LogLogic
Microsoft Windows Server 2000/2003
Log Configuration Guide
Proprietary Information
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.
Trademarks
LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.
Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.
LogLogic, Inc.
Preface
About This Guide . . . 5
Technical Support . . . 5
Documentation Support . . . 5
Conventions . . . 6
Chapter 1 – Configuring LogLogic’s Microsoft Windows Server 2000/2003 Log Collection
Introduction to Microsoft Windows Server 2000/2003 . . . 7
Prerequisites . . . 7
Configuring Microsoft Windows Server 2000/2003 for Operational Events . . . 8
Installing and Configuring Lasso Collector . . . 8
Enabling the LogLogic Appliance to Capture Log Data . . . 9
Automatically Identifying a Microsoft Windows Server 2000/2003 Device . . . 9
Adding Microsoft Windows Server 2000/2003 Device . . . 9
Verifying the Configuration . . . 11
Chapter 2 – How LogLogic Supports Microsoft Windows Server 2000/2003
How LogLogic Captures Microsoft Windows Server 2000/2003 Data . . . 12
LogLogic Real-Time Reports . . . 13
Chapter 3 – Troubleshooting and FAQ
Troubleshooting . . . 15
Frequently Asked Questions . . . 16
Appendix A – Event Reference
LogLogic Support for Microsoft Windows Server 2000/2003 Events . . . 17
About This Guide
The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft® Windows enables LogLogic Appliances to capture logs from machines running Microsoft Windows Server 2000/2003. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft Windows Server 2000/2003’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.
Technical Support
LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:
Telephone: Toll Free 1-800-957-LOGS; Local 1-408-834-7480
EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
Email: support@loglogic.com
You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support. When contacting Customer Support, be prepared to provide:
Your name, email address, phone number, and fax number
Your company name and company address
Your machine type and release version
A description of the problem and the content of pertinent error messages (if any)
Documentation Support
Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.
Conventions
LogLogic documentation uses the following conventions to highlight code and command-line elements:
A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
username: system
home directory: home\app
A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
LogLogic_home_directory\upgrade\
Chapter 1 – Configuring LogLogic’s Microsoft Windows Server 2000/2003 Log Collection
This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft Windows Server 2000/2003 logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft Windows Server 2000/2003 log data.
Introduction to Microsoft Windows Server 2000/2003 . . . 7
Prerequisites . . . 7
Configuring Microsoft Windows Server 2000/2003 for Operational Events . . . 8
Enabling the LogLogic Appliance to Capture Log Data . . . 9
Verifying the Configuration . . . 11
Introduction to Microsoft Windows Server 2000/2003
Microsoft Windows Server 2000/2003 operational events appear within the Windows Event Viewer and are located within the host machine’s Windows Event Log. The events are captured by LogLogic's Lasso Collector. The Lasso Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP.
The configuration procedures for Microsoft Windows Server 2000/2003 and the LogLogic Appliance depend upon your environment and how the Lasso Collector is configured. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data on page 12 and the LogLogic Lasso Collector Guide.
Prerequisites
Prior to configuring Microsoft Windows Server 2000/2003 and the LogLogic Appliance, ensure that you meet the following prerequisites:
Microsoft Windows Server 2000/2003 Server installed
Administrative access on the Windows server
Microsoft Windows Server 2000/2003 Server French
Note: For French Windows Event support you will need to run LogLogic Appliance Release 5.1 or later.
Lasso Collector Release 2.0 or later installed on the Windows server. For more information, see the LogLogic Lasso Collector Guide.
LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft Windows Server 2000/2003 support
Configuring Microsoft Windows Server 2000/2003 for Operational Events
Microsoft Windows operational events are posted in the Windows Event Viewer. The events are located in the Windows System logs. These events can be captured by LogLogic Appliance using Lasso Collector. For more information about the Windows Event Viewer, see the Microsoft Windows Server 2000/2003 Product Documentation.
Installing and Configuring Lasso Collector
Microsoft Windows Server 2000/2003 logs are collected and transported using Lasso. Lasso is used to collect and transfer Windows Event logs to the LogLogic Appliance.
