SNMP Security Event Logs

Subject: SNMP Security Event Logs
Posted by:  Steve Gould (steven.gould at seattle.gov)
Date: Fri, 24 Apr 2009

Recently I was going through the Security logs on a number of servers
looking at successful logons. I noticed an oddity. Every 5 minutes, events
540 and 538 were being recorded from the account of an employee who had moved
to a different department. This worried me at first until I tracked down the
cause. We have a server monitor that uses SNMP and hits the servers every 5
minutes.

Here is the weird part. When SNMP is touched, or the service restarted,
Security event IDs 540 and 538 are logged using the user name of the account
that was logged on when SNMP was first installed. I have verified this on
numerous servers.

I don't like this situation as it muddies the logs a bit. The service should
log as SYSTEM if anything.

Does anyone know if this can be altered?

Thanks,

Steve
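
An added example, not part of the original post: one way to pick out accounts whose event 540 entries recur at a fixed interval, as with the 5-minute SNMP poll described above, so they can be told apart from ordinary logons. The CSV layout (timestamp, event ID, account), the account names and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export: timestamp, event ID, account. Not real log data.
# 540 = successful network logon, 538 = logoff (Windows Server 2003-era IDs).
SAMPLE = """\
2009-04-24 09:00:02,540,former.user
2009-04-24 09:00:03,538,former.user
2009-04-24 08:47:10,540,jsmith
2009-04-24 09:05:01,540,former.user
2009-04-24 09:05:02,538,former.user
2009-04-24 10:12:45,540,jsmith
2009-04-24 09:10:03,540,former.user
2009-04-24 09:10:04,538,former.user
2009-04-24 10:15:20,540,jsmith
2009-04-24 09:15:02,540,former.user
2009-04-24 09:15:03,538,former.user
2009-04-24 14:30:05,540,jsmith
"""


def periodic_logons(text, min_events=4, tolerance=0.1):
    """Return {account: median gap in seconds} for accounts whose 540
    events arrive at a near-constant interval (machine-driven cadence)."""
    times = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or row[1] != "540":
            continue  # skip malformed rows and every event other than 540
        times[row[2]].append(datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"))

    flagged = {}
    for account, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few samples to call it a pattern
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Periodic if every gap stays within +/- tolerance of the median gap.
        if mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps):
            flagged[account] = mid
    return flagged


if __name__ == "__main__":
    for account, gap in periodic_logons(SAMPLE).items():
        print(f"{account}: 540 events about every {gap:.0f} seconds")
```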
