Subject: SNMP Security Event Logs
Posted by: Steve Gould (steven.gould at seattle.gov)
Date: Fri, 24 Apr 2009

Recently I was going through the Security logs on a number of servers
looking at successful logons. I noticed an oddity. Every 5 minutes, events
540 and 538 were being recorded from the account of an employee who had moved to a
different department. This worried me at first until I tracked down the
cause. We have a server monitor that uses SNMP and hits the servers every 5
Here is the weird part. When SNMP is touched, or the service restarted,
Security event IDs 540 and 538 are logged using the user name of the account
that was logged on when SNMP was first installed. I have verified this on
I don't like this situation as it muddies the logs a bit. The service should
log as SYSTEM if anything.
Does anyone know if this can be altered?