By default, the Lasso program directory is located at: C:\Program Files\Lasso
Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:
C:\Program Files\Lasso\LassoRepository\Spool
You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and
Enabling the LogLogic Appliance to Capture Log Data
The following sections describe how to enable the LogLogic Appliance to capture Microsoft Windows Server 2000/2003 log data.
Automatically Identifying a Microsoft Windows Server 2000/2003 Device
With the auto-identification feature, the LogLogic Appliance recognizes Microsoft Windows Server 2000/2003 log messages by default. As the log messages come into the Appliance, they are automatically identified and a new Microsoft Windows Server 2000/2003 device type is added to the log source device list. Default values are used for certain properties, such as the device name.
To enable auto-identification in the LogLogic Appliance:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > System Settings. The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.
Once the automatically identified device is added, you can edit its properties.
IMPORTANT! Do not change the auto-identified Device Type and Host IP information.
To edit an existing Microsoft Windows Server 2000/2003 device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click on an existing Microsoft Windows Server 2000/2003 device in the list and click Modify Device. The Modify Device tab appears.
4. Edit the device fields as needed, then click Update Device.
Adding Microsoft Windows Server 2000/2003 Device
If you do not want to utilize the auto-identification feature, you can manually add a Microsoft Windows Server 2000/2003 device to the LogLogic Appliance before you redirect the logs.
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New.
The Add Device tab appears.
4. Type in the following information for the device:
Name—Name for the Microsoft Windows Server 2000/2003 device
Description (optional)—Description of the Microsoft Windows Server 2000/2003 device
Device Type—Select Microsoft Windows Server 2000/2003 from the drop-down menu
Host IP—IP address of the Microsoft Windows Server 2000/2003 machine
Enable Data Collection—Select the Yes radio button
Refresh Device Name through DNS Lookups (optional)—Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.
Figure 1 Adding a Device to the LogLogic Appliance
5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. When the logs arrive from the specified Microsoft Windows Server 2000/2003
Verifying the Configuration
This section describes how to verify that the configuration changes made to Microsoft Windows Server 2000/2003 and the LogLogic Appliance are applied correctly.
To verify the configuration:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Microsoft Windows Server 2000/2003 device.
If the device name (Microsoft Windows Server 2000/2003) appears in the list of devices (Figure 2), then the configuration is correct.
Figure 2 Log Source Status Tab
If the device does not appear in the Log Source Status tab, check the Microsoft Windows Server 2000/2003 logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft Windows Server 2000/2003 configuration, the Lasso configuration, and the LogLogic Appliance configuration.
Chapter 2 – How LogLogic Supports Microsoft Windows Server 2000/2003
This chapter describes LogLogic's support for Microsoft Windows Server 2000/2003. LogLogic enables you to capture Microsoft Windows Server 2000/2003 log data in order to monitor Microsoft Windows Server 2000/2003 events.
How LogLogic Captures Microsoft Windows Server 2000/2003 Data . . . 12
LogLogic Real-Time Reports . . . 13
How LogLogic Captures Microsoft Windows Server 2000/2003 Data
LogLogic's Lasso Collector is used to collect logs stored in the Windows Event Log. Lasso (the Windows Event Collector) is an open source application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance. If the Windows Event Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed. If the Windows Event Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed.
The Windows Event Collector can also run in both modes at the same time. In hybrid mode, the Collector captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access. Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance’s Syslog Listener via UDP or TCP.
Figure 3 Microsoft Windows Server 2000/2003 with Lasso Collector (in Agent Mode) and the LogLogic Appliance
LogLogic Real-Time Reports
LogLogic provides pre-configured Real-Time Reports for Microsoft Windows Server 2000/2003 log data.
The following Real-Time Reports are available:
All Unparsed Events—Displays data for all events retrieved from the Microsoft Windows Server 2000/2003 log for a specified time interval
Permission Modification—Displays events related to permission modifications performed on user and server objects
User Access—Displays data access and changes done to data during a specified time interval
User Authentication—Displays identity and access related events during a specified time interval
User Created/Deleted—Displays user creation and deletion events
User Last Activity—Displays user specific details and used to track user activity during a specified time interval
Windows Events—Displays Windows event information served during a specified time interval
To access LMI 4 Real-Time Reports:
1. In the left navigation pane, click Real-Time Reports.
2. Click Access Control. The following Real-Time Reports are available:
Permission Modification
User Access
User Authentication
User Created/Deleted
User Last Activity
Windows Events
3. Click Event Logs.
4. Click Operational. The following Real-Time Reports are available:
All Unparsed Events
Chapter 3 – Troubleshooting and FAQ
This chapter contains troubleshooting regarding the configuration and/or use of log collection for Microsoft Windows Server 2000/2003. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.
