Note: Please use Internet Explorer 6.0 or above to view this page

EventID Resource Kit for Sentry II

Windows Event Identifiers, or EventID's, are a required input to Sentry II Event Log Watches, which define the monitoring and alerting parameters on the servers, workstations and devices in your network. Use the information provided below to assist you in determining which EventID's to watch.

Table Of Contents

Types of Event Logs

What is an EventID?

Types of Events

Recommended Event Monitoring Practices

Application EventID List

Security EventID List

System EventID List

Microsoft Online Event Log Documentation

Types of Event Logs

Microsoft Windows writes to three, standard event logs,

· Application Event Log

· Security Event Log

· System Event Log

Windows 2000 Servers configured with Active Directory or just DNS provide the three event logs listed below,

· Directory Service Event Log

· Domain Name Server (DNS) Event Log

· File Replication Server Event Log

Return to Table of Contents

What is an EventID?

The EventID, or Event Identifier, is a number that Windows assigns to uniquely identify a particular action or process carried out by applications, the operating system or

other system services. It is associated with a text message that is intended to assist the system administrator in responding to the event and preventing future problems. This number, or series of numbers, is an input to Sentry II Event Log Watches.

A scan of your system’s current event logs, via the Event Viewer utility, can be used to confirm some of the EventID’s for events that Windows currently is auditing on your network. In the example below, refer to the column titled, ”Event”,

Identifying other EventID’s that do not appear in the current event logs requires documentation, which can be difficult to locate. Use the information provided below to assist you in your research of Windows EventID’s, for the purpose of configuring your Sentry II Event Log Watches.

Return to Table of Contents

Types of Events

Windows NT/2000 event logs contain five types of events,

Event Type	Meaning
Information	successful operation of an application, driver or service
Error	significant problem, such as loss of data or functionality
Warning	may indicate a possible future problem
Success Audit	an audited security access attempt that succeeds
Failure Audit	an audited security access attempt that fails

Return to Table of Contents

Use the table below as a general guide, when configuring your Sentry II Event Log Watches,

Event Categories	Recommended Monitoring
Account Logon Failures EventID’s: 529-537	· Immediate Notification Alert for any administrator account logon failure · Immediate Notification Alert for any logon failure during non-business hours · Daily Filter Viewing
Profile Changes EventID’s: 624-630	· Immediate Notification Alert · Daily Filter Viewing
Password Changes EventID’s: 627,628	· Notification alert for any administrator password change · Notification alert for password change during non-business hours · Daily Filter Viewing
All Error Events	· Daily Filter Viewing
User or Group Changes	· Immediate Notification Alert · Daily Filter Viewing
Audit Policy Changes	· Immediate Notification Alert · Daily Filter Viewing
Handle Duplication/Handle Closed	· Daily Filter Viewing of critical files
System Events	· Daily Filter Viewing
Application Errors and Warnings	· TBD by the application analyst

Return to Table of Contents

Application EventID List

Typically, our customers use Sentry II to monitor their Application Event Logs for errors and warnings.

Sample Application Events
EventID	Source	Description
1000	Userenv	Error: .NET Runtime Failed to load; address space not supported
1001	MsiInstaller	Warning: application error or hang; fault bucket (number or counter)
11706	MsiInstaller	Error: application error (error code and message)

Return to Table of Contents

Security EventID List

Some representative security events are listed in the table shown below. While security event monitoring needs may vary widely between organizations, use this list as a general guide.

