Lots of Event Security logs 529?? Explanation Please

  • Thread starter Super Boobahlicious
  • Start date
S

Super Boobahlicious

I have so many events in Failure Audit logs lately. I know that this type
of event is not necessarily directing to login to local machine.

However I still don't understand how this sessions are interpreted by the
system as if the machine is trying to log into the system?? eventhough not..

Any valid useful explanation??

Event is 529
Login Failure
Reason: Unknown user name or Password
User Name: mytest
Domain:SErver_app
Logon Type:3
Logon Process: NTLMssP
Workstation Name:mytest
 
R

Roger Abell [MVP]

"Super Boobahlicious" <SuperBoobahlicious@discussions.microsoft.com> wrote
in message news:33EB53AA-2089-4260-A7B8-26EA7EE52D88@microsoft.com...
>I have so many events in Failure Audit logs lately. I know that this type
> of event is not necessarily directing to login to local machine.
>
> However I still don't understand how this sessions are interpreted by the
> system as if the machine is trying to log into the system?? eventhough
> not..
>
> Any valid useful explanation??
>
> Event is 529
> Login Failure
> Reason: Unknown user name or Password
> User Name: mytest
> Domain:SErver_app
> Logon Type:3
> Logon Process: NTLMssP
> Workstation Name:mytest
>
>

For this event you asked
> Any valid useful explanation??
and of course there is.

This shows that there is some process on machine "mytest"
that is attempting to do a network login to the machine where
this event is recorded using an account server_app\mytest
(which is an admin/user defined account, not the machine
itself which would appear as server_app\mytest$ ) and this
shows the login attempts are failingl

Examine that machine's running processes and also look
for traces of that domain principal.
If the here all important missing $ in the account name is
due to your having edited the event message, then provide
the actual unedited message - little changes can make big
changes in meaning.
 
S

Super Boobahlicious

Roger thank you for the feedback.

Here is the unedited version in one of the failures..
Can you please more a bit.. I'm kinda of confuse?

How come this server is also intercepting all login failures.. Even though
not address to himself??

Security Failure Audit Logon/Logoff 529 NT
AUTHORITY\SYSTEM My-server-FS "Logon Failure:
Reason: Unknown user name or bad password
User Name: Dell
Domain: DVDZ1
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DVDZ1 "




"Roger Abell [MVP]" wrote:

> "Super Boobahlicious" <SuperBoobahlicious@discussions.microsoft.com> wrote
> in message news:33EB53AA-2089-4260-A7B8-26EA7EE52D88@microsoft.com...
> >I have so many events in Failure Audit logs lately. I know that this type
> > of event is not necessarily directing to login to local machine.
> >
> > However I still don't understand how this sessions are interpreted by the
> > system as if the machine is trying to log into the system?? eventhough
> > not..
> >
> > Any valid useful explanation??
> >
> > Event is 529
> > Login Failure
> > Reason: Unknown user name or Password
> > User Name: mytest
> > Domain:SErver_app
> > Logon Type:3
> > Logon Process: NTLMssP
> > Workstation Name:mytest
> >
> >
>
> For this event you asked
> > Any valid useful explanation??
> and of course there is.
>
> This shows that there is some process on machine "mytest"
> that is attempting to do a network login to the machine where
> this event is recorded using an account server_app\mytest
> (which is an admin/user defined account, not the machine
> itself which would appear as server_app\mytest$ ) and this
> shows the login attempts are failingl
>
> Examine that machine's running processes and also look
> for traces of that domain principal.
> If the here all important missing $ in the account name is
> due to your having edited the event message, then provide
> the actual unedited message - little changes can make big
> changes in meaning.
>
>
>
>
>
>
 
R

Roger Abell [MVP]

"Super Boobahlicious" <SuperBoobahlicious@discussions.microsoft.com> wrote
in message news:BCD43873-B032-4FBD-B0D4-89A4B7098F5D@microsoft.com...
> Roger thank you for the feedback.
>
> Here is the unedited version in one of the failures..
> Can you please more a bit.. I'm kinda of confuse?
>
> How come this server is also intercepting all login failures.. Even though
> not address to himself??
>

Hi Boobahlicious,

I do not know why you say "even though not addressed to himself".
If the event appears in non-DC ServerA's security event log then the
event is about an attempt to log into ServerA.
The event mentions a Domain of the attempted account and a
Workstation (in this case they are the same) which are info about
the account and the origin machine. As these are the same in this
new example, this is saying that an account named Dell defined on
machine DVDZ1 tried access from machine DVDZ1.
An event like this can happen if someone just tries to open up
a share seen in network neighborhood while logged in with a
machine local account (DVDZ1\Dell).

Roger


> Security Failure Audit Logon/Logoff 529 NT
> AUTHORITY\SYSTEM My-server-FS "Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Dell
> Domain: DVDZ1
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: DVDZ1 "
>
>
>
>
> "Roger Abell [MVP]" wrote:
>
>> "Super Boobahlicious" <SuperBoobahlicious@discussions.microsoft.com>
>> wrote
>> in message news:33EB53AA-2089-4260-A7B8-26EA7EE52D88@microsoft.com...
>> >I have so many events in Failure Audit logs lately. I know that this
>> >type
>> > of event is not necessarily directing to login to local machine.
>> >
>> > However I still don't understand how this sessions are interpreted by
>> > the
>> > system as if the machine is trying to log into the system?? eventhough
>> > not..
>> >
>> > Any valid useful explanation??
>> >
>> > Event is 529
>> > Login Failure
>> > Reason: Unknown user name or Password
>> > User Name: mytest
>> > Domain:SErver_app
>> > Logon Type:3
>> > Logon Process: NTLMssP
>> > Workstation Name:mytest
>> >
>> >
>>
>> For this event you asked
>> > Any valid useful explanation??
>> and of course there is.
>>
>> This shows that there is some process on machine "mytest"
>> that is attempting to do a network login to the machine where
>> this event is recorded using an account server_app\mytest
>> (which is an admin/user defined account, not the machine
>> itself which would appear as server_app\mytest$ ) and this
>> shows the login attempts are failingl
>>
>> Examine that machine's running processes and also look
>> for traces of that domain principal.
>> If the here all important missing $ in the account name is
>> due to your having edited the event message, then provide
>> the actual unedited message - little changes can make big
>> changes in meaning.
>>
>>
>>
>>
>>
>>
 
You must log in or register to reply here.

Similar threads

B
Understanding about Audit Logon Event
Replies
0
Views
47
BryanEM
B
M
Security Logs
Replies
0
Views
1K
Metalheadx
M
G
Mysterious event IDs 4723 and 4625
Replies
0
Views
471
GM1997_601
G
L
Unwanted security Audit Failure event from Oracle database connect
Replies
0
Views
366
Leoš Junek
L
B
Event ID 4625
Replies
0
Views
1K
Bev S
B
Back
Top Bottom