Troubleshooting . . . 15
Frequently Asked Questions . . . 16
Troubleshooting
Is your version of Microsoft Windows Server 2000/2003 supported?
For more information, see Prerequisites on page 7.
Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.
Are you running Lasso Collector 2.0 or later?
If you are running a release prior to 2.0, you might require an upgrade. Contact LogLogic Support for more information.
Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the LSP that is installed includes support for Microsoft Windows Server 2000/2003. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.
If Microsoft Windows Server 2000/2003 events are not appearing on the LogLogic Appliance...
You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab.
Make sure that you have properly installed and configured Lasso, and that no errors are present in Lasso’s error log (LassoTrace.log). For more information, see the LogLogic Lasso Collector Guide.
Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft Windows Server 2000/2003 Device on page 9 and Adding Microsoft Windows Server 2000/2003 Device on page 9.
If events are not displaying on the LogLogic Appliance even after configuring Microsoft Windows Server 2000/2003 and Lasso correctly...
Microsoft Windows Server 2000/2003 sends the logs, via UDP or TCP, in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft Windows Server 2000/2003 machine. For more information on
Frequently Asked Questions
How does the LogLogic appliance collect logs from Microsoft Windows Server 2000/2003?
For log collection, Lasso Collector is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data on page 12.
What access permissions are required?
To configure logging on Microsoft Windows Server 2000/2003, the Windows user must have administrative permissions.
How do I configure logging on Microsoft Windows Server 2000/2003?
Appendix A – Event Reference
This appendix lists the LogLogic-supported Microsoft Windows Server 2000/2003 events. The Microsoft Windows Server 2000/2003 event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic’s Syslog Listener.
LogLogic Support for Microsoft Windows Server 2000/2003 Events
The following list describes the contents of each of the columns in the tables below.
Item # – Item numbers with the suffix “F” show sample logs in French.
Event ID – Microsoft Windows Server 2000/2003 event identifier.
Agile Reports/Search – Defines if the Microsoft Windows Server 2000/2003 event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic’s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
Operating System – Operating System (OS) where the event can be triggered. In some instances, duplicate Event IDs exist for different OSs.
Title/Comments – Description of the event
Event Category – Category of events such as System, Application, etc.
Event Type – Type of event such as Success audit, Failure audit, etc.
Reports Appears In – LogLogic-provided reports that the event appears in
Sample Log Message – A log message for the event as received by the LogLogic Appliance
#
Event ID Agile Reports /Search Operating SystemTitle / Comments Event
Category Event Type Reports Appears In
Sample Log Message
1 512 Agile Win2003 Windows is starting up. Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 512 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Event Windows is starting up. 25
1F 512 Agile Win2003 French
Windows is starting up. Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 7 Thu May 21 10:31:06 2009 512 Security SYSTEM User Success Audit
KKKKK-KNBMQ2EU3 Événements système Windows démarre. 1 2 512 Agile Win2000 Windows NT is starting up. Security Success
audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 512 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Event Windows NT is starting up. 25
3 513 Agile Win2003 Windows is shutting down. All logon sessions will be terminated by this shutdown.
Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 513 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Windows is shutting down.All logon sessions will be terminated by this shutdown. 25
3F 513 Agile Win2003
French Windows is shutting down.All logon sessions will be terminated by this shutdown.
Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 6 Thu May 21 10:29:57 2009 513 SECURITY Unknown User N/A Success Audit
KKKKK-KNBMQ2EU3 Événements système Windows s'arrête. Toutes les sessions vont être fermées par cet arrêt. 0 4 513 Agile Win2000 Windows NT is shutting down.
All logon sessions will be terminated by this shutdown.
Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 513 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Windows NT is shutting down.All logon sessions will be terminated by this shutdown. 25
5 516 Agile Win2003 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Number of audit messages discarded: %1 Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity
5F Agile Win2003 French
Les ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Security Success audit / Failure audit User Access/ User Last Activity/ Windows Events <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog0Security35Mon Mar 01 16:59:55 2010516SecurityAdministrator UserSuccess AuditLOGLABS-2003FRA Suivi détailléLes ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Certains audits ont été perdus. Nombre de messages d'audit rejetés :%1 6 517 Agile Win2000,
Win2003 The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6
Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Jul 25 12:17:36 10.201.20.214 MSWinEventLog 0 Security 7727 Fri Jul 21 14:32:00 2006 517 Security SYSTEM User Success Audit BLR-WSMTEST-DC1 System Event The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: dmsopann Client Domain: WIPRO Client Logon ID: (0x0,0x44A885) 1 6F 517 Agile Win2003
French The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6
Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Jul 7 05:25:53 10.8.0.39
MSWinEventLog 0 Security 1151 Tue Jul 07 05:15:00 2009 517 Security SYSTEM Well Known Group Success Audit B0324-FR2003 Événements système Le journal d'audit a été effacé Utilisateur principal : SYSTEM Domaine principal : AUTORITE NT Id. de session principale : (0x0,0x3E7) Utilisateur client :
Administrateur Domaine client : DOMAIN Id. de session client : (0x0,0x489A86) 1<13>Jul 6 05:37:34
7 520 Agile Win2003 The system time was changed.
Process ID: %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon ID: %5 Client User Name: %6 Client Domain: %7 Client Logon ID: %8 Previous Time: %10 %9 New Time: %12 %11 Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Jun 12 14:54:42 10.0.0.61 MSWinEventLog 0 Security 923 Sun Jun 12 14:52:47 2005 520 Security loglogic2 User Success Audit IAM3 System Event The system time was changed. Process ID: 2128 Process Name:
C:\WINDOWS\system32\rundll32.exe Primary User Name: loglogic2 Primary Domain: SECTIS Primary Logon ID: (0x0,0xF15F58) Client User Name: loglogic2 Client Domain: SECTIS Client Logon ID: (0x0,0xF15F58) Previous Time: 2:51:48 PM 6/12/2005 New Time: 2:52:47 PM 6/12/2005 829 7F 520 Agile Win2003
French
The system time was changed.
Process ID: %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon ID: %5 Client User Name: %6 Client Domain: %7 Client Logon ID: %8 Previous Time: %10 %9 New Time: %12 %11 Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Jul 6 05:37:34 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 608 Mon Jul 06 05:37:34 2009 520 Security Administrateur User Success Audit B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/2009 567
8 528 Agile Win2000 Successful Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Success Audit User Access/ User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
9 528 Agile Win2003 Successful Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Logon/Logoff Success Audit User Access/ User Last Activity <13>Jul 5 11:04:09 10.1.1.55
MSWinEventLog 0 security 130 Wed Jul 05 10:54:02 2006 528 Security qatest User Success Audit W2K3-LASSO Logon/ Logoff "Successful Logon: User Name: qatest Domain: SQA Logon ID: (0x0,0xD72AEE) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name:
W2K3-LASSO Logon GUID:
9F 528 Agile Win2003
French Successful Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Success Audit User Access/ User Last Activity <13>May 21 10:24:28 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 40 Thu May 21 10:24:03 2009 528 Security SERVICE LOCAL Well Known Group Success Audit KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : SERVICE LOCAL Domaine : AUTORITE NT Id. de la session : (0x0,0x3E5) Type de session : 5 Processus de session : Advapi Package d'authentification : Negotiate Station de travail : GUID d'ouv. de session : - Nom de l'utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de session de l'appelant : (0x0,0x3E7) ID de processus appelant : 868 Services en transit : - Adresse réseau source : - Port source : - 24
10 529 Agile Win2000 Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
11 529 Agile Win2003 Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:23:52 10.1.1.55
11F 529 Agile Win2003 French
Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 6 08:44:18 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1332 Mon Jul 06 08:44:14 2009 529 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Nom d'utilisateur inconnu ou mot de passe incorrect Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1277
12 530 Agile Win2003 Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:42:13 10.1.1.55
MSWinEventLog 0 security 2904 Wed Jul 05 16:42:12 2006 530 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account logon time restriction violation User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name:
W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3444 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1464 " 48511
