RE: [logs] Monitoring Windows Security Events

From: Eric Fitzgerald (ericf@private)
Date: Tue Oct 21 2003 - 15:37:43 PDT

    Hi Frank,
    
    Sorry it took so long, but I didn't have time to follow up on this at
    the time you asked.
    
    GuidMessageFile is not currently used in XP or Windows Server 2003. I
    didn't check the Windows 2000 source. It will never be documented
    because it is not a supported feature for ISVs and customers (and in
    fact there is no code in Windows to actually read the registry value
    much less do anything with it). It still exists in the registry because
    no one ever pulled it out of the default hive; it's a non-issue moving
    forwards because we're replacing the Event Log service. I do not know
    the reason it was ever added.
    
    GUID-to-name translation is handled in the Event Viewer.  If the
    insertion string is stored in the form "%{guid}", then Event Viewer will
    attempt to look it up in AD, and if that fails, will display it in its
    raw form.
    
    As a side note, parsing an event log containing many GUIDs into text can
    be very expensive if the parser (for example, WMI) actually translates
    the GUIDs, since an LDAP query is required for each. We're aware of this
    and are working on a solution in an upcoming service pack.
    
    Thanks,
    
    Eric
    
    
    -----Original Message-----
    From: Frank Heyne [mailto:fh@private-dresden.de] 
    Sent: Friday, October 10, 2003 1:20 AM
    To: loganalysis@private
    Cc: Eric Fitzgerald
    Subject: RE: [logs] Monitoring Windows Security Events
    
    > All insertion strings are
    > kept in their original format; we don't combine the event data with 
    > the event message.
    
    Hello Eric,
    
    Are there plans to close the holes in the documentation of the Security
    eventlog some day? 
    
    It would be nice to make some information available to developers as to
    how formatting of a new Security event should be done. What I miss is:
    
    When you look in the Registry on a Windows XP or Windows 2003 machine,
    you can find the value GuidMessageFile under
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security,
    which usually points to NtMarta.dll
    
    When you use the function ReadEventlogRecord to read a 565 Security
    event of a Windows 2003 machine, you will see that it contains strings
    like %{guid} (where guid is some guid). Eventvwr is able to translate
    this guid into some readable text, but nowhere in the MSDN documentation
    is information available on how to translate these %{guid} strings into
    readable text.
    
    Frank Heyne
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
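    The thread describes the "%{guid}" insertion-string form and the Event Viewer's behaviour of
    looking each GUID up in AD and falling back to the raw token when that fails; it also notes the
    cost of one LDAP query per GUID. The following is an added example (not code from the list
    or from Microsoft) that parses such tokens and caches lookups so each distinct GUID costs one
    query; the GUID-to-name table and the sample strings are constructed placeholders, not real
    AD schema values or real event 565 data.

```python
import re
from typing import Callable, Dict, Optional

# "%{guid}" token as described in the thread: '%' followed by a braced GUID.
GUID_TOKEN = re.compile(
    r"%\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}"
)

# Constructed stand-in for the directory (GUID -> display name). In a real
# parser these names would come from an LDAP query against AD; these are
# placeholders only.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "11111111-2222-3333-4444-555555555555": "Example-Property-Set",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "Example-Attribute",
}


def sample_lookup(guid: str) -> Optional[str]:
    """Stand-in for the expensive per-GUID directory query."""
    return SAMPLE_DIRECTORY.get(guid.lower())


class GuidResolver:
    """Translates %{guid} tokens, querying once per distinct GUID."""

    def __init__(self, lookup: Callable[[str], Optional[str]]) -> None:
        self._lookup = lookup
        self._cache: Dict[str, Optional[str]] = {}
        self.lookups = 0  # number of times the lookup actually ran

    def resolve(self, guid: str) -> Optional[str]:
        key = guid.lower()  # GUIDs are case-insensitive
        if key not in self._cache:
            self.lookups += 1
            self._cache[key] = self._lookup(key)
        return self._cache[key]

    def translate(self, text: str) -> str:
        """Replace each %{guid}; keep the raw token when the lookup fails."""
        def repl(m):
            name = self.resolve(m.group(1))
            return name if name is not None else m.group(0)
        return GUID_TOKEN.sub(repl, text)


if __name__ == "__main__":
    # Constructed insertion strings, not a real event record.
    sample = [
        "Accesses: %{11111111-2222-3333-4444-555555555555} READ_PROPERTY",
        "Accesses: %{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} WRITE_PROPERTY",
        "Accesses: %{11111111-2222-3333-4444-555555555555} "
        "%{99999999-9999-9999-9999-999999999999}",
    ]
    resolver = GuidResolver(sample_lookup)
    for line in sample:
        print(resolver.translate(line))
    print("lookups:", resolver.lookups)  # 3 distinct GUIDs across 4 tokens
```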
    