I have a Windows Server 2008 SP2 Domain Controller that is logging about 400 to 500 audit events per second in the security log.
I get repeated entries of:
4624 Logon
4634 Logoff
4672 Special Logon
I clear the security event log, and after 10 seconds I have about 5,000 entries.
Lsass.exe is constantly running at about 5% to 15% CPU.
4624 Logon:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: SYSTEM
Account Name: HSERVER$
Account Domain: HOPKINS
Logon ID: 0x5689610
Logon GUID: {21ab2e6f-e096-18fd-7904-caa887330f25}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: fe80::84a0:133d:9782:3644 (This is my actual SERVER address)
Source Port: 56303
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
4634 Logoff
An account was logged off.
Subject:
Security ID: SYSTEM
Account Name: HSERVER$
Account Domain: HOPKINS
Logon ID: 0x568967a
Logon Type: 3
I don’t think this is caused by any of my workstations.
The output from a NETSTAT -AN has about 5000 entries as shown below…
Proto Local Address Foreign Address State
UDP 0.0.0.0:55428 *:*
UDP 0.0.0.0:55429 *:*
UDP 0.0.0.0:55430 *:*
UDP 0.0.0.0:55431 *:*
UDP 0.0.0.0:55432 *:*
UDP 0.0.0.0:55433 *:*
UDP 0.0.0.0:55434 *:*
…
UDP [::]:55481 *:*
UDP [::]:55482 *:*
UDP [::]:55483 *:*
UDP [::]:55484 *:*
UDP [::]:55485 *:*
UDP [::]:55486 *:*
UDP [::]:55487 *:*
UDP [::]:55488 *:*
UDP [::]:55489 *:*
UDP [::]:55490 *:*
UDP [::]:55491 *:*
I don’t know what to do about this other than starting to shut down services and checking until it stops.
Thanks for any help or insight
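A triage script for this situation, added here and not part of the original post: it summarises who is generating the 4624 events (account, logon type, logon process, source address) and measures the rate, then finds which process owns the flood of UDP sockets. It assumes PowerShell 2.0 or later on the DC, read access to the Security log, and that netstat -ano is available (the -o switch adds the owning PID column missing from the netstat -an output above).

```powershell
# Pull the most recent 4624 (successful logon) events from the Security log.
# Added example; assumes PowerShell 2.0+ and rights to read the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000

# Flatten each event's EventData into the fields we care about.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    New-Object PSObject -Property @{
        Account      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType    = $d['LogonType']
        LogonProcess = $d['LogonProcessName']
        SourceIP     = $d['IpAddress']
    }
}

# One line per distinct combination, busiest first. For the events quoted above
# this should be dominated by HOPKINS\HSERVER$, type 3, Kerberos, from the DC's own address.
$rows | Group-Object Account, LogonType, LogonProcess, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Rate check: logon events per second across the sampled window (events are newest first).
$span = ($events[0].TimeCreated - $events[-1].TimeCreated).TotalSeconds
if ($span -gt 0) { "{0:N0} logon events/sec over the last {1:N0} seconds" -f ($events.Count / $span), $span }

# Which process owns the thousands of UDP sockets? netstat -ano appends the owning PID.
$udp = netstat -ano | Where-Object { $_ -match '^\s*UDP' } | ForEach-Object {
    $cols = ($_ -replace '^\s+', '') -split '\s+'
    New-Object PSObject -Property @{ Local = $cols[1]; OwnerPid = [int]$cols[-1] }
}
$udp | Group-Object OwnerPid | Sort-Object Count -Descending | Select-Object -First 5 | ForEach-Object {
    $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
    $name = if ($p) { $p.ProcessName } else { '?' }
    "{0,6} UDP sockets  PID {1,-6} {2}" -f $_.Count, $_.Name, $name
}
```

If the top UDP owner is lsass.exe and the 4624 source is the DC's own address, the next step is to correlate the logon timestamps with whatever service is opening those sockets before stopping services blindly.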