12F 530 Agile Win2003 French
13 530 Agile Win2000 Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
14  531  Agile  Win2003
Description: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 16:45:06 10.1.1.55 MSWinEventLog 0 security 2940 Wed Jul 05 16:45:06 2006 531 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account currently disabled User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3000 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1468 " 48547

14F  531  Agile  Win2003 French
Description: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 6 08:50:26 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1399 Mon Jul 06 08:50:18 2009 531 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte actuellement désactivé Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1344

15  531  Agile  Win2000
Description: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
16  532  Agile  Win2000
Description: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
16F  532  Agile  Win2003 French
Description: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 18 04:17:27 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 193700 Sat Jul 18 04:17:24 2009 532 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le compte d'utilisateur mentionné est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 192727
17  532  Agile  Win2003
Description: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 16:47:03 10.1.1.55 MSWinEventLog 0 security 2954 Wed Jul 05 16:47:02 2006 532 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified user account has expired User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2960 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1470 " 48561
18  533  Agile  Win2000
Description: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
19  533  Agile  Win2003
Description: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 16:48:07 10.1.1.55 MSWinEventLog 0 security 2976 Wed Jul 05 16:48:06 2006 533 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: User not allowed to logon at this computer User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2996 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1472 " 48583
19F  533  Agile  Win2003 French
Description: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 22 05:08:53 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1371 Wed Jul 22 05:08:53 2009 533 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Utilisateur non autorisé à se connecter sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN Type de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN ID de session de l'appelant : (0x0,0x3E7) ID de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 1317
20  534  Agile  Win2003
Description: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 16:28:08 10.1.1.55
20F  534  Agile  Win2003 French
Description: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 22 04:39:40 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 913 Wed Jul 22 04:39:38 2009 534 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Il n'a pas été accordé à l'utilisateur le type de session demandé sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN Type de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN ID de session de l'appelant : (0x0,0x3E7) ID de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 862

21  534  Agile  Win2000
Description: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
22  535  Agile  Win2003
Description: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Sep 7 14:19:29 10.1.1.55 MSWinEventLog 0 security 67016 Thu Sep 07 14:19:28 2006 535 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified account's password has expired User Name: expire Domain: SQA Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name:
22F  535  Agile  Win2003 French
Description: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 6 08:52:46 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1422 Mon Jul 06 08:52:44 2009 535 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le mot de passe spécifié pour ce compte est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1366

23  535  Agile  Win2000
Description: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
24  536  Agile  Win2003
Description: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
24F  536  Agile  Win2003 French
Description: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 16 10:37:58 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 177163 Thu Jul 16 10:37:21 2009 536 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le composant NetLogon n'est pas actif Nom de l'utilisateur : Meng Kangjian Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0
25  536  Agile  Win2000
Description: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
26  537  Agile  Win2003
Description: Logon Failure: Reason: An error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
26F  537  Agile  Win2003 French
Description: Logon Failure: Reason: An error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 17 08:07:50 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 196324 Fri Jul 17 08:07:50 2009 537 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Erreur lors de l'ouverture de session Nom de l'utilisateur : Domaine : Type d'ouverture de session : 3 Processus d'ouv. de session : Kerberos Package d'authentification : Kerberos Nom de station de travail : - Code du statut : 0xC0000133 Code du sous-statut : 0x0 Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 195243
