Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team


Tagged Content List
  • Blog Post: XPath to generate a list of NTLM authentications on Windows Vista or Later

    Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should; sorry about that. I am working on a different project now but I am still in close touch with the auditing team and I'll try to do better. Anyway a question that I hear regularly is, "how do I find all the...
  • Blog Post: Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

    I've written twice ( here and here ) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows and the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03...
  • Blog Post: WEvtUtil Scripting

    If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you're missing out. The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn't suffer from any of the drawbacks around getting field delimiting correct. The...
  • Blog Post: Windows Server 2008 Security Events Posted

    Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base . Even better, they documented all the events in spreadsheet format, and that's propagating to the Microsoft Download...
  • Blog Post: Shameless Self-Promotion

    There's one topic that I know is on everyone's mind- no, not American Idol - it's "What's new in Auditing in Windows Server 2008?" Well, funny that you brought that up. My friend Jesper Johanssen just wrote a new book, the Windows Server 2008 Security Resource Kit , and he invited me to write a chapter...
  • Blog Post: ACS Event Transformation Demystified

    I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS. Transformation is performed on the agent (using instructions provided at connect...
  • Blog Post: ACS Tidbits

    Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of SystemCenter Operations Manager 2007 ). Two more of our partners, Enterprise Certified and NetPro , have released compliance solutions on top of ACS. Another of our partners with ACS-based compliance...
  • Blog Post: List of Windows Server 2003 Events

    So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published " Security Event Descriptions ". This article was the "schema" so to speak, for the Windows NT 4.0 security event log events. Technically Windows events are not schematized until Windows Vista; or put...
  • Blog Post: Help! Someone has deleted events from my Windows event log!

    From time to time I hear this, and it usually turns out not to be the case. I'll begin with a little background. First, The eventlog service does not have (and never did have) any public or private API to delete individual events- there is a log clear API but nothing else. The eventlog team thought...
  • Blog Post: Documentation on the Windows Vista and Windows Server 2008 Security Events

    I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the " add 4096 " rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success events [528, 540] and 10 failure events [529-537...
  • Blog Post: Where do I get my information on Windows auditing?

    You might want to know where I go to get my information on audit events and so forth. Mostly I go to the source code or one of our developers. For continuity-of-employment reasons I won't be posting a link to that here ;-) We have some old specs and some new specs but sometimes the code doesn't function...
  • Blog Post: Default ACLs on Windows Event Logs

    A question I get asked frequently: what are the default ACLs on Windows event logs? Here's the answer, straight from the source code with only a little formatting help from me, and in more detail than you probably care to know. Windows 2000: Application Event Log and custom event...
  • Blog Post: What is up with Audit Collection Services?

    A lot of you have been asking me to write about Audit Collection Services (ACS, which some of you might know as MACS). For those of you unfamiliar with ACS, it's a client-server application to collect, normalize and store large volumes of security event log data from large numbers of machines, and...
  • Blog Post: Managed Code Developers: You no longer have an excuse!

    One of my former teammates, Mark, designed and built a set of managed classes for generating audit from .NET applications (for example, consider a web service). His work is published in the latest issue of MSDN magazine. A lot of people aren't aware of this, but in Windows Server 2003 we added an...
  • Blog Post: Yay! A fix for EventQuery

    Those of us "in the know" :-) use eventquery.vbs to export events to a delimited file, and then use Excel to analyze the log- autofiltering rocks. Unfortunately if you have a large log, this doesn't work! Well, I finally used MSN Search to see if there was a KB article on this, and I found this post...
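The two recurring how-tos in the list above, the "add 4096" ID mapping (with the logon-event exception noted in the Vista/2008 documentation post) and the XPath query for NTLM authentications on Vista or later (runnable either through Get-WinEvent or wevtutil), as one added PowerShell example. This is not code from the blog; the function names, the treatment of 528/540 and 529-537/539 as the only exceptions, and the use of the 4624 AuthenticationPackageName field are assumptions made here for illustration.

```powershell
# Added example (not from the original blog). Two helpers:
#   Convert-Ws03EventId : applies the "+4096" rule, special-casing the
#                         pre-Vista logon events that were collapsed.
#   Get-NtlmLogon       : runs an XPath query for NTLM logons (event 4624)
#                         against the Security log via Get-WinEvent.
# Assumption: the only events that break the +4096 rule are the logon
# success IDs (528, 540 -> 4624) and failure IDs (529-537, 539 -> 4625).
$script:LogonExceptions = @{
    528 = 4624; 540 = 4624
    529 = 4625; 530 = 4625; 531 = 4625; 532 = 4625; 533 = 4625
    534 = 4625; 535 = 4625; 536 = 4625; 537 = 4625; 539 = 4625
}

function Convert-Ws03EventId {
    param([Parameter(Mandatory)][int]$EventId)
    if ($script:LogonExceptions.ContainsKey($EventId)) {
        return $script:LogonExceptions[$EventId]
    }
    return $EventId + 4096     # e.g. 560 (object open) -> 4656, 538 (logoff) -> 4634
}

# XPath (Vista+ schematized events): successful logons whose
# authentication package was NTLM. The same string works with
#   wevtutil qe Security /q:"$ntlmXPath" /c:50 /f:xml /rd:true
$ntlmXPath = "*[System[EventID=4624] and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

function Get-NtlmLogon {
    param([int]$MaxEvents = 50)
    $filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$ntlmXPath</Select>
  </Query>
</QueryList>
"@
    # Reading the Security log requires an elevated (administrator) session.
    Get-WinEvent -FilterXml $filter -MaxEvents $MaxEvents | ForEach-Object {
        # Take the named EventData fields from the event XML instead of
        # parsing the rendered message text, so there is no delimiting guesswork.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            LmPackage = $d.LmPackageName     # NTLM V1 / V2 / LM
            Source    = $d.IpAddress
        }
    }
}

# Usage:
#   Convert-Ws03EventId 540        # logon via network -> 4624, not 4636
#   Get-NtlmLogon -MaxEvents 20 | Format-Table -AutoSize
```

Get-WinEvent raises a "No events were found" error when nothing matches the filter; pass `-ErrorAction SilentlyContinue` if an empty result should be quiet. Dropping the `EventID=4624` clause from the XPath and keeping only the AuthenticationPackageName test would also pick up failed NTLM logons (4625), which is usually what you want when hunting for stray NTLM use.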