LogLogic Microsoft Windows Server 2003 Log Configuration Guide

LogLogic

Microsoft Windows Server 2003

Log Configuration Guide

Document Release: October 2011 Part Number: LL600029-00ELS090002


Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.


Preface

About This Guide . . . . 5

Technical Support . . . . 5

Documentation Support . . . 5

Conventions. . . 6

Chapter 1 – Configuring LogLogic’s Microsoft Windows Server 2003 Log Collection

Introduction to Microsoft Windows Server 2003 . . . 7

Prerequisites . . . 7

Configuring Microsoft Windows Server 2003 for Operational Events . . . 8

Installing and Configuring Lasso Collector. . . 8

Enabling the LogLogic Appliance to Capture Log Data . . . 9

Automatically Identifying a Microsoft Windows Server 2003 Device . . . 9

Adding Microsoft Windows Server 2003 Device . . . 9

Verifying the Configuration . . . 11

Chapter 2 – How LogLogic Supports Microsoft Windows Server 2003

How LogLogic Captures Microsoft Windows Server 2003 Data . . . 12

LogLogic Real-Time Reports . . . 13

Chapter 3 – Troubleshooting and FAQ

Troubleshooting . . . 15

Frequently Asked Questions . . . 16

Appendix A – Event Reference

LogLogic Support for Microsoft Windows Server 2003 Events . . . 17

About This Guide

The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft® Windows enables LogLogic Appliances to capture logs from machines running Microsoft Windows Server 2003.

Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft Windows Server 2003’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:

Telephone: Toll Free 1-800-957-LOGS; Local 1-408-834-7480

EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970

Email: [email protected]

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support. When contacting Customer Support, be prepared to provide:

Your name, email address, phone number, and fax number

Your company name and company address

Your machine type and release version

A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: 

LogLogic_home_directory\upgrade\

Chapter 1 – Configuring LogLogic’s Microsoft Windows Server 2003 Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft Windows Server 2003 logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft Windows Server 2003 log data.

Introduction to Microsoft Windows Server 2003 . . . 7

Prerequisites . . . 7

Configuring Microsoft Windows Server 2003 for Operational Events . . . 8

Enabling the LogLogic Appliance to Capture Log Data . . . 9

Verifying the Configuration . . . 11

Introduction to Microsoft Windows Server 2003

Microsoft Windows Server 2003 operational events appear within the Windows Event Viewer and are located within the host machine’s Windows Event Log. The events are captured by LogLogic's Lasso Collector. The Lasso Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP.

The configuration procedures for Microsoft Windows Server 2003 and the LogLogic Appliance depend upon your environment and how the Lasso Collector is configured. For more information, see How LogLogic Captures Microsoft Windows Server 2003 Data on page 12 and the LogLogic Lasso Collector Guide.

Prerequisites

Prior to configuring Microsoft Windows Server 2003 and the LogLogic Appliance, ensure that you meet the following prerequisites:

Microsoft Windows Server 2003 Server installed

Administrative access on the Windows server

Microsoft Windows Server 2003 Server French

Microsoft Windows Server 2003 Server German

Note: LogLogic Universal Collector 2.2 or later is required for auto-detection of German Windows sources. See Adding Microsoft Windows Server 2003 Device on page 9 for manual configuration.

Lasso Collector Release 2.0 or later installed on the Windows server. For more information, see the LogLogic Lasso Collector Guide.

LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft Windows Server 2003 support

Configuring Microsoft Windows Server 2003 for Operational Events

Microsoft Windows operational events are posted in the Windows Event Viewer. The events are located in the Windows System logs. These events can be captured by LogLogic Appliance using Lasso Collector. For more information about the Windows Event Viewer, see the Microsoft Windows Server 2003 Product Documentation.

Installing and Configuring Lasso Collector

Microsoft Windows Server 2003 logs are collected and transported using Lasso. Lasso is used to collect and transfer Windows Event logs to the LogLogic Appliance.

By default, the Lasso program directory is located at: C:\Program Files\Lasso

Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:

C:\Program Files\Lasso\LassoRepository\Spool

You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft Windows Server 2003 log data.

Automatically Identifying a Microsoft Windows Server 2003 Device

With the auto-identification feature, the LogLogic Appliance recognizes Microsoft Windows Server 2003 log messages by default. As the log messages come into the Appliance, they are automatically identified and a new Microsoft Windows Server 2003 device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Administration > System Settings. The General tab appears.

3. For Auto-identify Log Sources, select Yes.

4. Click Update.

Once the automatically identified device is added, you can edit its properties.

IMPORTANT! Do not change the auto-identified Device Type and Host IP information.

To edit an existing Microsoft Windows Server 2003 device:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices. The Devices tab appears.

3. Click on an existing Microsoft Windows Server 2003 device in the list and click Modify Device. The Modify Device tab appears.

4. Edit the device fields as needed, then click Update Device.

Adding Microsoft Windows Server 2003 Device

If you do not want to utilize the auto-identification feature, you can manually add a Microsoft Windows Server 2003 device to the LogLogic Appliance before you redirect the logs.

To add a Microsoft Windows Server 2003 device manually:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices. The Devices tab appears.

3. Click Add New.

The Add Device tab appears.

4. Type in the following information for the device:

Name—Name for the Microsoft Windows Server 2003 device

Description (optional)—Description of the Microsoft Windows Server 2003 device

Device Type—Select Microsoft Windows from the drop-down menu

Host IP—IP address of the Microsoft Windows Server 2003 device

Enable Data Collection—Select the Yes radio button

Refresh Device Name through DNS Lookups (optional)—Select this checkbox to have the Name field updated automatically. The name is obtained by a reverse DNS lookup at the configured refresh interval; the DNS name overrides any name you assign manually.

Figure 1 Adding a Device to the LogLogic Appliance

5. Click Add.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft Windows Server 2003 and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.

3. Locate the IP address for each Microsoft Windows Server 2003 device.

If the device name (Microsoft Windows Server 2003) appears in the list of devices (Figure 2), then the configuration is correct.

Figure 2 Log Source Status Tab

If the device does not appear in the Log Source Status tab, check the Microsoft Windows Server 2003 logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft Windows Server 2003 configuration, the Lasso configuration, and the LogLogic Appliance configuration.

Chapter 2 – How LogLogic Supports Microsoft Windows Server 2003

This chapter describes LogLogic's support for Microsoft Windows Server 2003. LogLogic enables you to capture Microsoft Windows Server 2003 log data to monitor Microsoft Windows Server 2003 events.

How LogLogic Captures Microsoft Windows Server 2003 Data . . . 12

LogLogic Real-Time Reports . . . 13

How LogLogic Captures Microsoft Windows Server 2003 Data

LogLogic's Lasso Collector is used to collect logs stored in the Windows Event Log. The Windows Event Collector is an open source application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance. If the Windows Event Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed. If the Windows Event Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed.

The Windows Event Collector can also run in both modes at the same time. In hybrid mode, the Collector captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access. Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance’s Syslog Listener via UDP or TCP.

Figure 3 Microsoft Windows Server 2003 with Lasso Collector (in Agent Mode) and the LogLogic Appliance

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft Windows Server 2003 log data. The following Real-Time Reports are available:

All Unparsed Events—Displays data for all events retrieved from the Microsoft Windows Server 2003 log for a specified time interval

Permission Modification—Displays events related to permission modifications performed on user and server objects

User Access—Displays data access and changes made to data during a specified time interval

User Authentication—Displays identity and access related events during a specified time interval

User Created/Deleted—Displays user creation and deletion events

User Last Activity—Displays user-specific details, used to track user activity during a specified time interval

Windows Events—Displays Windows event information served during a specified time interval

To access LMI 4 Real-Time Reports:

1. In the left navigation pane, click Real-Time Reports.

2. Click Access Control.

The following Real-Time Reports are available:

Permission Modification

User Access

User Authentication

User Created/Deleted

User Last Activity

Windows Events

3. Click Event Logs.

2. Click Access Control.

The following Real-Time Reports are available:

Permission Modification

User Access

User Authentication

User Created/Deleted

User Last Activity

Windows Events

3. Click Operational.

The following Real-Time Reports are available:

All Unparsed Events

Chapter 3 – Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft Windows Server 2003. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

Troubleshooting . . . 15

Frequently Asked Questions . . . 16

Troubleshooting

Is your version of Microsoft Windows Server 2003 supported?

For more information, see Prerequisites on page 7.

Is your LogLogic Appliance running Release 5.1 or later?

If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

Are you running Lasso Collector 2.0 or later?

If you are running a release prior to 2.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?

Check to make sure that the LSP that is installed includes support for Microsoft Windows Server 2003. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft Windows Server 2003 events are not appearing on the LogLogic Appliance...

You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab.

Make sure that you have properly installed and configured Lasso, and that no errors are present in Lasso’s error log (LassoTrace.log). For more information, see the LogLogic Lasso Collector Guide.

Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft Windows Server 2003 Device on page 9 and Adding Microsoft Windows Server 2003 Device on page 9.

If events are not displaying on the LogLogic Appliance even after configuring Microsoft Windows Server 2003 and Lasso correctly...

Frequently Asked Questions

How does the LogLogic appliance collect logs from Microsoft Windows Server 2003?

For log collection, Lasso Collector is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft Windows Server 2003 Data on page 12.
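The forwarding path described in this answer and in How LogLogic Captures Microsoft Windows Server 2003 Data determines what a downstream consumer sees: one syslog line per Windows event, with the MSWinEventLog fields (criticality, log name, counter, event time, Event ID, source, user, SID type, event type, computer, category, message) following the syslog header in the order the Appendix A samples show. The Python script below is an added example, not LogLogic's or Lasso's code. It parses lines in that layout and flags two conditions the Appendix A events make visible to a defender: the audit log being cleared (Event ID 517) and repeated logon failures (Event IDs 529, 530, 531) from one source address against one computer. It assumes the MSWinEventLog fields are tab-delimited (the samples on this page have their tabs collapsed to spaces); the sample lines are constructed from the Appendix A field values, and the failure threshold of 3 is an arbitrary choice.

```python
"""Parse MSWinEventLog syslog lines as forwarded by Lasso and flag events of interest.

Added example; not LogLogic's or Lasso's code. Assumes the fields after the
MSWinEventLog marker are tab-delimited (the Appendix A samples on the page have
their tabs collapsed to spaces). Sample lines are constructed from Appendix A values.
"""
import re
from collections import Counter

# Syslog header (PRI, BSD timestamp, host) followed by the MSWinEventLog marker.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+)[ \t]MSWinEventLog\t(?P<rest>.*)$"
)
# Tab-delimited fields that follow the marker, in the order the samples show.
FIELDS = ("criticality", "log", "counter", "event_time", "event_id", "source",
          "user", "sid_type", "event_type", "computer", "category", "message")

AUDIT_LOG_CLEARED = 517              # Appendix A item 6
LOGON_FAILURE_IDS = {529, 530, 531}  # Appendix A items 9, 10, 11


def parse_mswin_line(line):
    """Return a dict of parsed fields, or None if the line is not an MSWinEventLog record."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    parts = m.group("rest").split("\t")
    if len(parts) < len(FIELDS):
        return None                     # truncated record: do not guess the fields
    ev = dict(zip(FIELDS, parts))
    ev["tail"] = parts[len(FIELDS):]    # trailing Lasso counter, if present
    pri = int(m.group("pri"))
    ev.update(host=m.group("host"), syslog_time=m.group("ts"),
              facility=pri >> 3, severity=pri & 7)
    ev["event_id"] = int(ev["event_id"])
    # For logon events the source address is embedded in the message text; "-" means none.
    addr = re.search(r"Source Network Address:\s*(\S+)", ev["message"])
    ev["source_address"] = addr.group(1) if addr and addr.group(1) != "-" else None
    return ev


def review(lines, failure_threshold=3):
    """Flag audit-log clearing and repeated logon failures per (computer, source address)."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_mswin_line(line)
        if ev is None:
            findings.append(("unparsed", line[:60]))
            continue
        if ev["event_id"] == AUDIT_LOG_CLEARED:
            findings.append(("audit_log_cleared", ev["computer"], ev["user"]))
        if ev["event_id"] in LOGON_FAILURE_IDS:
            failures[(ev["computer"], ev["source_address"])] += 1
    for (computer, addr), n in failures.items():
        if n >= failure_threshold:
            findings.append(("repeated_logon_failures", computer, addr, n))
    return findings


def _logon_failure(counter, port):
    """Constructed Event ID 529 line (values from Appendix A item 9), tab-delimited."""
    return ("<13>Jul  5 16:23:52 10.1.1.55 MSWinEventLog\t0\tsecurity\t%d\t"
            "Wed Jul 05 16:23:52 2006\t529\tSecurity\tSYSTEM\tWell Known Group\t"
            "Failure Audit\tW2K3-LASSO\tLogon/Logoff\tLogon Failure: Reason: Unknown "
            "user name or bad password User Name: test Domain: SQA Logon Type: 10 "
            "Logon Process: User32 Authentication Package: Negotiate Workstation "
            "Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA "
            "Caller Logon ID: (0x0,0x3E7) Caller Process ID: 724 Transited "
            "Services: - Source Network Address: 172.16.0.225 Source Port: %d"
            "\t48173" % (counter, port))


# Constructed sample input modelled on Appendix A items 1, 6 and 9, plus one non-matching line.
SAMPLE_LINES = [
    "<13>Aug  8 09:26:00 10.116.28.102 MSWinEventLog\t0\tSecurity\t621\t"
    "Fri Aug 04 12:59:22 2006\t512\tSecurity\tSYSTEM\tUser\tSuccess Audit\t"
    "LOGLOGIC-SRV1\tSystem Event\tWindows is starting up.\t25",
    "<13>Jul 25 12:17:36 10.201.20.214 MSWinEventLog\t0\tSecurity\t7727\t"
    "Fri Jul 21 14:32:00 2006\t517\tSecurity\tSYSTEM\tUser\tSuccess Audit\t"
    "BLR-WSMTEST-DC1\tSystem Event\tThe audit log was cleared Primary User Name: "
    "SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client "
    "User Name: dmsopann Client Domain: WIPRO Client Logon ID: (0x0,0x44A885)\t1",
    _logon_failure(2566, 1443),
    _logon_failure(2567, 1444),
    _logon_failure(2568, 1445),
    "<13>Jul  5 16:23:53 10.1.1.55 not a Lasso record",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LINES):
        print(finding)
```

Run stand-alone, the script prints one finding for the cleared audit log, one for the three failures from 172.16.0.225 against W2K3-LASSO, and one "unparsed" entry for the line that is not an MSWinEventLog record. It reads nothing from the Appliance or from Lasso's spool directory; feeding it real traffic is left to whatever receives the Syslog Listener's input in your environment. Truncated records are rejected rather than partially parsed so that a cut-off line (like several of the Appendix A samples) never yields a field attributed to the wrong column.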

What access permissions are required?

To configure logging on Microsoft Windows Server 2003, the Windows user must have administrative permissions.

How do I configure logging on Microsoft Windows Server 2003?

Appendix A – Event Reference

This appendix lists the LogLogic-supported Microsoft Windows Server 2003 events. The Microsoft Windows Server 2003 event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic’s Syslog Listener.

LogLogic Support for Microsoft Windows Server 2003 Events

The following list describes the contents of each of the columns in the tables below.

Item # – Item number. Item numbers with the suffix “F” show sample logs in French; item numbers with the suffix “G” show sample logs in German.

Event ID – Microsoft Windows Server 2003 event identifier.

Agile Reports/Search – Defines if the Microsoft Windows Server 2003 event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic’s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.

Operating System – Operating System (OS) where the event can be triggered. In some instances, duplicate Event IDs exist for different OSs.

Title/Comments – Description of the event

Event Category – Category of events such as System, Application, etc.

Event Type – Type of event such as Success audit, Failure audit, etc.

Reports Appears In – LogLogic-provided reports that the event appears in

Each entry below gives, in order: # | Event ID | Agile Reports/Search | Operating System, followed by Title/Comments, Event Category, Event Type, Reports Appears In, and Sample Log Message.

#1 | 512 | Agile | Win2003
Title/Comments: Windows is starting up.
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 512 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Event Windows is starting up. 25

#1F | 512 | Agile | Win2003 French
Title/Comments: Windows is starting up.
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 7 Thu May 21 10:31:06 2009 512 Security SYSTEM User Success Audit KKKKK-KNBMQ2EU3 Événements système Windows démarre. 1

#1G | 512 | Agile | Win2003 German
Title/Comments: Windows is starting up.
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>1 2011-05-10T11:25:41.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Tue May 10 11:25:41 2011 512 Security NT-AUTORITÄT\SYSTEM User Success Audit SRV-W2003-GERMA Systemereignis Windows wird gestartet. 2381

#2 | 513 | Agile | Win2003
Title/Comments: Windows is shutting down. All logon sessions will be terminated by this shutdown.
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 621 Fri Aug 04 12:59:22 2006 513 Security SYSTEM User Success Audit LOGLOGIC-SRV1 System Windows is shutting down.All logon sessions will be terminated by this shutdown. 25

#2F | 513 | Agile | Win2003 French
Title/Comments: Windows is shutting down. All logon sessions will be terminated by this shutdown.
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 6 Thu May 21 10:29:57 2009 513 SECURITY Unknown User N/A Success Audit KKKKK-KNBMQ2EU3 Événements système Windows s'arrête. Toutes les sessions vont être fermées par cet arrêt. 0

#2G | 513 | Agile | Win2003 German
Title/Comments: Windows is shutting down. All logon sessions will be terminated by this shutdown.
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>1 2011-05-06T09:23:25.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Fri May 06 09:23:25 2011 513 SECURITY User Success Audit SRV-W2003-GERMA Systemereignis Windows wird heruntergefahren. Alle Anmeldesitzungen werden durch den Vorgang des Herunterfahrens beendet. 2380

#3 | 516 | Agile | Win2003
Title/Comments: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: %1
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity

#5F | 516 | Agile | Win2003 French
Title/Comments: Internal resources allocated for the audit message queue are exhausted.
Event Category: Security
Event Type: Success audit / Failure audit
Reports Appears In: User Access / User Last Activity / Windows Events
Sample Log Message: <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 516 Security Administrator User Success Audit LOGLABS-2003FRA Suivi détaillé Les ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Certains audits ont été perdus. Nombre de messages d'audit rejetés :%1

#6 | 517 | Agile | Win2003
Title/Comments: The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Jul 25 12:17:36 10.201.20.214 MSWinEventLog 0 Security 7727 Fri Jul 21 14:32:00 2006 517 Security SYSTEM User Success Audit BLR-WSMTEST-DC1 System Event The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: dmsopann Client Domain: WIPRO Client Logon ID: (0x0,0x44A885) 1

#6F | 517 | Agile | Win2003 French
Title/Comments: The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Jul 7 05:25:53 10.8.0.39 MSWinEventLog 0 Security 1151 Tue Jul 07 05:15:00 2009 517 Security SYSTEM Well Known Group Success Audit B0324-FR2003 Événements système Le journal d'audit a été effacé Utilisateur principal : SYSTEM Domaine principal : AUTORITE NT Id. de session principale : (0x0,0x3E7) Utilisateur client : Administrateur Domaine client : DOMAIN Id. de session client : (0x0,0x489A86) 1
<13>Jul 6 05:37:34

#6G | 517 | Agile | Win2003 German
Title/Comments: The audit log was cleared Primary User Name: %1 Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>1 2011-05-16T13:40:56.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 13:40:56 2011 517 Security NT-AUTORITÄT\SYSTEM User Success Audit SRV-W2003-GERMA Systemereignis Das Überwachungsprotokoll wurde gelöscht. Primärer Benutzername: SYSTEM Primäre Domäne: NT-AUTORITÄT Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: administrator Clientdomäne: LL Clientanmeldekennung: (0x0,0x439BD) 1

#7 | 520 | Agile | Win2003
Title/Comments: The system time was changed. Process ID: %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon ID: %5 Client User Name: %6 Client Domain: %7 Client Logon ID: %8 Previous Time: %10 %9 New Time: %12 %11
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Jun 12 14:54:42 10.0.0.61 MSWinEventLog 0 Security 923 Sun Jun 12 14:52:47 2005 520 Security loglogic2 User Success Audit IAM3 System Event The system time was changed. Process ID: 2128 Process Name: C:\WINDOWS\system32\rundll32.exe Primary User Name: loglogic2 Primary Domain: SECTIS Primary Logon ID: (0x0,0xF15F58) Client User Name: loglogic2 Client Domain: SECTIS Client Logon ID: (0x0,0xF15F58) Previous Time: 2:51:48 PM 6/12/2005 New Time: 2:52:47 PM 6/12/2005 829

#7F | 520 | Agile | Win2003 French
Title/Comments: The system time was changed.

#7G | 520 | Agile | Win2003 German
Title/Comments: The system time was changed. Process ID: %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon ID: %5 Client User Name: %6 Client Domain: %7 Client Logon ID: %8 Previous Time: %10 %9 New Time: %12 %11
Event Category: Security
Event Type: Success audit / Failure audit / Information / Error
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>1 2011-05-10T11:26:40.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Tue May 10 11:26:40 2011 520 Security NT-AUTORITÄT\SYSTEM User Success Audit SRV-W2003-GERMA Systemereignis Die Systemzeit wurde geändert. Prozesskennung: 1452 Prozessname: C:\Programme\VMware\VMware Tools\vmtoolsd.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Benutzerdomäne: LL Primäre Benutzeranmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x3E7) Alte Zeit: 11:26:40 10.05.2011 Neue Zeit: 11:26:40 10.05.2011 2492

#8 | 528 | Agile | Win2003
Title/Comments: Successful Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Event Category: Logon/Logoff
Event Type: Success Audit
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Jul 5 11:04:09 10.1.1.55 MSWinEventLog 0 security 130 Wed Jul 05 10:54:02 2006 528 Security qatest User Success Audit W2K3-LASSO Logon/ Logoff "Successful Logon: User Name: qatest Domain: SQA Logon ID: (0x0,0xD72AEE) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Logon GUID: {4fa5f915-b6cf-cc49-b484-b7b61551b7d0} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID:

#8G | 528 | Agile | Win2003 German
Title/Comments: Successful Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Event Category: Logon/Logoff
Event Type: Success Audit
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>1 2011-05-10T11:25:41.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Tue May 10 11:25:41 2011 528 Security NT-AUTORITÄT\SYSTEM User Success Audit SRV-W2003-GERMA An-/Abmeldung Erfolgreiche Anmeldung: Benutzername: SYSTEM Domäne: NT-AUTORITÄT Anmeldekennung: (0x0,0x3E7) Anmeldetyp: 0 Anmeldevorgang: - Authentifizierungspaket: - Name der Arbeitsstation: - Anmelde-GUID: - Aufruferbenutzername: - Aufruferdomäne: - Aufruferanmeldekennung: - Aufruferprozesskennung: 4 Übertragene Dienste: - Quellnetzwerkadresse: - Quellport: - 2382

#9 | 529 | Agile | Win2003
Title/Comments: Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Event Category: Logon/Logoff
Event Type: Failure Audit
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Jul 5 16:23:52 10.1.1.55 MSWinEventLog 0 security 2566 Wed Jul 05 16:23:52 2006 529 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Unknown user name or bad password User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 724 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1443 " 48173

#9F | 529 | Agile | Win2003 French
Title/Comments: Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Event Category: Logon/Logoff
Event Type: Failure Audit
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Jul 6 08:44:18

#9G | 529 | Agile | Win2003 German
Title/Comments: Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Event Category: Logon/Logoff
Event Type: Failure Audit
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>1 2011-05-16T13:55:29.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 13:55:29 2011 529 Security NT-AUTORITÄT\SYSTEM User Failure Audit SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Unbekannter Benutzername oder falsches Kennwort Benutzername: administrator Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 502

#10 | 530 | Agile | Win2003
Title/Comments: Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Event Category: Logon/Logoff
Event Type: Failure Audit
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Jul 5 16:42:13 10.1.1.55 MSWinEventLog 0 security 2904 Wed Jul 05 16:42:12 2006 530 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account logon time restriction violation User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3444 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1464 " 48511

#10F | 530 | Agile | Win2003 French
Title/Comments: Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Event Category: Logon/Logoff
Event Type: Failure Audit
Reports Appears In: User Access / User Last Activity
Sample Log Message: <13>Jul 6 09:16:06

(24)

10G 530 Agile Win2003 German

Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12

Source Port: %13

Logon/Logoff Failure Audit User Access / User Last Activity

<13>1 2011-05-16T13:58:52.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 13:58:52 2011 530 Security

NT-AUTORITÄT\SYSTEM User Failure Audit SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Außerhalb der Anmeldezeiten des Kontos

Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 622

11  531  Agile Win2003
Message: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 5 16:45:06 10.1.1.55 MSWinEventLog 0 security 2940 Wed Jul 05 16:45:06 2006 531 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account currently disabled User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3000 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1468 " 48547

11F  531  Agile Win2003 French
Message: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 6 08:50:26

11G  531  Agile Win2003 German
Message: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-16T14:01:08.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 14:01:08 2011 531 Security NT-AUTORITÄT\SYSTEM User Failure Audit SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Konto ist gegenwärtig deaktiviert Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 707

11F  532  Agile Win2003 French
Message: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 18 04:17:27 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 193700 Sat Jul 18 04:17:24 2009 532 Security SYSTEM User Failure Audit

11G  532  Agile Win2003 German
Message: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-16T14:03:11.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 14:03:11 2011 532 Security NT-AUTORITÄT\SYSTEM User Failure Audit SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Das angegebene Benutzerkonto ist abgelaufen Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 790

12  532  Agile Win2003
Message: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 5 16:47:03 10.1.1.55 MSWinEventLog 0 security 2954 Wed Jul 05 16:47:02 2006 532 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified user account has expired User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2960 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1470 " 48561

13  533  Agile Win2003
Message: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 5 16:48:07 10.1.1.55

13F  533  Agile Win2003 French
Message: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 22 05:08:53 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 1371 Wed Jul 22 05:08:53 2009 533 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Utilisateur non autorisé à se connecter sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN Type de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN ID de session de l'appelant : (0x0,0x3E7) ID de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 1317

13G  533  Agile Win2003 German
Message: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-16T14:07:10.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 14:07:10 2011 533 Security NT-AUTORITÄT\SYSTEM User Failure Audit SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene

14  534  Agile Win2003
Message: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 5 16:28:08 10.1.1.55 MSWinEventLog 0 security 2741 Wed Jul 05 16:28:07 2006 534 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2480 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1447 " 48348

14F  534  Agile Win2003 French
Message: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 22 04:39:40 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 913 Wed Jul 22 04:39:38 2009 534 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Il n'a pas été accordé à l'utilisateur le type de session demandé sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN Type de session : 2 Processus d'ouv. de session : User32 Package

14G  534  Agile Win2003 German
Message: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-16T14:05:43.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 14:05:43 2011 534 Security NT-AUTORITÄT\SYSTEM User Failure Audit SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Dem Benutzer wurde der angeforderte Anmeldetyp an diesem Computer nicht gestattet. Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 942

15  535  Agile Win2003
Message: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Sep 7 14:19:29 10.1.1.55 MSWinEventLog 0 security 67016 Thu Sep 07 14:19:28 2006 535 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified account's password has expired User Name: expire Domain: SQA Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1344 Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 " 67016

15F  535  Agile Win2003 French
Message: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 6 08:52:46

15G  535  Agile Win2003 German
Message: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-16T14:10:12.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 14:10:12 2011 535 Security NT-AUTORITÄT\SYSTEM User Failure Audit SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Das Kennwort des angegebenen Kontos ist abgelaufen Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 1125

16  536  Agile Win2003
Message: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: not available. The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic; for more information on this event, see the Microsoft product documentation.

16F  536  Agile Win2003 French
Message: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 16 10:37:58 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 177163 Thu Jul 16 10:37:21 2009 536 Security SYSTEM User Failure Audit

17  537  Agile Win2003
Message: Logon Failure: Reason: An error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: not available. The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic; for more information on this event, see the Microsoft product documentation.

17F  537  Agile Win2003 French
Message: Logon Failure: Reason: An error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 17 08:07:50 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 196324 Fri Jul 17 08:07:50 2009 537 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Erreur lors de l'ouverture de session Nom de l'utilisateur : Domaine : Type d'ouverture de session : 3 Processus d'ouv. de session : Kerberos Package d'authentification : Kerberos Nom de station de travail : - Code du statut : 0xC0000133 Code du sous-statut : 0x0 Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 195243

18  538  Agile Win2003 German
Message: User Logoff
Category: Logon/Logoff   Type: Success Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-10T11:26:36.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Tue May 10 11:26:36 2011 538 Security

19  539  Agile Win2003
Message: Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 5 16:34:07 10.1.1.55 MSWinEventLog 0 security 2803 Wed Jul 05 16:34:06 2006 539 Security SYSTEM Well Known Group Failure Audit W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Account locked out User Name: test Domain: SQA Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process ID: 2304 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1455 " 48410

19F  539  Agile Win2003 French
Message: Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 17 03:30:03 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 193000 Fri Jul 17 03:30:03 2009 539 Security SYSTEM User Failure Audit B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte verrouillé Nom de l'utilisateur : test Domaine : B0324-MENGKJ Type de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : 0.8.0.45 Port source : 0 192031

19G  539  Agile Win2003 German
Message: Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Category: Logon/Logoff   Type: Failure Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-16T14:24:51.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 14:24:51 2011 539 Security
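The 530 to 539 rows above share one field list, but only the event ID is stable across them: the French and German rows translate every label and the reason text, and the Lasso samples quote the description while the later collector does not. The parser and triage below are an added example, not LogLogic's or Microsoft's code. It keys on the event ID, pulls the user, logon type and source address out of the description with a per-locale label map (English and German here; French labels would be added from the 13F, 19F and similar rows), and assumes the collector's tab-separated MSWinEventLog column order. The sample lines are constructed after the samples on this page rather than captured, and the threshold of three failures is an arbitrary demo value.

```python
# Parse Snare/Lasso "MSWinEventLog" syslog records from Windows Server 2003 and key the
# detection on the event ID, which is identical in every localized build, not on the
# translated description text. Added example; not LogLogic or Microsoft code.
import re
from collections import Counter

# Logon-failure event IDs from the 530-539 rows (529 is bad password, 538 is a logoff).
LOGON_FAILURE_IDS = {530, 531, 532, 533, 534, 535, 536, 537, 539}
# Assumed tab-separated Snare column order after the "MSWinEventLog" marker.
SNARE_FIELDS = ("criticality", "log_name", "counter", "event_time", "event_id", "source",
                "user_name", "sid_type", "event_type", "computer", "category", "description")
# Both header shapes on this page: "<PRI>Mon DD HH:MM:SS host" and "<PRI>1 ISO-time host".
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?:1 (?P<iso>\S+)|(?P<bsd>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)) "
    r"(?P<host>\S+) (?P<body>MSWinEventLog\t.*)$", re.S)
# English and German description labels mapped to one canonical name. Every label must be
# listed, even unused ones, or its value is glued onto the previous field (French: same way).
LABELS = {
    "reason": ("Reason", "Grund"), "user": ("User Name", "Benutzername"),
    "domain": ("Domain", "Domäne"), "logon_type": ("Logon Type", "Anmeldetyp"),
    "logon_process": ("Logon Process", "Anmeldevorgang"),
    "auth_package": ("Authentication Package", "Authentifizierungspaket"),
    "workstation": ("Workstation Name", "Name der Arbeitsstation"),
    "caller_user": ("Caller User Name", "Aufruferbenutzername"),
    "caller_domain": ("Caller Domain", "Aufruferdomäne"),
    "caller_logon_id": ("Caller Logon ID", "Aufruferanmeldekennung"),
    "caller_pid": ("Caller Process ID", "Aufruferprozesskennung"),
    "transited": ("Transited Services", "Übertragene Dienste"),
    "src_addr": ("Source Network Address", "Quellnetzwerkadresse"),
    "src_port": ("Source Port", "Quellport"),
}
LABEL_TO_FIELD = {label: field for field, labels in LABELS.items() for label in labels}
# Longest label first so "Caller Domain" wins over "Domain"; the lookbehind leaves the
# separating space unconsumed so an empty value ("Workstation Name: Logon GUID:") still splits.
LABEL_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(
    re.escape(l) for l in sorted(LABEL_TO_FIELD, key=len, reverse=True)) + r")\s?:\s?")


def extract_fields(description):
    """Turn 'Label: value Label: value ...' into {canonical_field: value}."""
    parts = LABEL_RE.split(description)  # [prefix, label, value, label, value, ...]
    return {LABEL_TO_FIELD[lab]: val.strip() for lab, val in zip(parts[1::2], parts[2::2])}


def parse_snare_line(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a syslog line carrying an MSWinEventLog body")
    cols = m.group("body").split("\t")
    if len(cols) <= len(SNARE_FIELDS):
        raise ValueError("truncated Snare record")
    rec = dict(zip(SNARE_FIELDS, cols[1:]))
    rec["host"] = m.group("host")
    rec["event_id"] = int(rec["event_id"])
    # Lasso wraps the description in double quotes; drop them before splitting.
    rec["description"] = rec["description"].strip().strip('"').strip()
    rec["fields"] = extract_fields(rec["description"])
    return rec


def triage(records, threshold=3):
    """Alert on the locale-independent event ID plus the extracted user and source."""
    alerts, failures = [], Counter()
    for r in records:
        eid, f = r["event_id"], r["fields"]
        if eid not in LOGON_FAILURE_IDS:
            continue
        user, src = f.get("user"), f.get("src_addr")
        failures[(user, src)] += 1
        if eid == 539:  # logon refused because the account is already locked out
            alerts.append({"kind": "locked_account_attempt", "event_id": eid, "user": user, "src": src})
        elif eid in (530, 533, 534) and src not in (None, "-", "127.0.0.1"):
            # a remote host tripping a time-of-day, workstation or logon-type restriction
            alerts.append({"kind": "restriction_probe", "event_id": eid, "user": user, "src": src})
    for (user, src), n in failures.items():
        if n >= threshold:  # demo threshold, not a recommended value
            alerts.append({"kind": "repeated_failure", "user": user, "src": src, "count": n})
    return alerts


def _snare(header, *cols):  # constructed sample: syslog header, then tab-separated columns
    return header + " " + "\t".join(cols)


EN_DESC = ("Logon Failure: Reason: {reason} User Name: test Domain: SQA Logon Type: 10 Logon "
           "Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller "
           "User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon ID: (0x0,0x3E7) Caller Process "
           "ID: 3444 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1464")
EN_REASON = {530: "Account logon time restriction violation", 539: "Account locked out",
             534: "The user has not been granted the requested logon type at this machine"}
SAMPLE_LINES = [  # constructed after the samples on this page, not captured traffic
    _snare("<13>Jul 5 16:42:13 10.1.1.55", "MSWinEventLog", "0", "security", "2904",
           "Wed Jul 05 16:42:12 2006", str(eid), "Security", "SYSTEM", "Well Known Group",
           "Failure Audit", "W2K3-LASSO", "Logon/Logoff",
           '"' + EN_DESC.format(reason=EN_REASON[eid]) + ' "', "48511")
    for eid in (530, 539, 534)
] + [
    _snare("<13>1 2011-05-16T14:01:08.000+02:00 192.168.56.132", "MSWinEventLog", "0", "Security",
           "0", "Mon May 16 14:01:08 2011", "531", "Security", "NT-AUTORITÄT\\SYSTEM", "User",
           "Failure Audit", "SRV-W2003-GERMA", "An-/Abmeldung",
           "Fehlgeschlagene Anmeldung: Grund: Konto ist gegenwärtig deaktiviert Benutzername: admin "
           "Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name "
           "der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: "
           "LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - "
           "Quellnetzwerkadresse: 127.0.0.1 Quellport: 0", "707"),
]
```

For the constructed input, `triage([parse_snare_line(l) for l in SAMPLE_LINES])` returns four alerts: two restriction probes (530 and 534 from 172.16.0.225), one attempt against the already locked-out account (539) and one repeated-failure summary for the same user and source. Two caveats carry over from the rows above: 539 is a logon refused because the account is already locked out, not the lockout itself, and an interactive (Logon Type 2) failure at the console is reported with Source Network Address 127.0.0.1, so local and remote failures have to be separated before they are counted.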

20  540  Agile Win2003
Message: Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff   Type: Success Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 5 11:04:08 10.1.1.55 MSWinEventLog 0 security 3 Wed Jul 05 10:19:59 2006 540 Security SYSTEM Well Known Group Success Audit W2K3-LASSO Logon/Logoff "Successful Network Logon: User Name: W2K3-LASSO$ Domain: SQA Logon ID: (0x0,0xD30C93) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {e6b578ec-aae0-9e50-b248-c2004fb821e8} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 " 45610

20F  540  Agile Win2003 French
Message: Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff   Type: Success Audit   Reports: User Access / User Last Activity
Sample: <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinEventLog 1 Security 15 Thu May 21 10:31:14 2009 540 Security ANONYMOUS LOGON Well Known Group Success Audit KKKKK-KNBMQ2EU3 Ouverture/Fermeture de session Ouverture de session réseau réussie : Utilisateur : Domaine : Id. de la session : (0x0,0xA565) Type de session : 3 Processus de session : NtLmSsp Package d'authentification : NTLM Nom de la station de travail : GUID d'ouv. de session : - Nom de l'utilisateur appelant : - Domaine appelant : - ID de session de l'appelant : - ID de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 9

20G  540  Agile Win2003 German
Message: Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Category: Logon/Logoff   Type: Success Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-10T11:25:57.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Tue May 10 11:25:57 2011 540 Security NT-AUTORITÄT\ANONYMOUS-ANMELDUNG User Success Audit

21  548  Agile Win2003
Message: Logon Failure: Reason: Domain sid inconsistent User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Transited Services: %7
Category: Security   Type: Failure Audit   Reports: User Access / User Last Activity / User Authentication
Sample: not available. The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic; for more information on this event, see the Microsoft product documentation.

33F  548  Agile Win2003 French
Message: Échec de l'ouverture de session (Logon Failure)
Category: Security   Type: Success Audit / Failure Audit   Reports: User Access / User Authentication / User Last Activity / Windows Events
Sample: <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 548 Security Administrator User Success Audit LOGLABS-2003FRA Suivi détaillé Échec de l'ouverture de session : Raison : SID du domaine incohérent Nom d'utilisateur : %1 Domaine : %2 Type d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de station de travail : %6 Services en transit : %7

34  549  Agile Win2003
Message: Logon Failure: Reason: All sids were filtered out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Category: Security   Type: Failure Audit   Reports: User Access / User Last Activity / User Authentication
Sample: not available. The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic; for more information on this event, see the Microsoft product documentation.

35F  549  Agile Win2003 French
Message: Échec de l'ouverture de session (Logon Failure)
Category: Security   Type: Success Audit / Failure Audit   Reports: User Access / User Authentication / User Last Activity / Windows Events
Sample: <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 549 Security Administrator User Failure Audit LOGLABS-2003FRA Suivi détaillé Échec de l'ouverture de session : Raison : Tous les SID étaient épuisés Utilisateur : %1 Domaine : %2 Type d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de la station de travail : %6

36  550  Agile Win2003
Message: Notification message that could indicate a possible denial-of-service attack.
Category: Security   Type: Logon / Logoff   Reports: User Access / User Last Activity

37  551  Agile Win2003
Message: User initiated logoff: User Name: %1 Domain: %2 Logon ID: %3
Category: Security   Type: Success Audit / Failure Audit / Information / Error   Reports: User Access
Sample: <13>Aug 8 09:26:00 10.116.28.102 MSWinEventLog 0 Security 619 Fri Aug 04 12:58:16 2006 551 Security Unknown User N/A Success Audit LOGLOGIC-SRV1 Logon/Logoff User initiated logoff: User Name: Administrator Domain: LOGLOGIC-SRV1 Logon ID: (0x0,0x14d2b) 23

37F  551  Agile Win2003 French
Message: User initiated logoff: User Name: %1 Domain: %2 Logon ID: %3
Category: Security   Type: Success Audit / Failure Audit / Information / Error   Reports: User Access
Sample: <13>Jul 1 03:18:31 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 3252 Wed Jul 01 03:18:31 2009 551 Security Administrateur User Success Audit KKKKK-KNBMQ2EU3 Ouverture/Fermeture de session Fermeture de session initiée par l'utilisateur : Utilisateur : Administrateur Domaine : FORESTA Id. d'ouv. de session : (0x0,0x260dd) 3228

37G  551  Agile Win2003 German
Message: User initiated logoff: User Name: %1 Domain: %2 Logon ID: %3
Category: Security   Type: Success Audit / Failure Audit / Information / Error   Reports: User Access
Sample: <13>1 2011-05-16T13:54:25.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 13:54:25 2011 551 Security LL\Administrator User Success Audit SRV-W2003-GERMA An-/Abmeldung Benutzerinitiierte Abmeldung: Benutzername: administrator Domäne: LL Anmeldekennung: (0x0,0x2194f8) 423

38  552  Agile Win2003
Message: Logon attempt using explicit credentials: Logged on user: User Name: %1 Domain: %2 Logon ID: %3 Logon GUID: %4 User whose credentials were used:

38F  552  Win2003 French
Message: Tentative d'ouverture de session en utilisant des informations d'identification explicites (Logon attempt using explicit credentials)
Category: Security   Type: Success Audit / Failure Audit   Reports: User Access / User Authentication / User Last Activity / Windows Events
Sample: <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 552 Security Administrator User Failure Audit LOGLABS-2003FRA Suivi détaillé Tentative d'ouverture de session en utilisant des informations d'identification explicites : Utilisateur connecté : Nom d'utilisateur : %1 Domaine : %2 ID d'ouv. de session : %3 GUID d'ouv. de session : %4 Utilisateur dont les informations d'identification ont été utilisées : Nom d'utilisateur cible : %5 Domaine cible : %6 GUID d'ouv. de session cible : %7 Nom du serveur cible : %8 Informations du serveur cible : %9 ID de processus appelant : %10 Adresse réseau source : %12 Port source : %13

38G  552  Win2003 German
Message: Logon attempt using explicit credentials
Category: Security   Type: Success Audit / Failure Audit   Reports: User Access / User Authentication / User Last Activity / Windows Events
Sample: <13>1 2011-05-16T12:54:43.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 12:54:43 2011 552 Security NT-AUTORITÄT\SYSTEM User Success Audit SRV-W2003-GERMA An-/Abmeldung Anmeldeversuch unter Verwendung expliziter Anmeldeinformationen: Angemeldeter Benutzer: Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x3E7) Anmelde-GUID: - Benutzer, dessen Anmeldeinformationen verwendet wurden: Zielbenutzerame: administrator Zieldomäne: LL

39  560  Agile Win2003
Message: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18
Category: Object Access   Type: Success Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 5 15:58:59 10.1.1.55 MSWinEventLog 0 security 2074 Wed Jul 05 15:58:58 2006 560 Security qatest User Success Audit W2K3-LASSO Object Access "Object Open: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security Handle ID: 452 Operation ID: {0,17577785} Process ID: 3280 Image File Name: C:\WINDOWS\system32\mmc.exe Primary User Name: qatest Primary Domain: SQA Primary Logon ID: (0x0,0x668A8) Client User Name: - Client Domain: - Client Logon ID: - Accesses: Set key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2 " 47681

39F  560  Agile Win2003 French
Message: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18
Category: Object Access   Type: Success Audit   Reports: User Access / User Last Activity
Sample: <13>Jun 30 10:42:40 kkkkk-knbmq2eu3.forestA MSWinEventLog 4 Security 12 Tue Jun 30 10:42:33 2009 560 Security SYSTEM User Success Audit KKKKK-KNBMQ2EU3 Accès aux objets Objet ouvert Serveur de l'objet : Security Type de l'objet : Key Nom de l'objet : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security Identificateur du handle : 204 Identificateur de l'opération : {0,1577787} Id. du processus : 2404 Nom du fichier image : C:\Program Files\Snare\SnareCore.exe Utilisateur principal :

39G  560  Agile Win2003 German
Message: Object Open: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon ID: %11 Client User Name: %12 Client Domain: %13 Client Logon ID: %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18
Category: Object Access   Type: Success Audit   Reports: User Access / User Last Activity
Sample: <13>1 2011-05-16T13:37:08.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 13:37:08 2011 560 Security NT-AUTORITÄT\SYSTEM User Success Audit SRV-W2003-GERMA Objektzugriff Geöffnetes Objekt: Objektserver: Security Objekttyp: Key Objektname: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security Handlekennung: 1612 Vorgangskennung: {0,1397050} Prozesskennung: 592 Abbilddateiname: C:\WINDOWS\system32\services.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: - Clientdomäne: - Clientanmeldekennung: - Zugriffe: READ_CONTROL Schlüsselwert abfragen Schlüsselwert festlegen Unterschlüssel auflisten Änderungen an Schlüssel benachrichtigen Rechte: - Beschränkte SID-Anzahl: 0 Zugriffsmaske: 0x2001B 3102

40  562  Agile Win2003
Message: The handle to an object was closed.
Category: Object Access   Type: Special Multi-use Subcategory   Reports: User Access / User Last Activity
Sample: MSWinEventLog 0 Security 0 Tue Jul 21 8:59:57 2010 4658 Microsoft-Windows-Security-Auditing Unknown Success hayward.Loglabs08Native.lab File System The handle to an object was closed. Subject : Security ID: S-1-5-18 Account Name: HAYWARD$ Account Domain: LOGLABS08NATIVE Logon ID: 0x3e7 Object: Object Server: Security Handle ID: 0x1c0 Process Information: Process ID: 0x7e8 Process Name: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 51813549
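In the 560 (Object Open) rows above the Accesses text is localized (compare "Set key value" in row 39 with "Schlüsselwert festlegen" in row 39G) while the Access Mask is a plain number, so the mask is the field to decode. The object in all three samples is the registry key that holds the Security event log's own settings, which makes a write to it worth an alert in its own right. The decoder below is an added example, not LogLogic's or Microsoft's code; the bit values are the documented Win32 registry and standard access rights, the descriptions are constructed after the 39 and 39G samples, and the allow-list remark in the comments is an assumption about how such an alert would be tuned.

```python
# Decode the Access Mask of a Windows Server 2003 event 560 (Object Open) on a registry
# key and flag write access to the Security event log's configuration key. Added example;
# not LogLogic or Microsoft code. The bit values are the documented Win32 access rights.
import re

KEY_RIGHTS = {  # registry-specific rights (low 16 bits of the mask)
    0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
    0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY",
}
STANDARD_RIGHTS = {  # standard rights shared by every securable object
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
# Anything that changes the key, its subkeys, or its security descriptor.
WRITE_BITS = 0x0002 | 0x0004 | 0x0020 | 0x00010000 | 0x00040000 | 0x00080000
# English and German labels as they appear in the 39 and 39G samples.
FIELD_PATTERNS = {
    "object_type": r"(?:Object Type|Objekttyp): (\S+)",
    "object_name": r"(?:Object Name|Objektname): (\S+)",  # registry paths carry no spaces
    "image": r"(?:Image File Name|Abbilddateiname): (.+?) (?:Primary User Name|Primärer Benutzername):",
    "user": r"(?:Primary User Name|Primärer Benutzername): (\S+)",
    "mask": r"(?:Access Mask|Zugriffsmaske): (0x[0-9A-Fa-f]+)",
}


def decode_key_mask(mask):
    """Names of the rights set in a registry-key access mask; unknown bits are kept as hex."""
    known = {**KEY_RIGHTS, **STANDARD_RIGHTS}
    names = [name for bit, name in known.items() if mask & bit]
    leftover = mask & ~sum(known)
    return names + ([hex(leftover)] if leftover else [])


def analyse_object_open(description):
    """Pull the fields we need out of a 560 description and judge the access."""
    rec = {}
    for key, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, description)
        rec[key] = m.group(1) if m else None
    mask = int(rec["mask"], 16) if rec["mask"] else 0
    rec["rights"] = decode_key_mask(mask) if rec["object_type"] == "Key" else []
    # ...\Services\Eventlog\Security holds the Security log's own settings (size, retention,
    # registered sources). A handle with write rights on it is audit-setting tampering unless
    # the image is on an allow-list (assumed tuning; mmc.exe and services.exe in the samples).
    rec["writes_eventlog_config"] = bool(
        rec["object_type"] == "Key" and mask & WRITE_BITS
        and "\\SERVICES\\EVENTLOG\\" in (rec["object_name"] or "").upper())
    return rec


KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security"
SAMPLES = {  # constructed after the 39 and 39G samples on this page, not captured events
    "en_set_value": (
        "Object Open: Object Server: Security Object Type: Key Object Name: " + KEY +
        r" Handle ID: 452 Operation ID: {0,17577785} Process ID: 3280 Image File Name: "
        r"C:\WINDOWS\system32\mmc.exe Primary User Name: qatest Primary Domain: SQA Primary Logon "
        "ID: (0x0,0x668A8) Client User Name: - Client Domain: - Client Logon ID: - Accesses: Set "
        "key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2"),
    "de_2001b": (
        "Geöffnetes Objekt: Objektserver: Security Objekttyp: Key Objektname: " + KEY +
        r" Handlekennung: 1612 Vorgangskennung: {0,1397050} Prozesskennung: 592 Abbilddateiname: "
        r"C:\WINDOWS\system32\services.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: "
        "LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: - Clientdomäne: - "
        "Clientanmeldekennung: - Zugriffe: READ_CONTROL Schlüsselwert abfragen Schlüsselwert "
        "festlegen Unterschlüssel auflisten Änderungen an Schlüssel benachrichtigen Rechte: - "
        "Beschränkte SID-Anzahl: 0 Zugriffsmaske: 0x2001B"),
}
# KEY_READ (0x20019) on the same key: a read-only open that must not alert.
SAMPLES["en_read_only"] = SAMPLES["en_set_value"].replace(
    "Accesses: Set key value", "Accesses: READ_CONTROL Query key value Enumerate sub-keys Notify "
    "about changes to keys").replace("Access Mask: 0x2", "Access Mask: 0x20019")

if __name__ == "__main__":
    for name, desc in SAMPLES.items():
        r = analyse_object_open(desc)
        print(name, r["user"], r["image"], r["rights"], "ALERT" if r["writes_eventlog_config"] else "ok")
```

Decoding 0x2001B from row 39G gives KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY and READ_CONTROL, which is exactly the localized Zugriffe list in that sample; 0x2 from row 39 is KEY_SET_VALUE alone. Both carry a write bit on the Eventlog\Security key and are flagged, while the constructed KEY_READ open is not.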

40G 562 Agile Win2003 German

The handle to an object was closed.

Object Access Special Multi-use Subcategory User Access / User Last Activity <13>1 2011-05-16T13:18:56.000+02:00 192.168.56.132 MSWinEventLog 0 Security 0 Mon May 16 13:18:56 2011 562 Security

NT-AUTORITÄT\SYSTEM User Success Audit SRV-W2003-GERMA Objektzugriff Geschlossenes Handle: Objektserver: Security Account Manager Handlekennung: 653312

(39)

41  563  Agile Win2003
Message: Object Open for Delete: Object Server: %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses: %14 Privileges: %15 Access Mask: %16
Category: Object Access   Type: Success Audit   Reports: User Access / User Last Activity
Sample: not available. The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic; for more information on this event, see the Microsoft product documentation.

43F  563  Agile Win2003 French
Message: Objet ouvert pour suppression (Object Open for Delete)
Category: Security   Type: Success Audit / Failure Audit   Reports: User Access / User Last Activity / Windows Events
Sample: <13>Mar 1 17:00:38 loglabs-2003FRa.loglabs.lab MSWinEventLog 0 Security 35 Mon Mar 01 16:59:55 2010 563 Security Administrator User Success Audit LOGLABS-2003FRA Suivi détaillé Objet ouvert pour suppression : Serveur d'objet : %1 Type d'objet : %2 Nom de l'objet : %3 Identificateur du handle : %4 Identificateur de l'opération : {%5,%6} Id. du processus : %7 Utilisateur principal : %8 Domaine principal : %9 Id d'ouv. de session principale : %10 Utilisateur client : %11 Domaine client : %12 Id. d'ouv. de session client : %13 Accès : %14 Privilèges : %15 Masque d'accès : %16 17

44  564  Agile Win2003
Message: Object Deleted: Object Server: %1 Handle ID: %2 Process ID: %3 Image File Name: %4
Category: Object Access   Type: Success Audit   Reports: User Access / User Last Activity
Sample: not available. The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic; for more information on this event, see the Microsoft product documentation.

44F  564  Agile Win2003 French
Message: Object Deleted: Object Server: %1 Handle ID: %2 Process ID: %3 Image File Name: %4
Category: Object Access   Type: Success Audit   Reports: User Access / User Last Activity
Sample: <13>Jul 23 09:21:20 b0324-fr2003.domain.symbio-group.com MSWinEventLog 4 Security 8498 Thu Jul 23 09:21:14 2009 564 Security Administrateur User Success Audit B0324-FR2003 Accès aux objets Objet supprimé : Serveur d'objet : Security Id. de handle : 1516 Id. de processus : 2544 Nom du fichier d'image :