27  537  Agile  Win2000
Description: Logon Failure: Reason: An unexpected error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
28  538  Agile  Win2000
Description: User Logoff: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4
Category: Logon/Logoff
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 11:04:08 10.1.1.55 MSWinEventLog 0 security 1 Wed Jul 05 10:19:11 2006 538 Security qatest User Success Audit W2K3-LASSO Logon/Logoff "User Logoff: User Name: qatest Domain: SQA Logon ID: (0x0,0x2ABA3D) Logon Type: 5 " 45608
28F  538  Agile  Win2000 French
Description: User Logoff: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4
Category: Logon/Logoff
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>May 21 11:01:37 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 110 Thu May 21 11:01:37 2009 538 Security Administrateur User Success Audit KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Fermeture de la session utilisateur : Utilisateur : Administrateur Domaine :
29  539  Agile  Win2003
Description: Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 16:34:07 10.1.1.55 MSWinEventLog 0 security 2803 Wed Jul 05 16:34:06 2006 539 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account locked out User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2304 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1455 " 48410
29F  539  Agile  Win2003 French
Description: Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 17 03:30:03 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 193000 Fri Jul 17 03:30:03 2009 539 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte verrouillé Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 0.8.0.45 Port source : 0 192031
30  539  Agile  Win2000
Description: Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff
Event type: Failure Audit
Reports: User Access / User Last Activity
31  540  Agile  Win2003
Description: Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 11:04:08 10.1.1.55 MSWinEventLog 0 security 3 Wed Jul 05 10:19:59 2006 540 Security SYSTEM Well Known Group Success Audit W2K3-LASSO Logon/Logoff "Successful Network Logon: User Name: W2K3-LASSO$ Domain: SQA Logon ID: (0x0,0xD30C93) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {e6b578ec-aae0-9e50-b248-c2004fb821e8} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 " 45610
31F  540  Agile  Win2003 French
Description: Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 15 Thu May 21 10:31:14 2009 540 Security ANONYMOUS LOGON Well Known Group Success Audit KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : Domaine : Id. de la session : (0x0,0xA565) Type de session : 3 Processus de session : NtLmSsp Package d'authentification : NTLM Nom de la station de travail : GUID d'ouv. de session : - Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 9

32  540  Agile  Win2000
Description: Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7
Category: Logon/Logoff
Event type: Success Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
33  548  Agile  Win2003
Description: Logon Failure: Reason: Domain sid inconsistent User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Transited Services: %7
Category: Security
Event type: Failure Audit
Reports: User Access / User Last Activity / User Authentication
33F  548  Agile  Win2003 French
Description: Échec de l'ouverture de session
Category: Security
Event type: Success audit / Failure audit
Reports: User Access / User Authentication / User Last Activity / Windows Events
Sample log message: <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 548 Security Administrator User Success Audit LOGLABS-2003FRA Suivi détaillé Échec de l'ouverture de session : Raison : SID du domaine incohérent Nom d'utilisateur : %1 Domaine : %2 Type d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de station de travail : %6 Services en transit : %7
34  548  Agile  Win2000
Description: Logon Failure: Reason: Domain sid inconsistent User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Security
Event type: Failure Audit
Reports: User Access / User Last Activity / User Authentication
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
35  549  Agile  Win2003
Description: Logon Failure: Reason: All sids were filtered out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Security
Event type: Failure Audit
Reports: User Access / User Last Activity / User Authentication
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

35F  549  Agile  Win2003 French
Description: Échec de l'ouverture de session
Category: Security
Event type: Success audit / Failure audit
Reports: User Access / User Authentication / User Last Activity / Windows Events
Sample log message: <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 549 Security Administrator User Failure Audit LOGLABS-2003FRA Suivi détaillé Échec de l'ouverture de session : Raison : Tous les SID étaient épuisés Utilisateur : %1 Domaine : %2 Type d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de la station de travail : %6
36  550  Agile  Win2003
Description: Notification message that could indicate a possible denial-of-service attack.
