This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 83%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Can anybody please interpret, what is this log about?
Is this log generated by any service starting or some attacker is trying to access the server using disabled account?
Please suggest.
2020-12-10T09:46:03Z DB01.test.com.np 192.168.1.1 AccelOps-WUA-WinLog-Security [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="xxxxxxxx" [timeZone]="+0545" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4625" [eventType]="Information" [domain]="" [computer]="DB01.test.com.np" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Dec 10 2020 09:46:02" [deviceTime]="Dec 10 2020 09:46:02" [msg]="An account failed to log on." [[Subject]][Security ID]="S-1-5-18" [Account Name]="DB01$" [Account Domain]="test" [Logon ID]="0x3E7" [Logon Type]="5" [[Account For Which Logon Failed]][Security ID]="S-1-0-0" [Account Name]="sp_farm_svc" [Account Domain]="test" [[Failure Information]][Failure Reason]="Account currently disabled." [Status]="0xC000006E" [Sub Status]="0xC0000072" [[Process Information]][Caller Process ID]="0x228" [Caller Process Name]="C:\Windows\System32\services.exe" [[Network Information]][Workstation Name]="DB01" [Source Network Address]="" [Source Port]="" [[Detailed Authentication Information]][Logon Process]="Advapi" [Authentication Package]="Negotiate" [Transited Services]="" [Package Name (NTLM only)]="" [Key Length]="0"
Thanks.
Something here may help.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
--please don't forget to Accept as answer if the reply is helpful--
Hi DSPatrick,
I want to know if the raw log has been generated by any service itself since it is the case of audit failure, also using disabled account and using logon process advapi, so i am confused if someone is trying to login or service itself is creating this event.
Will be helpful, if you can share your thought.
Thanks