Engagent



EventID Resource Kit for Sentry II


Windows Event Identifiers, or EventIDs, are a required input to Sentry II Event Log Watches, which define the monitoring and alerting parameters for the servers, workstations and devices on your network. Use the information below to help you determine which EventIDs to watch.

Table Of Contents

Types of Event Logs

What is an EventID?

Types of Events

Recommended Event Monitoring Practices

Application EventID List

Security EventID List

System EventID List

Microsoft Online Event Log Documentation 


Types of Event Logs 

Microsoft Windows writes to three standard event logs:

          Application Event Log

          Security Event Log

          System Event Log

Windows 2000 Servers running Active Directory or the DNS Server service provide up to three additional event logs. The Directory Service and File Replication Service logs exist on domain controllers; the DNS Server log exists on any server running the DNS Server service:

          Directory Service Event Log

          Domain Name Server (DNS) Event Log

          File Replication Service Event Log


Return to Table of Contents


What is an EventID?

The EventID, or Event Identifier, is a number that an event source (an application, the operating system or a system service) uses to identify a particular action or condition it reports. It is associated with a message text intended to help the system administrator respond to the event and prevent future problems. The number is unique only within its Source: unrelated sources reuse the same numbers, so a watch should match on the Source as well as the EventID. This number, or series of numbers, is the input to Sentry II Event Log Watches. The IDs listed on this page are those of Windows NT, 2000, XP and Server 2003; Windows Vista and later renumbered the Security log events (most legacy IDs gained 4096, for example 528/540 became 4624, 529-537 became 4625, 592 became 4688 and 624 became 4720), so consult the documentation for the Windows version you monitor.


A scan of your system's current event logs with the Event Viewer utility confirms the EventIDs of the events Windows is currently auditing on your network. In the Event Viewer listing (the screenshot is not reproduced here), the EventID appears in the column titled "Event".



Identifying other EventIDs that do not yet appear in your event logs, because the corresponding audit category is not enabled or the condition has not occurred, requires documentation, which can be difficult to locate. Use the information below to assist your research of Windows EventIDs when configuring your Sentry II Event Log Watches.

Return to Table of Contents


Types of Events

Windows NT/2000 event logs contain five types of events:

Event Type       Meaning
Information      Successful operation of an application, driver or service
Error            A significant problem, such as loss of data or functionality
Warning          A condition that is not yet a problem but may indicate a future one
Success Audit    An audited security access attempt that succeeded
Failure Audit    An audited security access attempt that failed

Success Audit and Failure Audit events appear only in the Security log, and only for the audit categories enabled in the audit policy; an EventID from a category that is not audited will never be written, however many watches are configured for it.

Return to Table of Contents


Recommended Event Monitoring Practices

Use the table below as a general guide when configuring your Sentry II Event Log Watches. Note that the Password Changes EventIDs (627, 628) fall inside the Profile Changes range (624-630): apply the more specific Password Changes rule to those two and the Profile Changes rule to the rest.

Event Category / Recommended Monitoring

Account Logon Failures (EventIDs 529-537)
    Immediate Notification Alert for any administrator account logon failure
    Immediate Notification Alert for any logon failure during non-business hours
    Daily Filter Viewing

Profile Changes (user account management, EventIDs 624-630)
    Immediate Notification Alert
    Daily Filter Viewing

Password Changes (EventIDs 627, 628)
    Notification Alert for any administrator password change
    Notification Alert for any password change during non-business hours
    Daily Filter Viewing

All Error Events
    Daily Filter Viewing

User or Group Changes
    Immediate Notification Alert
    Daily Filter Viewing

Audit Policy Changes
    Immediate Notification Alert
    Daily Filter Viewing

Handle Duplication/Handle Closed
    Daily Filter Viewing of critical files

System Events
    Daily Filter Viewing

Application Errors and Warnings
    TBD by the application analyst

Return to Table of Contents
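The script below is an added example and is not code from the Engagent page or from the Sentry II product. It applies the Recommended Event Monitoring Practices table above to a constructed set of event-log records and decides, per record, whether it warrants an immediate notification alert, a notification alert, daily filter viewing, or nothing; it also inventories the (log, Source, EventID) triples it sees, which is the "scan your current event logs" step from the What is an EventID? section. The record format, the administrator account names, the business-hours window, the critical file list, the invented Source "OtherApp" and the EventID ranges assumed for the categories the table leaves unnumbered (User or Group Changes, Handle Duplication/Handle Closed, Audit Policy Changes) are all assumptions made for this example.

```python
"""Added example (not from the Engagent page or Sentry II): apply the
Recommended Event Monitoring Practices table to constructed event records
and decide which need an immediate alert, a notification or only daily
filter viewing; also inventory the (log, Source, EventID) triples seen.
Record format, admin accounts, business hours, critical files and the
ID sets marked "assumed" below are assumptions made for the example."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

ADMIN_ACCOUNTS = {"administrator"}             # assumed privileged accounts
BUSINESS_HOURS = (time(8, 0), time(18, 0))     # assumed: 08:00-18:00, Mon-Fri
CRITICAL_FILES = {r"C:\Payroll\salaries.xls"}  # assumed watched objects

# EventID sets from the page's tables unless marked assumed
LOGON_FAILURES = set(range(529, 538)) | {539}  # 529-537 plus 539 (locked out)
ACCOUNT_CHANGES = set(range(624, 631))         # "Profile Changes" 624-630
PASSWORD_CHANGES = {627, 628}                  # inside 624-630, so tested first
GROUP_CHANGES = set(range(631, 643))           # assumed for "User or Group Changes"
AUDIT_POLICY_CHANGED = 612                     # "The audit policy has been changed"
HANDLE_EVENTS = {562, 594}                     # handle closed / handle duplicated


@dataclass
class EventRecord:
    when: datetime
    log: str         # Application / Security / System
    source: str      # event Source, e.g. "Security", "Userenv"
    event_id: int
    event_type: str  # Information / Warning / Error / Success Audit / Failure Audit
    user: str
    obj: str         # object name, filled in for handle events


def parse_record(line):
    # constructed pipe-delimited export: time|log|Source|EventID|type|user|object
    f = [p.strip() for p in line.split("|")]
    return EventRecord(datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S"),
                       f[1], f[2], int(f[3]), f[4], f[5], f[6])


def in_business_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.time() < end


def classify(rec):
    """Return (level, reason); level is immediate, notify, daily or ignore."""
    is_admin = rec.user.lower() in ADMIN_ACCOUNTS
    off_hours = not in_business_hours(rec.when)
    eid = rec.event_id
    if rec.log == "Security":
        if eid in LOGON_FAILURES:
            if is_admin:
                return "immediate", "administrator logon failure"
            if off_hours:
                return "immediate", "logon failure outside business hours"
            return "daily", "logon failure"
        if eid in PASSWORD_CHANGES:  # more specific than the 624-630 rule
            if is_admin:
                return "notify", "administrator password change"
            if off_hours:
                return "notify", "password change outside business hours"
            return "daily", "password change"
        if eid in ACCOUNT_CHANGES:
            return "immediate", "user account (profile) change"
        if eid in GROUP_CHANGES:
            return "immediate", "user or group change"
        if eid == AUDIT_POLICY_CHANGED:
            return "immediate", "audit policy change"
        if eid in HANDLE_EVENTS:
            if rec.obj in CRITICAL_FILES:
                return "daily", "handle event on critical file"
            return "ignore", "handle event on non-critical object"
    if rec.event_type == "Error":
        return "daily", "error event"
    if rec.log == "Application" and rec.event_type == "Warning":
        return "daily", "application warning (TBD by the application analyst)"
    return "ignore", "not watched"


def triage(lines):
    """Group records by level: {level: [(EventID, user, reason), ...]}."""
    out = {"immediate": [], "notify": [], "daily": [], "ignore": []}
    for rec in map(parse_record, lines):
        level, reason = classify(rec)
        out[level].append((rec.event_id, rec.user, reason))
    return out


def inventory(lines):
    """Count (log, Source, EventID) triples: an EventID is unique only per Source."""
    return Counter((r.log, r.source, r.event_id) for r in map(parse_record, lines))


# Constructed sample export; "OtherApp" is an invented Source that reuses EventID 1000
SAMPLE_LOG = r"""
2003-02-14 02:13:05|Security|Security|529|Failure Audit|jsmith|
2003-02-14 10:05:41|Security|Security|529|Failure Audit|Administrator|
2003-02-14 10:07:12|Security|Security|529|Failure Audit|jsmith|
2003-02-14 10:30:00|Security|Security|628|Success Audit|Administrator|
2003-02-14 11:00:00|Security|Security|624|Success Audit|tempuser|
2003-02-14 11:02:00|Security|Security|612|Success Audit|Administrator|
2003-02-14 11:05:00|Security|Security|562|Success Audit|jsmith|C:\Payroll\salaries.xls
2003-02-14 11:06:00|Security|Security|562|Success Audit|jsmith|C:\Temp\notes.txt
2003-02-14 11:10:00|System|Service Control Manager|7000|Error||
2003-02-14 11:12:00|Application|MsiInstaller|1001|Warning||
2003-02-14 11:15:00|Application|Userenv|1000|Error||
2003-02-14 11:16:00|Application|OtherApp|1000|Error||
""".strip().splitlines()

if __name__ == "__main__":
    for level, items in triage(SAMPLE_LOG).items():
        print(level, items)
    for key, count in sorted(inventory(SAMPLE_LOG).items()):
        print(key, count)
```

On the constructed sample, four records land in "immediate" (an administrator logon failure, a 02:13 logon failure, a new account, an audit policy change), the administrator password set in "notify", and the handle-closed event on the non-critical file is dropped. The inventory shows EventID 1000 under two different Sources, which is why a watch keyed on the number alone is not enough.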


Application EventID List

Typically, our customers use Sentry II to monitor their Application Event Logs for errors and warnings. Match on the Source as well as the EventID: an EventID number is unique only within its Source, and unrelated applications reuse the same numbers.

Sample Application Events

EventID   Source          Description
1000      Userenv         Error: .NET Runtime failed to load; address space not supported
1001      MsiInstaller    Warning: application error or hang; fault bucket (number or counter)
11706     MsiInstaller    Error: application error (error code and message)

Return to Table of Contents


Security EventID List

Some representative security events are listed in the table below. Security event monitoring needs vary widely between organizations, so use this list as a general guide. Events 516 (audit queue exhausted, audits lost), 517 (security log cleared) and 612 (audit policy changed) concern the audit trail itself and deserve immediate alerts: an intruder covering tracks produces exactly these. Several of the Success Audit events below (object access and privilege use in particular) have Failure Audit counterparts with the same EventID, written when the attempt is denied and failure auditing is enabled for the category.

Sample Security Events

EventID   Type            Description
512       Success Audit   Windows is starting up
513       Success Audit   Windows is shutting down
514       Success Audit   Authentication package loaded by the LSA (Local Security Authority)
515       Success Audit   A trusted logon process has registered with the LSA
516       Success Audit   Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
517       Success Audit   Security log cleared
518       Success Audit   SAM has loaded a notification package
528       Success Audit   Successful logon
529       Failure Audit   Logon failure: unknown user name or bad password
530       Failure Audit   Logon failure: account logon time restriction violation
531       Failure Audit   Logon failure: account currently disabled
532       Failure Audit   Logon failure: the specified user account has expired
533       Failure Audit   Logon failure: user not allowed to log on at this computer
534       Failure Audit   Logon failure: the user has not been granted the requested logon type at this machine
535       Failure Audit   Logon failure: the specified account's password has expired
536       Failure Audit   Logon failure: the NetLogon component is not active
537       Failure Audit   Logon failure: an unexpected error occurred during logon
538       Success Audit   User logoff
539       Failure Audit   Logon failure: account locked out
540       Success Audit   Successful network logon
560       Success Audit   Object opened (object access audit)
561       Success Audit   Handle allocated
562       Success Audit   Handle closed
563       Success Audit   Object opened for delete
564       Success Audit   Object deleted
576       Success Audit   Special privileges assigned to new logon
577       Success Audit   Privileged service called
578       Success Audit   Privileged object operation
592       Success Audit   A new process has been created
593       Success Audit   A process has exited
594       Success Audit   A handle to an object has been duplicated
595       Success Audit   Indirect access to an object has been obtained
608       Success Audit   User right assigned. The event message lists the assigned rights
609       Success Audit   User right removed. The event message lists the removed rights
610       Success Audit   New domain trust created
611       Success Audit   Trust relationship removed
612       Success Audit   The audit policy has been changed. The event message describes the new policy
624       Success Audit   New user account created. The event message lists the new account name and SID
625       Success Audit   User account type changed. The event message lists the affected user account
626       Success Audit   User account enabled (from disabled state). The event message lists the affected user account
627       Success Audit   Attempt to change password. The event message lists the affected user
628       Success Audit   User account password set. The event message lists the affected user
629       Success Audit   Account disabled. The event message lists the affected user
630       Success Audit   Account deleted. The event message lists the affected user
631       Success Audit   Global group created. The event message lists the group
632       Success Audit   New member added to global group. The event message lists the affected group and the name of the added account
633       Success Audit   Member removed from global group. The event message lists the affected group and the name of the removed account
634       Success Audit   Global group deleted. The event message lists the affected group
635       Success Audit   Local group created. The event message lists the affected group
636       Success Audit   New member added to local group. The event message lists the affected group and the name of the added account
637       Success Audit   Member removed from local group. The event message lists the affected group and the name of the removed account
638       Success Audit   Local group deleted. The event message lists the affected group
639       Success Audit   Local group changed. The event message lists the affected group
640       Success Audit   General account database change. The event message lists the change that was made
641       Success Audit   Global group changed. The event message lists the affected group
642       Success Audit   User account changed. The event message lists the affected account
643       Success Audit   Domain policy changed. The event message lists the affected domain
644       Success Audit   User account locked out. Logged when an account is locked out after repeated logon failures
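The script below is an added example, not code from the Engagent page or from Sentry II. It correlates the logon-failure events in the table above: a run of 529 (unknown user name or bad password) against one account, followed by 644 (user account locked out) and then 539 (logon failure: account locked out), is the trail a password-guessing attempt leaves, while a single 529 followed by a 528 is an ordinary typo. The event records, the ten-minute window, the failure threshold and the workstation names are constructed assumptions for this example.

```python
"""Added example (not from the Engagent page or Sentry II): correlate
529 logon failures with the 644/539 lockout events that follow them.
Records, window and threshold are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: failures older than this are forgotten
THRESHOLD = 5                   # assumed: failures within WINDOW that trigger a finding

# Constructed events: (time, EventID, target account, workstation name)
EVENTS = [
    ("2003-02-14 09:00:01", 529, "jsmith", "WS17"),
    ("2003-02-14 09:00:03", 529, "jsmith", "WS17"),
    ("2003-02-14 09:00:05", 529, "jsmith", "WS17"),
    ("2003-02-14 09:00:07", 529, "jsmith", "WS17"),
    ("2003-02-14 09:00:09", 529, "jsmith", "WS17"),
    ("2003-02-14 09:00:10", 644, "jsmith", "WS17"),  # lockout after the burst
    ("2003-02-14 09:00:30", 539, "jsmith", "WS17"),  # logon attempt while locked out
    ("2003-02-14 09:05:00", 529, "bjones", "WS02"),  # one typo, then success
    ("2003-02-14 09:05:08", 528, "bjones", "WS02"),
    ("2003-02-14 09:45:00", 539, "jsmith", "WS17"),  # retry after the window expired
]


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Walk the events in time order and return a list of findings.

    Per account, keep the 529 failures seen inside `window`. Emit a
    "burst" finding when their count reaches `threshold`, and for every
    644 or 539 report how many 529s preceded it and from which workstations.
    """
    recent = defaultdict(deque)  # account -> deque of (time, workstation) for 529s
    findings = []
    for stamp, eid, account, ws in sorted(events, key=lambda e: e[0]):
        now = _ts(stamp)
        q = recent[account]
        while q and now - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if eid == 529:
            q.append((now, ws))
            if len(q) == threshold:
                findings.append({"kind": "burst", "account": account, "at": stamp,
                                 "failures": len(q),
                                 "workstations": sorted({w for _, w in q})})
        elif eid in (644, 539):
            findings.append({"kind": "lockout" if eid == 644 else "locked-out logon",
                             "account": account, "at": stamp,
                             "preceding_failures": len(q),
                             "workstations": sorted({w for _, w in q})})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

On the constructed data this yields a burst finding for jsmith at the fifth 529, a lockout and a locked-out logon each preceded by five failures from WS17, and a later 539 with no failures in the window (which by itself only tells you the account is still locked). bjones never produces a finding. Keying the deque on the target account rather than the workstation is what makes a lockout attributable; grouping by workstation instead would surface one machine failing against many accounts.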

  Return to Table of Contents


System EventID List

Typically, our customers use Sentry II to monitor their System Event Logs for errors only.

Sample System Events

EventID   Source                     Description
115       SMTPSVC                    Error: the service could not bind instance (instance number)
2506      Server                     Error: invalid value in server's registry key; ignored; processing continued
7000      Service Control Manager    Error: service or device failed to start

Return to Table of Contents


Microsoft Online Event Log Documentation

http://www.microsoft.com/technet/support/ee/ee_advanced.aspx

Return to Table of Contents

Engagent ®
17455 68th Ave. N.E.
Suite 103
Kenmore, WA 98028-3528
Toll-free: (877) 820-7980
Fax: (425) 485-8804


© 2002-3 Engagent