Security event log

Tony Johansson

Hi!

Can somebody tell me anything that I can do so that the system writes an entry in
the security event log?
I mean I just want to do something so that, as a result, the system writes an entry
in the security event log.

So when I use the event viewer for the security event log I want to be able to
see that a new entry has been written in that log.

//Tony
 
Konrad Neitzel

Hi Tony!

Tony Johansson said:
Can somebody tell me anything that I can do so that the system writes an entry
in the security event log?
I mean I just want to do something so that, as a result, the system writes an
entry in the security event log.
So when I use the event viewer for the security event log I want to be
able to see that a new entry has been written in that log.

You can write to the security log in the same way as you can write to
the application log. But why do you want to do that? Normally you should
not do that at all.
And you need special permissions for that (in our company, even the
administrators cannot write to the security log because it is forbidden
by a policy).

If you just want to do something so that the system writes a message
there: authenticate to the system, either successfully or unsuccessfully.
Both should be recorded in there. (So one example could be starting a
process under some other user account.)

Konrad
 
Tony Johansson

Konrad Neitzel said:
Hi Tony!




You can write to the security log in the same way as you can write to the
application log. But why do you want to do that? Normally you should not do
that at all.
And you need special permissions for that (in our company, even the
administrators cannot write to the security log because it is forbidden by
a policy).

If you just want to do something so that the system writes a message
there: authenticate to the system, either successfully or unsuccessfully. Both
should be recorded in there. (So one example could be starting a process
under some other user account.)

Konrad

No, you as a user can never ever write to the security event log; only the
system is allowed to do so.
I don't understand what you mean. So what can I do so that, as a result, the system
writes an entry to the security event log?

//Tony

 
Tony Johansson

Konrad Neitzel said:
Hi Tony!




You can write to the security log in the same way as you can write to the
application log. But why do you want to do that? Normally you should not do
that at all.
And you need special permissions for that (in our company, even the
administrators cannot write to the security log because it is forbidden by
a policy).

If you just want to do something so that the system writes a message
there: authenticate to the system, either successfully or unsuccessfully. Both
should be recorded in there. (So one example could be starting a process
under some other user account.)

Konrad

When I changed the local security for validating login events, the
system wrote entries to the security event log.

//Tony
 
Konrad Neitzel

Hi Tony!

Tony Johansson said:
No, you as a user can never ever write to the security event log; only
the system is allowed to do so.

That is simply wrong. The user just needs SeAuditPrivilege. Then he can
write to the Security log. By default, only Local System and Network
Service have these rights.
(And normally Administrators don't have that right. And regarding the
Security Log we enforce some more security things, but I simply said it
wrong. Sorry if I confused you with that. I hope the details given now
remove any confusion.)

Tony Johansson said:
I don't understand what you mean. So what can I do so that, as a result, the
system writes an entry to the security event log?

I simply meant, that authentication events are stored inside the
security log (e.g. Logon and Logoff events).

But maybe I got you wrong and you wanted more information about audit
events?
You can enable auditing and apply audit flags to files / folders so you
get messages about access / failed access and so on.
(secpol.msc is not part of Home Editions of Windows in case you want to
play around.)

With kind regards,

Konrad
 
Tony Johansson

Konrad Neitzel said:
Hi Tony!



That is simply wrong. The user just needs SeAuditPrivilege. Then he can
write to the Security log. By default, only Local System and Network
Service have these rights.
(And normally Administrators don't have that right. And regarding the Security
Log we enforce some more security things, but I simply said it wrong.
Sorry if I confused you with that. I hope the details given now remove
any confusion.)


I simply meant, that authentication events are stored inside the security
log (e.g. Logon and Logoff events).

But maybe I got you wrong and you wanted more information about audit
events?
You can enable auditing and apply audit flags to files / folders so you
get messages about access / failed access and so on.
(secpol.msc is not part of Home Editions of Windows in case you want to
play around.)

With kind regards,

Konrad

Note, Konrad, not all OSes support writing to the security event log. When I say not
supported I really mean never, whatever you try to do.
As in my case using XP I can never write to this log.
Hope this is clearer to you now when I said it's not possible to write to
the security event log.

//Tony
 
Konrad Neitzel

Hi Tony!

Tony Johansson said:
Note, Konrad, not all OSes support writing to the security event log. When I
say not supported I really mean never, whatever you try to do.
As in my case using XP I can never write to this log.
Hope this is clearer to you now when I said it's not possible to
write to the security event log.

OK, I was wrong on 2 important points. I simply spent a lot of time
diving into it now.
1st point: Only the Local Security Authority (LSA) is allowed to write
to the Security Event Log. This is even hardcoded into the OS so this
will not change by setting rights on the ACL.
2nd point: If you want to write an event to the security log, you can
use a new set of functions that was introduced in Windows 2003 (also
available for Windows Server 2000 when you install the Authorization
Manager Runtime). It's the Authz.dll containing the functions
AuthzInstallSecurityEventSource, AuthzRegisterSecurityEventSource,
AuthzReportSecurityEvent, ...

Sorry if I confused anybody, but till today I really thought that
writing to the security log should be possible if you have the correct
set of rights.

With kind regards,

Konrad
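
The route the thread arrives at (turn on logon auditing, perform a logon, and let the system write the entry) can be scripted as below. This is an added example, not code from any post; it assumes Windows Vista / Server 2008 or later rather than the XP machine in the thread, an elevated Windows PowerShell session, and a local test account of your own.

```powershell
# Added example. Assumes Windows Vista / Server 2008 or later, an elevated
# Windows PowerShell session, and an English-language system (auditpol
# subcategory names are localized). Domain audit policy may override step 1.

# 1. Audit successful and failed logons (the policy Tony changed via the GUI).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Logon"

# 2. Start a process under another account, as Konrad suggested. A correct
#    password produces a logon success event, a wrong one a logon failure.
$start = Get-Date
$cred  = Get-Credential            # prompts for the test account (assumption)
try {
    Start-Process -FilePath "$env:SystemRoot\System32\whoami.exe" `
                  -Credential $cred -WorkingDirectory $env:SystemRoot `
                  -Wait -ErrorAction Stop
} catch {
    Write-Warning "Logon attempt failed: $($_.Exception.Message)"
}

# 3. Read back what the system wrote. 4624 = successful logon, 4625 = failed
#    logon on Vista and later (XP uses older event IDs).
Start-Sleep -Seconds 2             # give the event log service a moment
$user = ($cred.UserName -split '\\')[-1]    # strip a DOMAIN\ or .\ prefix
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $start }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        # Named fields live in the event XML under EventData/Data.
        $data = ([xml]$evt.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            Time      = $evt.TimeCreated
            EventId   = $evt.Id
            Account   = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            LogonType = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        }
    } |
    Where-Object { $_.Account -eq $user } |
    Format-Table Time, EventId, Account, LogonType -AutoSize
```

If the table is empty, check the `auditpol /get` output from step 1; the audit setting stays in effect after the script ends.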
 
