3 Replies Latest reply on Feb 15, 2013 11:01 AM by nicole pauls

    SVBuild User Logons Flooding Logs

    fkhodaei

      First time posting, so thanks in advance for any help here.

       

      In LEM, under User Logons, I see a large number of "SVBUILD" logons (about 3 entries per second) and apparently a service is just having to authenticate against AD every time. Any idea how we can decrease this frequency so that our logs are not flooded with these?

       

      SVBuild is apparently an SVN by Collabnet.

        • Re: SVBuild User Logons Flooding Logs
          nicole pauls

          Yikes!

           

          I did a quick search and it looks like this isn't a standard SVN user or anything. My guess is that your SVN server is set to authenticate against Active Directory (either using SVBuild or another account) and other accounts (or SVBuild) are constantly authenticating for access to what SVN hosts.

           

          You might look at those UserLogons for the SourceMachine or DestinationMachine and see if you can tell where the logons are coming from. That might narrow down which server is authenticating, then you can figure out what app might be causing it, and whether you can change the behavior.

           

          You could exclude it from your filters and rules if it comes to that, too, but tracking it to the source might give you some info about what's happening.

            • Re: SVBuild User Logons Flooding Logs
              fkhodaei

              Thanks Nicole, I appreciate the reply.

               

              Correct, the SVN is authenticating against AD with a few specific user accounts that actually use the SVN. The sourcemachine is logged as "SVBuild" which I believe is the server running the SVN, and the destination machine is our AD/DC. I'm hoping to track down the root cause of the logs, since even if I filter them out, they are still being generated on the server. Any other ideas or help would be appreciated. Thanks.

                • Re: SVBuild User Logons Flooding Logs
                  nicole pauls

                  You might take a look at what shows up in the Event Log as "Caller Process Name" (on Vista and later, I think it was more spotty in previous versions, might have just been Process Name) and see if you can identify which process it is (in LEM, that might appear in either LogonProcess, ExtraneousInfo, or somewhere else, I don't have one in front of me to double check - worst case use LEM to find a logon and cross-ref in the original event log). If it's not a local logon, is running a service, or is using IIS it might not reveal its true identity (or it's something that's authenticating remotely). If it is remote, you might be able to track it down by what appears in the event log as "Source Network Address" (in LEM that'd be SourceMachine, generally).
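
The cross-reference against the original event log suggested in the thread, sketched in PowerShell as an added example (not code from the thread or from LEM): it tallies logon events for one account by process name, source address, workstation and logon type so the noisiest origin sorts to the top. The function name `Get-LogonOrigin`, the use of event ID 4624 (successful logon on Vista and later) and all sample values are assumptions.

```powershell
# Tally Security-log logon events for one account by origin, so the busiest
# process / source address stands out. The function name is hypothetical and
# the sample events below are constructed, not taken from the thread.
function Get-LogonOrigin {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # one XML string per event
        [Parameter(Mandatory)] [string]   $Account
    )
    $rows = foreach ($raw in $EventXml) {
        $data = @{}
        foreach ($d in ([xml]$raw).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Account) { continue }   # case-insensitive match
        [pscustomobject]@{
            Process = $data['ProcessName']      # shown as (Caller) Process Name
            Source  = $data['IpAddress']        # shown as Source Network Address
            Host    = $data['WorkstationName']
            Type    = $data['LogonType']        # e.g. 3 = network, 5 = service
        }
    }
    $rows | Group-Object Process, Source, Host, Type |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events; addresses are from the 192.0.2.0/24 documentation range.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
    '<Data Name="TargetUserName">{0}</Data><Data Name="LogonType">{1}</Data>' +
    '<Data Name="WorkstationName">{2}</Data><Data Name="ProcessName">{3}</Data>' +
    '<Data Name="IpAddress">{4}</Data></EventData></Event>'
$sample = @(
    ($template -f 'SVBUILD', 3, 'SVBUILD', '-', '192.0.2.10'),
    ($template -f 'SVBUILD', 3, 'SVBUILD', '-', '192.0.2.10'),
    ($template -f 'SVBUILD', 3, 'BUILD02', '-', '192.0.2.22'),
    ($template -f 'jsmith',  2, 'DESK01',  'C:\Windows\System32\winlogon.exe', '127.0.0.1')
)
Get-LogonOrigin -EventXml $sample -Account 'SVBUILD'

# Against the live Security log on the domain controller (run elevated):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() }
# Get-LogonOrigin -EventXml $xml -Account 'SVBUILD'
```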