2061 Security Log Events in less than 2 hours!

Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Hello all

I hope someone can help on this one.

On August 18 this year between 15:32 and 17:18, 2061
events were logged on my Security event viewer.

The IDs were: 512; 514; 515; 518; 528; 538(very many); 540
(very many); 565; 576(very many); 577; 578; 592; 593;
612; 617; 672; 673; 677; 680; 682; 683.

Does anyone know what happened? I cannot link this to
anything else for that day. We had no engineers around
doing anything to the server. It was just an ordinary
day.

It seems a bit spooky. Should I be worried?

Thanks in advance.
  1. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    Hi Alan,

    Please provide the detailed description of the Event ID 2061.

    --
    Hope this helps,
    Mike Rosado
    Windows 2000 MCSE + MCDBA
    Microsoft Enterprise Platform Support
    Windows NT/2000/2003 Cluster Technologies

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    <http://www.microsoft.com/info/cpyright.htm>

  2. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    Hi Mike

    The event ID isn't 2061. That was the number of events
    logged during the 1 1/2 hour period on August 18.


    >-----Original Message-----
    >Hi Alan,
    >
    >Please provide the detailed description of the Event ID 2061.

    The Event IDs were: 512; 514; 515; 518; 528; 538 (very many); 540 (very
    many); 565; 576 (very many); 577; 578; 592; 593; 612; 617; 672; 673; 677;
    680; 682; 683.

    They were varying descriptions:

    Events Event IDs

    Account Logons: 672,673,677,680

    Detailed Tracking: 592,593

    Logon/Logoff: 538,540

    Object Access: 565

    Policy Change: 612,617

    Privilege Use: 576,577

    System Event: 514,515,518


    Hope to hear from you soon

    Alan


  3. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    Also when you view the logged events in Event Viewer in the upper right
    corner, third button down is a copy to clipboard, then you can paste in the
    body of a reply message.

    Please do so for each of the different events so we can see all of the event
    detail.

    --
    Regards,

    Dave Patrick ....Please no email replies - reply in newsgroup.
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    http://www.microsoft.com/protect

    "Alan Hodge" wrote:
    | Hi Mike
    |
    | The event ID isn't 2061. That was the number of events
    | logged during the 1 1/2 hour period on August 18.
  4. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    Dear Dave

    Is there any way I can zip the events into a file and
    email that to you. Otherwise it will take a long time to
    copy and paste each individual event.

    Regards

    Alan

  5. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    Alan,

    I'm by no means an expert in this subject matter of Security, Log On and/or
    GPO, but I'll try to assist you to the best of my ability.

    You have a laundry list of events that you cannot troubleshoot all together,
    because they may all be unrelated to each other and just one or more of
    these events can send you off on a wild goose chase.

    If these events are posing a problem, explain with elaborated details the
    problem you're experiencing so we can try to troubleshoot the main problem.

    --
    Hope this helps,
    Mike Rosado
    Windows 2000 MCSE + MCDBA
    Microsoft Enterprise Platform Support
    Windows NT/2000/2003 Cluster Technologies

  6. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    Thanks for that Mike

    The trouble I have is that I do know whether these events
    are benign or not. I have recently cleared out a load of
    email garbage because the server was being used as a
    relay. You helped a lot on that and everything seems
    fine now. I am wondering whether these events could be
    related or not but I have nothing to indicate a problem
    as such.

    I think that the alarming bit is that the only events in
    the security log are those I have identified and they all
    appear on the same day.

    I am not sure what else to do at this stage.

    Regards

    Alan

  7. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    How many different events? 22? It would be best to post here so that all can
    learn from this. Besides I may not know the answer. You might be able to
    research this on your own through TechNet and or eventid.net

    http://search.microsoft.com/search/search.aspx?View=en-us&s=1&st=a
    http://www.eventid.net/search.asp

    --
    Regards,

    Dave Patrick ....Please no email replies - reply in newsgroup.
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    http://www.microsoft.com/protect

    "Alan Hodge" wrote:
    | Dear Dave
    |
    | Is there any way I can zip the events into a file and
    | email that to you. Otherwise it will take a long time to
    | copy and paste each individual event.
    |
    | Regards
    |
    | Alan
  8. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    Dave

    I followed your advice and ended up at:

    http://www.gfi/eventlogscan/

    I scanned the server and one critical result came up which
    I have copied below:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 612
    Date: 18/08/2004
    Time: 15:32:40
    User: NT AUTHORITY\SYSTEM
    Computer: HODGESERV
    Description:
    Audit Policy Change:
    New Policy:
    Success Failure
    + + Logon/Logoff
    - + Object Access
    + + Privilege Use
    + + Account Management
    + + Policy Change
    + + System
    + + Detailed Tracking
    - + Directory Service Access
    + + Account Logon

    Changed By:
    User Name: HODGESERV$
    Domain Name: HODGE
    Logon ID: (0x0,0x3E7)

    It looks like there has been a policy change but I do not
    know by whom or what the implications are. Are you able
    to help with this?

    Your help so far has been very much appreciated.

    Thanks in advance.

    Alan


  9. Archived from groups: microsoft.public.win2000.advanced_server (More info?)

    Alan,

    As mentioned before, I'm by no means an expert in this subject matter of
    Security, Log On and/or GPO, but I'll try to assist you to the best of my
    ability.

    Have you tried using Security Configuration and Analysis to isolate what GPO
    is causing the Event ID 612?

    816580 HOW TO: Analyze System Security in Windows Server 2003
    http://support.microsoft.com/?id=816580

    You are correct, it is a policy change that occurred. You need to focus in
    on an Audit Policy as mentioned in the article below:

    840633 Event ID 612 appears in the security log every time that you restart
    http://support.microsoft.com/?id=840633

    --
    Hope this helps,
    Mike Rosado
    Windows 2000 MCSE + MCDBA
    Microsoft Enterprise Platform Support
    Windows NT/2000/2003 Cluster Technologies

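Added example (not part of the original thread, and not code from any poster): a Python parser for the Event ID 612 text pasted above, reporting who changed the audit policy and which categories the new policy audits. The sample is the record from the thread with its first three header lines omitted; the function names are hypothetical, and 0x3E7 is the well-known logon ID of the local SYSTEM session.

```python
import re

# Event 612 record as posted in the thread (first three header lines omitted).
SAMPLE_612 = """\
Event ID: 612
Date: 18/08/2004
Time: 15:32:40
User: NT AUTHORITY\\SYSTEM
Computer: HODGESERV
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- + Object Access
+ + Privilege Use
+ + Account Management
+ + Policy Change
+ + System
+ + Detailed Tracking
- + Directory Service Access
+ + Account Logon

Changed By:
User Name: HODGESERV$
Domain Name: HODGE
Logon ID: (0x0,0x3E7)
"""

POLICY_ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(\S.*?)\s*$")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*?)\s*$")
LOGON_ID = re.compile(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)")
SYSTEM_LOGON_ID = (0x0, 0x3E7)  # well-known logon session of LocalSystem


def parse_612(text):
    """Split an Event 612 record into header fields and the audit matrix."""
    fields, policy = {}, {}
    for line in text.splitlines():
        row = POLICY_ROW.match(line)
        if row:
            success, failure, category = row.groups()
            policy[category] = {"success": success == "+", "failure": failure == "+"}
        elif (field := FIELD.match(line)):
            fields[field.group(1)] = field.group(2)
    return fields, policy


def summarize_612(text):
    """Answer 'who changed it and what is audited now' for one record."""
    fields, policy = parse_612(text)
    match = LOGON_ID.fullmatch(fields.get("Logon ID", ""))
    logon_id = tuple(int(part, 16) for part in match.groups()) if match else None
    return {
        "when": fields.get("Date", "?") + " " + fields.get("Time", "?"),
        "changed_by": fields.get("Domain Name", "?") + "\\" + fields.get("User Name", "?"),
        "machine_account": fields.get("User Name", "").endswith("$"),
        "system_session": logon_id == SYSTEM_LOGON_ID,
        "fully_audited": sorted(c for c, p in policy.items() if p["success"] and p["failure"]),
        "success_off": sorted(c for c, p in policy.items() if not p["success"]),
        "failure_off": sorted(c for c, p in policy.items() if not p["failure"]),
    }


if __name__ == "__main__":
    for key, value in summarize_612(SAMPLE_612).items():
        print(f"{key:16} {value}")
```

For this record the change is attributed to the server's own machine account running in the SYSTEM logon session, not to a logged-on user account, and the new policy audits every category except success events for Object Access and Directory Service Access.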