Windows server 2003 events.

Sandip Shahane

Hi all,
I am looking for a list of new Windows audit log events
that I can monitor for networking / system security.
Where can I get a list of all such events?

Thanks in advance,
Sandip Shahane.
 
Stephen Cartwright [MSFT]

Well you could enable options in Admin Tools > Local Security Settings >
Audit Policy

You may need to adjust the event logs to suit [size, retention times for
example] depending on the numbers of events you get based on what you
decided to enable and if auditing success and/or failures.
 
IBTerry [MSFT]

Are you looking for a list of audit events rather than how to enable
auditing? If so you can use the following site...it is specific to Win2003.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/support/EE_winnetsvr.asp

Example: If you are looking for all Win2003 events w/ source of SECURITY
then enter SECURITY in the source dialogue box on this page and click GO.

This will generate the following.

ID Message
520 The system time was changed.
Process ID: %1
Process Name: %2
Primary User Name: %3
P...
528 Successful Logon:
User Name: %1
Domain: %2
Logon ID: %3
Logon Type: %4
Logon Pro...
540 Successful Network Logon:
User Name: %1
Domain: %2
Logon ID: %3
Logon Type: %4
L...
551 User initiated logoff:
User Name: %1
Domain: %2
Logon ID: %3

552 Logon attempt using explicit credentials:
Logged on user:
User Name: %1
Domain: %2
L...
560 Object Open:
Object Server: %1
Object Type: %2
Object Name: %3
Handle ID: %4
Ope...
562 Handle Closed:
Object Server: %1
Handle ID: %2
Process ID: %3
Image File Name: %...
567 Object Access Attempt:
Object Server: %1
Handle ID: %2
Object Type: %3
Process I...
592 A new process has been created:
New Process ID: %1
Image File Name: %2
Creator Proces...
593 A process has exited:
Process ID: %1
Image File Name: %2
User Name: %3
Domain: %...
596 Backup of data protection master key.
Key Identifier: %1
Recovery Server: %2
Recover...
597 Recovery of data protection master key.
Key Identifier: %1
Recovery Reason: %3
Recov...
599 Unprotection of auditable protected data.
Data Description: %2
Key Identifier: %1
Pr...
600 A process was assigned a primary token.
Assigning Process Information:
Process ID: %1
Im...
612 Audit Policy Change:
New Policy:
Success Failure
%3 %4 Logon/Logoff
%5 %6...
621 System Security Access Granted:
Access Granted: %4
Account Modified: %5
Assigned By:<...
622 System Security Access Removed:
Access Removed: %4
Account Modified: %5
Removed By:
627 Change Password Attempt:
Target Account Name: %1
Target Domain: %2
Target Account ID:...
637 Security Enabled Local Group Member Removed:
Member Name: %1
Member ID: %2
Target Acc...
644 User Account Locked Out:
Target Account Name: %1
Target Account ID: %3
Caller Machine...
673 Service Ticket Request:
User Name: %1
User Domain: %2
Service Name: %3
Service ID: %...
675 Pre-authentication failed:
User Name: %1
User ID: %2
Service Name: %3
Pre-Authentica...
680 Logon attempt by: %1
Logon account: %2
Source Workstation: %3
Error Code: %4

682 Session reconnected to winstation:
User Name: %1
Domain: %2
Logon ID: %3
Session...
683 Session disconnected from winstation:
User Name: %1
Domain: %2
Logon ID: %3
Sess...
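
As an added example that is not part of the thread: the `%1`, `%2`, ... placeholders in the listing are the positions of each event's insertion strings, so a monitoring script can turn a raw record into named fields and pick out the IDs it cares about. The field positions below are copied from the listing; the `WATCH` set, the function names and the sample records are assumptions made for this sketch.

```python
# Field positions copied from the listing above. Truncated entries keep only
# the fields the page shows; nothing past the "..." is filled in.
FIELDS = {
    520: ("The system time was changed",
          {1: "Process ID", 2: "Process Name", 3: "Primary User Name"}),
    528: ("Successful Logon",
          {1: "User Name", 2: "Domain", 3: "Logon ID", 4: "Logon Type"}),
    644: ("User Account Locked Out",
          {1: "Target Account Name", 3: "Target Account ID"}),
    675: ("Pre-authentication failed",
          {1: "User Name", 2: "User ID", 3: "Service Name"}),
}

# Assumption: which IDs to alert on is this example's choice, not the thread's.
WATCH = {520, 644, 675}

def decode(event_id, strings):
    """Map an event's insertion strings (%1, %2, ...) to the field names above."""
    if event_id not in FIELDS:
        return None
    title, positions = FIELDS[event_id]
    named = {}
    for pos, name in sorted(positions.items()):
        # %n is 1-based; a short record yields None instead of an IndexError.
        named[name] = strings[pos - 1] if pos <= len(strings) else None
    return {"id": event_id, "title": title, "fields": named}

def triage(records):
    """Return the decoded events whose ID is in WATCH, in input order."""
    hits = []
    for event_id, strings in records:
        if event_id in WATCH:
            event = decode(event_id, strings)
            if event is not None:
                hits.append(event)
    return hits

# Constructed sample records: (event ID, insertion strings). Not real log data.
SAMPLE = [
    (528, ["alice", "CORP", "(0x0,0x1A2B3)", "2"]),
    (644, ["bob", "FILESRV01", "CORP\\bob"]),
    (675, ["carol", "CORP\\carol", "krbtgt/CORP"]),
    (999, ["unlisted"]),
    (520, ["1234"]),  # deliberately short record
]

if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(event["id"], event["title"], event["fields"])
```
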
 
