
SNMP Security Event Logs

Discussion in 'Windows Home Server' started by Steve Gould, Apr 24, 2009.

  1. Steve Gould

    Steve Gould Guest

    Recently I was going through the Security logs on a number of servers
    looking at successful logons. I noticed an oddity. Every 5 minutes events
    540 and 538 were being recorded from an employee account who had moved to a
    different department. This worried me at first until I tracked down the
    cause. We have a server monitor that uses SNMP and hits the servers every 5
    minutes.

    Here is the weird part. When SNMP is touched, or the service restarted,
    Security event IDs 540 and 538 are logged using the user name of the account
    that was logged on when SNMP was first installed. I have verified this on
    numerous servers.

    I don't like this situation as it muddies the logs a bit. The service should
    log as SYSTEM if anything.

    Does anyone know if this can be altered?

    Thanks,

    Steve
     
  2. Mel K.

    Mel K. Guest

    SNMP Service should run under Local System Account by default (Server 2003
    SP2). Check the service logon settings and change if necessary.

    --
    Thank you,
    Mel K.
    MCSA: M
    "Steve Gould" <steven.gould at seattle.gov> wrote in message
    news:OUxS5CQxJHA.4980@TK2MSFTNGP02.phx.gbl...
    > Recently I was going through the Security logs on a number of servers
    > looking at successful logons. I noticed an oddity. Every 5 minutes
    > events 540 and 538 were being recorded from an employee account who had
    > moved to a different department. This worried me at first until I tracked
    > down the cause. We have a server monitor that uses SNMP and hits the
    > servers every 5 minutes.
    >
    > Here is the weird part. When SNMP is touched, or the service restarted,
    > Security event IDs 540 and 538 are logged using the user name of the
    > account that was logged on when SNMP was first installed. I have verified
    > this on numerous servers.
    >
    > I don't like this situation as it muddies the logs a bit. The service
    > should log as SYSTEM if anything.
    >
    > Does anyone know if this can be altered?
    >
    > Thanks,
    >
    > Steve
    >
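
An added example, not part of the thread: one way to separate the monitor-driven 540/538 pairs described above from real logons is to flag accounts whose network logons recur at a fixed interval. The CSV layout, the account names and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export "timestamp,event_id,user" (assumed layout, not real log data).
SAMPLE = """\
2009-04-24 09:00:02,540,jdoe
2009-04-24 09:00:02,538,jdoe
2009-04-24 09:05:01,540,jdoe
2009-04-24 09:05:02,538,jdoe
2009-04-24 09:07:40,540,asmith
2009-04-24 09:10:02,540,jdoe
2009-04-24 09:10:02,538,jdoe
2009-04-24 09:15:03,540,jdoe
2009-04-24 09:15:03,538,jdoe
2009-04-24 09:48:15,540,asmith
2009-04-24 10:02:51,538,asmith
2009-04-24 11:30:09,540,asmith
"""

def parse(text):
    """Yield (datetime, event_id, user) tuples from the CSV lines."""
    for line in text.splitlines():
        if line.strip():
            ts, event_id, user = (f.strip() for f in line.split(","))
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), user

def periodic_logons(records, min_events=4, tolerance=10):
    """Return {user: period_seconds} for accounts whose 540 events recur steadily."""
    times = defaultdict(list)
    for ts, event_id, user in records:
        if event_id == 540:  # successful network logon; 538 is the matching logoff
            times[user].append(ts)
    flagged = {}
    for user, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few logons to call it a pattern
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        # Every gap must sit within `tolerance` seconds of the median gap.
        if all(abs(g - period) <= tolerance for g in gaps):
            flagged[user] = round(period)
    return flagged

if __name__ == "__main__":
    for user, period in periodic_logons(parse(SAMPLE)).items():
        print(f"{user}: logon every ~{period}s, likely a poller or service")
```

Accounts flagged this way are candidates for a service or poller logging on under a user's name, which is the case where checking the service logon settings applies.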
     