Category: Security
Event type: Logon / Logoff
Reports: User Access / User Last Activity
37  551  Agile  Win2003
Description: User initiated logoff: User Name: %1 Domain: %2 Logon ID: %3
Category: Security
Event type: Success audit / Failure audit / Information / Error
Reports: User Access
Sample log message: <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 619 Fri Aug 04 12:58:16 2006 551 Security Unknown User N/A Success Audit LOGLOGIC-SRV1 Logon/Logoff User initiated logoff: User Name: Administrator Domain: LOGLOGIC-SRV1 Logon ID: (0x0,0x14d2b) 23
37F  551  Agile  Win2003 French
Description: User initiated logoff: User Name: %1 Domain: %2 Logon ID: %3
Category: Security
Event type: Success audit / Failure audit / Information / Error
Reports: User Access
Sample log message: <13>Jul 1 03:18:31 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 3252 Wed Jul 01 03:18:31 2009 551 Security Administrateur User Success Audit KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Fermeture de session initiée par l'utilisateur : Utilisateur : Administrateur Domaine : FORESTA Id. d'ouv. de session : (0x0,0x260dd) 3228

38  552  Agile  Win2003
Description: Logon attempt using explicit credentials: Logged on user: User Name: %1 Domain: %2 Logon ID: %3 Logon GUID: %4 User whose credentials were used: Target User Name: %5 Target Domain: %6 Target Logon GUID: %7 Target Server Name: %8 Target Server Info: %9 Caller Process ID: %10 Source Network Address: %11 Source Port: %12
Category: Security
Event type: Success audit / Failure audit / Information / Error
Reports: User Access / User Last Activity / User Authentication
Sample log message: <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 614 Fri Aug 04 12:30:37 2006 552 Security SYSTEM User Success Audit LOGLOGIC-SRV1 Logon/Logoff Logon attempt using explicit credentials: Logged on user: User Name: LOGLOGIC-SRV1$ Domain: WORKGROUP Logon ID: (0x0,0x3E7) Logon GUID: - User whose credentials were used: Target User Name: Administrator Target Domain: LOGLOGIC-SRV1 Target Logon GUID: - Target Server Name: localhost Target Server Info: localhost Caller Process ID: 568 Source Network Address: 127.0.0.1 Source Port: 0 18
38F  552  Win2003 French
39  560  Agile  Win2003
Description: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18
Category: Object Access
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 15:58:59 10.1.1.55 MSWinEventLog 0 security 2074 Wed Jul 05 15:58:58 2006 560 Security qatest User Success Audit W2K3-LASSO Object Access "Object Open: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security Handle ID: 452 Operation ID: {0,17577785} Process ID: 3280 Image File Name: C:\WINDOWS\system32\mmc.exe Primary User Name: qatest Primary Domain: SQA Primary Logon ID: (0x0,0x668A8) Client User Name: - Client Domain: - Client Logon ID: - Accesses: Set key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2 " 47681
39F  560  Agile  Win2003 French
Description: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18
Category: Object Access
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jun 30 10:42:40 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 12 Tue Jun 30 10:42:33 2009 560 Security SYSTEM User Success Audit KKKKK-KNBMQ2EU3 Accès aux objets Objet ouvert Serveur de l'objet : Security Type de l'objet : Key Nom de l'objet : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security Identificateur du handle : 204 Identificateur de l'opération : {0,1577787} Id. du processus : 2404 Nom du fichier image : C:\Program Files\Snare\SnareCore.exe Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id d'ouv. de session principale : (0x0,0x3E7) Utilisateur du client : - Domaine du client : - Id. d'ouv. de session client : - Accès : %%1538 %%4432 %%4433 %%4435 %%4436 Privilèges : - Nombre de SID restreint : 0 Masque d'accès : 0x2001B 11
40  560  Agile  Win2000
Description: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses %14
Category: Object Access
Event type: Success Audit
Reports: User Access / User Last Activity
41  562  Agile  Win2003
Description: The handle to an object was closed.
Category: Object Access
Event type: Special Multi-use Subcategory
Reports: User Access / User Last Activity
Sample log message: MSWinEventLog 0 Security 0 Tue Jul 21 8 59 57 2010 4658 Microsoft-Windows-Security-Auditing Unknown Success hayward.Loglabs08Native.lab File System The handle to an object was closed. Subject : Security ID: S-1-5-18 Account Name: HAYWARD$ Account Domain: LOGLABS08NATIVE Logon ID: 0x3e7 Object: Object Server: Security Handle ID: 0x1c0 Process Information: Process ID: 0x7e8 Process Name: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 51813549

42  563  Agile  Win2000
Description: Object Open for Delete: Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15
Category: Object Access
Event type: Success Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
43  563  Agile  Win2003
Description: Object Open for Delete: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses: %14 Privileges: %15 Access Mask: %16
Category: Object Access
Event type: Success Audit
Reports: User Access / User Last Activity
