Hi Frank,
Sorry it took so long, but I didn't have time to follow up on this at
the time you asked.
GuidMessageFile is not currently used in XP or Windows Server 2003. I
didn't check the Windows 2000 source. It will never be documented
because it is not a supported feature for ISVs and customers (and in
fact there is no code in Windows to actually read the registry value
much less do anything with it). It still exists in the registry because
no one ever pulled it out of the default hive; it's a non-issue moving
forwards because we're replacing the Event Log service. I do not know
the reason it was ever added.
GUID-to-name translation is handled in the Event Viewer. If the
insertion string is stored in the form "%{guid}", then Event Viewer will
attempt to look it up in AD, and if that fails, will display it in its
raw form.
As a side note, parsing an event log containing many GUIDs into text can
be very expensive if the parser (for example, WMI) actually translates
the GUIDs, since an LDAP query is required for each. We're aware of this
and are working on a solution in an upcoming service pack.
Thanks,
Eric
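Eric's description above (insertion strings in "%{guid}" form, resolved by a directory lookup with the raw form kept on failure, and the cost of one LDAP query per GUID) as an added Python example; this is not code from the thread or from Windows, the directory is an in-memory stand-in for the AD query, and the GUIDs, names and event strings are constructed placeholders.

```python
import re
from typing import Callable, Dict, List, Optional

# Recognises the "%{guid}" form the thread describes for Security event
# insertion strings; the hex digits may appear in either case.
GUID_TOKEN = re.compile(
    r"%\{([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}",
    re.IGNORECASE,
)

# Constructed stand-in for the directory. A real tool would issue the LDAP
# query against AD here; these GUIDs and names are placeholders only.
FAKE_DIRECTORY: Dict[str, str] = {
    "11111111-2222-3333-4444-555555555555": "Example-Object-Class",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "Example-Control-Right",
}

def fake_ldap_lookup(guid: str) -> Optional[str]:
    """Placeholder for the per-GUID directory query; None means not found."""
    return FAKE_DIRECTORY.get(guid)

class GuidResolver:
    """Memoises lookups so each distinct GUID costs one query, not one per occurrence."""
    def __init__(self, lookup: Callable[[str], Optional[str]]):
        self._lookup = lookup
        self._cache: Dict[str, Optional[str]] = {}
        self.queries = 0  # directory round-trips actually made

    def resolve(self, guid: str) -> Optional[str]:
        key = guid.lower()
        if key not in self._cache:
            self.queries += 1
            self._cache[key] = self._lookup(key)  # misses are cached too
        return self._cache[key]

def render(insertion_string: str, resolver: GuidResolver) -> str:
    """Replace each %{guid} with its name, or keep the raw token when lookup fails."""
    def substitute(match):
        name = resolver.resolve(match.group(1))
        return name if name is not None else match.group(0)
    return GUID_TOKEN.sub(substitute, insertion_string)

def render_all(strings: List[str], resolver: GuidResolver) -> List[str]:
    return [render(s, resolver) for s in strings]

# Constructed sample insertion strings in the style of a 565 event; not real data.
SAMPLE_STRINGS = [
    "Access granted: %{11111111-2222-3333-4444-555555555555}",
    "Access granted: %{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
    "Access granted: %{11111111-2222-3333-4444-555555555555}",
    "Access granted: %{99999999-9999-9999-9999-999999999999}",
]
```

Running `render_all(SAMPLE_STRINGS, GuidResolver(fake_ldap_lookup))` translates the two known GUIDs, leaves the unknown one in raw form, and makes three directory queries for four strings because the repeated GUID is served from the cache.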
-----Original Message-----
From: Frank Heyne [mailto:fh@private-dresden.de]
Sent: Friday, October 10, 2003 1:20 AM
To: loganalysis@private
Cc: Eric Fitzgerald
Subject: RE: [logs] Monitoring Windows Security Events
> All insertion strings are
> kept in their original format; we don't combine the event data with
> the event message.
Hello Eric,
Are there plans to close the holes in the documentation of the Security
eventlog some day?
It would be nice to make some information available to developers as to how
formatting of a new Security event should be done. What I miss is:
When you look in the Registry on a Windows XP or Windows 2003 machine,
you can find the value GuidMessageFile under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security,
which usually points to NtMarta.dll
When you use the function ReadEventlogRecord to read a 565 Security
event of a Windows 2003 machine, you will see that it contains strings
like %{guid} (where guid is some guid). Eventvwr is able to translate
this guid into some readable text, but nowhere in the MSDN documentation
is information available on how to translate these %{guid} strings into
readable text.
Frank Heyne
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 01:37:48 PDT