[logs] Re: Reviewing Vista/2k3 log files from the same platform

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@private)
Date: Wed Jan 17 2007 - 11:07:18 PST


That's still not quite my point....and granted, perhaps I wasn't 
supposed to be able to do what I was doing...but nonetheless I did it. 
.... pre Vista for basic admin "what's nailing my server" I can/do look 
at the 2k3 security log file in an XP event viewer.   If Vista is my 
desktop of choice (and it's not ....quite yet...) while the events for 
"success" from a 2k3 box are readable, the "failures" are not.  That 
surprised me is all.

Because the event logs (which, don't get me wrong, I LOVE the new stuff) 
have the new XML values, I was just surprised that my quick and dirty log 
view that shouldn't have worked before....but more often than not did... 
now really doesn't.




Eric Fitzgerald wrote:
> Hey Tina!
>
>> For years one of my *favorite* parts of Microsoft logging is that
>> event IDs *have* remained consistent across versions of the operating
>> systems...
>> What's the plan for heterogeneous Windows
>> environments?
>
>
> We almost always kept the same event ID's from version to version
> pre-Vista.  The problem was that the tools didn't do well correlating
> events or finding a subset of events with a similar characteristic so
> we'd either split an event ID into two, or combine two into one,
> depending on which problem was being complain^h^h^h emphasized more at
> the time.
>
> However we did a whole bunch of event cleanup in Vista and the resulting
> events were different enough from their pre-Vista equivalents to break
> automation.  So we had to renumber, to save you.  But I knew that folks
> like you on this list would want to leverage your pre-Vista knowledge
> instead of memorizing 300-odd new events.
>
> So here is my New Years' gift to all of you.
>
> For almost all security log events, EventId(Vista) = EventId(PreVista) +
> 4096
>
> You can do it in your head- add 4000, add 100, subtract 4.  528 -->
> 4624, etc.
>
> Best regards,
> Eric
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
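As an added example (not code from either poster), a small Python normalizer that applies Eric's +4096 rule so a Security log rule written against Vista event IDs also matches 2000/XP/2003 records in a mixed environment like the one Susan describes; the hosts, OS labels and event records are constructed sample data, and the OS-family names are an assumption of this example.

```python
# Added example: correlate Security log events across pre-Vista and Vista hosts.
from collections import defaultdict

VISTA_OFFSET = 4096  # EventId(Vista) = EventId(PreVista) + 4096, per the thread

# Constructed sample records: (host, OS family, raw event ID). Not real log data.
SAMPLE_EVENTS = [
    ("dc01", "2003", 528),
    ("dc01", "2003", 529),
    ("dc01", "2003", 529),
    ("ws-vista", "vista", 4624),
    ("ws-vista", "vista", 4625),
    ("ws-xp", "xp", 529),
]

PRE_VISTA = {"2000", "xp", "2003"}  # assumed labels for the old numbering


def normalize_event_id(event_id: int, os_family: str) -> int:
    """Map a Security log event ID into the Vista numbering space.

    Pre-Vista IDs are shifted by 4096; Vista IDs are returned unchanged.
    Eric's caveat ("almost all") means a few events have no such twin,
    so treat the result as a best-effort correlation key.
    """
    family = os_family.lower()
    if family in PRE_VISTA:
        return event_id + VISTA_OFFSET
    if family == "vista":
        return event_id
    raise ValueError(f"unknown OS family: {os_family!r}")


def mental_arithmetic(event_id: int) -> int:
    """The in-your-head version from the thread: add 4000, add 100, subtract 4."""
    return event_id + 4000 + 100 - 4


def correlate(events):
    """Count events per normalized ID and host, so one rule covers both versions."""
    counts = defaultdict(lambda: defaultdict(int))
    for host, os_family, event_id in events:
        counts[normalize_event_id(event_id, os_family)][host] += 1
    return {eid: dict(hosts) for eid, hosts in counts.items()}


if __name__ == "__main__":
    for eid, hosts in sorted(correlate(SAMPLE_EVENTS).items()):
        print(eid, hosts)
```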

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Wed Jan 17 2007 - 11:25:20 PST