SNMP Security Event Logs

Discussion in 'Server Security' started by Steve Gould, Apr 24, 2009.

  1. Steve Gould

    Steve Gould Guest

    Recently I was going through the Security logs on a number of servers
    looking at successful logons. I noticed an oddity. Every 5 minutes, events
    540 and 538 were being recorded from an employee account who had moved to a
    different department. This worried me at first until I tracked down the
    cause. We have a server monitor that uses SNMP and hits the servers every 5
    minutes.

    Here is the weird part. When SNMP is touched, or the service restarted,
    Security event IDs 540 and 538 are logged using the user name of the account
    that was logged on when SNMP was first installed. I have verified this on
    numerous servers.

    I don't like this situation as it muddies the logs a bit. The service should
    log as SYSTEM if anything.

    Does anyone know if this can be altered?

    Thanks,

    Steve
     
    Steve Gould, Apr 24, 2009
    #1

  2. Steve Gould

    Mel K. Guest

    SNMP Service should run under Local System Account by default (Server 2003
    SP2). Check the service logon settings and change if necessary.
     
    Mel K., May 8, 2009
    #2
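
Added example, not part of the original posts: one way to separate the monitor-driven 540/538 pairs described in this thread from real logons is to flag accounts whose 540 events recur at a steady interval, each closed by a 538. The record layout (timestamp, event ID, account) and the account names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Windows Server 2003 Security log: 540 = successful network logon, 538 = user logoff
LOGON, LOGOFF = 540, 538

def periodic_logons(events, tolerance=timedelta(seconds=15), min_runs=4):
    """Return {account: typical_interval} for accounts whose 540 events recur
    at a steady interval and are each followed by a 538 before the next 540."""
    by_account = defaultdict(list)
    for ts, event_id, account in sorted(events, key=lambda e: e[0]):
        if event_id in (LOGON, LOGOFF):
            by_account[account].append((ts, event_id))
    flagged = {}
    for account, rows in by_account.items():
        logons = [ts for ts, eid in rows if eid == LOGON]
        if len(logons) < min_runs:
            continue  # too few samples to call it periodic
        gaps = [b - a for a, b in zip(logons, logons[1:])]
        typical = median(gaps)
        steady = all(abs(g - typical) <= tolerance for g in gaps)
        # every logon except a trailing one must be followed directly by a logoff
        paired = all(rows[i + 1][1] == LOGOFF
                     for i, (_, eid) in enumerate(rows[:-1]) if eid == LOGON)
        if steady and paired:
            flagged[account] = typical
    return flagged

def sample_events():
    """Constructed sample: one account polled every ~5 minutes, one used by hand."""
    start = datetime(2009, 4, 24, 9, 0, 0)
    events = []
    for i in range(6):  # poller with a little jitter
        t = start + timedelta(minutes=5 * i, seconds=i % 3)
        events.append((t, LOGON, "EXAMPLE\\moved.user"))
        events.append((t + timedelta(seconds=1), LOGOFF, "EXAMPLE\\moved.user"))
    for minute in (3, 4, 47, 120):  # irregular administrative sessions
        t = start + timedelta(minutes=minute)
        events.append((t, LOGON, "EXAMPLE\\admin"))
        events.append((t + timedelta(minutes=1), LOGOFF, "EXAMPLE\\admin"))
    return events

if __name__ == "__main__":
    for account, interval in periodic_logons(sample_events()).items():
        print(f"{account}: logon/logoff pair about every {interval}")
```

An account flagged this way is a candidate for service or monitor activity; the service logon setting on the server still has to be checked to confirm where it comes from.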