RE: [logs] Monitoring Windows Security Events

From: Frank Heyne (fh@private-dresden.de)
Date: Fri Oct 10 2003 - 01:19:54 PDT


> All insertion strings are
> kept in their original format; we don't combine the event data with the
> event message.

Hello Eric,

Are there plans to close the holes in the documentation of the Security
eventlog some day?

It would be nice to make some information available to developers as to how
formatting of a new Security event should be done. What I miss is:

When you look in the Registry on a Windows XP or Windows 2003 machine,
you can find the value GuidMessageFile under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security,
which usually points to NtMarta.dll.

When you use the function ReadEventlogRecord to read a 565 Security event
of a Windows 2003 machine, you will see that it contains strings like
%{guid} (where guid is some GUID). Eventvwr is able to translate this
GUID into some readable text, but nowhere in the MSDN documentation is
information available on how to translate these %{guid} strings into
readable text.

Frank Heyne

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
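As an added illustration of the problem Frank describes (this is example code written for this archive page, not code from Frank, Eric's product, or Microsoft): a log-analysis pipeline that reads raw Security event insertion strings will see `%{guid}` tokens and has to decide what to do with them. The example below parses those tokens, resolves the ones it knows, keeps the raw string untouched next to the resolved view (matching the "insertion strings are kept in their original format" approach quoted above), and flags any GUID it cannot resolve so the record is not silently mistranslated. The lookup table, the GUID values and the sample 565 record are all constructed for the example; a real implementation would have to source the names from whatever the DLL named by GuidMessageFile provides, which is exactly the undocumented part.

```python
import re
from typing import Dict, List, Tuple

# Matches the %{guid} tokens seen in Security event insertion strings.
GUID_PLACEHOLDER = re.compile(
    r"%\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}"
)

# Constructed lookup table standing in for the message table that
# GuidMessageFile points at. GUIDs and names here are invented.
GUID_TABLE: Dict[str, str] = {
    "11111111-1111-1111-1111-111111111111": "Example-Property-Set",
    "22222222-2222-2222-2222-222222222222": "Example-Attribute",
}


def resolve_guid_placeholders(text: str, table: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace each %{guid} with its display name.

    Unknown GUIDs are left in place (never dropped) and returned so the
    caller can flag the record for review or a table update.
    """
    unresolved: List[str] = []

    def _sub(match: "re.Match[str]") -> str:
        guid = match.group(1).lower()
        name = table.get(guid)
        if name is None:
            unresolved.append(guid)
            return match.group(0)  # keep the raw token; no silent data loss
        return name

    return GUID_PLACEHOLDER.sub(_sub, text), unresolved


def normalize_event(record: Dict[str, object], table: Dict[str, str]) -> Dict[str, object]:
    """Return a record with the raw strings kept and a resolved view added."""
    raw_strings = list(record["strings"])
    resolved_strings: List[str] = []
    unresolved_all: List[str] = []
    for s in raw_strings:
        resolved, unresolved = resolve_guid_placeholders(s, table)
        resolved_strings.append(resolved)
        unresolved_all.extend(unresolved)
    return {
        "event_id": record["event_id"],
        "strings_raw": raw_strings,            # original insertion strings, untouched
        "strings_resolved": resolved_strings,  # human-readable view for analysts
        "unresolved_guids": sorted(set(unresolved_all)),
        "needs_review": bool(unresolved_all),
    }


# Constructed sample record. The string layout is illustrative only and is
# not a claim about the real field order of event 565.
SAMPLE_RECORD = {
    "event_id": 565,
    "strings": [
        "Object Type: directoryServiceObject",
        "Properties: %{11111111-1111-1111-1111-111111111111} "
        "%{22222222-2222-2222-2222-222222222222}",
        "Properties: %{33333333-3333-3333-3333-333333333333}",
    ],
}

if __name__ == "__main__":
    out = normalize_event(SAMPLE_RECORD, GUID_TABLE)
    for raw, res in zip(out["strings_raw"], out["strings_resolved"]):
        print(f"{raw!r}\n  -> {res!r}")
    if out["needs_review"]:
        print("Unresolved GUIDs:", out["unresolved_guids"])
```

Keeping the raw strings alongside the resolved view is the safer design for a log collector: the resolved text is convenient for searching, but the untouched original is what you fall back on when the lookup table is incomplete or a GUID turns out to mean something other than what the table said.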
    



    This archive was generated by hypermail 2b30 : Fri Oct 10 2003 - 11:05:34 PDT