LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide


Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.

Preface

About This Guide

Technical Support

Documentation Support

Conventions

Chapter 1 – Configuring LogLogic’s Microsoft Windows Server 2000/2003 Log Collection

Introduction to Microsoft Windows Server 2000/2003

Prerequisites

Configuring Microsoft Windows Server 2000/2003 for Operational Events

Installing and Configuring Lasso Collector

Enabling the LogLogic Appliance to Capture Log Data

Automatically Identifying a Microsoft Windows Server 2000/2003 Device

Adding Microsoft Windows Server 2000/2003 Device

Verifying the Configuration

Chapter 2 – How LogLogic Supports Microsoft Windows Server 2000/2003

How LogLogic Captures Microsoft Windows Server 2000/2003 Data

LogLogic Real-Time Reports

Chapter 3 – Troubleshooting and FAQ

Troubleshooting

Frequently Asked Questions

Appendix A – Event Reference

LogLogic Support for Microsoft Windows Server 2000/2003 Events


About This Guide

The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft® Windows enables LogLogic Appliances to capture logs from machines running Microsoft Windows Server 2000/2003. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft Windows Server 2000/2003’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:

Telephone: Toll Free—1-800-957-LOGS; Local—1-408-834-7480

EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970

Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support. When contacting Customer Support, be prepared to provide:

Your name, email address, phone number, and fax number

Your company name and company address

Your machine type and release version

A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: 

LogLogic_home_directory\upgrade\

Chapter 1 – Configuring LogLogic’s Microsoft Windows Server 2000/2003 Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft Windows Server 2000/2003 logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft Windows Server 2000/2003 log data.

Introduction to Microsoft Windows Server 2000/2003

Prerequisites

Configuring Microsoft Windows Server 2000/2003 for Operational Events

Enabling the LogLogic Appliance to Capture Log Data

Verifying the Configuration

Introduction to Microsoft Windows Server 2000/2003

Microsoft Windows Server 2000/2003 operational events appear within the Windows Event Viewer and are located within the host machine’s Windows Event Log. The events are captured by LogLogic's Lasso Collector. The Lasso Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP.

The configuration procedures for Microsoft Windows Server 2000/2003 and the LogLogic Appliance depend upon your environment and how the Lasso Collector is configured. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data and the LogLogic Lasso Collector Guide.

Prerequisites

Prior to configuring Microsoft Windows Server 2000/2003 and the LogLogic Appliance, ensure that you meet the following prerequisites:

Microsoft Windows Server 2000/2003 installed

Administrative access on the Windows server

Microsoft Windows Server 2000/2003 (French edition), if French event text is to be collected

Note: For French Windows Event support you will need to run LogLogic Appliance Release 5.1 or later.

Lasso Collector Release 2.0 or later installed on the Windows server. For more information, see the LogLogic Lasso Collector Guide.

LogLogic Appliance running Release 5.1 or later, with a Log Source Package installed that includes Microsoft Windows Server 2000/2003 support

Configuring Microsoft Windows Server 2000/2003 for Operational Events

Microsoft Windows operational events are posted in the Windows Event Viewer and stored in the host's Windows event logs (the events listed in Appendix A are drawn from the Security log). These events can be captured by the LogLogic Appliance using Lasso Collector. For more information about the Windows Event Viewer, see the Microsoft Windows Server 2000/2003 Product Documentation.

Installing and Configuring Lasso Collector

Microsoft Windows Server 2000/2003 logs are collected and transported by Lasso, which reads the Windows Event logs and transfers them to the LogLogic Appliance.

By default, the Lasso program directory is located at: C:\Program Files\Lasso

Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:

C:\Program Files\Lasso\LassoRepository\Spool

You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft Windows Server 2000/2003 log data.

Automatically Identifying a Microsoft Windows Server 2000/2003 Device

With the auto-identification feature, the LogLogic Appliance recognizes Microsoft Windows Server 2000/2003 log messages by default. As the log messages come into the Appliance, they are automatically identified and a new Microsoft Windows Server 2000/2003 device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Administration > System Settings. The General tab appears.

3. For Auto-identify Log Sources, select Yes.

4. Click Update.

Once the automatically identified device is added, you can edit its properties.

IMPORTANT! Do not change the auto-identified Device Type and Host IP information.

To edit an existing Microsoft Windows Server 2000/2003 device:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices. The Devices tab appears.

3. Click on an existing Microsoft Windows Server 2000/2003 device in the list and click Modify Device. The Modify Device tab appears.

4. Edit the device fields as needed, then click Update Device.

Adding Microsoft Windows Server 2000/2003 Device

If you do not want to utilize the auto-identification feature, you can manually add a Microsoft Windows Server 2000/2003 device to the LogLogic Appliance before you redirect the logs.

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices. The Devices tab appears.

3. Click Add New.

The Add Device tab appears.

4. Type in the following information for the device:

Name—Name for the Microsoft Windows Server 2000/2003 device

Description (optional)—Description of the Microsoft Windows Server 2000/2003 device

Device Type—Select Microsoft Windows Server 2000/2003 from the drop-down menu

Host IP—IP address of the Microsoft Windows Server 2000/2003 server (the address the Lasso messages arrive from)

Enable Data Collection—Select the Yes radio button

Refresh Device Name through DNS Lookups (optional)—Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 1 Adding a Device to the LogLogic Appliance

5. Click Add.

6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. When the logs arrive from the specified Microsoft Windows Server 2000/2003

Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft Windows Server 2000/2003 and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.

3. Locate the IP address for each Microsoft Windows Server 2000/2003 device.

If the device name (Microsoft Windows Server 2000/2003) appears in the list of devices (Figure 2), then the configuration is correct.

Figure 2 Log Source Status Tab

If the device does not appear in the Log Source Status tab, check the Microsoft Windows Server 2000/2003 logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft Windows Server 2000/2003 configuration, the Lasso configuration, and the LogLogic Appliance configuration.

Chapter 2 – How LogLogic Supports Microsoft Windows Server 2000/2003

This chapter describes LogLogic's support for Microsoft Windows Server 2000/2003. LogLogic enables you to capture Microsoft Windows Server 2000/2003 log data and monitor Microsoft Windows Server 2000/2003 events.

How LogLogic Captures Microsoft Windows Server 2000/2003 Data

LogLogic Real-Time Reports

How LogLogic Captures Microsoft Windows Server 2000/2003 Data

LogLogic's Lasso Collector (also called the Windows Event Collector) is an open source application developed by LogLogic to collect the logs stored in the Windows Event Log and forward them in Syslog format to the LogLogic Appliance. In Agent Mode, logs are collected and forwarded from the Windows system where Lasso is installed. In Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed.

Lasso can also run in both modes at the same time. In hybrid mode, it captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access. Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance’s Syslog Listener via UDP or TCP.

Figure 3 Microsoft Windows Server 2000/2003 with Lasso Collector (in Agent Mode) and the LogLogic Appliance

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft Windows Server 2000/2003 log data.

The following Real-Time Reports are available:

All Unparsed Events—Displays data for all events retrieved from the Microsoft Windows Server 2000/2003 log for a specified time interval

Permission Modification—Displays events related to permission modifications performed on user and server objects

User Access—Displays data access and changes done to data during a specified time interval

User Authentication—Displays identity and access related events during a specified time interval

User Created/Deleted—Displays user creation and deletion events

User Last Activity—Displays user specific details and used to track user activity during a specified time interval

Windows Events—Displays Windows event information served during a specified time interval

To access LMI 4 Real-Time Reports:

1. In the left navigation pane, click Real-Time Reports.

2. Click Access Control. The following Real-Time Reports are available:

Permission Modification

User Access

User Authentication

User Created/Deleted

User Last Activity

Windows Events

3. Click Event Logs.

4. Click Operational. The following Real-Time Reports are available:

All Unparsed Events

Chapter 3 – Troubleshooting and FAQ

This chapter contains troubleshooting information about the configuration and use of log collection for Microsoft Windows Server 2000/2003. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

Troubleshooting

Frequently Asked Questions

Troubleshooting

Is your version of Microsoft Windows Server 2000/2003 supported?

For more information, see Prerequisites.

Is your LogLogic Appliance running Release 5.1 or later?

If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

Are you running Lasso Collector 2.0 or later?

If you are running a release prior to 2.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?

Check to make sure that the LSP that is installed includes support for Microsoft Windows Server 2000/2003. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft Windows Server 2000/2003 events are not appearing on the LogLogic Appliance...

You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab.

Make sure that you have properly installed and configured Lasso, and that no errors are present in Lasso’s error log (LassoTrace.log). For more information, see the LogLogic Lasso Collector Guide.

Also make sure that the Appliance is properly auto-identifying the device. If not, try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft Windows Server 2000/2003 Device and Adding Microsoft Windows Server 2000/2003 Device.

If events are not displaying on the LogLogic Appliance even after configuring Microsoft Windows Server 2000/2003 and Lasso correctly...

Lasso on the Microsoft Windows Server 2000/2003 machine sends the logs, via UDP or TCP, in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft Windows Server 2000/2003 machine. For more information on
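The transport check the paragraph above asks for, as an added example that is not part of the guide and not Lasso code: stand up a throwaway listener in place of the Appliance's Syslog Listener, push one event line at it over UDP and then over TCP, and confirm it arrives intact. Pointed at the real Appliance, send_syslog is the same call; the listener port is assumed to be the standard syslog port 514, which the guide does not state, so confirm it on your Appliance. The test event is constructed in the MSWinEventLog layout of the Appendix A samples with tab-separated fields (an assumption; the printed guide collapses them to spaces). Note the asymmetry the check exposes: a TCP send to a closed or filtered port fails loudly, a UDP send never does, which is why a blocked UDP path looks like "Lasso is running but nothing arrives".

```python
import socket
import threading

# Constructed test event (not a captured log) in the MSWinEventLog layout of the guide's
# Appendix A samples; tab separation between fields is assumed.
TEST_EVENT = (
    "<13>Aug  8 09:26:00 10.0.0.5 MSWinEventLog\t0\tSecurity\t1\tFri Aug 04 12:59:22 2006\t512"
    "\tSecurity\tSYSTEM\tUser\tSuccess Audit\tSRV1\tSystem Event\tWindows is starting up.\t1"
)
SYSLOG_PORT = 514   # assumed default for the Appliance's Syslog Listener; confirm on your Appliance


def send_syslog(message, host, port=SYSLOG_PORT, proto="udp", timeout=3.0):
    """Send one syslog line over UDP or TCP and return the byte count written.
    TCP raises (ConnectionRefusedError / timeout) when the listener is closed or filtered;
    UDP never does, so a missing event on UDP is silent."""
    data = message.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            return s.sendto(data, (host, port))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data + b"\n")          # plain syslog over TCP is newline-framed
        return len(data) + 1


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds (UDP cannot be probed this way)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unused_local_port():
    """An ephemeral loopback port nothing is listening on, for the closed-port case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def loopback_check(proto, wait=5.0):
    """Stand up a throwaway listener on 127.0.0.1 in place of the Appliance, send TEST_EVENT
    to it with send_syslog, and return the line the listener received (None on timeout)."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    srv = socket.socket(socket.AF_INET, kind)
    srv.settimeout(wait)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if proto == "tcp":
        srv.listen(1)                     # listen before the sender connects
    received = []

    def listener():
        try:
            if proto == "udp":
                data, _ = srv.recvfrom(65535)
            else:
                conn, _ = srv.accept()
                with conn:
                    conn.settimeout(wait)
                    data = b""
                    while not data.endswith(b"\n"):   # read until the newline frame ends
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        data += chunk
            received.append(data.rstrip(b"\n").decode("utf-8"))
        except OSError:                    # includes socket.timeout
            received.append(None)
        finally:
            srv.close()

    t = threading.Thread(target=listener, daemon=True)
    t.start()
    send_syslog(TEST_EVENT, "127.0.0.1", port, proto)
    t.join(wait + 1.0)
    return received[0] if received else None


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        ok = loopback_check(proto) == TEST_EVENT
        print(f"{proto}: {'delivered intact' if ok else 'FAILED'}")
    print("closed TCP port reported open?", tcp_port_open("127.0.0.1", unused_local_port()))
```

Run the loopback check on the Windows host first to rule out the Python side, then call send_syslog with the Appliance's address and watch the Log Source Status tab: if the TCP send raises, the path is blocked between host and Appliance; if UDP "succeeds" and nothing shows, suspect a firewall or the listener port rather than Lasso.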

Frequently Asked Questions

How does the LogLogic appliance collect logs from Microsoft Windows Server 2000/2003?

For log collection, Lasso Collector is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data.

What access permissions are required?

To configure logging on Microsoft Windows Server 2000/2003, the Windows user must have administrative permissions.

How do I configure logging on Microsoft Windows Server 2000/2003?

Appendix A – Event Reference

This appendix lists the LogLogic-supported Microsoft Windows Server 2000/2003 events. The Microsoft Windows Server 2000/2003 event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic’s Syslog Listener.

LogLogic Support for Microsoft Windows Server 2000/2003 Events

The following list describes the contents of each of the columns in the tables below.

Item # – Item numbers with the suffix “F” show sample logs in French.

Event ID – Microsoft Windows Server 2000/2003 event identifier.

Agile Reports/Search – Defines if the Microsoft Windows Server 2000/2003 event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic’s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.

Operating System – Operating System (OS) where the event can be triggered. In some instances, duplicate Event IDs exist for different OSs.

Title/Comments – Description of the event.

Event Category – Category of events such as System, Application, etc.

Event Type – Type of event such as Success audit, Failure audit, etc.

Reports Appears In – LogLogic-provided reports that the event appears in.

Sample Log Message – The event as received by LogLogic’s Syslog Listener.
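The sample log messages in the table that follows share one layout: a syslog header, the literal tag MSWinEventLog, and then the event fields in a fixed order (criticality, log name, counter, event time, Event ID, source, user, SID type, event type, computer, category, message text, trailing counter), the text form Chapter 2 says Lasso forwards. That is simple enough to parse and alert on outside the Appliance, which is useful when checking what a rule will see before relying on the built-in reports. The following is an added example, not LogLogic or Lasso code. It splits lines into named fields, keys on the Event ID (locale-independent: the "F" items carry the same IDs with French text, so only the message-label regexes need both languages), and applies a few rules a practitioner would want from this event set: audit log cleared (517), audit events lost (516), system time changed (520), and repeated logon failures (529 through 532) counted per origin, falling back to the workstation name on Windows 2000 events, which carry no source address. Tab separation between fields is an assumption (the printed guide collapses whitespace); the sample lines, hosts and user names are constructed, not captured.

```python
import re
from collections import Counter

# Constructed sample lines (made-up values) in the layout of the guide's Appendix A samples:
# syslog header, MSWinEventLog tag, then tab-separated fields (tabs are an assumption).
def _line(ts, host, *fields):
    return f"<13>{ts} {host} MSWinEventLog\t" + "\t".join(fields)

FR_529 = ("Échec de l'ouverture de session : Raison : Nom d'utilisateur inconnu ou mot de passe "
          "incorrect Nom de l'utilisateur : test Domaine : FR2003 Type de session : 3 Processus "
          "d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : "
          "WS1 Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - "
          "ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 "
          "Port source : 0")

SAMPLE_LINES = [
    _line("Aug  8 09:26:00", "10.0.0.5", "0", "Security", "621", "Fri Aug 04 12:59:22 2006", "512",
          "Security", "SYSTEM", "User", "Success Audit", "SRV1", "System Event",
          "Windows is starting up.", "25"),
    _line("Jul 25 12:17:36", "10.0.0.6", "0", "Security", "7727", "Fri Jul 21 14:32:00 2006", "517",
          "Security", "SYSTEM", "User", "Success Audit", "DC1", "System Event",
          "The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY "
          "Primary Logon ID: (0x0,0x3E7) Client User Name: jdoe Client Domain: CORP "
          "Client Logon ID: (0x0,0x44A885)", "1"),
    # three French-locale failures from one address (the Windows 2003 layout carries a source address)
    *[_line("Jul  6 08:44:18", "fr2003.example.test", "4", "Security", str(1332 + i),
            "Mon Jul 06 08:44:14 2009", "529", "Security", "SYSTEM", "User", "Failure Audit",
            "FR2003", "Ouverture/Fermeture de session", FR_529, str(1277 + i)) for i in range(3)],
    # Windows 2000 layout: no source address field, so the workstation name is the only origin
    _line("Jul  5 16:23:52", "10.0.0.7", "0", "Security", "2900", "Wed Jul 05 16:23:51 2006", "529",
          "Security", "SYSTEM", "User", "Failure Audit", "W2K-SRV", "Logon/Logoff",
          "Logon Failure: Reason: Unknown user name or bad password User Name: test Domain: CORP "
          "Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WS9", "7"),
    "<13>Jul  5 16:23:53 10.0.0.7 someapp: not a Windows event",   # not MSWinEventLog: left unparsed
]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MSWinEventLog\t(?P<rest>.*)$", re.S)
FIELD_NAMES = ("criticality", "log", "counter", "event_time", "event_id", "source",
               "user", "sid_type", "event_type", "computer", "category")

def parse_line(line):
    """Split one syslog line into named fields; None if it is not an MSWinEventLog record."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = m.group("rest").split("\t")
    if len(fields) < len(FIELD_NAMES) + 2:          # named fields + message + trailing counter
        return None
    ev = dict(zip(FIELD_NAMES, fields))
    ev["message"] = " ".join(fields[len(FIELD_NAMES):-1])   # message text may itself hold tabs
    ev["trailer"] = fields[-1]
    if not ev["event_id"].isdigit():
        return None
    ev["event_id"] = int(ev["event_id"])
    pri = int(m.group("pri"))
    ev.update(syslog_host=m.group("host"), syslog_time=m.group("ts"),
              facility=pri // 8, severity=pri % 8)
    return ev

# Event IDs are locale-independent; only the message labels differ, so each label regex
# carries the English and the French form shown in the guide's samples.
FAILED_LOGON_IDS = {529, 530, 531, 532}           # the logon failures listed in Appendix A
SOURCE_ADDR_RE = re.compile(r"(?:Source Network Address|Adresse réseau source)\s*:\s*(\S+)")
WORKSTATION_RE = re.compile(r"(?:Workstation Name|Nom de station de travail)\s*:\s*(\S+)")
CLIENT_USER_RE = re.compile(r"(?:Client User Name|Utilisateur client)\s*:\s*(\S+)")

def failure_origin(ev):
    """Source IP for Windows 2003 failures; the workstation name for Windows 2000 ones, which lack it."""
    m = SOURCE_ADDR_RE.search(ev["message"])
    if m and m.group(1) != "-":
        return m.group(1)
    m = WORKSTATION_RE.search(ev["message"])
    return m.group(1) if m else ev["computer"]

def detect(lines, failed_logon_threshold=3):
    """Apply the rules to raw syslog lines; return (alerts, unparsed_count)."""
    alerts, unparsed, failures = [], 0, Counter()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            unparsed += 1
            continue
        eid, host = ev["event_id"], ev["computer"]
        if eid == 517:                                   # audit log cleared: record who asked for it
            who = CLIENT_USER_RE.search(ev["message"])
            alerts.append(("audit_log_cleared", host, who.group(1) if who else ev["user"]))
        elif eid == 516:                                 # audit queue exhausted: events were lost
            alerts.append(("audit_events_lost", host, ev["user"]))
        elif eid == 520:                                 # system time changed
            alerts.append(("system_time_changed", host, ev["user"]))
        elif eid in FAILED_LOGON_IDS:
            key = (host, failure_origin(ev))
            failures[key] += 1
            if failures[key] == failed_logon_threshold:  # fire once per origin when it crosses
                alerts.append(("repeated_logon_failures",) + key)
    return alerts, unparsed

if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LINES)
    for a in found:
        print(*a)
    print(f"{skipped} line(s) not in MSWinEventLog format")
```

Run as a script it prints the alerts for the constructed samples; to check real coverage, feed detect the lines captured from the Appliance's Syslog Listener. The unparsed count is worth watching on its own: a non-zero value on a feed that should be pure Lasso output usually means the field separator or the host prefix differs from what the parser assumes.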

(18)

#

Event ID Agile Reports /Search Operating System

Title / Comments Event

Category Event Type Reports Appears In

Sample Log Message

1 512 Agile Win2003 Windows is starting up. Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 512 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Event Windows is starting up. 25

1F 512 Agile Win2003 French

Windows is starting up. Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 7 Thu May 21 10:31:06 2009 512 Security SYSTEM User Success Audit

KKKKK-KNBMQ2EU3 Événements système Windows démarre. 1 2 512 Agile Win2000 Windows NT is starting up. Security Success

audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 512 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Event Windows NT is starting up. 25

3 513 Agile Win2003 Windows is shutting down. All logon sessions will be terminated by this shutdown.

Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 513 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Windows is shutting down.All logon sessions will be terminated by this shutdown. 25

3F 513 Agile Win2003

French Windows is shutting down.All logon sessions will be terminated by this shutdown.

Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 6 Thu May 21 10:29:57 2009 513 SECURITY Unknown User N/A Success Audit

KKKKK-KNBMQ2EU3 Événements système Windows s'arrête. Toutes les sessions vont être fermées par cet arrêt. 0 4 513 Agile Win2000 Windows NT is shutting down.

All logon sessions will be terminated by this shutdown.

Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 513 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Windows NT is shutting down.All logon sessions will be terminated by this shutdown. 25

5 516 Agile Win2003 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

Number of audit messages discarded: %1 Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity

(19)

5F Agile Win2003 French

Les ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Security Success audit / Failure audit User Access/ User Last Activity/ Windows Events <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog0Security35Mon Mar 01 16:59:55 2010516SecurityAdministrator UserSuccess AuditLOGLABS-2003FRA Suivi détailléLes ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Certains audits ont été perdus. Nombre de messages d'audit rejetés :%1 6 517 Agile Win2000,

Win2003 The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6

Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Jul 25 12:17:36 10.201.20.214 MSWinEventLog 0 Security 7727 Fri Jul 21 14:32:00 2006 517 Security SYSTEM User Success Audit BLR-WSMTEST-DC1 System Event The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: dmsopann Client Domain: WIPRO Client Logon ID: (0x0,0x44A885) 1 6F 517 Agile Win2003

French The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6

Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Jul 7 05:25:53 10.8.0.39

MSWinEventLog 0 Security 1151 Tue Jul 07 05:15:00 2009 517 Security SYSTEM Well Known Group Success Audit B0324-FR2003 Événements système Le journal d'audit a été effacé Utilisateur principal : SYSTEM Domaine principal : AUTORITE NT Id. de session principale : (0x0,0x3E7) Utilisateur client :

Administrateur Domaine client : DOMAIN Id. de session client : (0x0,0x489A86) 1<13>Jul 6 05:37:34

(20)

7 520 Agile Win2003 The system time was changed.

Process ID: %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon ID: %5 Client User Name: %6 Client Domain: %7 Client Logon ID: %8 Previous Time: %10 %9 New Time: %12 %11 Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Jun 12 14:54:42 10.0.0.61 MSWinEventLog 0 Security 923 Sun Jun 12 14:52:47 2005 520 Security loglogic2 User Success Audit IAM3 System Event The system time was changed. Process ID: 2128 Process Name:

C:\WINDOWS\system32\rundll32.exe Primary User Name: loglogic2 Primary Domain: SECTIS Primary Logon ID: (0x0,0xF15F58) Client User Name: loglogic2 Client Domain: SECTIS Client Logon ID: (0x0,0xF15F58) Previous Time: 2:51:48 PM 6/12/2005 New Time: 2:52:47 PM 6/12/2005 829 7F 520 Agile Win2003

French

The system time was changed.

Process ID: %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon ID: %5 Client User Name: %6 Client Domain: %7 Client Logon ID: %8 Previous Time: %10 %9 New Time: %12 %11 Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity <13>Jul 6 05:37:34 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 608 Mon Jul 06 05:37:34 2009 520 Security Administrateur User Success Audit B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/2009 567

8 528 Agile Win2000 Successful Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Success Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

9 528 Agile Win2003 Successful Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Logon/Logoff Success Audit User Access/ User Last Activity <13>Jul 5 11:04:09 10.1.1.55

MSWinEventLog 0 security 130 Wed Jul 05 10:54:02 2006 528 Security qatest User Success Audit W2K3-LASSO Logon/ Logoff "Successful Logon: User Name: qatest Domain: SQA Logon ID: (0x0,0xD72AEE) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name:

W2K3-LASSO Logon GUID:

(21)

9F 528 Agile Win2003

French Successful Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Success Audit User Access/ User Last Activity <13>May 21 10:24:28 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 40 Thu May 21 10:24:03 2009 528 Security SERVICE LOCAL Well Known Group Success Audit KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : SERVICE LOCAL Domaine : AUTORITE NT Id. de la session : (0x0,0x3E5) Type de session : 5 Processus de session : Advapi Package d'authentification : Negotiate Station de travail : GUID d'ouv. de session : - Nom de l'utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de session de l'appelant : (0x0,0x3E7) ID de processus appelant : 868 Services en transit : - Adresse réseau source : - Port source : - 24

10 529 Agile Win2000 Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

11 529 Agile Win2003 Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:23:52 10.1.1.55

(22)

11F 529 Agile Win2003 French

Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 6 08:44:18 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1332 Mon Jul 06 08:44:14 2009 529 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Nom d'utilisateur inconnu ou mot de passe incorrect Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1277

12 530 Agile Win2003 Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:42:13 10.1.1.55

MSWinEventLog 0 security 2904 Wed Jul 05 16:42:12 2006 530 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account logon time restriction violation User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name:

W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3444 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1464 " 48511

12F 530 Agile Win2003 French

(23)

13 530 Agile Win2000 Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

14 531 Agile Win2003 Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:45:06 10.1.1.55

MSWinEventLog 0 security 2940 Wed Jul 05 16:45:06 2006 531 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account currently disabled User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3000 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1468 " 48547

14F 531 Agile Win2003 French Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 6 08:50:26 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1399 Mon Jul 06 08:50:18 2009 531 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte actuellement désactivé Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1344

15 531 Agile Win2000 Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity


16 532 Agile Win2000 Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

16F 532 Agile Win2003 French Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 18 04:17:27 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 193700 Sat Jul 18 04:17:24 2009 532 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le compte d'utilisateur mentionné est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 192727

17 532 Agile Win2003 Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:47:03 10.1.1.55

MSWinEventLog 0 security 2954 Wed Jul 05 16:47:02 2006 532 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified user account has expired User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2960 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1470 " 48561

18 533 Agile Win2000 Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity


19 533 Agile Win2003 Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:48:07 10.1.1.55

MSWinEventLog 0 security 2976 Wed Jul 05 16:48:06 2006 533 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: User not allowed to logon at this computer User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2996 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1472 " 48583

19F 533 Agile Win2003 French Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 22 05:08:53 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1371 Wed Jul 22 05:08:53 2009 533 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Utilisateur non autorisé à se connecter sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN Type de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN ID de session de l'appelant : (0x0,0x3E7) ID de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 1317

20 534 Agile Win2003 Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:28:08 10.1.1.55


20F 534 Agile Win2003 French Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 22 04:39:40 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 913 Wed Jul 22 04:39:38 2009 534 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Il n'a pas été accordé à l'utilisateur le type de session demandé sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN Type de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN ID de session de l'appelant : (0x0,0x3E7) ID de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 862

21 534 Agile Win2000 Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

22 535 Agile Win2003 Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Sep 7 14:19:29 10.1.1.55 MSWinEventLog 0 security 67016 Thu Sep 07 14:19:28 2006 535 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified account's password has expired User Name: expire Domain: SQA Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name:


22F 535 Agile Win2003 French Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 6 08:52:46 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1422 Mon Jul 06 08:52:44 2009 535 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le mot de passe spécifié pour ce compte est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1366

23 535 Agile Win2000 Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

24 536 Agile Win2003 Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity


24F 536 Agile Win2003 French Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 16 10:37:58 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 177163 Thu Jul 16 10:37:21 2009 536 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le composant NetLogon n'est pas actif Nom de l'utilisateur : Meng Kangjian Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0

25 536 Agile Win2000 Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

26 537 Agile Win2003 Logon Failure: Reason: An error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Failure Audit User Access/ User Last Activity


26F 537 Agile Win2003 French Logon Failure: Reason: An error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 17 08:07:50 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 196324 Fri Jul 17 08:07:50 2009 537 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Erreur lors de l'ouverture de session Nom de l'utilisateur : Domaine : Type d'ouverture de session : 3 Processus d'ouv. de session : Kerberos Package d'authentification : Kerberos Nom de station de travail : - Code du statut : 0xC0000133 Code du sous-statut : 0x0 Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 195243

27 537 Agile Win2000 Logon Failure: Reason: An unexpected error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

28 538 Agile Win2000 Description: User Logoff: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon/Logoff Success Audit User Access/ User Last Activity <13>Jul 5 11:04:08 10.1.1.55

MSWinEventLog 0 security 1 Wed Jul 05 10:19:11 2006 538 Security qatest User Success Audit W2K3-LASSO Logon/ Logoff "User Logoff: User Name: qatest Domain: SQA Logon ID: (0x0,0x2ABA3D) Logon Type: 5 " 45608

28F 538 Agile Win2000 French Description: User Logoff: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon/Logoff Success Audit User Access/ User Last Activity <13>May 21 11:01:37 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 110 Thu May 21 11:01:37 2009 538 Security Administrateur User Success Audit KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Fermeture de la session utilisateur : Utilisateur : Administrateur Domaine :


29 539 Agile Win2003 Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 5 16:34:07 10.1.1.55

MSWinEventLog 0 security 2803 Wed Jul 05 16:34:06 2006 539 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account locked out User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2304 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1455 " 48410

29F 539 Agile Win2003 French Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure Audit User Access/ User Last Activity <13>Jul 17 03:30:03 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 193000 Fri Jul 17 03:30:03 2009 539 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte verrouillé Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 0.8.0.45 Port source : 0 192031

30 539 Agile Win2000 Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Failure Audit User Access/ User Last Activity


31 540 Agile Win2003 Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Success Audit User Access/ User Last Activity <13>Jul 5 11:04:08 10.1.1.55

MSWinEventLog 0 security 3 Wed Jul 05 10:19:59 2006 540 Security SYSTEM Well Known Group Success Audit W2K3-LASSO Logon/Logoff "Successful Network Logon: User Name: W2K3-LASSO$ Domain: SQA Logon ID: (0x0,0xD30C93) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {e6b578ec-aae0-9e50-b248-c2004fb821e8} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 " 45610

31F 540 Agile Win2003 French Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Success Audit User Access/ User Last Activity <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 15 Thu May 21 10:31:14 2009 540 Security ANONYMOUS LOGON Well Known Group Success Audit KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : Domaine : Id. de la session : (0x0,0xA565) Type de session : 3 Processus de session : NtLmSsp Package d'authentification : NTLM Nom de la station de travail : GUID d'ouv. de session : - Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 9

32 540 Agile Win2000 Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Success Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

33 548 Agile Win2003 Logon Failure: Reason: Domain sid inconsistent User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Transited Services: %7 Security Failure Audit User Access/ User Last Activity/ User Authentication


33F 548 Agile Win2003 French Échec de l'ouverture de session Security Success audit / Failure audit User Access / User Authentication/ User Last Activity/ Windows Events <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 548 Security Administrator User Success Audit LOGLABS-2003FRA Suivi détaillé Échec de l'ouverture de session : Raison : SID du domaine incohérent Nom d'utilisateur : %1 Domaine : %2 Type d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de station de travail : %6 Services en transit : %7

34 548 Agile Win2000 Logon Failure: Reason: Domain sid inconsistent User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Security Failure Audit User Access / User Last Activity / User Authentication

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

35 549 Agile Win2003 Logon Failure: Reason: All sids were filtered out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Security Failure Audit User Access / User Last Activity/ User Authentication

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

35F 549 Agile Win2003 French Échec de l'ouverture de session Security Success audit / Failure audit User Access / User Authentication/ User Last Activity/ Windows Events <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 549 Security Administrator User Failure Audit LOGLABS-2003FRA Suivi détaillé Échec de l'ouverture de session : Raison : Tous les SID étaient épuisés Utilisateur : %1 Domaine : %2 Type d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de la station de travail : %6

36 550 Agile Win2003 Notification message that could indicate a possible denial-of-service attack. Security Logon / Logoff User Access / User Last Activity


37 551 Agile Win2003 User initiated logoff: User Name: %1 Domain: %2 Logon ID: %3 Security Success audit / Failure audit / Information /Error User Access <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 619 Fri Aug 04 12:58:16 2006 551 Security Unknown User N/A Success Audit

LOGLOGIC-SRV1 Logon/Logoff User initiated logoff: User Name: Administrator Domain: LOGLOGIC-SRV1 Logon ID: (0x0,0x14d2b) 23

37F 551 Agile Win2003 French User initiated logoff: User Name: %1 Domain: %2 Logon ID: %3 Security Success audit / Failure audit/ Information/ Error User Access <13>Jul 1 03:18:31 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 3252 Wed Jul 01 03:18:31 2009 551 Security Administrateur User Success Audit KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Fermeture de session initiée par l'utilisateur : Utilisateur : Administrateur Domaine : FORESTA Id. d'ouv. de session : (0x0,0x260dd) 3228

38 552 Agile Win2003 Logon attempt using explicit credentials: Logged on user: User Name: %1 Domain: %2 Logon ID: %3 Logon GUID: %4 User whose credentials were used: Target User Name: %5 Target Domain: %6 Target Logon GUID: %7 Target Server Name: %8 Target Server Info: %9 Caller Process ID: %10 Source Network Address: %11 Source Port: %12 Security Success audit / Failure audit/ Information/ Error User Access/ User Last Activity/ User Authentication <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 614 Fri Aug 04 12:30:37 2006 552 Security SYSTEM User Success Audit LOGLOGIC-SRV1 Logon/Logoff Logon attempt using explicit credentials: Logged on user: User Name: LOGLOGIC-SRV1$ Domain: WORKGROUP Logon ID: (0x0,0x3E7) Logon GUID: - User whose credentials were used: Target User Name: Administrator Target Domain: LOGLOGIC-SRV1 Target Logon GUID: - Target Server Name: localhost Target Server Info: localhost Caller Process ID: 568 Source Network Address: 127.0.0.1 Source Port: 0 18

38F 552 Win2003 French


39 560 Agile Win2003 Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18 Object Access Success Audit User Access/ User Last Activity <13>Jul 5 15:58:59 10.1.1.55

MSWinEventLog 0 security 2074 Wed Jul 05 15:58:58 2006 560 Security qatest User Success Audit W2K3-LASSO Object Access "Object Open: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security Handle ID: 452 Operation ID: {0,17577785} Process ID: 3280 Image File Name: C:\WINDOWS\system32\mmc.exe Primary User Name: qatest Primary Domain: SQA Primary Logon ID: (0x0,0x668A8) Client User Name: - Client Domain: - Client Logon ID: - Accesses: Set key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2 " 47681

39F 560 Agile Win2003 French Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18 Object Access Success Audit User Access/ User Last Activity <13>Jun 30 10:42:40 kkkkk-knbmq2eu3.forestA

MSWinEventLog 4 Security 12 Tue Jun 30 10:42:33 2009 560 Security SYSTEM User Success Audit KKKKK-KNBMQ2EU3 Accès aux objets Objet ouvert Serveur de l'objet : Security Type de l'objet : Key Nom de l'objet : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security Identificateur du handle : 204 Identificateur de l'opération : {0,1577787} Id. du processus : 2404 Nom du fichier image : C:\Program Files\Snare\SnareCore.exe Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id d'ouv. de session principale : (0x0,0x3E7) Utilisateur du client : - Domaine du client : - Id. d'ouv. de session client : - Accès : %%1538 %%4432 %%4433 %%4435 %%4436 Privilèges : - Nombre de SID restreint : 0 Masque d'accès : 0x2001B 11

40 560 Agile Win2000 Object Open: Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses %14 Object Access Success Audit User Access/ User Last Activity
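The 560 Object Open rows above carry the access mask granted when a handle is opened: the English sample shows mask 0x2 ("Set key value") on the Eventlog\Security registry key from mmc.exe, and the French sample shows 0x2001B with five access entries on the same key. The Python below is an added example and not LogLogic code. It decodes a registry-key access mask into named rights using the KEY_* and standard-rights bit values from winnt.h, and flags Object Open descriptions that grant write access to the Security event log's configuration key, which is the audit-tampering case a defender wants to see. The first sample description mirrors the guide's English 560 sample; the other two are constructed, the second reusing the 0x2001B mask from the French sample.

```python
import re

# Access-mask bits as defined in winnt.h: standard rights (upper word) and
# registry-key specific rights (lower word).
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
KEY_RIGHTS = {
    0x0001: "KEY_QUERY_VALUE",
    0x0002: "KEY_SET_VALUE",
    0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS",
    0x0010: "KEY_NOTIFY",
    0x0020: "KEY_CREATE_LINK",
}
# Bits that let the caller change the key, its subkeys or its security descriptor.
WRITE_BITS = 0x0002 | 0x0004 | 0x0020 | 0x00010000 | 0x00040000 | 0x00080000

# Registry paths whose modification changes what the Security log records
# (the Eventlog\Security key is the one in the guide's 560 samples).
SENSITIVE_KEY_FRAGMENTS = (r"\SERVICES\EVENTLOG\SECURITY",)

_OBJECT = re.compile(r"Object Name:\s*(\S+)")
_TYPE = re.compile(r"Object Type:\s*(\S+)")
_MASK = re.compile(r"Access Mask:\s*(0x[0-9A-Fa-f]+)")
_IMAGE = re.compile(r"Image File Name:\s*(.+?)\s+Primary User Name:")


def decode_key_mask(mask: int) -> list:
    """Name the rights set in a registry-key access mask, standard rights first."""
    return [name for bit, name in {**STANDARD_RIGHTS, **KEY_RIGHTS}.items() if mask & bit]


def classify_object_open(description: str) -> dict:
    """Extract object, type, image and mask from a 560 description and rate the access."""
    obj, otype = _OBJECT.search(description), _TYPE.search(description)
    mask, image = _MASK.search(description), _IMAGE.search(description)
    if not (obj and mask):
        raise ValueError("not an Object Open description with an access mask")
    mask_value = int(mask.group(1), 16)
    path = obj.group(1)
    is_key = bool(otype) and otype.group(1) == "Key"
    is_write = bool(mask_value & WRITE_BITS)
    sensitive = any(frag in path.upper() for frag in SENSITIVE_KEY_FRAGMENTS)
    return {
        "object": path,
        "object_type": otype.group(1) if otype else "?",
        "image": image.group(1) if image else "?",
        "mask": mask_value,
        "rights": decode_key_mask(mask_value) if is_key else [],
        "write": is_write,
        "sensitive_key": sensitive,
        "alert": is_write and sensitive,   # write access granted on audit-log configuration
    }


_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security"
_COMMON = ("Primary User Name: qatest Primary Domain: SQA Primary Logon ID: (0x0,0x668A8) "
           "Client User Name: - Client Domain: - Client Logon ID: - ")

# Sample descriptions: the first mirrors the guide's English 560 sample, the other two are constructed.
SAMPLES = {
    "mmc_set_value": (
        "Object Open: Object Server: Security Object Type: Key Object Name: " + _KEY +
        " Handle ID: 452 Operation ID: {0,17577785} Process ID: 3280 "
        "Image File Name: C:\\WINDOWS\\system32\\mmc.exe " + _COMMON +
        "Accesses: Set key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2"),
    "snare_read_write": (
        "Object Open: Object Server: Security Object Type: Key Object Name: " + _KEY +
        " Handle ID: 204 Operation ID: {0,1577787} Process ID: 2404 "
        "Image File Name: C:\\Program Files\\Snare\\SnareCore.exe " + _COMMON +
        "Accesses: READ_CONTROL Query key value Set key value Enumerate sub-keys Notify about changes to keys "
        "Privileges: - Restricted Sid Count: 0 Access Mask: 0x2001B"),
    "read_only": (
        "Object Open: Object Server: Security Object Type: Key Object Name: " + _KEY +
        " Handle ID: 900 Operation ID: {0,1} Process ID: 1234 "
        "Image File Name: C:\\WINDOWS\\regedit.exe " + _COMMON +
        "Accesses: READ_CONTROL Query key value Enumerate sub-keys Notify about changes to keys "
        "Privileges: - Restricted Sid Count: 0 Access Mask: 0x20019"),
}


def triage(descriptions: dict) -> dict:
    """Classify every description; return name -> result."""
    return {name: classify_object_open(text) for name, text in descriptions.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{flag:5} {name}: {result['image']} mask={result['mask']:#x} {result['rights']}")
```

Mask 0x2001B decodes to READ_CONTROL plus query, set, enumerate and notify, five rights, which matches the five accesses listed in the French sample. One caveat when turning this into a rule: 560 records the access granted at handle open, so a KEY_SET_VALUE bit means the process was able to write, not that a value was actually changed; the mmc.exe sample (mask 0x2 exactly, a pure write handle) is the stronger signal of the two.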


41 562 Agile Win2003 The handle to an object was closed. Object Access Special Multi-use Subcategory User Access / User Last Activity

MSWinEventLog 0 Security 0 Tue Jul 21 8 59 57 2010 4658 Microsoft-Windows-Security-Auditing Unknown Success hayward.Loglabs08Native.lab File System The handle to an object was closed. Subject : Security ID: S-1-5-18 Account Name: HAYWARD$ Account Domain: LOGLABS08NATIVE Logon ID: 0x3e7 Object: Object Server: Security Handle ID: 0x1c0 Process Information: Process ID: 0x7e8 Process Name: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 51813549

42 563 Agile Win2000 Object Open for Delete: Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15 Object Access Success Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

43 563 Agile Win2003 Object Open for Delete: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses: %14 Privileges: %15 Access Mask: %16 Object Access Success Audit User Access/ User Last Activity


43F 563 Agile Win2003 French Objet ouvert pour suppression Security Success audit/ Failure audit User Access / User Last Activity/ Windows Events <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 563 Security Administrator User Success Audit LOGLABS-2003FRA Suivi détaillé Objet ouvert pour suppression : Serveur d'objet : %1 Type d'objet : %2 Nom de l'objet : %3 Identificateur du handle : %4 Identificateur de l'opération : {%5,%6} Id. du processus : %7 Utilisateur principal : %8 Domaine principal : %9 Id d'ouv. de session principale : %10 Utilisateur client : %11 Domaine client : %12 Id. d'ouv. de session client : %13 Accès : %14 Privilèges : %15 Masque d'accès : %16 17

44 564 Agile Win2000 Object Deleted: Object Server: %1 Handle ID: %2 Process ID: %3 Object Access Success Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

45 564 Agile Win2003 Object Deleted: Object Server: %1 Handle ID: %2 Process ID: %3 Image File Name: %4 Object Access Success Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

45F 564 Agile Win2003 French Object Deleted: Object Server: %1 Handle ID: %2 Process ID: %3 Image File Name: %4 Object Access Success Audit User Access/ User Last Activity <13>Jul 23 09:21:20 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 8498 Thu Jul 23 09:21:14 2009 564 Security Administrateur User Success Audit B0324-FR2003 Accès aux objets Objet supprimé : Serveur d'objet : Security Id. de handle : 1516 Id. de processus : 2544 Nom du fichier d'image :


46 565 Agile Win2000 Object Open: Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15 Properties:%16%17%18%19 %20%21%22%23%24%25 Directory Service Success Audit User Access/ User Last Activity

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

47 565 Agile Win2003 Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service Success Audit User Access/ User Last Activity <13>Jul 5 11:04:09 10.1.1.55


47F 565 Agile Win2003 French Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service Success Audit User Access/ User Last Activity <13>Jun 30 10:43:21 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 34 Tue Jun 30 10:43:14 2009 565 Security Unknown User N/A Success Audit KKKKK-KNBMQ2EU3 Accès Active Directory Security Account Manager 30

48   Event ID 566   Agile   Win2003
    Message format: Object Operation: Object Server: %1 Operation Type: %2 Object Type: %3 Object Name: %4 Handle ID: %5 Primary User Name: %6 Primary Domain: %7 Primary Logon ID: %8 Client User Name: %9 Client Domain: %10 Client Logon ID: %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16
    Category: Directory Service    Type: Success Audit    Report/alert: User Access / User Last Activity
    Sample log message: <13>Jul 5 11:09:53 10.1.1.55 MSWinEventLog 0 security 306 Wed Jul 05 11:09:53 2006 566 Security SYSTEM Well Known Group Success Audit W2K3-LASSO Directory Service Access "Object Operation: Object Server: DS Operation Type: Object Access Object Type: %{19195a5b-6da0-11d0-afd3-00c04fd930c9} Object Name: %{0d374542-7f4a-4f11-acdb-5a70b025bc6b} Handle ID: - Primary User Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon ID: (0x0,0x3E7) Client User Name: W2K3-LASSO$ Client Domain: SQA Client Logon ID:


48F   Event ID 566   Agile   Win2003
    Language: French
    Message format: Object Operation: Object Server: %1 Operation Type: %2 Object Type: %3 Object Name: %4 Handle ID: %5 Primary User Name: %6 Primary Domain: %7 Primary Logon ID: %8 Client User Name: %9 Client Domain: %10 Client Logon ID: %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16
    Category: Directory Service    Type: Success Audit    Report/alert: User Access / User Last Activity
    Sample log message: <13>Jun 30 10:42:40 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 16 Tue Jun 30 10:42:33 2009 566 Security SYSTEM User Success Audit KKKKK-KNBMQ2EU3 Accès Active Directory Opération d'objet : Serveur d'objet : DS Type d'opération : Object Access Type d'objet : %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} Nom d'objet : %{4e9f93a1-5253-4632-be3c-781ee698fa35} ID de handle : - Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA ID d'ouv de session principale : (0x0,0x3E7) Nom d'utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA ID d'ouv de session client : (0x0,0x1813EA) Accès : %%7685 Propriétés : %%7685 %{771727b1-31b8-4cdf-ae62-4fe39fadf89e} %{bf967a76-0de6-11d0-a285-00aa003049e2} %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} Informations additionnelles : Informations additionnelles 2 : Masque d'accès : 0x20 15

49   Event ID 566   Agile   Win2000
    Message format: Object Operation: Operation Type %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Primary User Name: %7 Primary Domain: %8 Primary Logon ID: %9 Client User Name: %10 Client Domain: %11 Client Logon ID: %12 Requested Accesses %13
    Category: Directory Service    Type: Success Audit    Report/alert: User Access / User Last Activity
    Sample log message: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

50   Event ID 567   Agile   Win2003
    Message format: An attempt was made to access an object
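The MSWinEventLog sample lines in this table all share one layout: a syslog priority and timestamp, the sending host, the literal MSWinEventLog, a fixed run of header fields (criticality, source log, counter, date, event ID, source, user, SID type, audit type, computer, category), then the expanded message whose layout follows the Message format column, and finally the agent's trailing field. The parser below is an added example, not LogLogic's or Microsoft's code. It assumes the agent tab-delimits those fields (the extracted samples above render the delimiters as plain whitespace), cuts the event 566 message body using the label list from the Win2003 row above, and maps the Access Mask through Microsoft's ADS_RIGHTS_ENUM bit values. The sample line is constructed from the event 566 sample in the table, with the part the page truncates (from Client Logon ID on) filled in with made-up but well-formed values.

```python
import re

# Snare/Lasso-style header fields that follow "MSWinEventLog", in order.
# Assumption (not stated in the guide): the agent emits them tab-delimited.
HEADER_FIELDS = (
    "criticality", "source_log", "counter", "datetime", "event_id",
    "source_name", "user", "sid_type", "audit_type", "computer", "category",
)

# Labels of the Win2003 event 566 "Object Operation" format, in the order
# the table row above lists them (%1 .. %16).
OBJECT_OPERATION_LABELS = (
    "Object Server", "Operation Type", "Object Type", "Object Name",
    "Handle ID", "Primary User Name", "Primary Domain", "Primary Logon ID",
    "Client User Name", "Client Domain", "Client Logon ID", "Accesses",
    "Properties", "Additional Info", "Additional Info2", "Access Mask",
)

# Directory-service rights (Microsoft ADS_RIGHTS_ENUM bit values) that the
# Access Mask of an Active Directory object-access event can carry.
DS_RIGHTS = (
    (0x1, "CREATE_CHILD"), (0x2, "DELETE_CHILD"), (0x4, "LIST_CONTENTS"),
    (0x8, "SELF"), (0x10, "READ_PROP"), (0x20, "WRITE_PROP"),
    (0x40, "DELETE_TREE"), (0x80, "LIST_OBJECT"), (0x100, "CONTROL_ACCESS"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"),
)

SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+)[ \t]+MSWinEventLog\t(?P<rest>.*)$", re.S)


def parse_snare_line(line):
    """Split one MSWinEventLog syslog line into named header fields."""
    m = SYSLOG_HEADER.match(line.rstrip("\r\n"))
    if m is None:
        # Header values ("Well Known Group", the date) contain spaces, so a
        # line whose fields are not tab-delimited cannot be split reliably.
        raise ValueError("not a tab-delimited MSWinEventLog line")
    parts = m.group("rest").split("\t")
    if len(parts) < len(HEADER_FIELDS) + 1:
        raise ValueError("too few fields: %d" % len(parts))
    pri = int(m.group("pri"))
    rec = {"facility": pri >> 3, "severity": pri & 7,
           "syslog_ts": m.group("ts"), "host": m.group("host")}
    rec.update(zip(HEADER_FIELDS, parts))
    rec["event_id"] = int(rec["event_id"])
    # The agent may wrap the expanded message in double quotes.
    rec["message"] = parts[len(HEADER_FIELDS)].strip().strip('"')
    rec["trailer"] = parts[len(HEADER_FIELDS) + 1:]  # agent's trailing field(s)
    return rec


def parse_labelled_body(body, labels):
    """Cut a body into values at each known "Label:"; absent labels give ''."""
    # Values contain colons and spaces themselves (logon IDs, GUIDs), so the
    # body is split only where a known label followed by ':' occurs.
    pattern = re.compile(
        r"(?<!\S)(" + "|".join(re.escape(l) for l in labels) + r"):")
    hits = list(pattern.finditer(body))
    values = {l: "" for l in labels}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        values[hit.group(1)] = body[hit.end():end].strip()
    return values


def decode_access_mask(mask_text):
    """Map the hex Access Mask field to DS right names ([] when absent)."""
    if not mask_text:
        return []
    mask = int(mask_text, 16)
    return [name for bit, name in DS_RIGHTS if mask & bit]


def object_operation(line):
    """Parse one event 566 line into (header record, fields, right names)."""
    rec = parse_snare_line(line)
    if rec["event_id"] != 566:
        raise ValueError("event %d is not Object Operation (566)" % rec["event_id"])
    fields = parse_labelled_body(rec["message"], OBJECT_OPERATION_LABELS)
    return rec, fields, decode_access_mask(fields["Access Mask"])


# Constructed sample, modelled on the event 566 sample in the table above;
# the part the page truncates (from Client Logon ID on) is filled in here.
SAMPLE_566 = "\t".join([
    "<13>Jul  5 11:09:53 10.1.1.55 MSWinEventLog", "0", "Security", "306",
    "Wed Jul 05 11:09:53 2006", "566", "Security", "SYSTEM",
    "Well Known Group", "Success Audit", "W2K3-LASSO",
    "Directory Service Access",
    '"Object Operation: Object Server: DS Operation Type: Object Access '
    "Object Type: %{19195a5b-6da0-11d0-afd3-00c04fd930c9} "
    "Object Name: %{0d374542-7f4a-4f11-acdb-5a70b025bc6b} Handle ID: - "
    "Primary User Name: W2K3-LASSO$ Primary Domain: SQA "
    "Primary Logon ID: (0x0,0x3E7) Client User Name: W2K3-LASSO$ "
    "Client Domain: SQA Client Logon ID: (0x0,0x3E7) Accesses: %%7685 "
    "Properties: %%7685 %{bf967a76-0de6-11d0-a285-00aa003049e2} "
    'Additional Info: Additional Info2: Access Mask: 0x20"',
    "15",
])
```

Splitting the body at the known labels rather than at every colon is what keeps values such as the logon ID (0x0,0x3E7) and the GUID-valued Object Type intact; for another event ID, pass its own label list taken from that row's Message format column. Rejecting lines that are not tab-delimited is deliberate: header values like Well Known Group contain spaces, and guessing the boundaries would silently shift the user, SID type and computer fields. A decoded Access Mask of 0x20 (WRITE_PROP) on a Directory Service object is a write to an Active Directory object, which is the kind of 566 event worth alerting on when auditing directory changes.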
