> All insertion strings are
> kept in their original format; we don't combine the event data with the
> event message.

Hello Eric,

Are there plans to close the holes in the documentation of the Security
eventlog some day?

It would be nice to make some information available to developers as to how
formatting of a new Security event should be done. What I miss is:

When you look in the Registry on a Windows XP or Windows 2003 machine,
you can find the value GuidMessageFile under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security,
which usually points to NtMarta.dll.

When you use the function ReadEventlogRecord to read a 565 Security event
of a Windows 2003 machine, you will see that it contains strings like
%{guid} (where guid is some guid). Eventvwr is able to translate this
guid into some readable text, but nowhere in the MSDN documentation is
information available on how to translate these %{guid} strings into
readable text.

Frank Heyne
This archive was generated by hypermail 2b30 : Fri Oct 10 2003 - 11:05:34 PDT