With all due respect to a few folks who said that this is normal, that
you can't properly look at the events of one platform in the event viewer
of another...
An event from 2k3 in an XP event viewer looks like this:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/6/2007
Time: 7:32:15 AM
User: NT AUTHORITY\SYSTEM
Computer: ROYAL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: PREFERRED
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: ROYAL
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
On Vista it no longer provides a useful context, yet Success appeared to
maintain some semblance of information that could be read.
Thanks for the suggestions on the logparser tool. I think we'll need it.
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> So I was looking at a 2k3 log file.. and I did it on my test Vista
> laptop... and I know and understand that Vista has new event IDs... so
> I'm cool with that.. what I didn't realize is that apparently I can't
> use the Vista MS Event viewer to open up 2k3/XP log files and review
> what's going on... that even such events as 529 have lost information.
>
> 1. Is my conclusion correct?
> 2. What are the gurus of log viewing doing to be able to read logs from
> XP, 2k3, Vista and ultimately Longhorn without firing up each platform?
>
> When I'm doing a quick log file review... I just use what's native to
> the box. Sorry for the stupid question... but what's a better way to do
> this?
>
> Log Name: C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt
> Source: Security
> Date: 1/5/2007 9:18:42 PM
> Event ID: 529
> Task Category: Logon/Logoff
> Level: Information
> Keywords: Classic,Audit Failure
> User: SYSTEM
> Computer: ROYAL
> Description:
> The description for Event ID 529 from source Security cannot be found.
> Either the component that raises this event is not installed on your
> local computer or the installation is corrupted. You can install or
> repair the component on the local computer.
>
> If the event originated on another computer, the display information had
> to be saved with the event.
>
> The following information was included with the event:
>
> abc123
> 3
> Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> ROYAL
> ROYAL$
> PREFERRED
> (0x0,0x3E7)
> 1012
> -
> -
> -
>
> The substitution string for insert index (%1) could not be found
>
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="Security" />
> <EventID Qualifiers="0">529</EventID>
> <Level>0</Level>
> <Task>2</Task>
> <Keywords>0x90000000000000</Keywords>
> <TimeCreated SystemTime="2007-01-06T05:18:42.000Z" />
> <EventRecordID>5968</EventRecordID>
> <Channel>C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt</Channel>
> <Computer>ROYAL</Computer>
> <Security UserID="S-1-5-18" />
> </System>
> <EventData>
> <Data>abc123</Data>
> <Data>
> </Data>
> <Data>3</Data>
> <Data>Advapi </Data>
> <Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
> <Data>ROYAL</Data>
> <Data>ROYAL$</Data>
> <Data>PREFERRED</Data>
> <Data>(0x0,0x3E7)</Data>
> <Data>1012</Data>
> <Data>-</Data>
> <Data>-</Data>
> <Data>-</Data>
> </EventData>
> </Event>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
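As an added example (not code from either poster, nor Microsoft's), this Python script reads the Event XML quoted in the thread, decodes the Keywords mask the Vista viewer labels "Classic,Audit Failure", and maps the thirteen positional <Data> inserts of a classic event 529 back to the field names the XP/2k3 viewer displays. The field order after Workstation Name is assumed from the Windows 2003 message template for 529, and SAMPLE_XML is constructed from the thread's own event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Insert order %1..%13 of the Windows 2003 event 529 message template.
# Assumption: the first six match the XP rendering in the thread; the rest
# follow the 2003 template.
EVENT_529_FIELDS = [
    "User Name", "Domain", "Logon Type", "Logon Process", "Authentication Package",
    "Workstation Name", "Caller User Name", "Caller Domain", "Caller Logon ID",
    "Caller Process ID", "Transited Services", "Source Network Address", "Source Port"]
# Keyword bits behind the viewer's "Classic,Audit Failure" label (0x90000000000000).
KEYWORD_BITS = {0x80000000000000: "Classic", 0x20000000000000: "Audit Success",
                0x10000000000000: "Audit Failure"}

def parse_event(xml_text):
    """Return event id, keyword bitmask and the ordered insertion strings."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # An empty <Data> (the missing domain) yields "", not None; trailing blanks are dropped.
    data = [(d.text or "").strip() for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    return {"event_id": int(system.find("e:EventID", NS).text),
            "keywords": int(system.find("e:Keywords", NS).text, 16), "data": data}

def decode_keywords(mask):
    return [name for bit, name in sorted(KEYWORD_BITS.items(), reverse=True) if mask & bit]

def render_529(event):
    """Rebuild the 2k3-style description the Vista viewer could not look up."""
    if event["event_id"] != 529:
        raise ValueError("not an event 529: %d" % event["event_id"])
    if len(event["data"]) != len(EVENT_529_FIELDS):
        raise ValueError("expected %d inserts, got %d" % (len(EVENT_529_FIELDS), len(event["data"])))
    lines = ["Logon Failure:", "    Reason: Unknown user name or bad password"]
    lines += ["    %s: %s" % kv for kv in zip(EVENT_529_FIELDS, event["data"])]
    return "\n".join(lines)

# Constructed sample: the Event XML quoted in this thread, without the Channel path.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Security" /><EventID Qualifiers="0">529</EventID><Level>0</Level>
<Task>2</Task><Keywords>0x90000000000000</Keywords><Computer>ROYAL</Computer></System>
<EventData><Data>abc123</Data><Data>
</Data><Data>3</Data><Data>Advapi </Data><Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data>ROYAL</Data><Data>ROYAL$</Data><Data>PREFERRED</Data><Data>(0x0,0x3E7)</Data>
<Data>1012</Data><Data>-</Data><Data>-</Data><Data>-</Data></EventData></Event>"""

if __name__ == "__main__":
    ev = parse_event(SAMPLE_XML)
    print("Keywords:", ",".join(decode_keywords(ev["keywords"])))
    print(render_529(ev))
```

The same positional mapping works for the thread's other 529 once its XML is exported; only the insert order table would change for a different classic event ID.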
This archive was generated by hypermail 2.1.3 : Mon Jan 15 2007 - 10:02:03 PST