Hi All, We've just recently begun using ntsyslog to ship logs from our Win servers to our central syslog server. It's working quite well. I've begun seeing various different logon failures to our Win servers and it seems to be related to the "auto discovery" feature within WinXP explorer. Here are a copy of some of the logs: Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The error code was: 3221225572 Feb 22 13:27:49 exchange.auckland.ac.nz/exchange.auckland.ac.nz security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: USERNAME by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: G731-220-4 failed. The error code was: 3221225572 How are other people handling this sort of event? It seems to be causing quite a few "false alarms". I'm not even sure if it's possible to turn this feature off and not allow users to turn it back on again. Any thoughts? Thanks, Harry -- Harry Hoffman ITSS Systems Team Leader University of Auckland hhoffmanat_private hhoffman@ip-solutions.net STANDARD DISCLAIMER: ********************************************** *This universe shipped by weight, not volume.* *Some expansion may have occured in shipping.* ********************************************* ------------------------------------------------- This mail sent through IpSolutions: http://www.ip-solutions.net/ _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 12:33:16 PST