Filling up the Windows 2003 security audit log - secWinAD

Former Member
0 Kudos

I am getting about 25 logon/logoff messages (mostly event id 552) every second logged to the Windows 2003 security log. The user in the message is the service account we use for Active Directory integration. We only have about 25 users logged in. Why am I seeing so much activity? The 300 meg log is showing less than 24 hours of activity before it is being overwritten. We are on BOE XI R2 SP3 using WebSphere WAS.

Accepted Solutions (1)

Former Member
0 Kudos

Hi Kristof,

Thanks for your reply.

> - Is tracing enabled...

No, I verified that none of the service command lines include "-trace".

> ...Kerberos, check the config files...

"debug=true;" is NOT present in our bscLogin.conf file.

> ...log Kerberos events...

We have had logging turned on before. It is controlled by a Windows registry setting: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel

We are not logging Kerberos events.

We did do some troubleshooting with Kerberos a while ago. I'm thinking that maybe some debug setting somewhere didn't get reset, but I'm not finding anything.

Thanks again for your reply,

Nick

BasicTek
Advisor
0 Kudos

I'd suggest contacting IBM to verify you have their latest version of the Java SDK (1.5 or above is recommended).

using udp_preference_limit =1 in the libdefaults section of the krb5.ini to force TCP

And if those don't work then open a message with support to investigate.

Regards,

Tim

Answers (1)

Former Member
0 Kudos

I am seeing the CMS.exe service continually running at 10 - 15% of the CPU. Is anybody else seeing this?

Former Member
0 Kudos

Hello Nick,

I haven't come in contact with a WebSphere deployment yet, but perhaps you could check the following:

- Is tracing enabled on the CMC (or any other) service? You should look for a "-trace" in the service's command line.

- If you're using Kerberos, check the config files to see if debugging is not enabled.

- The BO technical paper detailing the setup of Windows AD / SSO mentions the possibility to log Kerberos events to the eventlog. Are you sure this hasn't been enabled?

Hope this helps.

Kind regards,

Kristof
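
The checks discussed in this thread (a `-trace` switch on a service command line, `debug=true` in bscLogin.conf, the Kerberos `LogLevel` registry value, and `udp_preference_limit` under `[libdefaults]` in krb5.ini) can be run in one pass on the BOE server. The script below is an added example, not something posted by any participant; the two file paths are placeholders to replace, and treating `Win32_Service.PathName` as the service command line is an assumption.

```powershell
param(
    [string]$BscLoginConf = 'C:\PLACEHOLDER\bscLogin.conf',  # placeholder path, not from the thread
    [string]$Krb5Ini      = 'C:\PLACEHOLDER\krb5.ini'        # placeholder path, not from the thread
)

function New-Result([string]$Check, [string]$State, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; State = $State; Detail = $Detail }
}
$results = @()

# 1. Services whose command line carries the -trace switch
$traced = @(Get-WmiObject Win32_Service | Where-Object { $_.PathName -match '(^|\s)-trace(\s|$)' })
if ($traced.Count -gt 0) {
    foreach ($svc in $traced) { $results += New-Result 'Service -trace' 'REVIEW' $svc.Name }
} else { $results += New-Result 'Service -trace' 'OK' 'no service command line contains -trace' }

# 2. debug=true on a non-commented line of bscLogin.conf
if (Test-Path $BscLoginConf) {
    $hits = @(Get-Content $BscLoginConf | Where-Object {
        $_ -notmatch '^\s*(//|#)' -and $_ -match 'debug\s*=\s*"?true' })
    if ($hits.Count -gt 0) { $results += New-Result 'bscLogin.conf debug' 'REVIEW' $hits[0].Trim() }
    else { $results += New-Result 'bscLogin.conf debug' 'OK' 'debug=true not present' }
} else { $results += New-Result 'bscLogin.conf debug' 'SKIPPED' "not found: $BscLoginConf" }

# 3. Kerberos event logging: registry value named in the thread
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$lvl = (Get-ItemProperty -Path $key -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
if ($lvl) { $results += New-Result 'Kerberos LogLevel' 'REVIEW' "LogLevel=$lvl" }
else { $results += New-Result 'Kerberos LogLevel' 'OK' 'LogLevel absent or 0' }

# 4. udp_preference_limit inside the [libdefaults] section of krb5.ini
if (Test-Path $Krb5Ini) {
    $section = ''; $udp = $null
    foreach ($line in Get-Content $Krb5Ini) {
        if ($line -match '^\s*\[(.+?)\]') { $section = $Matches[1].Trim() }
        elseif ($section -eq 'libdefaults' -and
                $line -match '^\s*udp_preference_limit\s*=\s*(\d+)') { $udp = $Matches[1] }
    }
    if ($udp -eq '1') { $results += New-Result 'krb5.ini TCP' 'OK' 'udp_preference_limit=1' }
    else { $results += New-Result 'krb5.ini TCP' 'INFO' "udp_preference_limit=$udp (not forcing TCP)" }
} else { $results += New-Result 'krb5.ini TCP' 'SKIPPED' "not found: $Krb5Ini" }

$results | Select-Object Check, State, Detail | Format-Table -AutoSize -Wrap
```

Rows marked REVIEW point at a leftover debug or tracing setting; SKIPPED means the placeholder path still needs to be set.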