Event Log Anonymous Login entries
Mike Sanders
We see these events regularly they only involve the
Computers ROGUE and ALLEN03. These each have a timestamp
of 3:45:50 PM. At 3:46:39 PM we lost a service that we
have been unable to restart.
1) Do you have any suggestions why machines ROGUE and
ALLEN03 generate these on a regular basis?
2) Do you think there is any connection to the RSA service
no-restart issue?
The anonymous logins occur regularly at about a 10 minute
interval in groups of 4 [see below] for each of the
machines.
Thanks,
Mike Sanders
===========================================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 12/30/2003
Time: 3:45:50 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: CLAVEY1
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x484B0B0)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/30/2003
Time: 3:45:50 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: CLAVEY1
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x484B0B0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ROGUE
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.x.4
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 12/30/2003
Time: 3:45:50 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: CLAVEY1
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x484B0A7)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/30/2003
Time: 3:45:50 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: CLAVEY1
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x484B0A7)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ROGUE
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.x.4
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
====================================
Application Log Event
====================================
Event Type: Error
Event Source: Storage Replicator RSA
Event Category: None
Event ID: 1049
Date: 12/30/2003
Time: 3:46:39 PM
User: N/A
Computer: CLAVEY1
Description:
Job 'ClaveyLarkspur2RagingWire' on pair 'CLAVEY1:CLAVEY2'
is disconnected. Cancelling the job on this pair. :
Job 'ClaveyLarkspur2RagingWire' on pair 'CLAVEY1:CLAVEY2'
is disconnected. Cancelling the job on this pair. :
Connection to Windows socket lost.