Sample Security Events
EventID	Type	Description
512	Success Audit	NT starts
513	Success Audit	NT is shut down
514	Success Audit	Authentication Package is loaded by the LSA (Local Security Authority)
515	Success Audit	A trusted logon process has registered with the LSA
516	Success Audit	Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
517	Success Audit	Security log is cleared
518	Success Audit	SAM has loaded a notification package
528	Success Audit	Successful logon
529	Failure Audit	Logon failure: unknown username or password
530	Failure Audit	Logon failure: account logon time restriction violation
531	Failure Audit	Logon failure: account currently disabled
532	Failure Audit	Logon failure: the specified user account has expired
533	Failure Audit	Logon failure: user not allowed to logon at this computer
534	Failure Audit	Logon failure: the user has not been granted the requested logon type at this machine
535	Failure Audit	Logon failure: the specified account's password has expired
536	Failure Audit	Logon failure: the Net-logon component is not active
537	Failure Audit	Logon failure: An unexpected error occurred during logon
538	Success Audit	User logoff
539	Failure Audit	Logon failure: Account locked out
540	Success Audit	Successful network logon
560	Success Audit	Object access success audit event
561	Success Audit	Handle allocated
562	Success Audit	Handle closed
563	Success Audit	Object opened for delete
564	Success Audit	Object deleted
576	Success Audit	Special privileges assigned to new logon
577	Success Audit	Privilege service called
578	Success Audit	Privilege object operation
592	Success Audit	A new process has been created
593	Success Audit	A process has been exited
594	Success Audit	A handle to an object has been obtained
595	Success Audit	Indirect access to an object has been obtained
608	Success Audit	User right assigned. The event message lists the assigned rights
609	Success Audit	User right removed. The event message lists the removed rights
610	Success Audit	New domain trust created
611	Success Audit	Trust relationship removed
612	Success Audit	The audit policy has been changed. The event message describes the new policy
624	Success Audit	New user account created. The event message lists the new account name and SID
625	Success Audit	User account changed. The event message lists the affected user account
626	Success Audit	User account enabled (from disabled state). The event message lists the affected user account
627	Success Audit	Attempt to change password. The event message lists the affected user
628	Success Audit	User account password set. The event message lists the affected user
629	Success Audit	Account disabled. The event message lists the affected user
630	Success Audit	Account deleted. The event message lists the affected user
631	Success Audit	Global group created. The event message lists the group
632	Success Audit	New member added to global group. The event message lists the affected group, as well as the name of the added account
633	Success Audit	Member removed from global group. The event message lists the affected group, as well as the name of the removed account
634	Success Audit	Global group deleted. The event message lists the affected group
635	Success Audit	Local group created. The event message lists the affected group
636	Success Audit	New member added to local group. The event message lists the affected group, as well as the name of the added account
637	Success Audit	Member removed from local group. The event message lists the affected group, as well as the name of the removed account
638	Success Audit	Local group deleted. The event message lists the affected group
639	Success Audit	Local group changed. The event lists the affected group
640	Success Audit	General account database change. The event lists the change that was made
641	Success Audit	Global group changed. The event message lists the affected group
642	Success Audit	User account changed. The event lists the affected account
643	Success Audit	Domain policy changed. The event lists the affected domain
644	Success Audit	User account locked out. This event is logged when an account is locked out due to repeated logon failures.

Return to Table of Contents

System EventID List

Typically, our customers use Sentry II to monitor their System Event Logs for errors only.

Sample System Events
EventID	Source	Description
115	SMTPSVC	Error: the service could not bind instance (instance number)
2506	Server	Error: invalid value in server's registry key; ignored; processing continued
7000	Service Control Manager	Error: service or device failed to start

Return to Table of Contents

Microsoft Online Event Log Documentation

An online list of Windows events associated with the three, standard Windows event logs can be found at the web site listed below. The link does not expand as the hierarchy is navigated, so it is necessary to traverse the hierarchy by mouse-clicking each level. To facilitate this, you might want to print out a copy of the hierarchy first, for easy reference.

Once you have reached Event Log/ in the hierarchy, select any of the three event logs to view a list of events by description. Select the description that most closely matches your criteria. After each selection, a detail screen displays the associated EventID along with an explanation of the event, (see example, below). In some cases, it might be necessary to read the details of several events before finding the one that is most appropriate to your situation.

http://msdn.microsoft.com/library

Windows Development/

Windows 2000/

Windows 2000 General/

Resource Kit/

Error and Event Messages/

Windows 2000 Error and Event Messages Help/

Event Log/

Application Event Log

Security Event Log

System Event Log

The example below was excerpted from the online documentation of the Security Event Log,