Hi!
I have a few virtual machines on Hyper-V for testing:
1. Win Server 2008 R2 Enterprise - Domain Controller
2. Win Server 2008 R2 Enterprise - SQL 2008 R2 Express
3. Win Server 2008 R2 Enterprise - Exchange Server 2010 SP1
4. Win 7 Enterprise for experiments.
All machines are in the domain.
I turned on auditing on the DC for logging successful logon events (only successful logon events, nothing more). Then I opened Event Log - Windows Logs - Security. And there's an awful number of identical logs. Every few seconds. Audit success, event ID is 4642. SID is NULL SID. Account name and domain name fields are empty.
What does this log mean and why do I have such a giant quantity of them? And how can I turn them off? I need only logon logs when I physically log on to one of these machines.
I found a lot of discussions about these events on TechNet, but didn't find any solution or description for this problem.
Thanks!
The log text is below:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/14/2013 6:39:27 AM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: Betta.gusev.local
Description:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: SYSTEM
Account Name: BETTA$
Account Domain: GUSEVDC1
Logon ID: 0xe087af
Logon GUID: {ab4eb213-7f50-377e-8c17-10d3abf24884}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: 127.0.0.1
Source Port: 59371
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0