Hi all,
I get two of these events once per hour, every day, and can't figure it out.
EVENT # 27868
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Logon/Logoff
EVENT ID 529
USERNAME NT AUTHORITY\SYSTEM
COMPUTERNAME SERVERNAME1
DATE / TIME 7/25/2011 3:34:52 PM
MESSAGE Logon Failure:
Reason: Unknown user name or bad password
User Name: NETWORK SERVICE
Domain: MY DOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVERNAME1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
The only things I have changed are the domain name, server and workstation names. The server and workstation names are always the same. Can anyone help me track down what is causing it and how I can stop it? Is it safe to filter 529, or would that have me ignoring potential hacking attempts?
Thanks.
I would not filter 529 events as you would - like you said - be ignoring any unsuccessful logon attempts.
Logon Type 3 is a network logon, so the attempted logons are coming from "SERVERNAME1"; I would focus my efforts on that machine. Keep in mind that this name can be spoofed, but if you have a computer with that name on your network then it's probably safe to start the investigation there.
If the event comes every hour, then it's probably a scheduled task (or possibly a service) on the remote computer that is trying to access resources on the computer where the event is logged.
Does this help for now? If you can send us more information (e.g. regarding "SERVERNAME1") then we should be able to narrow this down.
"SERVERNAME1" happens to be the server that is reporting the logon activity, the Computername in the event, and the Workstation name in the event. It's like the server is trying to log on to itself.
I will check the application log and see if there is any corresponding activity there. Since there is no Caller Process ID, I don't know how I could check on the services to find out which is doing this.
Thanks for your help.
This is difficult, since none of the important information like the caller info or the source info is logged.
Since there is no caller process id, I suspect that the logon is over the network, even though it's going to the same machine (e.g. \\localhost, \\127.0.0.1).
What services do you have running? Logon type 3 could also mean a logon from IIS.
I would look at other auditing entries around the same time, possibly 592/593 events that indicate a process starting or stopping. You could also use EventSentry's process tracking.
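An added example of the correlation suggested above (this is not part of the thread and not EventSentry's own tooling): it parses a text export laid out like the event in the first post, checks that the 529 failures for one account recur on a fixed interval, and lists which 592 process-creation events landed within a few seconds before each failure, keeping only the images that show up next to every failure. The export, process names, PIDs and times are constructed for illustration; the 592 field names follow the Windows Server 2003 layout.

```python
"""Correlate recurring 529 logon failures with nearby 592 process starts."""
import re
from datetime import datetime, timedelta

# Constructed sample export in the same field/value layout as the posted event.
# The 592 events, process names, PIDs and logon IDs are invented for illustration.
SAMPLE_EXPORT = """\
EVENT ID 592
DATE / TIME 7/25/2011 3:34:50 PM
MESSAGE A new process has been created:
New Process ID: 2844
Image File Name: C:\\Program Files\\ExampleVendor\\hourlyagent.exe
Creator Process ID: 1032
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)

EVENT ID 529
DATE / TIME 7/25/2011 3:34:52 PM
MESSAGE Logon Failure:
Reason: Unknown user name or bad password
User Name: NETWORK SERVICE
Domain: MY DOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVERNAME1

EVENT ID 592
DATE / TIME 7/25/2011 3:41:13 PM
MESSAGE A new process has been created:
New Process ID: 3100
Image File Name: C:\\WINDOWS\\system32\\notepad.exe
Creator Process ID: 1560
User Name: jdoe
Domain: MY DOMAIN
Logon ID: (0x0,0x2A1F3)

EVENT ID 592
DATE / TIME 7/25/2011 4:34:50 PM
MESSAGE A new process has been created:
New Process ID: 2901
Image File Name: C:\\Program Files\\ExampleVendor\\hourlyagent.exe
Creator Process ID: 1032
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)

EVENT ID 529
DATE / TIME 7/25/2011 4:34:52 PM
MESSAGE Logon Failure:
Reason: Unknown user name or bad password
User Name: NETWORK SERVICE
Domain: MY DOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVERNAME1
"""

HEADER_RE = re.compile(r"^(EVENT ID|DATE / TIME|MESSAGE)\s+(.*)$")
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")   # non-greedy so "C:\..." values keep their colon
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_export(text):
    """One blank-line-separated block per event; header lines and 'Key: Value' lines become dict entries."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line) or FIELD_RE.match(line)
            if m:
                ev[m.group(1).strip()] = m.group(2).strip()
        ev["id"] = int(ev["EVENT ID"])
        ev["time"] = datetime.strptime(ev["DATE / TIME"], TIME_FMT)
        events.append(ev)
    return events


def interarrival_minutes(events, event_id, user):
    """Minutes between consecutive events of one ID for one account.
    A flat series near 60.0 points at a timer (scheduled task or service), not a person."""
    times = sorted(e["time"] for e in events
                   if e["id"] == event_id and e.get("User Name") == user)
    return [round((b - a).total_seconds() / 60, 2) for a, b in zip(times, times[1:])]


def correlate_failures(events, window_seconds=10):
    """For each 529, collect the images of 592 events that started within window_seconds before it."""
    starts = [e for e in events if e["id"] == 592]
    window = timedelta(seconds=window_seconds)
    results = []
    for fail in (e for e in events if e["id"] == 529):
        nearby = [s for s in starts if timedelta(0) <= fail["time"] - s["time"] <= window]
        results.append({
            "time": fail["time"],
            "user": fail.get("User Name"),
            "logon_type": fail.get("Logon Type"),
            "suspects": sorted({s["Image File Name"] for s in nearby}),
        })
    return results


def recurring_suspects(results):
    """Images present before every failure; a process seen next to only one failure is noise."""
    if not results:
        return set()
    common = set(results[0]["suspects"])
    for r in results[1:]:
        common &= set(r["suspects"])
    return common


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print("529 inter-arrival (min):", interarrival_minutes(evs, 529, "NETWORK SERVICE"))
    matches = correlate_failures(evs)
    for r in matches:
        print(r["time"], r["user"], "logon type", r["logon_type"], "->", r["suspects"])
    print("recurring suspects:", recurring_suspects(matches))
```

Process Tracking auditing (592/593) has to be enabled before the failures occur for this to have anything to correlate; without it, the 529 alone carries no process reference, as the event above shows. A narrow window is deliberate: with hourly failures, any image that appears inside the window every single time is the first thing to stop or inspect.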
Here is a list of the services running:
.NET Runtime Optimization Service v2.0.50727_X86
Alerter
Application Experience Lookup Service
Application Layer Gateway Service
Application Management
ASP.NET State Service
Automatic Updates
Background Intelligent Transfer Service
Backup Exec Error Recording Service
Backup Exec PureDisk Filesystem Service
Backup Exec Remote Agent for Windows Systems
ClipBook
COM+ Event System
COM+ System Application
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DFS Replication
DHCP Client
Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Client
DSM BMU SOL Proxy
DSM SA Connection Service
DSM SA Data Manager
DSM SA Event Manager
DSM SA Shared Services
Error Reporting Service
Event Log
EventSentry
File Replication
File Server Resource Manager
File Server Storage Reports Manager
Help and Support
HTTP SSL
Human Interface Device Access
IIS Admin Service
IMAPI CD-Burning COM Service
Indexing Service
Intersite Messaging
IPSEC Services
Kerberos Key Distribution Center
License Logging
LiveUpdate
Logical Disk Manager
Logical Disk Manager Administrative Service
Messenger
Microsoft .NET Framework NGEN v4.0.30319_X86
Microsoft Software Shadow Copy Provider
mr2kserv
Net Logon
Net.Tcp Port Sharing Service
NetMeeting Remote Desktop Sharing
Network Connections
Network DDE
Network DDE DSDM
Network Location Awareness (NLA)
Network Provisioning Service
NT LM Security Support Provider
Performance Logs and Alerts
Plug and Play
Pml Driver HPZ12
Portable Media Serial Number Service
Print Spooler
Protected Storage
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Help Session Manager
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Remote Registry
Removable Storage
Resultant Set of Policy Provider
Routing and Remote Access
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
Smart Card
SMS Agent Host
SMS Remote Control Agent
SNMP Service
SNMP Trap Service
Special Administration Console Helper
SQL Server VSS Writer
Symantec Endpoint Protection
Symantec Event Manager
Symantec Management Client
Symantec Network Access Control
Symantec Settings Manager
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Telnet
Terminal Services
Terminal Services Session Directory
Themes
Uninterruptible Power Supply
Virtual Disk Service
Volume Shadow Copy
WebClient
Windows Audio
Windows CardSpace
Windows Event Collector
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Installer
Windows Internal Database (MICROSOFT##SSEE)
Windows Management Instrumentation
Windows Management Instrumentation Driver Extensions
Windows Presentation Foundation Font Cache 3.0.0.0
Windows Presentation Foundation Font Cache 4.0.0.0
Windows Remote Management (WS-Management)
Windows Search
Windows Time
Windows User Mode Driver Framework
WinHTTP Web Proxy Auto-Discovery Service
Wireless Configuration
WMI Performance Adapter
Workstation
World Wide Web Publishing Service
You should be able to rule out all services that are not running under the LocalSystem account, since that is mentioned in the 529 event.
I would also, for now, rule out any built-in services that are part of Windows (e.g. Windows Installer, Terminal Services etc.), with the exception of the WWW service.
Then, I would turn any service off that is non-essential (e.g. SMS Agent Host?) and see if that gets rid of the event. Or, maybe do that after business hours.
Does that help?
Please also keep in mind that this is a public forum, so please don't post too much information about your environment for security reasons.