It looks like an issue in Windows Server.
Try to find a Windows 10 device, open the Feedback Hub app, select Windows Server in the form, submit all log files and explain the issue there.
Those who are facing the same issue should try to upvote the issue (if it is in the Feedback Hub) or create a new bug report.
Windows Server 2019 Event Viewer shows excessive Security Event Logs (e.g. 5379, 5382, 4797, 4798, 4946, 4948)
When I log in to Windows Server 2019, it is discovered that there are excessive Security Event Logs for:
- 5379 Credential Manager credentials were read
- 5382 Vault credentials were read
- 4797 An attempt was made to query the existence of a blank password for an account
- 4798 A user's local group membership was enumerated
- 4946 A change was made to the Windows Firewall exception list. A rule was added
- 4948 A change was made to the Windows Firewall exception list. A rule was deleted
We have several new servers with Windows Server 2019 installed, and all the servers are experiencing the same issues; in particular, event 5379 appears 20 times a minute and the other events follow.
Since the servers are new, we are sure that we did not perform such actions as described in the event logs. Interestingly, for 4946, 4798, the user name described in the log is "NULL" and "Guest". For 4797, 4798, 5379, all the local accounts are involved as described in user name.
Checking auditpol /get /category:*, we have configured the following:
System Integrity (Success and Failure)
Other System Events (Success and Failure)
Security State Change (Success)
Logon (Success and Failure)
Logoff (Success)
Account Lockout (Success)
Special Logon (Success)
Network Policy Server (Success and Failure)
Audit Policy Change (Success)
Authentication Policy Change (Success)
Computer Account Management (Success)
Security Group Management (Success)
User Account Management (Success)
Directory Service Access (Success)
Kerberos Service Ticket Operations (Success)
Kerberos Authentication Service (Success)
Credential Validation (Success)
What are the causes that lead to this abnormal action?
What conditions will trigger such event logs?
Are there any security issues with such events?
Is this a known issue with these excessive events in Windows Server 2019? I ask because I also find many people talking about similar issues in the forums.
Thanks.
2 answers
Reza-Ameri 16,836 Reputation points
2021-09-09T15:12:01.367+00:00
Paul Mertens 1 Reputation point
2021-10-19T12:05:19.863+00:00
I'm having similar issues on Windows 10 Pro. Whenever the PC is not actively being used, lsass.exe logs an excessive amount of events, e.g. 5379, 4672, 4624, 4634.
Most are for the logged on user, but also other users and SYSTEM.