security log _event id 538/540

By travisr ·
I can't find an answer to this anywhere. How does a file server log events for users connecting to resources? Does the server log a logon event every time a user opens a file in a directory, or should it just log one event for the initial authentication within a certain time period?
I am seeing a tremendous amount of logon and logoff events for certain user IDs in a very short period of time.
Thanks,


by Joseph Moore In reply to security log _event id 53 ...

Ok. 538 is the successful logoff message, and 540 is the successful logon message. You need to look at the Type of event these are. Here is Technet article 140714 which talks about this:

Here are the Event IDs and type designations for the most common log on and log off events:


Interactive logon: Event ID 528, Type 2
Interactive logoff: Event ID 538, Type 2
Network logon: Event ID 528, Type 3
Net Use connection: Event ID 528, Type 3
Network logoff: Event ID 538, Type 3
Net use disconnection: Event ID 538, Type 3
Autodisconnect: Event ID 538, Type 3



When a user logs on or off the computer at the Windows NT console, the event is recorded in the Security Log. A successful log on event generates Event ID 528, Logon Type 2, and a User log off event generates Event ID 538, Logon Type 2, where Logon Type 2 indicates an interactive log on event. Double-click the event to bring up the Event Detail window, then check the Logon Type in the Description box.

The connection events are Logon Type 3, which indicates a network log on event. A successful Net Use or File Manager connection or a successful directed Net View to a Windows NT share generates Event ID 528, a successful log on event of Logon Type 3. An event is only generated by the initial connection from a particular user. Subsequent Net Views or Net Uses from the same user to the same computer do not generate any additional events unless the user has disconnected (or has been autodisconnected) from all shares.


by Joseph Moore In reply to security log _event id 53 ...

So, the whole point of that article is that you are probably also seeing drives being mapped, then drive mappings timing out (the Autodisconnect setting).

Most likely, everything is ok.

hope this helps
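To check whether a burst of these events is the connect/autodisconnect pattern described in this thread, the following added example (not part of the original posts) pairs logon events (528/540) with logoff events (538) and reports, per user and logon type, how many sessions there were and how long they lasted. The record layout, the Logon ID field used for pairing, the sample data and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

LOGON_IDS = {528, 540}   # 528 from the quoted article, 540 from the thread
LOGOFF_ID = 538
LOGON_TYPES = {2: "interactive", 3: "network"}

# Constructed sample records: (time, event ID, logon type, user, logon ID)
SAMPLE = [
    ("2004-03-01 09:00:00", 528, 2, "alice", "0x1a01"),
    ("2004-03-01 09:00:00", 540, 3, "bob", "0x2b01"),
    ("2004-03-01 09:05:00", 540, 3, "alice", "0x1a02"),
    ("2004-03-01 09:15:00", 538, 3, "bob", "0x2b01"),
    ("2004-03-01 09:20:00", 540, 3, "bob", "0x2b02"),
    ("2004-03-01 09:30:00", 538, 3, "alice", "0x1a02"),
    ("2004-03-01 09:35:00", 538, 3, "bob", "0x2b02"),
    ("2004-03-01 09:40:00", 540, 3, "bob", "0x2b03"),
    ("2004-03-01 09:55:00", 538, 3, "bob", "0x2b03"),
    ("2004-03-01 10:00:00", 540, 3, "bob", "0x2b04"),  # still connected
    ("2004-03-01 17:00:00", 538, 2, "alice", "0x1a01"),
]

def summarize(events):
    """Pair logons with logoffs; return per-(user, type) session statistics."""
    stats = defaultdict(lambda: {"sessions": 0, "seconds": 0.0,
                                 "open": 0, "orphan_logoffs": 0})
    pending = {}  # (user, logon ID) -> (logon time, stats key)
    for ts, event_id, ltype, user, logon_id in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (user, LOGON_TYPES.get(ltype, "other"))
        if event_id in LOGON_IDS:
            pending[(user, logon_id)] = (when, key)
        elif event_id == LOGOFF_ID:
            start = pending.pop((user, logon_id), None)
            if start is None:          # matching logon is not in the sample
                stats[key]["orphan_logoffs"] += 1
            else:
                stats[start[1]]["sessions"] += 1
                stats[start[1]]["seconds"] += (when - start[0]).total_seconds()
    for _, key in pending.values():    # logons with no logoff yet
        stats[key]["open"] += 1
    return stats

def frequent_short(stats, min_sessions, max_avg_seconds):
    """Users whose network sessions are both numerous and brief on average."""
    return sorted(user for (user, kind), s in stats.items()
                  if kind == "network" and s["sessions"] >= min_sessions
                  and s["seconds"] / s["sessions"] <= max_avg_seconds)

if __name__ == "__main__":
    for key, s in sorted(summarize(SAMPLE).items()):
        print(key, s)
```

Many short, cleanly paired Type 3 sessions for one user are consistent with the mapping and autodisconnect cycle described above; orphan logoffs or logons from unexpected accounts are what merit a closer look.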
