Hello, I have many of these events, about 10 per second, for about 15 minutes.
An account failed to log on.

Subject:
    Security ID: SYSTEM
    Account Name: WIN-ML7A3VSKKVU$
    Account Domain: WORKGROUP
    Logon ID: 0x3e7

Logon Type: 8

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: root
    Account Domain:

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x444
    Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
    Workstation Name: WIN-ML7A3VSKKVU
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
I'm trying to identify the source of the problem. I have checked the services but I didn't find anything strange; I compared the running services with other servers and they are the same. The only thing that I have found is a task in Windows scheduler for Windows Defender, and it starts exactly a few seconds before the audit failures. When I start the task it doesn't generate any exception and it runs for less than a minute.
Thanks