ReplacementStrings on EventLog entries Messages

Hi All,

I need help with ReplacementStrings on EventLog messages.

The question is: How to replace things such as %{SID} and %{GUID} inside
EventLogEntry.Message?

When the case is %{SID}, I solved it by using the SecurityIdentifier and
IdentityReference classes. But when the case is %{GUID}, a few times I have
been lucky with the DirectorySearcher class by converting the GUID to
NativeGuid format. However, most times I get null results.

I think that this way is far from the correct way to deal with this problem.
But I don't know how.

Thanks in Advance

Washington Moreira
 
Hello,

As I understand, you want to log some messages in eventlog, but I am not
very clear about %{SID} and %{GUID} you mentioned. GUID or NativeGuid are
objects in System.DirectoryServices Namespace. Did you want to log them in
eventlog? Can you explain more on this?

Thanks,

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Hi Luke Zhang,
Thanks for your attention.

Example of %{SID} on Security Log Messages:
Target Account ID: %{S-1-5-21-3318669157-2336031042-2875015298-1604}

Example of what I think would be a %{GUID} on Security Log Messages:

Properties:
---
%{bf967aad-0de6-11d0-a285-00aa003049e2}

So, how to replace these %{something} strings with the real object names?

Best Regards
Washington Moreira
 
Do you mean properties like "logon guid" in the security event log? They do
not always have an actual value. If you want to find an object with a GUID,
you may search by ObjectGUID.

Regards,

Luke Zhang
Microsoft Online Community Support

 
Hi Luke,
To be more clear, please look at the following example from the Security Log -
Directory Service Access - Event ID 566
----------------------------------------------------------------------------------------------
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2}
Object Name: %{4ca867ab-860a-43b6-a27b-ab1ecf631296}
Handle ID: -
Primary User Name: ALIENIII$
Primary Domain: LIFE
Primary Logon ID: (0x0,0xAAA)
Client User Name: someUser
Client Domain: someDomain
Client Logon ID: (0x0,0xBBBB)
Accesses: %Write Property
Properties:
%Write Property
%{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
%{bf9679c0-0de6-11d0-a285-00aa003049e2}
%{bf967a9c-0de6-11d0-a285-00aa003049e2}
Additional Info:
Additional Info2:
Access Mask: 0x2
----------------------------------------------------------------------------------------------
By checking the ReplacementStrings, "Object Name:
%{4ca867ab-860a-43b6-a27b-ab1ecf631296}" is in fact an objectGUID from the
domain partition (a user in this case), but the others, such as "Object Type"
and "Properties", do not return anything when searching by objectGUID on the
domain partition or on the schema.

Today, by searching Google, I saw that some strings can be schemaIDGUID and
not objectGUID. But how do I know which it is in each case?
When should the search be done on the domain by objectGUID, and when by
schemaIDGUID on the schema?

Thanks in Advance
Washington Moreira
 
Normally, Object Type can be queried by schemaIDGUID, but I am not sure
about the Properties. Can you get some results by querying by schemaIDGUID?

Luke Zhang
Microsoft Online Community Support

 
Hi Luke,

When %{GUID} refers to a Property Set, Extended-Rights or Validated Writes,
schemaIDGUID does not return anything. But for now, I think that by looking in
"CN=Extended-Rights,CN=Configuration,DC=domain,DC=com", the attribute
rightsGUID can answer this question.
For example, %{bc0ac240-79a9-11d0-9020-00c04fc2d4cf} matches the rightsGUID
of the Membership object under the "CN=Extended-Rights" container.

One more place to search... :(

Thanks

Washington Moreira
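
The lookup order this thread arrives at, as an added example (not code from any poster): it pulls the %{...} tokens out of a message and builds, per token, the LDAP searches to try in turn. The base DNs, the try-in-order strategy and the function names are assumptions of the example; each filter string can be used as a DirectorySearcher.Filter value.

```python
import re
import uuid

TOKEN = re.compile(r"%\{([^}]+)\}")

# Constructed sample: lines copied from the SID example and the event 566 text above.
SAMPLE = """\
Target Account ID: %{S-1-5-21-3318669157-2336031042-2875015298-1604}
Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2}
Object Name: %{4ca867ab-860a-43b6-a27b-ab1ecf631296}
Properties:
%Write Property
%{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
"""

def binary_guid_filter(attr, guid):
    # objectGUID and schemaIDGUID are octet strings: match on the raw bytes in the
    # layout AD stores (first three GUID fields byte-swapped), each escaped as \xx.
    raw = uuid.UUID(guid).bytes_le
    return "(%s=%s)" % (attr, "".join("\\%02x" % b for b in raw))

def searches_for(field, guid, domain_dn, forest_dn):
    # Base DNs are assumptions; in practice read the naming contexts from RootDSE.
    config = "CN=Configuration," + forest_dn
    by_object = (domain_dn, binary_guid_filter("objectGUID", guid))
    by_schema = ("CN=Schema," + config, binary_guid_filter("schemaIDGUID", guid))
    by_right = ("CN=Extended-Rights," + config, "(rightsGUID=%s)" % guid)  # string attribute
    # In the thread "Object Name" held an objectGUID; the other fields held schema
    # or Extended-Rights GUIDs, so those two places are tried first for them.
    if field == "Object Name":
        return [by_object, by_schema, by_right]
    return [by_schema, by_right, by_object]

def plan_for_message(message, domain_dn, forest_dn):
    plans, field = [], None
    for line in message.splitlines():
        label, sep, _ = line.partition(":")
        if sep and "%{" not in label:
            field = label.strip()  # bare lines under "Properties:" keep that label
        for token in TOKEN.findall(line):
            if token.upper().startswith("S-1-"):
                plans.append((field, token, "sid", []))  # translate as a SID instead
                continue
            try:
                guid = str(uuid.UUID(token))
            except ValueError:
                continue  # not a GUID: leave the token unresolved
            plans.append((field, guid, "guid", searches_for(field, guid, domain_dn, forest_dn)))
    return plans
```

Each plan entry is (field, value, kind, searches); run the searches in order and stop at the first hit.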
 
Hello,

I found a previous post, in which Max provided some valuable suggestions.
You may take a look to see if it can help:

http://groups.google.com/group/microsoft.public.adsi.general/browse_thread/thread/3d3459a01c0965a4/d6c066b01e679686?lnk=st&q=%22Retrieve+Guids+from+attributes%2C+possible%22&rnum=1&hl=zh-CN#d6c066b01e679686

Regards,

Luke Zhang
Microsoft Online Community Support

 
