[logs] Reviewing Vista/2k3 log files from the same platform

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@private)
Date: Sat Jan 06 2007 - 23:39:20 PST


So I was looking at a 2k3 log file.. and I did it on my test Vista 
laptop... and I know and understand that Vista has new event IDs... so 
I'm cool with that.. what I didn't realize is that apparently I can't 
use the Vista MS Event viewer to open up 2k3/XP log files and review 
what's going on... that even such events as 529 have lost information.

1.  Is my conclusion correct?
2.  What are the gurus of log viewing doing to be able to read logs from 
XP, 2k3, Vista and ultimately Longhorn without firing up each platform?

When I'm doing a quick log file review... I just use what's native to 
the box.  Sorry for the stupid question... but what's a better way to do 
this?

Log Name:      C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt
Source:        Security
Date:          1/5/2007 9:18:42 PM
Event ID:      529
Task Category: Logon/Logoff
Level:         Information
Keywords:      Classic,Audit Failure
User:          SYSTEM
Computer:      ROYAL
Description:
The description for Event ID 529 from source Security cannot be found. 
Either the component that raises this event is not installed on your 
local computer or the installation is corrupted. You can install or 
repair the component on the local computer.

If the event originated on another computer, the display information had 
to be saved with the event.

The following information was included with the event:

abc123
3
Advapi  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
ROYAL
ROYAL$
PREFERRED
(0x0,0x3E7)
1012
-
-
-

The substitution string for insert index (%1) could not be found

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Security" />
   <EventID Qualifiers="0">529</EventID>
   <Level>0</Level>
   <Task>2</Task>
   <Keywords>0x90000000000000</Keywords>
   <TimeCreated SystemTime="2007-01-06T05:18:42.000Z" />
   <EventRecordID>5968</EventRecordID>
   <Channel>C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt</Channel>
   <Computer>ROYAL</Computer>
   <Security UserID="S-1-5-18" />
 </System>
 <EventData>
   <Data>abc123</Data>
   <Data>
   </Data>
   <Data>3</Data>
   <Data>Advapi  </Data>
   <Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
   <Data>ROYAL</Data>
   <Data>ROYAL$</Data>
   <Data>PREFERRED</Data>
   <Data>(0x0,0x3E7)</Data>
   <Data>1012</Data>
   <Data>-</Data>
   <Data>-</Data>
   <Data>-</Data>
 </EventData>
</Event>
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
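What the Vista viewer is telling you in the record above is that it looked up the message template for event 529 from the "Security" source on the local machine and found none: Vista's own Security provider carries the new 46xx templates, not the 2000/XP/2003 ones, so only the raw insertion strings (%1..%13) survive. The strings themselves are intact, which means they can be decoded offline if you know the legacy field order. The script below is an added example, not code from the original post or from Microsoft; it parses the Event XML shown in the post and maps the thirteen `<Data>` values onto the field names of the Windows Server 2003 event 529 template ("Logon Failure: Unknown user name or bad password"), decodes the Keywords bits, and notes the Vista/2008 event ID that replaced 529. The field order, the keyword bit values and the small legacy-to-Vista ID table are assumptions drawn from the 2003-era and Vista audit documentation rather than from the post.

```python
"""Decode a legacy (Windows 2000/XP/2003) Security event 529 from the Event XML
that Vista's Event Viewer shows when it cannot render the description.

Added example; not part of the original post. The field order is the
Windows Server 2003 message template for event 529 ("Logon Failure: Unknown
user name or bad password"). The sample XML below is the one from the post.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Insertion strings %1..%13 of the 2003-era event 529 template, in order
# (assumed layout; see the module docstring).
LEGACY_529_FIELDS = [
    "User Name", "Domain", "Logon Type", "Logon Process",
    "Authentication Package", "Workstation Name", "Caller User Name",
    "Caller Domain", "Caller Logon ID", "Caller Process ID",
    "Transited Services", "Source Network Address", "Source Port",
]

LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# Keyword bits from the standard Windows event keyword set; the post's
# 0x90000000000000 is Classic | Audit Failure.
KW_AUDIT_FAILURE = 0x10000000000000
KW_AUDIT_SUCCESS = 0x20000000000000
KW_CLASSIC = 0x80000000000000

# Legacy Security event IDs and the Vista/2008 IDs that replaced them.
# These happen to be old ID + 4096, but that rule does not hold for every event.
LEGACY_TO_VISTA = {528: 4624, 540: 4624, 529: 4625, 538: 4634, 680: 4776}

# The Event XML from the post (Channel path shortened to one line).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Security" />
   <EventID Qualifiers="0">529</EventID>
   <Level>0</Level>
   <Task>2</Task>
   <Keywords>0x90000000000000</Keywords>
   <TimeCreated SystemTime="2007-01-06T05:18:42.000Z" />
   <EventRecordID>5968</EventRecordID>
   <Channel>C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt</Channel>
   <Computer>ROYAL</Computer>
   <Security UserID="S-1-5-18" />
 </System>
 <EventData>
   <Data>abc123</Data>
   <Data>
   </Data>
   <Data>3</Data>
   <Data>Advapi  </Data>
   <Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
   <Data>ROYAL</Data>
   <Data>ROYAL$</Data>
   <Data>PREFERRED</Data>
   <Data>(0x0,0x3E7)</Data>
   <Data>1012</Data>
   <Data>-</Data>
   <Data>-</Data>
   <Data>-</Data>
 </EventData>
</Event>"""


def parse_event(xml_text):
    """Pull the System fields and the raw insertion strings out of Event XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    keywords = int(system.find("e:Keywords", NS).text, 16)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "time_created": system.find("e:TimeCreated", NS).get("SystemTime"),
        "audit_failure": bool(keywords & KW_AUDIT_FAILURE),
        "audit_success": bool(keywords & KW_AUDIT_SUCCESS),
        "classic": bool(keywords & KW_CLASSIC),
        # Vista writes each %n insertion string as its own <Data> element;
        # an empty field (the blank Domain here) arrives as whitespace only.
        "data": [(d.text or "").strip()
                 for d in root.findall("e:EventData/e:Data", NS)],
    }


def decode_529(event):
    """Map the positional insertion strings onto the legacy 529 field names."""
    if event["provider"] != "Security" or event["event_id"] != 529:
        raise ValueError("not a legacy Security event 529")
    if len(event["data"]) != len(LEGACY_529_FIELDS):
        raise ValueError("unexpected insertion-string count %d" % len(event["data"]))
    fields = dict(zip(LEGACY_529_FIELDS, event["data"]))
    code = fields["Logon Type"]
    fields["Logon Type"] = "%s (%s)" % (code, LOGON_TYPES.get(code, "unknown"))
    return fields


def render_description(event):
    """Rebuild the text a 2003-era Event Viewer would have shown for this record."""
    fields = decode_529(event)
    lines = ["Logon Failure:", "    Reason: Unknown user name or bad password"]
    lines += ["    %s: %s" % (name, value) for name, value in fields.items()]
    lines.append("    Vista/2008 equivalent event ID: %d"
                 % LEGACY_TO_VISTA[event["event_id"]])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_description(parse_event(SAMPLE_EVENT_XML)))
```

The same positional approach works for any legacy Security event once you have its template; the practical source for those templates is the message DLL on the originating platform (or a viewer that ships its own copies), which is why the Vista box alone cannot render them. Running this on the post's record yields a network (type 3) logon failure for user `abc123` with no domain, raised by the `ROYAL$` machine account via Advapi.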
This archive was generated by hypermail 2.1.3 : Sun Jan 07 2007 - 16:26:27 PST