Hi,
We are monitoring security event logs on our Exchange 2013 server for any suspicious events. For some time now, we have been seeing a high load of events like the one below every day.
I checked all blocked accounts in the AD domain which could cause it, but there aren't any (all users who left the company were deleted, and there are no disconnected mailboxes).
I also tried to correlate the security event with the IIS logs and search there for the account, but I could not find a match.
Is there any way to check what/who is causing such events?
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: exchange-server$
Account Domain: farbic
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xC000006E
Sub Status: 0xC0000072
Process Information:
Caller Process ID: 0x1ddc
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: exchange-server
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Authz
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0