Event Log Management

Logs .. Logs and More Logs

Analyzing ID 537 and the Status Codes

When looking through the logs, have you ever come across that generic logon failure, event ID 537? It doesn’t tell you much at first glance; 90% of the time the User Name in the description field is blank. This event comes in two forms: the workstation version and the DC version.

First I’m going to show the workstation version followed by the DC version.

As seen in the security log from Wrkstation1:

Event Type:        Failure Audit
Event Source:      Security
Event ID:          537
User:              NT AUTHORITY\SYSTEM
Computer:          Wrkstation1
Description:
Logon Failure:
    Reason:                  An error occurred during logon
    User Name:
    Domain:
    Logon Type:              3
    Logon Process:           Kerberos
    Authentication Package:  Kerberos
    Workstation Name:
    Status code:             0xC000006D
    Substatus code:          0xC0000133

As seen in the security log on DC1:

 

Event Type:        Failure Audit
Event Source:      Security
Event ID:          537
User:              NT AUTHORITY\SYSTEM
Computer:          DC1
Description:
Logon Failure:
    Reason:                  An error occurred during logon
    User Name:
    Domain:
    Logon Type:              3
    Logon Process:           Kerberos
    Authentication Package:  Kerberos
    Workstation Name:
    Status code:             0xC000006D
    Substatus code:          0xC0000133
    Caller User Name:
    Caller Domain:
    Caller Logon ID:
    Caller Process ID:
    Transited Services:
    Source Network Address:  192.168.1.144
    Source Port:             0

Once you have the DC’s copy of the event you can track down the system that generated the logon failure, either by the Source Network Address or by the Workstation Name in the description field. The only part of this event that carries real information is the status code (and thank you, Microsoft, for using hex codes instead of plain English).

Most of the time you will beat your head against a wall trying to figure out what these codes mean.

Well, stop looking: I have found an MSDN reference to the NTSTATUS codes.


In the two examples above, Status code 0xC000006D means “The attempted logon is invalid. This is either due to a bad username or authentication information.” Since we already knew that, look at the Substatus code, 0xC0000133, which means “The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount.” Here “too large an amount” means more than 5 minutes, the default Kerberos clock tolerance. Check the system time on the DC where the event was logged and on the workstation identified by the Source Network Address.
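As an added example (not from the post), a small Python helper that parses a 537 description like the ones above, decodes the status and substatus codes, and says whether the clock-skew check applies. The NTSTATUS table holds the two values quoted above plus three other well-known logon failure values; the sample description is constructed from the DC1 event.

```python
import re

# NTSTATUS values: the two the post quotes (0xC000006D, 0xC0000133) plus a few
# other common logon substatus codes, added here for context.
NTSTATUS = {
    0xC000006D: ("STATUS_LOGON_FAILURE", "bad username or authentication information"),
    0xC0000133: ("STATUS_TIME_DIFFERENCE_AT_DC", "clock skew between client and DC too large"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "wrong password"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "user name does not exist"),
}

# One "Label:   value" line of the description; the value may be empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

def parse_description(text):
    """Map each 'Label: value' line of a 537 description to a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def decode(code_text):
    # Hex NTSTATUS text -> (int value, symbolic name, short meaning)
    code = int(code_text, 16) if code_text else 0
    name, meaning = NTSTATUS.get(code, ("UNKNOWN", "not in local table; look it up"))
    return code, name, meaning

def triage_537(text):
    """Decode status/substatus and say which system to look at next."""
    f = parse_description(text)
    _, status, _ = decode(f.get("Status code", ""))
    sub, substatus, meaning = decode(f.get("Substatus code", ""))
    # The DC copy carries the source address; the workstation copy usually does not.
    source = (f.get("Source Network Address") or f.get("Workstation Name")
              or "unknown (read the DC copy of the event)")
    action = "review the credentials used from " + source
    if sub == 0xC0000133:
        action = (f"compare system time on the DC with {source}; "
                  "skew exceeds the Kerberos default limit of 5 minutes")
    return {"logon_type": f.get("Logon Type", ""), "source": source, "status": status,
            "substatus": substatus, "meaning": meaning, "action": action}

# Constructed sample: the DC1 event from the post, header lines omitted.
SAMPLE = """Logon Failure:
    Logon Type:       3
    Workstation Name:
    Status code:       0xC000006D
    Substatus code:    0xC0000133
    Source Network Address:   192.168.1.144
"""
```

Feed it the workstation copy (no Source Network Address) and the result tells you to go read the DC’s copy instead.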


Hope this helps.

February 24, 2009 - Posted in Event Log
