Hello everyone. I have been trying to tackle this for many months now and hopefully someone here can help.
Since day 1 with a 2008 SBS server, the server records 1 million + logon/logoff events a day.
Now the customer has a requirement to be PCI compliant. (which is almost impossible with that volume of logs.)
I tried to work with microsoft support on this and they didn't know why this is happening.
Quick details...
Server 2008 SBS standard SP2.
~30 workstations currently joined to domain.
stand alone server
Now I understand that there might be something else going on here but I'm at a loss to where I need to go.
Here are a few examples of what I'm swampped with.
Also, if I use auditpol to shut off logon/logoff, the logs go almost completely silent.
But its one of the requirements for PCI to record them and keep them for a year.
--------------------
A Kerberos service ticket was requested.
Account Information:
Account Name:<dcname>$@<domain>.LOCAL
Account Domain:<domain>.LOCAL
Logon GUID: {7c9ea43a-cb21-5989-9790-fce1233a1e9f}
Service Information:
Service Name: krbtgt
Service ID:<domain>\krbtgt
Network Information:
Client Address:::1
Client Port: 0
Additional Information:
Ticket Options:0x60810010
Ticket Encryption Type:0x17
Failure Code: 0x0
Transited Services:-
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
-------------------
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain:-
Logon ID: 0x0
Logon Type:3
New Logon:
Security ID: SYSTEM
Account Name:<dcname>$
Account Domain:<domain>
Logon ID: 0x108e18b82
Logon GUID: {fc2c1d5d-ec46-8f87-b78e-ca1b2dff865e}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address:fe80::7c35:6f40:f3af:1e58
Source Port: 29683
Detailed Authentication Information:
Logon Process:Kerberos
Authentication Package:Kerberos
Transited Services:-
Package Name (NTLM only):-
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
-----------------------------------------
An account was logged off.
Subject:
Security ID: SYSTEM
Account Name:<dcname>$
Account Domain:<domain>
Logon ID: 0x108e18b55
Logon Type:3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
-------------------------------------------