43F  563  Agile  Win2003 French
Description: Objet ouvert pour suppression
Category: Security
Event type: Success audit / Failure audit
Reports: User Access / User Last Activity / Windows Events
Sample log message: <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 563 Security Administrator User Success Audit LOGLABS-2003FRA Suivi détaillé Objet ouvert pour suppression : Serveur d'objet : %1 Type d'objet : %2 Nom de l'objet : %3 Identificateur du handle : %4 Identificateur de l'opération : {%5,%6} Id. du processus : %7 Utilisateur principal : %8 Domaine principal : %9 Id d'ouv. de session principale : %10 Utilisateur client : %11 Domaine client : %12 Id. d'ouv. de session client : %13 Accès : %14 Privilèges : %15 Masque d'accès : %16 17
44  564  Agile  Win2000
Description: Object Deleted: Object Server: %1 Handle ID: %2 Process ID: %3
Category: Object Access
Event type: Success Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
45  564  Agile  Win2003
Description: Object Deleted: Object Server: %1 Handle ID: %2 Process ID: %3 Image File Name: %4
Category: Object Access
Event type: Success Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
45F  564  Agile  Win2003 French
Description: Object Deleted: Object Server: %1 Handle ID: %2 Process ID: %3 Image File Name: %4
Category: Object Access
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 23 09:21:20 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 8498 Thu Jul 23 09:21:14 2009 564 Security Administrateur User Success Audit B0324-FR2003 Accès aux objets Objet supprimé : Serveur d'objet : Security Id. de handle : 1516 Id. de processus : 2544 Nom du fichier d'image :
46  565  Agile  Win2000
Description: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15 Properties:%16%17%18%19 %20%21%22%23%24%25
Category: Directory Service
Event type: Success Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
47  565  Agile  Win2003
Description: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18
Category: Directory Service
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 11:04:09 10.1.1.55
47F  565  Agile  Win2003 French
Description: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18
Category: Directory Service
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jun 30 10:43:21 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 34 Tue Jun 30 10:43:14 2009 565 Security Unknown User N/A Success Audit KKKKK-KNBMQ2EU3 Accès Active Directory Security Account Manager 30
48  566  Agile  Win2003
Description: Object Operation: Object Server: %1 Operation Type: %2 Object Type: %3 Object Name: %4 Handle ID: %5 Primary User Name: %6 Primary Domain: %7 Primary Logon ID: %8 Client User Name: %9 Client Domain: %10 Client Logon ID: %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16
Category: Directory Service
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jul 5 11:09:53 10.1.1.55 MSWinEventLog 0 security 306 Wed Jul 05 11:09:53 2006 566 Security SYSTEM Well Known Group Success Audit W2K3-LASSO Directory Service Access "Object Operation: Object Server: DS Operation Type: Object Access Object Type: %{19195a5b-6da0-11d0-afd3-00c04fd930c9} Object Name: %{0d374542-7f4a-4f11-acdb-5a70b025bc6b} Handle ID: - Primary User Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon ID: (0x0,0x3E7) Client User Name: W2K3-LASSO$ Client Domain: SQA Client Logon ID:
48F  566  Agile  Win2003 French
Description: Object Operation: Object Server: %1 Operation Type: %2 Object Type: %3 Object Name: %4 Handle ID: %5 Primary User Name: %6 Primary Domain: %7 Primary Logon ID: %8 Client User Name: %9 Client Domain: %10 Client Logon ID: %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16
Category: Directory Service
Event type: Success Audit
Reports: User Access / User Last Activity
Sample log message: <13>Jun 30 10:42:40 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 16 Tue Jun 30 10:42:33 2009 566 Security SYSTEM User Success Audit KKKKK-KNBMQ2EU3 Accès Active Directory Opération d'objet : Serveur d'objet : DS Type d'opération : Object Access Type d'objet : %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} Nom d'objet : %{4e9f93a1-5253-4632-be3c-781ee698fa35} ID de handle : - Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA ID d'ouv de session principale : (0x0,0x3E7) Nom d'utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA ID d'ouv de session client : (0x0,0x1813EA) Accès : %%7685 Propriétés : %%7685 %{771727b1-31b8-4cdf-ae62-4fe39fadf89e} %{bf967a76-0de6-11d0-a285-00aa003049e2} %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} Informations additionnelles : Informations additionnelles 2 : Masque d'accès : 0x20 15
49  566  Agile  Win2000
Description: Object Operation: Operation Type %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Primary User Name: %7 Primary Domain: %8 Primary Logon ID: %9 Client User Name: %10 Client Domain: %11 Client Logon ID: %12 Requested Accesses %13
Category: Directory Service
Event type: Success Audit
Reports: User Access / User Last Activity
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
50 567 Agile Win2003 An attempt was made to access an object