2061 Security Log Events in less than 2 hours!

Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Hello all

I hope someone can help on this one.

On August 18 this year between 15:32 and 17:18, 2061
events were logged on my Security event viewer.

The IDs were: 512; 514; 515; 518; 528; 538(very many); 540
(very many); 565; 576(very many); 577; 578; 592; 593;
612; 617; 672; 673; 677; 680; 682; 683.

Does anyone know what happened? I cannot link this to
anything else for that day. We had no engineers around
doing anything to the server. It was just an ordinary
day.

It seems a bit spooky. Should I be worried?

Thanks in advance.
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Hi Alan,

Please provide the detailed description of the Event ID 2061.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
<http://www.microsoft.com/info/cpyright.htm>

 
Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Hi Mike

The event ID isn't 2061. That was the number of events
logged during the 1 1/2 hour period on August 18.



>-----Original Message-----
>Hi Alan,
>
>Please provide the detailed description of the Event ID 2061.

The Event IDs were: 512; 514; 515; 518; 528; 538(very many); 540 (very many); 565; 576(very many); 577; 578; 592; 593; 612; 617; 672; 673; 677; 680; 682; 683.

They were varying descriptions:

Events               Event IDs
Account Logons:      672,673,677,680
Detailed Tracking:   592,593
Logon/Logoff:        538,540
Object Access:       565
Policy Change:       612,617
Privilege Use:       576,577
System Event:        514,515,518


Hope to hear from you soon

Alan


 
Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Also when you view the logged events in Event Viewer in the upper right
corner, third button down is a copy to clipboard, then you can paste in the
body of a reply message.

Please do so for each of the different events so we can see all of the event
detail.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Alan Hodge" wrote:
| Hi Mike
|
| The event ID isn't 2061. That was the number of events
| logged during the 1 1/2 hour period on August 18.
 
Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Dear Dave

Is there any way I can zip the events into a file and
email that to you. Otherwise it will take a long time to
copy and paste each individual event.

Regards

Alan

 
Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Alan,

I'm by no means an expert in this subject matter of Security, Log On and/or
GPO, but I'll try to assist you to the best of my ability.

You have a laundry list of events that you cannot troubleshoot all together,
because they may all be unrelated to each other and just one or more of
these events can send you off on a wild goose chase.

If these events are posing a problem, explain with elaborated details the
problem you're experiencing so we can try to troubleshoot the main problem.

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies

 
Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Thanks for that Mike

The trouble I have is that I do know whether these events
are benign or not. I have recently cleared out a load of
email garbage because the server was being used as a
relay. You helped a lot on that and everything seems
fine now. I am wondering whether these events could be
related or not but I have nothing to indicate a problem
as such.

I think that the alarming bit is that the only events in
the security log are those I have identified and they all
appear on the same day.

I am not sure what else to do at this stage.

Regards

Alan

 
Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

How many different events? 22? It would be best to post here so that all can
learn from this. Besides I may not know the answer. You might be able to
research this on your own through TechNet and or eventid.net

http://search.microsoft.com/search/search.aspx?View=en-us&s=1&st=a
http://www.eventid.net/search.asp

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Alan Hodge" wrote:
| Dear Dave
|
| Is there any way I can zip the events into a file and
| email that to you. Otherwise it will take a long time to
| copy and paste each individual event.
|
| Regards
|
| Alan
 
Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Dave

I followed your advice and ended up at:

http://www.gfi/eventlogscan/

I scanned the server and one critical result came up which
I have copied below:

Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 612
Date: 18/08/2004
Time: 15:32:40
User: NT AUTHORITY\SYSTEM
Computer: HODGESERV
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- + Object Access
+ + Privilege Use
+ + Account Management
+ + Policy Change
+ + System
+ + Detailed Tracking
- + Directory Service Access
+ + Account Logon

Changed By:
User Name: HODGESERV$
Domain Name: HODGE
Logon ID: (0x0,0x3E7)

It looks like there has been a policy change but I do not
know by whom or what the implications are. Are you able
to help with this?

Your help so far has been very much appreciated.

Thanks in advance.

Alan
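
Added example, not part of the original posts: a Python sketch that parses the Event 612 description pasted above into a per-category audit table and checks the "Changed By" fields. The function names and the SEEN table (built from the category list given earlier in the thread) are assumptions of this example; 0x3E7 is the well-known Local System logon session ID.

```python
import re

# Event 612 description as pasted in the thread (header fields omitted).
EVENT_612 = """\
New Policy:
Success Failure
+ + Logon/Logoff
- + Object Access
+ + Privilege Use
+ + Account Management
+ + Policy Change
+ + System
+ + Detailed Tracking
- + Directory Service Access
+ + Account Logon
Changed By:
User Name: HODGESERV$
Domain Name: HODGE
Logon ID: (0x0,0x3E7)
"""

# Categories and IDs reported earlier in the thread, named as in the table above.
SEEN = {"Account Logon": [672, 673, 677, 680], "Detailed Tracking": [592, 593],
        "Logon/Logoff": [538, 540], "Object Access": [565],
        "Policy Change": [612, 617], "Privilege Use": [576, 577],
        "System": [514, 515, 518]}
LOCAL_SYSTEM_LUID = (0x0, 0x3E7)  # well-known logon session ID of Local System


def parse_612(text):
    """Return (fields, policy); policy maps category -> (success, failure)."""
    fields, policy = {}, {}
    for line in text.splitlines():
        row = re.match(r"([+-])\s+([+-])\s+(.+?)\s*$", line)
        if row:
            policy[row.group(3)] = (row.group(1) == "+", row.group(2) == "+")
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    luid = re.fullmatch(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)", fields.get("Logon ID", ""))
    fields["Logon ID"] = tuple(int(g, 16) for g in luid.groups()) if luid else None
    return fields, policy


def review(text, seen=SEEN):
    """Who applied the policy, and which categories lack success auditing."""
    fields, policy = parse_612(text)
    return {
        "machine_account": fields["User Name"].endswith("$"),
        "local_system": fields["Logon ID"] == LOCAL_SYSTEM_LUID,
        "success_off": sorted(c for c, (ok, _) in policy.items() if not ok),
        "seen_success_off": sorted(c for c in seen if not policy[c][0]),
    }
```

Calling `review(EVENT_612)` shows the change was written under the Local System session by the server's own computer account, which identifies the security context but not what triggered it. Entries in a category listed under `seen_success_off` are worth checking by Event Type in the log.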


 
Guest
Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Alan,

As mentioned before, I'm by no means an expert in this subject matter of
Security, Log On and/or GPO, but I'll try to assist you to the best of my
ability.

Have you tried using Security Configuration and Analysis to isolate what GPO
is causing the Event ID 612?

816580 HOW TO: Analyze System Security in Windows Server 2003
http://support.microsoft.com/?id=816580

You are correct, it is a policy change that occurred. You need to focus in
on an Audit Policy as mentioned in the article below:

840633 Event ID 612 appears in the security log every time that you restart
http://support.microsoft.com/?id=840633

--
Hope this helps,
Mike Rosado
Windows 2000 MCSE + MCDBA
Microsoft Enterprise Platform Support
Windows NT/2000/2003 Cluster Technologies
