event id 540

[rdgordon]

why is the workstation field blank on my event id 540?

 

[svsawkar]

What is event id 540?

Usually, if it is a blank audit, it is because the information is not known. Sometimes the generic SYSTEM and Everyone are specified, neither providing much help.

Whatcha looking to do?

/Siddharth

 

[rdgordon]

Well i have auditing of logon events for success and failure and auditing of account logon events for success and failure turned on.
All i want to do is be able to report when a user logs on and of and on what computer...
My log is full of 538 and 540 events, i mean tons of them.

So my first problem is why do i have so many events? The users aren't logging on and off every 5 minutes.

Next why is the workstation field blank in the event.

And lastly what should i set my event log size to because if it's going to fill up with this many events i need to make it bigger than the default

I know this is a lot.
Thanks

 

[svsawkar]

Don't use auditing as a means of determining logon times. You will need to search for that attribute across all DC's to get an accurate result.

Logoff time cannot be determined in any ways.

Finally, you could be seeing those events for a ton of reasons. Any time a remote resource is requested, or you are trying to get to something for the first time, it could trigger a ticket request. This may be what you are seeing.

If you don't have a workstation populated, it wasn't done / could not be determined if it came from a workstation.

/Siddharth