MSDN Blogs - Browse by Tags: Tools
I've written twice (here and here) about the relationship between the "old" security event IDs (5xx-6xx) in WS03 and earlier versions of Windows and the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) Read More...
If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you're missing out. The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn't suffer from any of the drawbacks Read More...
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base. Even better, they documented all the events in spreadsheet format, and that's Read More...
There's one topic that I know is on everyone's mind - no, not American Idol - it's "What's new in Auditing in Windows Server 2008?" Well, funny that you brought that up. My friend Jesper Johansson just wrote a new book, the Windows Server 2008 Security Read More...
I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS. Transformation is performed on the agent Read More...
Well, there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of System Center Operations Manager 2007). Two more of our partners, Enterprise Certified and NetPro, have released compliance solutions on top of ACS. Another Read More...
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published "Security Event Descriptions". This article was the "schema", so to speak, for the Windows NT 4.0 security event log events. Technically, Windows events Read More...
From time to time I hear this, and it usually turns out not to be the case. I'll begin with a little background. First, the eventlog service does not have (and never did have) any public or private API to delete individual events - there is a log clear Read More...
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the "add 4096" rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success Read More...
You might want to know where I go to get my information on audit events and so forth. Mostly I go to the source code or one of our developers. For continuity-of-employment reasons I won't be posting a link to that here ;-) We have some old specs and some Read More...
A lot of you have been asking me to write about Audit Collection Services (ACS, which some of you might know as MACS). For those of you unfamiliar with ACS, it's a client-server application to collect, normalize and store large volumes of security event Read More...
One of my former teammates, Mark, designed and built a set of managed classes for generating audit from .NET applications (for example, consider a web service). His work is published in the latest issue of MSDN magazine. A lot of people aren't aware of Read More...
Those of us "in the know" :-) use eventquery.vbs to export events to a delimited file, and then use Excel to analyze the log - autofiltering rocks. Unfortunately, if you have a large log, this doesn't work! Well, I finally used MSN Search to see if there Read More...