Process:
Process ID: 0xb24
Process Name: C:\Windows\System32\VSSVC.exe

Event Source:
Source Name: VSSAudit"

Anybody got any idea why this started, or how to turn it off so the normal Logoff/Logon messages start to show again?

It all started once I got 8 of these messages around 4-9-2012:

"Source: Microsoft Windows security auditing.

Event-ID: 4719

Taskcategory: Audit Policy Change

System audit policy was changed.

Subject:
Security ID: SYSTEM
Account Name: SERVER10$
Account Domain: FOJA
Logon ID: 0x3e7

Audit Policy Change:
Category: Logon/Logoff
Subcategory: IPsec Quick Mode
Subcategory GUID: {0cce9219-69ae-11d9-bed3-505054503030}
Changes: Success removed, Failure removed"

But I just checked and 'Success, Failure' are still part of the Default Domain Policy - Logon Audit?

Thanks for any insight you are able to provide.

Kind regards

Arris

  • Thank you for your reply wickedkittenz

    The account is a local account, not a domain account. The machine does have a GPO that enables lockout after 10 erroneous logons, but this is not the case; the account is not disabled and is available for use.

    I see that this message is now coming up every 5 minutes, but its origin lies somewhere in the policies, and I never changed anything in there.

    "Source: Microsoft Windows security auditing.

    Event-ID: 4776

    Taskcategory: Credential Validation

    The domain controller attempted to validate the credentials for an account.

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: SophosSAUSERVER101
    Source Workstation: SERVER10
    Error Code: 0x0"

    I think I'm calling this one and accepting the immense amount of logging involved with GPO audits.
