LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide
- Judith Dalton
- 10 years ago
LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide
Document Release: September 2011
Part Number: LL ELS
This manual supports LogLogic Microsoft Windows Server 2000/2003 Release 2.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.
2011 LogLogic, Inc.

Proprietary Information
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks
LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc. 110 Rose Orchard Way, Ste 200 San Jose, CA Tel: Fax: U.S. Toll Free:
Contents

Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions
Chapter 1 Configuring LogLogic's Microsoft Windows Server 2000/2003 Log Collection
  Introduction to Microsoft Windows Server 2000/2003
  Prerequisites
  Configuring Microsoft Windows Server 2000/2003 for Operational Events
  Installing and Configuring Lasso Collector
  Enabling the LogLogic Appliance to Capture Log Data
  Automatically Identifying a Microsoft Windows Server 2000/2003 Device
  Adding Microsoft Windows Server 2000/2003 Device
  Verifying the Configuration
Chapter 2 How LogLogic Supports Microsoft Windows Server 2000/2003
  How LogLogic Captures Microsoft Windows Server 2000/2003 Data
  LogLogic Real-Time Reports
Chapter 3 Troubleshooting and FAQ
  Troubleshooting
  Frequently Asked Questions
Appendix A Reference
  LogLogic Support for Microsoft Windows Server 2000/2003 Events
Appendix B Logon Types and Descriptions
Preface

About This Guide
The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Windows enables LogLogic Appliances to capture logs from machines running Microsoft Windows Server 2000/2003. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft Windows Server 2000/2003's operations. For more information on creating reports and alerts, see the LogLogic Guide and LogLogic Online Help.

Technical Support
LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0)
[email protected]
You can also visit the LogLogic Support website at:

When contacting Customer Support, be prepared to provide:
- Your name, address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support
Your feedback on LogLogic documentation is important to us. Send to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions
LogLogic documentation uses the following conventions to highlight code and command-line elements:
- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
  username: system
  home directory: home\app
- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
  LogLogic_home_directory\upgrade\
- Straight brackets signal options in command-line syntax. For example:
  ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]
Chapter 1 Configuring LogLogic's Microsoft Windows Server 2000/2003 Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft Windows Server 2000/2003 logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft Windows Server 2000/2003 log data.
- Introduction to Microsoft Windows Server 2000/2003
- Prerequisites
- Configuring Microsoft Windows Server 2000/2003 for Operational Events
- Enabling the LogLogic Appliance to Capture Log Data
- Verifying the Configuration

Introduction to Microsoft Windows Server 2000/2003
Microsoft Windows Server 2000/2003 operational events appear within the Windows Event Viewer and are located within the host machine's Windows Event Log. The events are captured by LogLogic's Lasso Collector. The Lasso Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP.
The configuration procedures for Microsoft Windows Server 2000/2003 and the LogLogic Appliance depend upon your environment and how the Lasso Collector is configured. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data on page 12 and the LogLogic Lasso Collector Guide.

Prerequisites
Prior to configuring Microsoft Windows Server 2000/2003 and the LogLogic Appliance, ensure that you meet the following prerequisites:
- Microsoft Windows Server 2000/2003 Server installed
- Administrative access on the Windows server (Microsoft Windows Server 2000/2003 Server)
  Note: For Windows support you will need to run LogLogic Appliance Release 5.1 or later.
- Lasso Collector Release 2.0 or later installed on the Windows server. For more information, see LogLogic Lasso Collector Guide.
- LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft Windows Server 2000/2003 support
- Administrative access on LogLogic Appliance
Configuring Microsoft Windows Server 2000/2003 for Operational Events
Microsoft Windows operational events are posted in the Windows Event Viewer. The events are located in the Windows logs. These events can be captured by the LogLogic Appliance using Lasso Collector. For more information about the Windows Event Viewer, see the Microsoft Windows Server 2000/2003 Product

Installing and Configuring Lasso Collector
Microsoft Windows Server 2000/2003 logs are collected and transported using Lasso. Lasso is used to collect and transfer Windows logs to the LogLogic Appliance. By default, the Lasso program directory is located at:
C:\Program Files\Lasso
Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:
C:\Program Files\Lasso\LassoRepository\Spool
You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and configuration procedures for Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Lasso Collector Guide.
Enabling the LogLogic Appliance to Capture Log Data
The following sections describe how to enable the LogLogic Appliance to capture Microsoft Windows Server 2000/2003 log data.

Automatically Identifying a Microsoft Windows Server 2000/2003 Device
With the auto-identification feature, the LogLogic Appliance recognizes Microsoft Windows Server 2000/2003 log messages by default. As the log messages come into the Appliance, they are automatically identified and a new Microsoft Windows Server 2000/2003 device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > Settings. The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.

Once the automatically identified device is added, you can edit its properties.
IMPORTANT! Do not change the auto-identified Device Type and Host IP information.

To edit an existing Microsoft Windows Server 2000/2003 device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select > Devices. The Devices tab appears.
3. Click on an existing Microsoft Windows Server 2000/2003 device in the list and click Modify Device. The Modify Device tab appears.
4. Edit the device fields as needed, then click Update Device.

Adding Microsoft Windows Server 2000/2003 Device
If you do not want to use the auto-identification feature, you can manually add a Microsoft Windows Server 2000/2003 device to the LogLogic Appliance before you redirect the logs.
IMPORTANT! LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance.
To add Microsoft Windows Server 2000/2003 as a new device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   - Name: Name for the Microsoft Windows Server 2000/2003 device
   - Description (optional): Description of the Microsoft Windows Server 2000/2003 device
   - Device Type: Select Microsoft Windows Server 2000/2003 from the drop-down menu
   - Host IP: IP address of the Microsoft Windows Server 2000/2003 appliance
   - Enable Data Collection: Select the Yes radio button
   - Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.
   Figure 1 Adding a Device to the LogLogic Appliance
5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Microsoft Windows Server 2000/2003 machine, the LogLogic Appliance uses the device you just added if the hostname or IP match.
Verifying the Configuration
This section describes how to verify that the configuration changes made to Microsoft Windows Server 2000/2003 and the LogLogic Appliance are applied correctly.

To verify the configuration:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Microsoft Windows Server 2000/2003 device. If the device name (Microsoft Windows Server 2000/2003) appears in the list of devices (Figure 2), then the configuration is correct.
Figure 2 Log Source Status Tab

If the device does not appear in the Log Source Status tab, check the Microsoft Windows Server 2000/2003 logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft Windows Server 2000/2003 configuration, the Lasso configuration, and the LogLogic Appliance configuration.
You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft Windows Server 2000/2003 by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 13.
If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 15 for more information.
Chapter 2 How LogLogic Supports Microsoft Windows Server 2000/2003

This chapter describes LogLogic's support for Microsoft Windows Server 2000/2003. LogLogic enables you to capture Microsoft Windows Server 2000/2003 log data to monitor Microsoft Windows Server 2000/2003 events. LogLogic supports Microsoft Windows Server 2000/2003 logs.
- How LogLogic Captures Microsoft Windows Server 2000/2003 Data
- LogLogic Real-Time Reports

How LogLogic Captures Microsoft Windows Server 2000/2003 Data
LogLogic's Lasso Collector is used to collect logs stored in the Windows Event Log. The Windows Collector is an open source application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance.
If the Windows Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed. If the Windows Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed. The Windows Collector can also run in both modes at the same time. In hybrid mode, the Collector captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access.
Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance's Syslog Listener via UDP or TCP.
Figure 3 Microsoft Windows Server 2000/2003 with Lasso Collector (in Agent Mode) and the LogLogic Appliance
Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft Windows Server 2000/2003. For more information on creating reports and alerts, see the LogLogic Guide and LogLogic Online Help.
LogLogic Real-Time Reports
LogLogic provides pre-configured Real-Time Reports for Microsoft Windows Server 2000/2003 log data. The following Real-Time Reports are available:
- All Unparsed Events: Displays data for all events retrieved from the Microsoft Windows Server 2000/2003 log for a specified time interval
- Permission Modification: Displays events related to permission modifications performed on user and server objects
- Access: Displays data access and changes done to data during a specified time interval
- Authentication: Displays identity and access related events during a specified time interval
- Created/Deleted: Displays user creation and deletion events
- Last: Displays user-specific details and is used to track user activity during a specified time interval
- Windows Events: Displays Windows event information served during a specified time interval

To access LMI 4 Real-Time Reports:
1. In the left navigation pane, click Real-Time.
2. Click Access Control. The following Real-Time Reports are available:
   - Permission Modification
   - Access
   - Authentication
   - Created/Deleted
   - Last
   - Windows Events
3. Click Logs. The following Real-Time Reports are available:
   - All Unparsed Events

To access LMI 5 Real-Time Reports:
1. In the top navigation pane, click.
2. Click Access Control. The following Real-Time Reports are available:
   - Permission Modification
   - Access
   - Authentication
   - Created/Deleted
   - Last
   - Windows Events
3. Click Operational. The following Real-Time Reports are available:
   - All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic Guide and LogLogic Online Help.
Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft Windows Server 2000/2003. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.
- Troubleshooting
- Frequently Asked Questions

Troubleshooting

Is your version of Microsoft Windows Server 2000/2003 supported?
For more information, see Prerequisites on page 7.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

Are you running Lasso Collector 2.0 or later?
If you are running a release prior to 2.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the LSP that is installed includes support for Microsoft Windows Server 2000/2003. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft Windows Server 2000/2003 events are not appearing on the LogLogic Appliance...
You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab.
Make sure that you have properly installed and configured Lasso, and that no errors are present in Lasso's error log (LassoTrace.log). For more information, see the LogLogic Lasso Collector Guide.
Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft Windows Server 2000/2003 Device on page 9 and Adding Microsoft Windows Server 2000/2003 Device on page 9.

If events are not displaying on the LogLogic Appliance even after configuring Microsoft Windows Server 2000/2003 and Lasso correctly...
Microsoft Windows Server 2000/2003 sends the logs, via UDP or TCP, in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft Windows Server 2000/2003 machine. For more information on supported protocols and ports, see the LogLogic Administration Guide.
Frequently Asked Questions

How does the LogLogic appliance collect logs from Microsoft Windows Server 2000/2003?
For log collection, Lasso Collector is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data on page 12.

What access permissions are required?
To configure logging on Microsoft Windows Server 2000/2003, the Windows user must have administrative permissions.

How do I configure logging on Microsoft Windows Server 2000/2003?
Follow the procedures in Configuring Microsoft Windows Server 2000/2003 for Operational Events on page 8. Also make sure that you have properly installed and configured Lasso. For more information, see Installing and Configuring Lasso Collector on page 8 and the LogLogic Lasso Collector Guide.
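The FAQ above says Lasso converts events to text and forwards them over Syslog, and Appendix A lists the description text for events 517, 520 and 529 to 533. As an added example (not LogLogic or Lasso code), the following Python classifies such messages by their description text and counts failed logons per source address. The sample lines are constructed; their header layout, host names, addresses and the full English field labels (User Name, Logon Type and so on) are assumptions.

```python
import re
from collections import Counter

# Failure reason text -> event ID, as listed in Appendix A of the guide.
FAILURE_REASONS = {
    "Unknown user name or bad password": 529,
    "logon time restriction violation": 530,
    "currently disabled": 531,
    "The specified user account has expired": 532,
    "not allowed to logon at this computer": 533,
}
# Other Appendix A descriptions that usually deserve an alert.
ALERT_TEXTS = {
    "The audit log was cleared": 517,
    "The system time was changed": 520,
}
# Field labels inside the flattened description (assumed English spellings).
LABELS = [
    "Reason", "User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
    "Authentication Package", "Workstation Name", "Logon GUID",
    "Caller User Name", "Caller Domain", "Caller Logon ID", "Caller Process ID",
    "Transited Services", "Source Network Address", "Source Port",
    "Primary User Name", "Primary Domain", "Primary Logon ID",
    "Client User Name", "Client Domain", "Client Logon ID",
]
LABEL_RE = re.compile(
    r"\b(%s):" % "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True))
)


def parse_fields(text):
    """Split 'Label: value Label: value ...' using the known labels as delimiters."""
    hits = list(LABEL_RE.finditer(text))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields.setdefault(hit.group(1), text[hit.end():end].strip(' "\t'))
    return fields


def classify(line):
    """Describe one forwarded event, or return None if it is not an MSWinLog line."""
    m = re.match(r"<(\d{1,3})>", line)
    if m is None or "MSWinLog" not in line:
        return None
    pri = int(m.group(1))  # syslog PRI = facility * 8 + severity
    text = line.split("MSWinLog", 1)[1]
    event = {"facility": pri >> 3, "severity": pri & 7,
             "kind": "other", "event_id": None, "fields": parse_fields(text)}
    if "Logon Failure:" in text:
        event["kind"] = "logon_failure"
        reason = event["fields"].get("Reason", "")
        for fragment, event_id in FAILURE_REASONS.items():
            if fragment in reason:
                event["event_id"] = event_id
        return event
    for fragment, event_id in ALERT_TEXTS.items():
        if fragment in text:
            event["kind"], event["event_id"] = "alert", event_id
    return event


def summarize(lines, threshold=3):
    """Return ({source: failed logons >= threshold}, [(event_id, client user)])."""
    failures, alerts = Counter(), []
    for line in lines:
        event = classify(line)
        if event is None:
            continue
        fields = event["fields"]
        if event["kind"] == "logon_failure":
            failures[fields.get("Source Network Address", "-")] += 1
        elif event["kind"] == "alert":
            alerts.append((event["event_id"], fields.get("Client User Name", "-")))
    noisy = {src: n for src, n in failures.items() if n >= threshold}
    return noisy, alerts


def failure_line(reason, user, source):
    """Build a constructed logon-failure message (header layout is an assumption)."""
    return ('<13>Jul  5 16:23:10 192.0.2.5 MSWinLog 0 security 2566 SYSTEM WIN2003A '
            'Logon/Logoff "Logon Failure: Reason: %s User Name: %s Domain: EXAMPLE '
            'Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate '
            'Workstation Name: WIN2003A Caller User Name: WIN2003A$ '
            'Caller Domain: EXAMPLE Caller Logon ID: (0x0,0x3E7) '
            'Caller Process ID: 724 Transited Services: - '
            'Source Network Address: %s Source Port: 1443 "' % (reason, user, source))


# Constructed sample input, not captured from a real system.
SAMPLE_LINES = [
    failure_line("Unknown user name or bad password", "test", "192.0.2.10"),
    failure_line("Unknown user name or bad password", "test", "192.0.2.10"),
    failure_line("Unknown user name or bad password", "admin", "192.0.2.10"),
    failure_line("Account currently disabled", "test", "192.0.2.77"),
    '<13>Jul 25 12:17:02 192.0.2.5 MSWinLog 0 security 310 SYSTEM WIN2003A '
    'System Event The audit log was cleared Primary User Name: SYSTEM '
    'Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) '
    'Client User Name: jdoe Client Domain: EXAMPLE Client Logon ID: (0x0,0x44A885)',
    '<13>Jul  5 11:04:00 192.0.2.5 MSWinLog 0 security 130 jdoe WIN2003A '
    'Logon/Logoff "Successful Logon: User Name: jdoe Domain: EXAMPLE Logon Type: 10 "',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Matching on the description text rather than a header position keeps the check independent of how the collector lays out the fields before the message body.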
Appendix A Reference

This appendix lists the LogLogic-supported Microsoft Windows Server 2000/2003 events. The Microsoft Windows Server 2000/2003 event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Microsoft Windows Server 2000/2003 Events
The following list describes the contents of each of the columns in the tables below.
- Item # Item numbers with the suffix F show sample logs in.
- Microsoft Windows Server 2000/2003 event identifier.
- Defines if the Microsoft Windows Server 2000/2003 event is available through the LogLogic Report Engine or through the search capabilities. If the event is available through the Report Engine, then you can use LogLogic's Real-Time and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- (OS) where the event can be triggered. In some instances, duplicate s exist for different OSs.
- Title/Comments Description of the event
- of events such as, Application, etc.
- of event such as audit, audit, etc.
- LogLogic-provided reports that the event appears in
- Sample Microsoft Windows Server 2000/2003 Server 2000/2003 log messages in text format
18 Table 1 Microsoft Windows Server 2000/2003 s # Windows is starting up. formation/ Last <13>Aug 8 09:26: MSWinLog Fri Aug 04 12:59: SYSTEM LOGLOGIC-SRV1 Windows is starting up. 25 1F 512 Windows is starting up. formation/ Last <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 7 Thu May 21 10:31: SYSTEM KKKKK-KNBMQ2EU3 Événements système Windows démarre Win2000 Windows NT is starting up. formation/ Last <13>Aug 8 09:26: MSWinLog Fri Aug 04 12:59: SYSTEM LOGLOGIC-SRV1 Windows NT is starting up Windows is shutting down. All logon sessions will be terminated by this shutdown. formation/ Last <13>Aug 8 09:26: MSWinLog Fri Aug 04 12:59: SYSTEM LOGLOGIC-SRV1 Windows is shutting down.all logon sessions will be terminated by this shutdown. 25 3F 513 Windows is shutting down. All logon sessions will be terminated by this shutdown. formation/ Last <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 6 Thu May 21 10:29: SECURITY Unknown N/A KKKKK-KNBMQ2EU3 Événements système Windows s'arrête. Toutes les sessions vont être fermées par cet arrêt Win2000 Windows NT is shutting down. All logon sessions will be terminated by this shutdown. formation/ Last <13>Aug 8 09:26: MSWinLog Fri Aug 04 12:59: SYSTEM LOGLOGIC-SRV1 Windows NT is shutting down.all logon sessions will be terminated by this shutdown ternal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: %1 formation/ Last 18 Microsoft Windows Server 2000/2003 Log Configuration Guide
19 # 5F Les ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. audit Last / Windows s <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59: Administrator LOGLABS-2003FRA Suivi détailléles ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Certains audits ont été perdus. Nombre de messages d'audit rejetés :% Win2000, The audit log was cleared Primary Name: %1 Primary Primary Logon : %3 Client Name: %4 Client Domain: %5 Client Logon : %6 formation/ Last <13>Jul 25 12:17: MSWinLog Fri Jul 21 14:32: SYSTEM BLR-WSMTEST-DC1 The audit log was cleared Primary Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon : (0x0,0x3E7) Client Name: dmsopann Client Domain: WIPRO Client Logon : (0x0,0x44A885) 1 6F 517 The audit log was cleared Primary Name: %1 Primary Primary Logon : %3 Client Name: %4 Client Domain: %5 Client Logon : %6 formation/ Last <13>Jul 7 05:25: MSWinLog Tue Jul 07 05:15: SYSTEM Well Known Group B0324-FR2003 Événements système Le journal d'audit a été effacé Utilisateur principal : SYSTEM Domaine principal : AUTORITE NT Id. de session principale : (0x0,0x3E7) Utilisateur client : Administrateur Domaine client : DOMAIN Id. de session client : (0x0,0x489A86) 1<13>Jul 6 05:37:34 MSWinLog Mon Jul 06 05:37: Administrateur B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/ Microsoft Windows Server 2000/2003 Log Configuration Guide 19
20 # The system time was changed. Process : %1 Process Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 Client Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 formation/ Last <13>Jun 12 14:54: MSWinLog Sun Jun 12 14:52: loglogic2 IAM3 The system time was changed. Process : 2128 Process Name: C:\WINDOWS\system32\rundll32.exe Primary Name: loglogic2 Primary Domain: SECTIS Primary Logon : (0x0,0xF15F58) Client Name: loglogic2 Client Domain: SECTIS Client Logon : (0x0,0xF15F58) Previous Time: 2:51:48 PM 6/12/2005 New Time: 2:52:47 PM 6/12/ F 520 The system time was changed. Process : %1 Process Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 Client Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 formation/ Last <13>Jul 6 05:37:34 MSWinLog Mon Jul 06 05:37: Administrateur B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. 
de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/ Win2000 ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Last ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last <13>Jul 5 11:04: MSWinLog 0 security 130 Wed Jul 05 10:54: qatest W2K3-LASSO Logon/ Logoff "ful Logon: Name: qatest Domain: SQA Logon : (0x0,0xD72AEE) Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Logon GU: {4fa5f915-b6cf-cc49-b484-b7b61551b7d0 } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 396 Transited Services: - Source Network Address: Source Port: 1133 " Microsoft Windows Server 2000/2003 Log Configuration Guide
21 # 9F 528 ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last <13>May 21 10:24:28 kkkkk-knbmq2eu3 MSWinLog 1 40 Thu May 21 10:24: SERVICE LOCAL Well Known Group KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : SERVICE LOCAL Domaine : AUTORITE NT Id. de la session : (0x0,0x3E5) de session : 5 Processus de session : Advapi Package d'authentification : Negotiate Station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de session de l'appelant : (0x0,0x3E7) de processus appelant : 868 Services en transit : - Adresse réseau source : - Port source : Win2000 Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:23: MSWinLog 0 security 2566 Wed Jul 05 16:23: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: Unknown user name or bad password Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 724 Transited Services: - Source Network Address: Source Port: 1443 " Microsoft Windows Server 2000/2003 Log Configuration Guide 21
22 # 11F 529 Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 6 08:44:18 MSWinLog Mon Jul 06 08:44: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Nom d'utilisateur inconnu ou mot de passe incorrect Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:42: MSWinLog 0 security 2904 Wed Jul 05 16:42: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: logon time restriction violation Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3444 Transited Services: - Source Network Address: Source Port: 1464 " F 530 Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 6 09:16:06 MSWinLog Mon Jul 06 09:16: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture 
de session : Raison : Violation de la limite de temps d'accès au compte Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Microsoft Windows Server 2000/2003 Log Configuration Guide
23 # Win2000 Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:45: MSWinLog 0 security 2940 Wed Jul 05 16:45: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: currently disabled Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3000 Transited Services: - Source Network Address: Source Port: 1468 " F 531 Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 6 08:50:26 MSWinLog Mon Jul 06 08:50: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte actuellement désactivé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Win2000 Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last has not been fully validated byloglogic. Microsoft Windows Server 2000/2003 Log Configuration Guide 23
Win2000 Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
has not been fully validated by LogLogic.
16F 532 Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
<13>Jul 18 04:17:27 MSWinLog Sat Jul 18 04:17: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le compte d'utilisateur mentionné est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :
Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:47: MSWinLog 0 security 2954 Wed Jul 05 16:47: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The specified user account has expired Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2960 Transited Services: - Source Network Address: Source Port: 1470 "
Win2000 Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:48: MSWinLog 0 security 2976 Wed Jul 05 16:48: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: not allowed to logon at this computer Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2996 Transited Services: - Source Network Address: Source Port: 1472 "
F 533 Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 22 05:08:53 MSWinLog Wed Jul 22 05:08: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Utilisateur non autorisé à se connecter sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : 32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : Port source :
Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:28: MSWinLog 0 security 2741 Wed Jul 05 16:28: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The user has not been granted the requested logon type at this machine Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2480 Transited Services: - Source Network Address: Source Port: 1447 "
20F 534 Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 22 04:39:40 MSWinLog Wed Jul 22 04:39: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Il n'a pas été accordé à l'utilisateur le type de session demandé sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : 32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : Port source :
Win2000 Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Sep 7 14:19: MSWinLog 0 security Thu Sep 07 14:19: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The specified account's password has expired Name: expire Domain: SQA Logon : 2 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 1344 Transited Services: - Source Network Address: Source Port: 0 "
22F 535 Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 6 08:52:46 MSWinLog Mon Jul 06 08:52: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le mot de passe spécifié pour ce compte est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :
Win2000 Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
24F 536 Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 16 10:37:58 MSWinLog Thu Jul 16 10:37: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le composant NetLogon n'est pas actif Nom de l'utilisateur : Meng Kangjian Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :
Win2000 Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
Logon : Reason: An error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
26F 537 Logon : Reason: An error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
<13>Jul 17 08:07:50 MSWinLog Fri Jul 17 08:07: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Erreur lors de l'ouverture de session Nom de l'utilisateur : Domaine : d'ouverture de session : 3 Processus d'ouv. de session : Kerberos Package d'authentification : Kerberos Nom de station de travail : - Code du statut : 0xC Code du sous-statut : 0x0 Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source :
Win2000 Logon : Reason: An unexpected error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
Win2000 Description: Logoff: Name: %1 Logon : %3 Logon : %4 Logon/Logoff Last
<13>Jul 5 11:04: MSWinLog 0 security 1 Wed Jul 05 10:19: qatest W2K3-LASSO Logon/ Logoff " Logoff: Name: qatest Domain: SQA Logon : (0x0,0x2ABA3D) Logon : 5 "
F 538 Win2000 Description: Logoff: Name: %1 Logon : %3 Logon : %4 Logon/Logoff Last
<13>May 21 11:01:37 kkkkk-knbmq2eu3 MSWinLog Thu May 21 11:01: Administrateur KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Fermeture de la session utilisateur : Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0x74297) de session : 7 19
Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:34: MSWinLog 0 security 2803 Wed Jul 05 16:34: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: locked out Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2304 Transited Services: - Source Network Address: Source Port: 1455 "
F 539 Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 17 03:30:03 MSWinLog Fri Jul 17 03:30: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte verrouillé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :
Win2000 Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
<13>Jul 5 11:04: MSWinLog 0 security 3 Wed Jul 05 10:19: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "ful Network Logon: Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Logon : 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GU: {e6b578ec-aae0-9e50-b248-c2004fb821e 8} Caller Name: - Caller Domain: - Caller Logon : - Caller Process : - Transited Services: - Source Network Address: Source Port: 0 "
F 540 ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 15 Thu May 21 10:31: ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : Domaine : Id. de la session : (0x0,0xA565) de session : 3 Processus de session : NtLmSsp Package d'authentification : NTLM Nom de la station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source :
Win2000 ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Last
Logon : Reason: Domain sid inconsistent Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Transited Services: %7 Last / Authentication
33F Échec de l'ouverture de session audit Access / Authentication/ Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59: Administrator LOGLABS-2003FRA Suivi détaillééchec de l'ouverture de session : Raison : S du domaine incohérent Nom d'utilisateur : %1 Domaine : %2 d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de station de travail : %6 Services en transit : %
Win2000 Logon : Reason: Domain sid inconsistent Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Access / Last / Authentication
Logon : Reason: All sids were filtered out Name: %1 Logon : %3 Logon Process: %4 Authentication Package : %5 Workstation Name: %6 Access / Last / Authentication
35F 549 Échec de l'ouverture de session audit Access / Authentication/ Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59: Administrator LOGLABS-2003FRA Suivi détaillééchec de l'ouverture de session : Raison : Tous les S étaient épuisés Utilisateur : %1 Domaine : %2 d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de la station de travail : %
Notification message that could indicate a possible denial-of-service attack. Logon / Logoff Access / Last
initiated logoff: Name: %1 Logon : %3 formation / Access
<13>Aug 8 09:26: MSWinLog Fri Aug 04 12:58: Unknown N/A LOGLOGIC-SRV1 Logon/Logoff initiated logoff: Name: Administrator Domain: LOGLOGIC-SRV1 Logon : (0x0,0x14d2b) 23
37F 551 initiated logoff: Name: %1 Logon : %3 formation/ Access
<13>Jul 1 03:18:31 kkkkk-knbmq2eu3.foresta MSWinLog Wed Jul 01 03:18: Administrateur KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Fermeture de session initiée par l'utilisateur : Utilisateur : Administrateur Domaine : FORESTA Id. d'ouv. de session : (0x0,0x260dd)
Logon attempt using explicit credentials: Logged on user: Name: %1 Logon : %3 Logon GU: %4 whose credentials were used: Target Name: %5 Target Domain: %6 Target Logon GU: %7 Target Server Name: %8 Target Server fo: %9 Caller Process : %10 Source Network Address: %11 Source Port: %12 formation/ Last / Authentication
<13>Aug 8 09:26: MSWinLog Fri Aug 04 12:30: SYSTEM LOGLOGIC-SRV1 Logon/Logoff Logon attempt using explicit credentials: Logged on user: Name: LOGLOGIC-SRV1$ Domain: WORKGROUP Logon : (0x0,0x3E7) Logon GU: - whose credentials were used: Target Name: Administrator Target Domain: LOGLOGIC-SRV1 Target Logon GU: - Target Server Name: localhost Target Server fo: localhost Caller Process : 568 Source Network Address: Source Port:
F 552 Tentative d'ouverture de session en utilisant des informations d'identification explicites audit Access / Authentication/ Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59: Administrator LOGLABS-2003FRA Suivi détaillétentative d'ouverture de session en utilisant des informations d'identification explicites : Utilisateur connecté : Nom d'utilisateur : %1 Domaine : %2 d'ouv. de session : %3 GU d'ouv. de session : %4 Utilisateur dont les informations d'identification ont été utilisées : Nom d'utilisateur cible : %5 Domaine cible : %6 GU d'ouv. de session cible : %7 Nom du serveur cible : %8 formations du serveur cible : %9 de processus appelant : %10 Adresse réseau source : %12 Port source : %13
Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary Name: %9 Primary Domain: %10 Primary Logon : %11 Client Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18 Object Access Last
<13>Jul 5 15:58: MSWinLog 0 security 2074 Wed Jul 05 15:58: qatest W2K3-LASSO Object Access "Object Open: Object Server: Object : Key Object Name: \REGISTRY\MACHINE\SYSTEM\Control Set001\Services\log\ Handle : 452 Operation : {0, } Process : 3280 Image File Name: C:\WINDOWS\system32\mmc.exe Primary Name: qatest Primary Domain: SQA Primary Logon : (0x0,0x668A8) Client Name: - Client Domain: - Client Logon : - Accesses: Set key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2 "
F 560 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary Name: %9 Primary Domain: %10 Primary Logon : %11 Client Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18 Object Access Last
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 12 Tue Jun 30 10:42: SYSTEM KKKKK-KNBMQ2EU3 Accès aux objets Objet ouvert Serveur de l'objet : de l'objet : Key Nom de l'objet : \REGISTRY\MACHINE\SYSTEM\Control Set001\Services\log\ Identificateur du handle : 204 Identificateur de l'opération : {0, } Id. du processus : 2404 Nom du fichier image : C:\Program Files\Snare\SnareCore.exe Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id d'ouv. de session principale : (0x0,0x3E7) Utilisateur du client : - Domaine du client : - Id. d'ouv. de session client : - Accès : %%1538 %%4432 %%4433 %%4435 %%4436 Privilèges : - Nombre de S restreint : 0 Masque d'accès : 0x2001B
Win2000 Object Open: Object Server: %1 Object : %2 Object Name: %3 New Handle : %4 Operation : {%5,%6} Process : %7 Primary Name: %8 Primary Domain: %9 Primary Logon : %10 Client Name: %11 Client Domain: %12 Client Logon : %13 Accesses %14 Privileges %15 Object Access Last
The handle to an object was closed. Object Access Special Multi-use Subcategory Access / Last
MSWinLog 0 0 Tue Jul Microsoft-Windows--ing Unknown hayward.loglabs08native.lab File The handle to an object was closed. Subject : : S Name: HAYWARD$ Domain: LOGLABS08NATIVE Logon : 0x3e7 Object: Object Server: Handle : 0x1c0 Process formation: Process : 0x7e8 Process Name: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
Win2000 Object Open for Delete: Object Server: %1 Object : %2 Object Name: %3 New Handle : %4 Operation : {%5,%6} Process : %7 Primary Name: %8 Primary Domain: %9 Primary Logon : %10 Client Name: %11 Client Domain: %12 Client Logon : %13 Accesses %14 Privileges %15 Object Access Last
Object Open for Delete: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Primary Name: %8 Primary Domain: %9 Primary Logon : %10 Client Name: %11 Client Domain: %12 Client Logon : %13 Accesses: %14 Privileges: %15 Access Mask: %16 Object Access Last
43F 563 Objet ouvert pour suppression audit Access / Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59: Administrator LOGLABS-2003FRA Suivi détailléobjet ouvert pour suppression : Serveur d'objet : %1 d'objet : %2 Nom de l'objet : %3 Identificateur du handle : %4 Identificateur de l'opération : {%5,%6} Id. du processus : %7 Utilisateur principal : %8 Domaine principal : %9 Id d'ouv. de session principale : %10 Utilisateur client : %11 Domaine client : %12 Id. d'ouv. de session client : %13 Accès : %14 Privilèges : %15 Masque d'accès : %
Win2000 Object Deleted: Object Server: %1 Handle : %2 Process : %3 Object Access Last
Object Deleted: Object Server: %1 Handle : %2 Process : %3 Image File Name: %4 Object Access Last
45F 564 Object Deleted: Object Server: %1 Handle : %2 Process : %3 Image File Name: %4 Object Access Last
<13>Jul 23 09:21:20 MSWinLog Thu Jul 23 09:21: Administrateur B0324-FR2003 Accès aux objets Objet supprimé : Serveur d'objet : Id. de handle : 1516 Id. de processus : 2544 Nom du fichier d'image : C:\WINDOWS\explorer.exe
Win2000 Object Open: Object Server: %1 Object : %2 Object Name: %3 New Handle : %4 Operation : {%5,%6} Process : %7 Primary Name: %8 Primary Domain: %9 Primary Logon : %10 Client Name: %11 Client Domain: %12 Client Logon : %13 Accesses %14 Privileges %15 Properties:%16%17%18%19 %20%21%22%23%24%25 Directory Service Last
Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary Name: %9 Primary Domain: %10 Primary Logon : %11 Client Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service Last
<13>Jul 5 11:04: MSWinLog 0 security 132 Wed Jul 05 10:54: qatest W2K3-LASSO Directory Service Access "Object Open: Object Server: Manager Object : SAM_DOMAIN Object Name: DC=sqa,DC=loglogic,DC=com Handle : Operation : {0, } Process : 1424 Process Name: C:\WINDOWS\system32\lsass.exe Primary Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client Name: qatest Client Domain: SQA Client Logon : (0x0,0xD72AEE) Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters Create CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership Lists Privileges: - Properties: Access Mask: 0 "
47F 565 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary Name: %9 Primary Domain: %10 Primary Logon : %11 Client Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service Last
<13>Jun 30 10:43:21 kkkkk-knbmq2eu3.foresta MSWinLog 4 34 Tue Jun 30 10:43: Unknown N/A KKKKK-KNBMQ2EU3 Accès Active Directory Manager
Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary Name: %6 Primary Domain: %7 Primary Logon : %8 Client Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional fo: %14 Additional fo2: %15 Access Mask: %16 Directory Service Last
<13>Jul 5 11:09: MSWinLog 0 security 306 Wed Jul 05 11:09: SYSTEM Well Known Group W2K3-LASSO Directory Service Access "Object Operation: Object Server: DS Operation : Object Access Object : %{19195a5b-6da0-11d0-afd3-00c04fd930 c9} Object Name: %{0d f4a-4f11-acdb-5a70b025bc 6b} Handle : - Primary Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client Name: W2K3-LASSO$ Client Domain: SQA Client Logon : (0x0,0x59DBA) Accesses: Control Access Properties: Control Access Additional fo: Additional fo2: Access Mask: 0x100 "
48F 566 Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary Name: %6 Primary Domain: %7 Primary Logon : %8 Client Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional fo: %14 Additional fo2: %15 Access Mask: %16 Directory Service Last
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 16 Tue Jun 30 10:42: SYSTEM KKKKK-KNBMQ2EU3 Accès Active Directory Opération d'objet : Serveur d'objet : DS d'opération : Object Access d'objet : %{f30e3bc2-9ff0-11d1-b f80367c 1} Nom d'objet : %{4e9f93a be3c-781ee698fa 35} de handle : - Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA d'ouv de session principale : (0x0,0x3E7) Nom d'utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA d'ouv de session client : (0x0,0x1813EA) Accès : %%7685 Propriétés : %%7685 %{771727b1-31b8-4cdf-ae62-4fe39fadf89 e} %{bf967a76-0de6-11d0-a285-00aa e2} %{f30e3bc2-9ff0-11d1-b f80367c 1} formations additionnelles : formations additionnelles 2 : Masque d'accès : 0x
Win2000 Object Operation: Operation %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Primary Name: %7 Primary Domain: %8 Primary Logon : %9 Client Name: %10 Client Domain: %11 Client Logon : %12 Requested Accesses %13 Directory Service Last
An attempt was made to access an object Object Access audit Access / Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 12:08: LOCAL SERVICEWell Known Group MACHINENAME Logon/Logoff Object Access Attempt: Object Server: Handle : 9780 Object : File Process : 904 Image File Name: C:\WINDOWS\system32\svchost.exe Accesses: WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipestance) Access Mask: 0x6 2
Special privileges assigned to new logon: Name: %1 Logon : %3 Privileges: %4 Privilege Use Last
<13>Jul 5 11:04: MSWinLog 0 security 2 Wed Jul 05 10:19: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Special privileges assigned to new logon: Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Privileges: SePrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege "
Win2000, Special privileges assigned to new logon: Name: %1 Logon : %3 Assigned: %4 Privilege Use Last
52F 576 Special privileges assigned to new logon: Name: %1 Logon : %3 Assigned: %4 Privilege Use Last
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 5 Tue Jun 30 10:42: SYSTEM KKKKK-KNBMQ2EU3 Utilisation d'un privilège Privilèges spéciaux assignés à la nouvelle session : Utilisateur : KKKKK-KNBMQ2EU3$ Domaine : FORESTA Id. de la session : (0x0,0x18126D) Privilèges : SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege
Win2000, Privileged Service Called. Privilege Use Last
<13>Jul 5 15:58: MSWinLog 0 security 2054 Wed Jul 05 15:58: SYSTEM Well Known Group W2K3-LASSO Privilege Use "Privileged Service Called: Server: NT Local Authority / Authentication Service Service: LsaRegisterLogonProcess() Primary Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client Name: W2K3-LASSO$ Client Domain: SQA Client Logon : (0x0,0x3E7) Privileges: SeTcbPrivilege "
53F 577 Privileged Service Called. Privilege Use Last
<13>Jun 30 10:43:21 kkkkk-knbmq2eu3.foresta MSWinLog 4 37 Tue Jun 30 10:43: SYSTEM KKKKK-KNBMQ2EU3 Utilisation d'un privilège Service privilégié appelé : Serveur : NT Local Authority / Authentication Service Service : LsaRegisterLogonProcess() Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id. de session principale : (0x0,0x3E7) Utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA Id. de la session cliente : (0x0,0x3E7) Privilèges : SeTcbPrivilege
Win2000, Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary Name: %4 Primary Domain: %5 Primary Logon : %6 Client Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10 Privilege Use Last
54F 578 Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary Name: %4 Primary Domain: %5 Primary Logon : %6 Client Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10 Privilege Use Last
<13>Jul 1 10:20: MSWinLog Wed Jul 01 09:51: Administrateur B0324-FR2003 Utilisation d'un privilège Opération sur objet privilégié : Serveur objet : Handle d'objet : 224 Id. de processus : 1084 Utilisateur principal : Administrateur Domaine principal : B0324-FR2003 Id. de session principale : (0x0,0xC08C) Utilisateur client : - Domaine client : - Id. de la session cliente : - Privilèges : SeTakeOwnershipPrivilege
Win2000, A new process has been created. Detailed Tracking Last
<13>Jul 5 15:57: MSWinLog 0 security 2050 Wed Jul 05 15:57: SYSTEM Well Known Group W2K3-LASSO Detailed Tracking "A new process has been created: New Process : 4040 Image File Name: C:\WINDOWS\system32\userinit.exe Creator Process : 1344 Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0x3E7) "
55F 592 A new process has been created. Detailed Tracking Last
<13>May 21 09:39:35 kkkkk-knbmq2eu3 MSWinLog 0 2 Thu May 21 09:39: Administrateur KKKKK-KNBMQ2EU3 Suivi détaillé Un nouveau processus a été créé : Id. du nouveau processus : 948 Nom du fichier image : C:\WINDOWS\system32\cmd.exe Id. du processus créateur : 1536 Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0xB1AE)
A process has exited: Process : %1 Image File Name: %2 Name: %3 Domain: %4 Logon : %5 Detailed Tracking Last
<13>Jul 5 15:57: MSWinLog 0 security 2051 Wed Jul 05 15:57: SYSTEM Well Known Group W2K3-LASSO Detailed Tracking "A process has exited: Process : 4040 Image File Name: C:\WINDOWS\system32\userinit.exe Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0x3E7) "
F 593 A process has exited: Process : %1 Image File Name: %2 Name: %3 Domain: %4 Logon : %5 Detailed Tracking Last
<13>May 21 09:39:44 kkkkk-knbmq2eu3 MSWinLog 0 3 Thu May 21 09:39: Administrateur KKKKK-KNBMQ2EU3 Suivi détaillé Un processus est terminé : Id. du processus : 948 Nom du fichier image : C:\WINDOWS\system32\cmd.exe Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. d'ouv. de session : (0x0,0xB1AE)
Win2000 A process has exited: Process : %1 Name: %2 Domain: %3 Logon : %4 Detailed Tracking Last
Win2000, An attempt was made to duplicate a handle to an object Process Tracking Last
<13>Aug 8 09:26: MSWinLog41768Wed Feb 14 02:12: Administrator ll-a155d4 Logon/LogoffA handle to an object has been duplicated Source Handle : 345 Source Process : 345 Target Handle : 3453 Target Process :
Indirect access to an object has been obtained: Object : %1 Object Name: %2 Process : %3 Primary Name: %4 Primary Domain: %5 Primary Logon : %6 Client Name: %7 Client Domain: %8 Client Logon : %9 Accesses: %10 Access Mask: %11 Detailed Tracking Last

59F 595 Un accès indirect à un objet a été obtenu audit Access / Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59: Administrator LOGLABS-2003FRA Suivi détailléun accès indirect à un objet a été obtenu : d'objet : %1 Nom d'objet : %2 Id. de processus : %3 Utilisateur principal : %4 Domaine principal : %5 Id. de session principale : %6 Utilisateur client : %7 Domaine client : %8 Id. de la session cliente : %9 Accès : %10 Masque d'accès : %

Win2000 Indirect access to an object has been obtained: Object : %1 Object Name: %2 Process : %3 Primary Name: %4 Primary Domain: %5 Primary Logon : %6 Client Name: %7 Client Domain: %8 Client Logon : %9 Accesses: %10 Detailed Tracking Last

A process was assigned a primary token. Assigning Process Information: Process : %1 Image File Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 New Process Information: Process : %6 Image File Name: %7 Target Name: %8 Target Domain: %9 Target Logon : %10 Information/ Last
<13>Aug 9 14:01: MSWinLog Tue Aug 08 14:26: SYSTEM LOGLOGIC-SRV1 Detailed Tracking A process was assigned a primary token. Assigning Process Information: Process : 840 Image File Name: C:\WINDOWS\system32\svchost.exe Primary Name: LOGLOGIC-SRV1$ Primary Domain: LOGLOGIC Primary Logon : (0x0,0x3E7) New Process Information: Process : 2824 Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe Target Name: NETWORK SERVICE Target Domain: NT AUTHORITY Target Logon : (0x0,0x3E4)

F 600 A process was assigned a primary token. Assigning Process Information: Process : %1 Image File Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 New Process Information: Process : %6 Image File Name: %7 Target Name: %8 Target Domain: %9 Target Logon : %10 Information/ Last
<13>Jun 30 10:54:59 kkkkk-knbmq2eu3.foresta MSWinLog 4 90 Tue Jun 30 10:54: SYSTEM KKKKK-KNBMQ2EU3 Suivi détaillé Un jeton principal a été attribué à un processus. Informations sur l'attribution de processus : Id. du processus : 392 Nom du fichier image : C:\WINDOWS\system32\winlogon.exe Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA d'ouv de session principale : (0x0,0x3E7) Informations de nouveau processus : de processus : 2692 Nom du fichier image : C:\WINDOWS\system32\logon.scr Nom d'utilisateur cible : Administrateur Domaine cible : FORESTA d'ouv de session : (0x0,0x260DD)

Right Assigned: Right: %1 Assigned To: %2 Assigned By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
<13>Jul 6 16:22: MSWinLog 0 security Thu Jul 06 16:22: qatest W2K3-LASSO Policy Change " Right Assigned: Right: SeCreateGlobalPrivilege Assigned To: %{S } Assigned By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) "

62F 608 Right Assigned: Right: %1 Assigned To: %2 Assigned By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
<13>Jun 30 08:30:37 kkkkk-knbmq2eu3 MSWinLog Tue Jun 30 08:30: Administrateur KKKKK-KNBMQ2EU3 Changement de stratégie Droit assigné à l'utilisateur : Droit assigné à l'utilisateur : SeAssignPrimaryTokenPrivilege Assigné à : %{S } Assigné par : Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0x13261)

Win2000, Right Removed. Policy Change Last
<13>Jul 6 16:22: MSWinLog 0 security Thu Jul 06 16:22: qatest W2K3-LASSO Policy Change " Right Removed: Right: SeCreateGlobalPrivilege Removed From: %{S } Removed By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) "

F 609 Right Removed. Policy Change Last
<13>Jun 30 08:49:01 kkkkk-knbmq2eu3 MSWinLog 3 52 Tue Jun 30 08:48: SYSTEM KKKKK-KNBMQ2EU3 Changement de stratégie Droit de l'utilisateur supprimé : Droit de l'utilisateur : SetimePrivilege SeShutdownPrivilege SeProfileSingleProcessPrivilege SeChangeNotifyPrivilege SeUndockPrivilege Supprimé de : %{S } Supprimé par : Utilisateur : KKKKK-KNBMQ2EU3$ Domaine : WORKGROUP Id. de la session : (0x0,0x3E7)

Win2000 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: Name: %3 Domain: %4 Logon : %5 Policy Change Last

New Trusted Domain: Domain Name: %1 Domain : %2 Established By: Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change Last
<13>Jul 6 16:48: MSWinLog 0 security Thu Jul 06 16:48: qatest W2K3-LASSO Policy Change "New Trusted Domain: Domain Name: loglogic.sbs Domain : - Established By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) Trust : 3 Trust Direction: 3 Trust Attributes: 1 S Filtering: Disabled "

F 610 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change Last
<13>Jul 22 07:32:28 MSWinLog Wed Jul 22 07:32: Administrateur B0324-FR2003 Changement de stratégie Nouveau domaine approuvé : Nom du domaine : abc.com Id. du domaine : %{S } Établi par : Utilisateur : Administrateur Domaine : DOMAIN Id. de la session : (0x0,0x3EAB48) d'approbation : 2 Direction de l'approbation : 1 Attributs de l'approbation : 0 Filtrage S : %%

Trusted Domain Removed: Domain Name: %1 Domain : %2 Removed By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
<13>Jul 6 16:59: MSWinLog 0 security Thu Jul 06 16:59: qatest W2K3-LASSO Policy Change "Trusted Domain Removed: Domain Name: loglogic.sbs Domain : - Removed By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) "

F 611 Trusted Domain Removed: Domain Name: %1 Domain : %2 Removed By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
<13>Jul 22 07:35:25 MSWinLog Wed Jul 22 07:35: Administrateur B0324-FR2003 Changement de stratégie Domaine approuvé supprimé : Nom du domaine : ABC Id. du domaine : %{S } Supprimé par : Utilisateur : Administrateur Domaine : DOMAIN Id. de la session : (0x0,0x3EAB48)

Win2000 Removing Trusted Domain: Domain Name: %1 Domain : %2 Removed By: Name: %3 Domain: %4 Logon : %5 Policy Change Last

Win2000, Policy Change. Policy Change Last
<13>Jul 5 15:57: MSWinLog 0 security 2049 Wed Jul 05 15:57: SYSTEM Well Known Group W2K3-LASSO Policy Change " Policy Change: New Policy: + + Logon/Logoff + + Object Access + + Privilege Use Policy Change Detailed Tracking + + Directory Service Access + + Logon Changed By: Name: W2K3-LASSO$ Domain Name: SQA Logon : (0x0,0x3E7) "

F 612 Policy Change. Policy Change Last
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 3 8 Thu May 21 10:31: SYSTEM KKKKK-KNBMQ2EU3 Changement de stratégie Modification de la stratégie d'audit : Nouvelle stratégie : Succès Échec + - Ouvertures/Fermetures de session - - Accès aux objets - - Utilisation d'un privilège + + Gestion des comptes + + Changement de stratégie + + Système + + Suivi détaillé - - Accès Active Directory + - Connexion au compte Modifié par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom du domaine : WORKGROUP Id. de la session : (0x0,0x3E7)

Win2000, Kerberos Policy Changed: Changed By: Name: %1 Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4. Policy Change Last
<13>Jun 29 15:01: MSWinLog 0 security 170 Thu Jun 29 14:56: SYSTEM Well Known Group W2K3-LASSO Policy Change "Kerberos Policy Changed: Changed By: Name: W2K3-LASSO$ Domain Name: SQA Logon : (0x0,0x3E7) Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0xa09b (none); " 254

69F 617 Kerberos Policy Changed: Changed By: Name: %1 Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4. Policy Change Last
<13>Jun 30 09:27:33 kkkkk-knbmq2eu3.foresta MSWinLog Tue Jun 30 09:27: SYSTEM KKKKK-KNBMQ2EU3 Changement de stratégie Stratégie Kerberos modifiée : Modifiée par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine : FORESTA Id. d'ouv. de session : (0x0,0x3E7) Modifications effectuées : ('--' signifie aucune modification, sinon chaque modification est affichée sous la forme : <NomParamètre> : <nouvelle valeur> (<ancienne valeur>)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0xa05b (none);

Win2000, Encrypted Data Recovery Policy Changed: Changed By: Name: %1 Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4 Policy Change Last

70F 618 Encrypted Data Recovery Policy Changed: Changed By: Name: %1 Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4 Policy Change Last
<13>Jun 26 04:33:24 kkkkk-knbmq2eu3 MSWinLog Fri Jun 26 04:33: SYSTEM KKKKK-KNBMQ2EU3 Changement de stratégie Stratégie de récupération de données cryptées modifiée : Modifiée par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine : WORKGROUP Id. d'ouv. de session : (0x0,0x3E7) Modifications effectuées : ('--' signifie aucune modification, sinon chaque modification est affichée sous la forme : <NomParamètre> : <nouvelle valeur> (<ancienne valeur>))

Win2000, Quality of Service Policy Changed Changed By. Policy Change Last

Trusted Domain Information Modified: Domain Name: %1 Domain : %2 Modified By: Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change Last
<13>Jul 7 14:11: MSWinLog 0 security Thu Jul 06 16:59: qatest W2K3-LASSO Policy Change "Trusted Domain Information Modified: Domain Name: - Domain : - Modified By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) Trust : - Trust Direction: 1 Trust Attributes: - S Filtering: - "

F 620 Trusted Domain Information Modified: Domain Name: %1 Domain : %2 Modified By: Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change Last
<13>Jul 22 08:07:47 MSWinLog Wed Jul 22 08:07: Administrateur B0324-FR2003 Changement de stratégie Informations sur le domaine approuvé modifiées : Nom de domaine : - Id. de domaine : %{S } Modifié par : Utilisateur : Administrateur Domaine : DOMAIN Id. d'ouv. de session : (0x0,0x3EAB48) d'approbation : - Direction de l'approbation : 3 Attributs de l'approbation : - Filtrage S:

Win2000 Trusted Domain Information Modified: Domain Name: %1 Domain : %2 Modified By: Name: %3 Domain: %4 Logon : %5 Policy Change Last

Access Granted: Access Granted: %4 Modified: %5 Assigned By: Name: %1 Logon : %3 Information/ Last

74F 621 Access Granted: Access Granted: %4 Modified: %5 Assigned By: Name: %1 Logon : %3 Information/ Last
<13>Jul 1 10:20: MSWinLog Wed Jul 01 10:18: Administrateur B0324-FR2003 Changement de stratégie Accès sécurité système accordé : Accès accordé : SeServiceLogonRight Compte modifié : %{S } Attribué par : Utilisateur : Administrateur Domaine : B0324-FR2003 d'ouv. de session : (0x0,0xAFD9) 7740

Access Removed: Access Removed: %4 Modified: %5 Removed By: Name: %1 Logon : %3 Information/ Last

75F 622 Access Removed: Access Removed: %4 Modified: %5 Removed By: Name: %1 Logon : %3 Information/ Last
<13>Jul 1 09:58:39 b0324-fr2003 MSWinLog 4 61 Wed Jul 01 09:58: Administrateur B0324-FR2003 Changement de stratégie Accès de sécurité système supprimé : Accès supprimé : SeNetworkLogonRight Compte modifié : %{S-1-1-0} Supprimé par : Utilisateur : Administrateur Domaine : B0324-FR2003 Id. d'ouv. de session : (0x0,0xAFD9)

Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 Control: %22 Parameters: %23 Sid History: %24 Logon Hours: %25 Last
<13>Jul 5 12:15: MSWinLog 0 security 698 Wed Jul 05 12:15: qatest W2K3-LASSO " Created: New Name: test New Domain: SQA New : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges - Attributes: Sam Name: test Display Name: hg ghf. gf Principal Name: [email protected] Home Directory: - Home Drive: - Script Path: - Profile Path: - Workstations: - Password Last Set: <never> Expires: <never> Primary Group : 513 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x15 Control: Parameters: - Sid History: - Logon Hours: <value not set> "

76F 624 Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 Control: %22 Parameters: %23 Sid History: %24 Logon Hours: %25 Last
<13>May 21 09:47:06 kkkkk-knbmq2eu3 MSWinLog 2 17 Thu May 21 09:47: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur créé : Nom du nouveau compte : loglogic Nouveau domaine : KKKKK-KNBMQ2EU3 Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) Privilèges : - Attributs : Nom du compte SAM : loglogic Nom affiché : %%1793 Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : %%1794 Le compte expire le : %%1794 de groupe principal : 513 Délégué autorisé : - Précédente valeur UAC : 0x Nouvelle valeur UAC : 0x Contrôle du compte utilisateur (UAC) : - Paramètres utilisateurs : %%1793 Historique S : - Heures d'ouverture de session : %%

Win2000 Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Last

Win2000 Change. Last

Win2000, Enabled: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 5 11:04: MSWinLog 0 security 166 Wed Jul 05 11:00: qatest W2K3-LASSO " Enabled: Target Name: test Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) "

79F 626 Enabled: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 5 11:04: MSWinLog 0 security 166 Wed Jul 05 11:00: qatest W2K3-LASSO " Enabled: Target Name: test Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) "

Win2000, Change Password Attempt: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 5 12:28: MSWinLog 0 security 826 Wed Jul 05 12:28: SYSTEM Well Known Group W2K3-LASSO "Change Password Attempt: Target Name: test Target Domain: SQA Target : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - "

F 627 Change Password Attempt: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 26 03:42:34 kkkkk-knbmq2eu3 MSWinLog 2 63 Fri Jun 26 03:42: SYSTEM KKKKK-KNBMQ2EU3 Gestion des comptes Tentative de changement de mot de passe : Nom du compte cible : test Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de la session appelante : (0x0,0x3E7) Privilèges :

Win2000, password set: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 5 12:15: MSWinLog 0 security 702 Wed Jul 05 12:15: qatest W2K3-LASSO " password set: Target Name: test Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) "

81F 628 password set: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Last
<13>May 21 09:47:07 kkkkk-knbmq2eu3 MSWinLog 2 20 Thu May 21 09:47: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Établissement d'un mot de passe de compte d'utilisateur : Nom du compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96)

Win2000, Disabled: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Information/ Last
<13>Aug 9 18:11: MSWinLog Tue Aug 08 13:01: Unknown N/A LOGLOGIC-SRV1 Disabled: Target Name: AAA$ Target Domain: LOGLOGIC Target : %{S } Caller Name: administrator Caller Domain: LOGLOGIC Caller Logon : (0x0,0xC25B9)

F 629 Disabled: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Information/ Last
<13>Jun 26 03:36:33 kkkkk-knbmq2eu3 MSWinLog 2 43 Fri Jun 26 03:36: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur désactivé : Nom du compte cible : test Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x100D3)

Win2000, Deleted. Last
<13>Jul 5 12:14: MSWinLog 0 security 693 Wed Jul 05 12:14: qatest W2K3-LASSO " Deleted: Target Name: test Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

83F 630 Deleted. Last
<13>May 21 09:51:28 kkkkk-knbmq2eu3 MSWinLog 2 30 Thu May 21 09:51: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur supprimé : Nom du compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) Privilèges :

Enabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:01: MSWinLog 0 security 41 Thu Jun 29 14:54: ANONYMOUS LOGON Well Known Group W2K3-LASSO " Enabled Global Group Created: New Name: Domain Computers New Domain: SQA New : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Attributes: Sam Name: Domain Computers Sid History: - "

F 631 Enabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 22 Tue Jun 30 09:20: ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée créé : Nouveau nom de compte : Ordinateurs du domaine Nouveau domaine : FORESTA Id. du nouveau compte : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs : Nom du compte SAM : Ordinateurs du domaine Historique S :

Win2000 Enabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

Win2000, Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:01: MSWinLog 0 security 79 Thu Jun 29 14:54: ANONYMOUS LOGON Well Known Group W2K3-LASSO " Enabled Global Group Member Added: Member Name: - Member : %{S } Target Name: Domain Admins Target Domain: SQA Target : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - "

F 632 Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>May 21 09:47:06 kkkkk-knbmq2eu3 MSWinLog 2 16 Thu May 21 09:47: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe global de sécurité activée ajouté : Nom du membre : - Id. du membre : %{S } Nom de compte cible : Aucun Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - 9

Win2000, Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:30: MSWinLog 0 security 466 Thu Jun 29 15:30: qatest W2K3-LASSO " Enabled Global Group Member Removed: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: test123 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 633 Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>May 21 09:42:29 kkkkk-knbmq2eu3 MSWinLog 2 11 Thu May 21 09:42: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe global de sécurité activée supprimé : Nom du membre : - Id. du membre : %{S } Nom de compte cible : Aucun Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB1AE) Privilèges :

Win2000, Enabled Global Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 29 15:35: MSWinLog 0 security 497 Thu Jun 29 15:35: qatest W2K3-LASSO " Enabled Global Group Deleted: Target Name: test123 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

88F 634 Enabled Global Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:06:49 MSWinLog Thu Jul 02 08:06: Administrateur B0324-FR2003 Gestion des comptes Groupe global de sécurité activée supprimé : Nom de compte cible : qdsfqd Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :

Enabled Local Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:01: MSWinLog 0 security 20 Thu Jun 29 14:54: SYSTEM Well Known Group W2K3-LASSO " Enabled Local Group Created: New Name: Print Operators New Domain: Builtin New : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Attributes: Sam Name: Print Operators Sid History: - "

F 635 Enabled Local Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 25 09:24:48 kkkkk-knbmq2eu3 MSWinLog 2 85 Thu Jun 25 09:24: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée créé : Nom du nouveau compte : qsdsqd Nouveau domaine : KKKKK-KNBMQ2EU3 Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - Attributs : Nom du compte SAM : qsdsqd Historique S :

Win2000 Enabled Local Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

Win2000, Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 5 11:07: MSWinLog 0 security 300 Wed Jul 05 11:07: qatest W2K3-LASSO " Enabled Local Group Member Added: Member Name: CN=testt,CN=s,DC=sqa,DC=loglogic,DC=com Member : %{S } Target Name: s Target Domain: Builtin Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 636 Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>May 21 09:49:36 kkkkk-knbmq2eu3 MSWinLog 2 24 Thu May 21 09:49: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe local de sécurité activée ajouté : Nom du membre : - Id. du membre : %{S } Nom de compte cible : Administrateurs Domaine cible : Builtin Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges :

Win2000, Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 5 15:44: MSWinLog 0 security 1949 Wed Jul 05 15:44: qatest W2K3-LASSO " Enabled Local Group Member Removed: Member Name: CN=hg ghf. gf,cn=s,dc=sqa,dc=loglogic,dc=com Member : %{S } Target Name: Administrators Target Domain: Builtin Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x668A8) Privileges: - "

92F 637 Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>May 21 09:50:00 kkkkk-knbmq2eu3 MSWinLog 2 25 Thu May 21 09:49: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe local de sécurité activée supprimé : Nom du membre : - Id. du membre : %{S } Nom de compte cible : Utilisateurs Domaine cible : Builtin Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges :

Win2000, Enabled Local Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7. Last
<13>Jun 29 16:10: MSWinLog 0 security 799 Thu Jun 29 16:09: qatest W2K3-LASSO " Enabled Local Group Deleted: Target Name: test Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 638 Enabled Local Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7. Last
<13>Jun 25 09:24:56 kkkkk-knbmq2eu3 MSWinLog 2 87 Thu Jun 25 09:24: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Groupe local de sécurité activée supprimé : Nom de compte cible : qsdsqd Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges :

Enabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 5 11:07: MSWinLog 0 security 299 Wed Jul 05 11:07: qatest W2K3-LASSO " Enabled Local Group Changed: Target Name: s Target Domain: Builtin Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: - Sid History: - "

94F 639 Enabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 25 09:24:48 kkkkk-knbmq2eu3 MSWinLog 2 86 Thu Jun 25 09:24: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Groupe local de sécurité activée modifié : Nom de compte cible : qsdsqd Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :

Win2000 Enabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

Win2000, General Database Change. Last

96F 640 Modification de la base de données des comptes généraux audit Access / Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59: Administrator LOGLABS-2003FRA Suivi détaillémodification de la base de données des comptes généraux : de modification : %1 d'objet : %2 Nom d'objet : %3 Id. de l'objet : %4 Utilisateur appelant : %5 Domaine appelant : %6 Id. de la session appelante : %7

Enabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:01: MSWinLog 0 security 42 Thu Jun 29 14:54: ANONYMOUS LOGON Well Known Group W2K3-LASSO " Enabled Global Group Changed: Target Name: Domain Computers Target Domain: SQA Target : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Sid History: - "

F 641 Enabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 23 Tue Jun 30 09:20: ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée modifié : Nom de compte cible : Ordinateurs du domaine Domaine cible : FORESTA Id. de compte cible : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :

Win2000 Enabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 Control: %23 Parameters: %24 Sid History: %25 Logon Hours: %26 Last
<13>Jul 5 11:04: MSWinLog 0 security 165 Wed Jul 05 11:00: qatest W2K3-LASSO " Changed: Target Name: testt Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: - Display Name: - Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x10 Control: Parameters: - Sid History: - Logon Hours: - "

F 642 Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 Control: %23 Parameters: %24 Sid History: %25 Logon Hours: %26 Last
<13>May 21 09:47:07 kkkkk-knbmq2eu3 MSWinLog 2 19 Thu May 21 09:47: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur modifié : Nom de compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - Attributs modifiés : Nom du compte SAM : loglogic Nom affiché : loglogic Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : 21/05/ :47:06 Le compte expire le : %%1794 de groupe principal : 513 Délégué autorisé : - Précédente valeur UAC : 0x Nouvelle valeur UAC : 0x Contrôle du compte utilisateur (UAC) : - Paramètres utilisateurs : - Historique S : - Heures d'ouverture de session : %%

Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM formation: %20 Last
<13>Jul 5 12:27: MSWinLog 0 security 816 Wed Jul 05 12:27: SYSTEM Well Known Group W2K3-LASSO "Domain Policy Changed: Lockout Policy modified Domain Name: SQA Domain : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Min. Password Age: - Max. Password Age: - Force Logoff: - Lockout Threshold: 5 Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: - Machine Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM formation: - "
101F 643 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM formation: %20 Last
<13>Jun 30 09:27:33 kkkkk-knbmq2eu3.foresta MSWinLog Tue Jun 30 09:27: SYSTEM KKKKK-KNBMQ2EU3 Gestion des comptes Stratégie de domaine modifiée : Stratégie de mot de passe modifié Domaine : FORESTA Id. de domaine : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de la session appelante : (0x0,0x3E7) Privilèges : - Attributs modifiés : Âge minimal du mot de passe : Âge maximal du mot de passe : - Fermeture de session forcée : - Seuil de verrouillage : - Fenêtre d'observation du verrouillage : - Durée du verrouillage : - Propriétés du mot de passe : 1 Longueur minimale du mot de passe : 7 Longueur de l'historique de mot de passe : 24 Quota de comptes ordinateurs : - Mode domaine mixte : - Version de comportement du domaine : - formations OEM :
Win2000 Domain Policy Changed: %1 modified Domain : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Win2000, Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 5 12:28: MSWinLog 0 security 833 Wed Jul 05 12:28: SYSTEM Well Known Group W2K3-LASSO " Locked Out: Target Name: test Target : %{S } Caller Machine Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) "
103F 644 Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 17 03:29:48 MSWinLog Fri Jul 17 03:29: SYSTEM B0324-FR2003 Gestion des comptes Compte d'utilisateur verrouillé : Nom du compte cible : test du compte cible : %{S } Nom de l'ordinateur appelant : B0324-MENGKJ Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7)
Computer Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 Control: %22 Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 Last
<13>Jun 29 15:01: MSWinLog 0 security 33 Thu Jun 29 14:54: ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Created: New Name: W2K3-LASSO$ New Domain: SQA New : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges - Attributes: Sam Name: W2K3-LASSO$ Display Name: <value not set> Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> Workstations: <value not set> Password Last Set: <never> Expires: <never> Primary Group : 516 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x105 Control: Parameters: <value changed, but not displayed> Sid History: -Logon Hours:- DNS Host Name:- Service Principal Names: -" 0
104F 645 Computer Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 Control: %22 Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 14 Tue Jun 30 09:20: ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'ordinateur créé : Nom du nouveau compte : KKKKK-KNBMQ2EU3$ Nouveau domaine : FORESTA Id. du nouveau compte : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs : Nom du compte SAM : KKKKK-KNBMQ2EU3$ Nom affiché : %%1793 Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : %%1794 Le compte expire le : %%1794 de groupe principal : 516 Délégué autorisé : - Précédente valeur UAC : 0x0 Nouvelle valeur UAC : 0x105 Contrôle du compte utilisateur (UAC) : %%2080 %%2082 %%2088 Paramètres utilisateurs : %%1792 Historique S : - Heures d'ouverture de session : %%
Win2000 Computer Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Last
Win2000, Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Jun 29 15:01: MSWinLog 0 security 35 Thu Jun 29 14:54: ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Changed: - Target Name: W2K3-LASSO$ Target Domain: SQA Target : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Display Name: - Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x105 New UAC Value: 0x2100 Control: Parameters: - Sid History: - Logon Hours: - DNS Host Name: - Service Principal Names: - "
F 646 Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 16 Tue Jun 30 09:20: ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'ordinateur modifié : - Nom de compte cible : KKKKK-KNBMQ2EU3$ Domaine cible : FORESTA Id. de compte cible : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs modifiés : Nom du compte SAM : - Nom affiché : - Nom principal utilisateur : - Répertoire de base : - Lecteur de base : - Chemin d'accès au script : - Chemin d'accès au profil : - Stations de travail utilisateur : - Dernière modification du mot de passe le : - Le compte expire le : - de groupe principal : - Délégué autorisé : - Précédente valeur UAC : 0x105 Nouvelle valeur UAC : 0x2100 Contrôle du compte utilisateur (UAC) : %%2048 %%2050 %%2093 Paramètres utilisateurs : - Historique S : - Heures d'ouverture de session : - Nom d'hôte DNS : - Noms principaux d 15
Win2000, Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 Control: %23 Parameters: %24 Sid History: %25 Logon Hours: %26 DNS Host Name: %27 Service Principal Names: %28 Last
<13>Jun 29 15:01: MSWinLog 0 security 35 Thu Jun 29 14:54: ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Changed: - Target Name: W2K3-LASSO$ Target Domain: SQA Target : %{S } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Display Name: - Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x105 New UAC Value: 0x2100 Control: Parameters: - Sid History: - Logon Hours: - DNS Host Name: - Service Principal Names: - "
Win2000, Computer Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 7 10:46: MSWinLog 0 security Thu Jul 06 15:52: qatest W2K3-LASSO "Computer Deleted: Target Name: TEST$ Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x151CB1A) Privileges: - "
F 647 Computer Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:28:33 MSWinLog Thu Jul 02 08:28: Administrateur B0324-FR2003 Gestion des comptes Compte d'ordinateur supprimé : Nom du compte cible : QSDFQDS$ Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de la session appelante : (0x0,0x36824) Privilèges :
Win2000 Disabled Local Group Created: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Disabled Local Group Created: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:41: MSWinLog 0 security 535 Thu Jun 29 15:41: qatest W2K3-LASSO " Disabled Local Group Created: Target Name: testing Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: testing Sid History: - "
F 648 Disabled Local Group Created: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 08:15:32 MSWinLog Thu Jul 02 08:15: Administrateur B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée créé : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs : Nom du compte SAM : dfgdfqdfdqsfdqsfqsfdsqf Historique S :
Disabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:42: MSWinLog 0 security 536 Thu Jun 29 15:42: qatest W2K3-LASSO " Disabled Local Group Changed: Target Name: testing1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: testing1 Sid History: - " 620
111F 649 Disabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 08:15:49 MSWinLog Thu Jul 02 08:15: Administrateur B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée modifié : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :
Win2000 Disabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Win2000, Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:43: MSWinLog 0 security 539 Thu Jun 29 15:43: qatest W2K3-LASSO " Disabled Local Group Member Added: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: testing1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
113F 650 Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 08:15:49 MSWinLog Thu Jul 02 08:15: Administrateur B0324-FR2003 Gestion des comptes Membre du groupe local de sécurité désactivée ajouté : Nom du membre : CN=DnsAdmins,CN=s,DC=domain,DC=symbio-group,DC=com Id. du membre : %{S } Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Win2000, Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:44: MSWinLog 0 security 542 Thu Jun 29 15:44: qatest W2K3-LASSO " Disabled Local Group Member Removed: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: testing1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
F 651 Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 08:16:00 MSWinLog Thu Jul 02 08:15: Administrateur B0324-FR2003 Gestion des comptes Membre du groupe local de sécurité désactivée supprimé : Nom du membre : CN=DnsAdmins,CN=s,DC=domain,DC=symbio-group,DC=com Id. du membre : %{S } Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Win2000, Disabled Local Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 29 15:45: MSWinLog 0 security 545 Thu Jun 29 15:45: qatest W2K3-LASSO " Disabled Local Group Deleted: Target Name: testing1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
F 652 Disabled Local Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:16:00 MSWinLog Thu Jul 02 08:15: Administrateur B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée supprimé : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Disabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:46: MSWinLog 0 security 558 Thu Jun 29 15:46: qatest W2K3-LASSO " Disabled Global Group Created: New Name: test New Domain: SQA New : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: test Sid History: - "
116F 653 Disabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 04:18:33 MSWinLog Thu Jul 02 04:18: Administrateur B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée créé : Nouveau nom de compte : test group Nouveau domaine : DOMAIN Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x66246) Privilèges : - Attributs : Nom du compte SAM : test group Historique S :
Win2000 Disabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Disabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:47: MSWinLog 0 security 563 Thu Jun 29 15:47: qatest W2K3-LASSO " Disabled Global Group Changed: Target Name: test1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: test1 Sid History: - " 647
118F 654 Disabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 08:09:15 MSWinLog Thu Jul 02 08:09: Administrateur B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée modifié : Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :
Win2000 Disabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Win2000, Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:48: MSWinLog 0 security 567 Thu Jun 29 15:48: qatest W2K3-LASSO " Disabled Global Group Member Added: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: test1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
120F 655 Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 08:09:15 MSWinLog Thu Jul 02 08:09: Administrateur B0324-FR2003 Gestion des comptes Membre du groupe global de sécurité désactivée ajouté : Nom du membre : CN=Administrateurs de l'entreprise,cn=s,dc=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Win2000, Disabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:56: MSWinLog 0 security 581 Thu Jun 29 15:56: qatest W2K3-LASSO " Disabled Global Group Member Removed: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: test1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
F 656 Disabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 08:09:31 MSWinLog Thu Jul 02 08:09: Administrateur B0324-FR2003 Gestion des comptes Membre du groupe global de sécurité désactivée supprimé : Nom du membre : CN=Administrateurs de l'entreprise,cn=s,dc=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Win2000, Disabled Global Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 29 15:58: MSWinLog 0 security 605 Thu Jun 29 15:58: qatest W2K3-LASSO " Disabled Global Group Deleted: Target Name: test1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
F 657 Disabled Global Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:09:39 MSWinLog Thu Jul 02 08:09: Administrateur B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée supprimé : Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Enabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 7 11:52: MSWinLog Fri Jul 07 11:47: administrator SUPPORT-SBS " Enabled Universal Group Created: New Name: univ658 New Domain: SUPPORT New : %{S } Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - Attributes: Sam Name: univ658 Sid History: - "
123F 658 Enabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 6 05:22:47 MSWinLog Mon Jul 06 05:22: Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité activée créé : Nom du nouveau compte : qfdqqdfdsq Nouveau domaine : DOMAIN Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - Attributs : Nom du compte SAM : qfdqqdfdsq Historique S :
Win2000 Enabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Win2000 Enabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Enabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 7 12:03: MSWinLog Fri Jul 07 12:03: administrator SUPPORT-SBS " Enabled Universal Group Changed: Target Name: univ658 Target Domain: SUPPORT Target : %{S } Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - Changed Attributes: Sam Name: - Sid History: - "
126F 659 Enabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 30 09:51:22 kkkkk-knbmq2eu3.foresta MSWinLog Tue Jun 30 09:50: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Groupe universel de sécurité activée modifié : Nom de compte cible : Administrateurs du schéma Domaine cible : FORESTA Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x260DD) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :
Win2000, Enabled Universal Group Member Added. Last
127F 660 Enabled Universal Group Member Added. Last
<13>Jul 6 05:23:41 MSWinLog Mon Jul 06 05:23: Administrateur B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité activée ajouté : Nom du membre : CN=Administrateur,CN=s,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges :
Win2000, Enabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 11 11:25: MSWinLog Tue Jul 11 11:25: administrator SUPPORT-SBS " Enabled Universal Group Member Removed: Member Name: CN=test628,CN=s,DC=support,DC=local Member : %{S } Target Name: tesater Target Domain: SUPPORT Target : %{S } Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - "
F 661 Enabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 6 05:24:04 MSWinLog Mon Jul 06 05:24: Administrateur B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité activée supprimé : Nom du membre : CN=Administrateur,CN=s,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges :
Win2000, Enabled Universal Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 7 12:04: MSWinLog Fri Jul 07 12:04: administrator SUPPORT-SBS " Enabled Universal Group Deleted: Target Name: univ658 Target Domain: SUPPORT Target : %{S } Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - "
129F 662 Enabled Universal Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 6 05:24:19 MSWinLog Mon Jul 06 05:24: Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité activée supprimé : Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges :
Win2000 Disabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Disabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 16:03: MSWinLog 0 security 721 Thu Jun 29 16:03: qatest W2K3-LASSO " Disabled Universal Group Created: New Name: test New Domain: SQA New : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: test Sid History: - "
F 663 Disabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 05:21:59 MSWinLog Thu Jul 02 05:21: Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée créé : Nom du nouveau compte : test un Nouveau domaine : DOMAIN Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs : Nom du compte SAM : test un Historique S :
Disabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 16:03: MSWinLog 0 security 722 Thu Jun 29 16:03: qatest W2K3-LASSO " Disabled Universal Group Changed: Target Name: test1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: test1 Sid History: - "
F 664 Disabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 05:23:16 MSWinLog Thu Jul 02 05:23: Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée modifié : Nom de compte cible : test un Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :
Win2000 Disabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
Win2000, Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 16:05: MSWinLog 0 security 776 Thu Jun 29 16:05: qatest W2K3-LASSO " Disabled Universal Group Member Added: Member Name: cn=testt,cn=s,dc=sqa,dc=loglogic,DC=com Member : %{S } Target Name: test1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
F 665 Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 05:24:02 MSWinLog Thu Jul 02 05:24: Administrateur B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité désactivée ajouté : Nom du membre : CN=Administrateur,CN=s,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : test un Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Win2000, Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 16:05: MSWinLog 0 security 778 Thu Jun 29 16:05: qatest W2K3-LASSO " Disabled Universal Group Member Removed: Member Name: CN=testt,CN=s,DC=sqa,DC=loglogic,DC=com Member : %{S } Target Name: test1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
135F 666 Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 05:24:49 MSWinLog Thu Jul 02 05:24: Administrateur B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité désactivée supprimé : Nom du membre : CN=Administrateur,CN=s,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : test un Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Win2000, Disabled Universal Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 29 16:06: MSWinLog 0 security 779 Thu Jun 29 16:06: qatest W2K3-LASSO " Disabled Universal Group Deleted: Target Name: test1 Target Domain: SQA Target : %{S } Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "
F 667 Disabled Universal Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:02:00 MSWinLog Thu Jul 02 08:02: Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée supprimé : Nom de compte cible : test un Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
Win2000, Group Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Jul 7 12:06: MSWinLog Fri Jul 07 12:06: administrator SUPPORT-SBS "Group Changed: Enabled Local Group Changed to Disabled Local Group. Target Name: newlocal635 Target Domain: SUPPORT Target : %{S } Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - "

F 668 Group Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Jun 30 09:51:22 kkkkk-knbmq2eu3.foresta MSWinLog Tue Jun 30 09:50: Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes de groupe modifié : Le groupe global activé par la sécurité est changé en groupe universel activé par la sécurité. Nom de compte cible : Administrateurs du schéma Domaine cible : FORESTA Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x260DD) Privilèges :

Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 SidList: %10 Last
138F 669 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 SidList: %10 Last
<13>Aug 4 10:22:22 b0324-fr2.abc.com MSWinLog Tue Aug 04 10:21: Administrateur B0324-FR2 Gestion des comptes Ajout d'un historique S : Nom de compte source : xyz.com\dev Id. de compte source : %{S } Nom de compte cible : dev Domaine cible : ABC Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : ABC Id. de session de l'appelant : (0x0,0x1A388) Privilèges : - Liste S :

Win2000 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last

Win2000, Add S History: Source Name: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last

140F 670 Add S History: Source Name: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Aug 4 10:22:22 b0324-fr2.abc.com MSWinLog Tue Aug 04 10:21: Administrateur B0324-FR2 Gestion des comptes Ajout d'un historique S : Nom de compte source : xyz.com\dev Nom de compte cible : dev Domaine cible : ABC Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : ABC Id. de session de l'appelant : (0x0,0x1A388) Privilèges :
Unlocked: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 formation/ Last
<13>Jun 12 15:21: MSWinLog Sun Jun 12 15:18: Administrator IAM3 Unlocked: Target Name: loglogic2 Target Domain: SECTIS Target : %{S } Caller Name: Administrator Caller Domain: SECTIS Caller Logon : (0x0,0x170D3)

F 671 Unlocked: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 formation/ Last
<13>Jul 22 09:01:28 MSWinLog Wed Jul 22 09:01: Administrateur B0324-FR2003 Gestion des comptes Compte d'utilisateur désactivé : Nom du compte cible : test Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de la session appelante : (0x0,0x3EAB48)

Authentication Ticket Request: Name: %1 Supplied Realm Name: %2 : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 formation/ Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 13:00: SYSTEM LOGLOGIC-SRV1 Logon Authentication Ticket Request: Name: LOGLOGIC-SRV1$ Supplied Realm Name: LOGLOGIC.COM : %{S } Service Name: krbtgt Service : %{S } Ticket Options: 0x Result Code: - Ticket Encryption : 0x17 Pre-Authentication : 2 Client Address: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:
142F 672 Authentication Ticket Request: Name: %1 Supplied Realm Name: %2 : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 formation/ Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 1 80 Tue Jun 30 09:20: SYSTEM KKKKK-KNBMQ2EU3 Connexion de compte Requête de ticket d'authentification : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine Kerberos fourni : FORESTA Id. de l'utilisateur : %{S } Nom du service : krbtgt Id. du service : %{S } Options du ticket : 0x Code de résultat : - de cryptage du ticket : 0x17 de pré-authentification : 2 Adresse du client : Nom de l'émetteur du certificat : Numéro de série du certificat : Empreinte digitale du certificat :

Win2000 Authentication Ticket Granted: Name: %1 Supplied Realm Name: %2 : %3 Service Name: %4 Service : %5 Ticket Options: %6 Ticket Encryption : %7 Pre-Authentication : %8 Client Address: %9 formation/ Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 13:00: SYSTEM LOGLOGIC-SRV1 Logon Authentication Ticket Granted: Name: LOGLOGIC-SRV1$ Supplied Realm Name: LOGLOGIC.COM : %{S } Service Name: krbtgt Service : %{S } Ticket Options: 0x Ticket Encryption : 0x17 Pre-Authentication : 2 Client Address:

Service Ticket Request: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Code: %8 Logon GU: %9 Transited Services: %10 formation/ Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 13:00: SYSTEM LOGLOGIC-SRV1 Logon Service Ticket Request: Name: [email protected] Domain: LOGLOGIC.COM Service Name: LOGLOGIC-SRV1$ Service : %{S } Ticket Options: 0x Ticket Encryption : 0x17 Client Address: Code: - Logon GU: {74ebb9ef-d2d7-8d9a-b16c-91ff35b9f49a} Transited Services:
144F 673 Service Ticket Request: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Code: %8 Logon GU: %9 Transited Services: %10 formation/ Last
<13>Jun 30 09:21:02 kkkkk-knbmq2eu3.foresta MSWinLog 1 91 Tue Jun 30 09:21: SYSTEM KKKKK-KNBMQ2EU3 Connexion de compte Accord de la demande de ticket : Utilisateur : kkkkk-knbmq2eu3$@foresta Domaine de l'utilisateur : FORESTA Nom du service : KKKKK-KNBMQ2EU3$ Identificateur du service : %{S } Options du ticket : 0x de cryptage du ticket : 0x17 Adresse du client : Code d'échec : - GU d'ouv. de session : {93f0a bd05-008e-2d3b54075ba e} Services en transit :

Win2000 Service Ticket Granted: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 formation/ Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 13:00: SYSTEM LOGLOGIC-SRV1 Logon Service Ticket Granted: Name: [email protected] Domain: LOGLOGIC.COM Service Name: LOGLOGIC-SRV1$ Service : %{S } Ticket Options: 0x Ticket Encryption : 0x17 Client Address: Code: - Logon GU: {74ebb9ef-d2d7-8d9a-b16c-91ff35b9f49a} Transited Services:

Service Ticket Renewed: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 formation/ Last
<13>Aug 9 14:01: MSWinLog Sat Aug 05 04:16: SYSTEM LOGLOGIC-SRV1 Logon Service Ticket Renewed: Name: [email protected] Domain: BLR-LOGLOGIC.COM Service Name: krbtgt Service : %{S } Ticket Options: 0x2 Ticket Encryption : 0x17 Client Address:
146F 674 Service Ticket Renewed: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 formation/ Last
<13>Jun 30 10:06:59 kkkkk-knbmq2eu3.foresta MSWinLog Tue Jun 30 10:06: SYSTEM KKKKK-KNBMQ2EU3 Connexion de compte Ticket de service renouvelé : Nom utilisateur : Administrateur@FORESTA Domaine utilisateur : FORESTA Nom du service : krbtgt Id. du service : %{S } Options du ticket : 0x2 de cryptage du ticket : 0x17 Adresse du client :

Win2000 Ticket Granted Renewed: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 formation/ Last
<13>Aug 9 14:01: MSWinLog Sat Aug 05 04:16: SYSTEM LOGLOGIC-SRV1 Logon Ticket Granted Renewed: Name: [email protected] Domain: BLR-LOGLOGIC.COM Service Name: krbtgt Service : %{S } Ticket Options: 0x2 Ticket Encryption : 0x17 Client Address:

Win2000, Pre-authentication failed. Logon Last
<13>Jul 5 16:23: MSWinLog 0 security 2565 Wed Jul 05 16:23: SYSTEM Well Known Group W2K3-LASSO Logon Pre-authentication failed: Name: test : %{S } Service Name: krbtgt/sqa Pre-Authentication : 0x2 Code: 0x18 Client Address:

F 675 Pre-authentication failed. Logon Last
<13>Jul 22 04:36:29 MSWinLog Wed Jul 22 04:36: SYSTEM B0324-FR2003 Connexion de compte Échec de la pré-authentification : Utilisateur : test Id. de l'utilisateur : %{S } Nom du service : krbtgt/ DOMAIN de pré-authentification : 0x2 Code d'échec : 0x18 Adresse du client :
Win2000, An account was mapped for logon Logon Authentication/ Last
<13>Jul 25 12:23: MSWinLog Tue Jul 25 12:05: SYSTEM BBC-WSMTEST-DC1 Logon/Logoff Mapped for Logon by: NTLM1 Client Name: SQA Mapped Name:abc

Win2000 An account could not be mapped for logon Logon Authentication/ Last
<13>Jul 25 12:23: MSWinLog Tue Jul 25 12:05: SYSTEM BBC-WSMTEST-DC1 Logon/Logoff The name:abc could not be mapped for logon by: NTLM

Logon attempt by: %1 Logon account: %2 Source Workstation: %3 Code: %4 formation/ Last / Authentication
<13>Aug 8 09:26: MSWinLog Fri Aug 04 12:20: Unknown N/A LOGLOGIC-SRV1 Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Administrator Source Workstation: LOGLOGIC-SRV1 Code: 0x

F 680 Used for Logon by: %1 Name: %2 Workstation: %3 formation/ Last / Authentication
<13>May 21 09:43:08 kkkkk-knbmq2eu3 MSWinLog 1 14 Thu May 21 09:43: Administrateur KKKKK-KNBMQ2EU3 Connexion de compte Tentative d'ouverture de session par : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Compte d'ouverture de session : Administrateur Station de travail source : KKKKK-KNBMQ2EU3 Code erreur : 0x

Win2000 Used for Logon by: %1 Name: %2 Workstation: %3 formation/ Last / Authentication
<13>May 21 09:43:08 kkkkk-knbmq2eu3 MSWinLog 1 14 Thu May 21 09:43: Administrateur KKKKK-KNBMQ2EU3 Connexion de compte Tentative d'ouverture de session par : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Compte d'ouverture de session : Administrateur Station de travail source : KKKKK-KNBMQ2EU3 Code erreur : 0x
Win2000, The logon to account: %2 by: %1 from workstation: %3 failed. The error code was: %4 audit Last / Authentication
<13>Aug 8 09:26: MSWinLog Fri Aug 04 12:20: Unknown N/A LOGLOGIC-SRV1 Logon The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from Workstation: LOGLOGIC-SRV1 failed. The error code was: 0x

Win2000, Session reconnected to winstation: Name: %1 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 formation/ Last
<13>Jul 25 12:20: MSWinLog Thu Jun 22 10:44: SYSTEM BLR-WIPTEST-DC1 Logon/Logoff Session reconnected to winstation: Name: dmsopann Domain: WIPRO Logon : (0x0,0x5EEA9) Session Name: RDP-Tcp#2 Client Name: BLR-TEST-RMS01 Client Address:

F 682 Session reconnected to winstation: Name: %1 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 formation/ Last
<13>Jul 22 10:06:58 MSWinLog Wed Jul 22 10:06: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Session reconnectée à la station Windows : Utilisateur : Administrateur Domaine : DOMAIN Id. de session : (0x0,0x45E43C) Nom de session : RDP-Tcp#7 Nom de client : B0324-MENGKJ Adresse de client :

Win2000, Session disconnected from winstation: Name: %1 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 formation/ Last
<13>Jul 25 12:20: MSWinLog Wed Jun 21 14:29: SYSTEM BLR-WIPTEST-DC1 Logon/Logoff Session disconnected from winstation: Name: dmsopann Domain: WIPRO Logon : (0x0,0x5EEA9) Session Name: RDP-Tcp#1 Client Name: BLR-TEST-RMS04 Client Address:

F 683 Session disconnected from winstation: Name: %1 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 formation/ Last
<13>Jul 22 09:58:49 MSWinLog Wed Jul 22 09:58: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Session déconnectée de la station Windows : Utilisateur : Administrateur Domaine : DOMAIN Id. de session : (0x0,0x45E43C) Nom de session : RDP-Tcp#4 Nom de client : B0324-MENGKJ Adresse de client :
Set ACLs of members in administrators groups: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 formation/ Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 13:14: ANONYMOUS LOGON Well Known Group LOGLOGIC-SRV1 Set ACLs of members in administrators groups: Target Name: Domain Admins Target Domain: DC=loglogic,DC=com Target : %{S } Caller Name: LOGLOGIC-SRV1$ Caller Domain: LOGLOGIC Caller Logon : (0x0,0x3E7) Privileges:

F 684 Set ACLs of members in administrators groups: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 formation/ Last
<13>Jul 2 04:17:46 MSWinLog Thu Jul 02 04:17: ANONYMOUS LOGON Well Known Group B0324-FR2003 Gestion des comptes Définir les listes ACL des membres des groupes administrateurs : Nom du compte destination : Administrateurs du schéma Domaine destination : DC=domain,DC=symbio-group,DC=com Id. du compte destination : %{S } Utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN Id. d'ouv. de session de l'appelant : (0x0,0x3E7) Privilèges :

The name of an account was changed Authentication/ Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 12:08: LOCAL SERVICEWell Known Group MACHINENAME Logon/Logoff Name Changed: Old Name:SQA New Name:SQA_NEW Target Domain:test Target : testac Caller Name: admin Caller Domain:test Caller Logon :test Privileges:test
157F 685 The name of an account was changed Authentication/ Last
<13>Jul 17 04:25:57 MSWinLog Fri Jul 17 04:25: Administrateur B0324-FR2003 Gestion des comptes Nom du compte modifié : Ancien nom de compte : test Nouveau nom de compte : test1 Domaine cible : DOMAIN Identificateur du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x3EEA5) Privilèges :

Trusted Forest formation Entry Added: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Added by : Client Name: %11 Client Domain: %12 Client Logon : %13 Last

158F 769 Trusted Forest formation Entry Added: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Added by : Client Name: %11 Client Domain: %12 Client Logon : %13 Last
<13>Jul 22 07:37:13 MSWinLog Wed Jul 22 07:37: Administrateur B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été ajoutée : Racine de la forêt : abc.com S de la racine de la forêt : %{S } Id. de l'opération : {0, } d'entrée : 0 dicateurs : 0 Nom du niveau le plus élevé : abc.com Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48) 2010
Trusted Forest formation Entry Removed: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client Name: %11 Client Domain: %12 Client Logon : %13 formation/ Last

159F 770 Trusted Forest formation Entry Removed: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client Name: %11 Client Domain: %12 Client Logon : %13 formation/ Last
<13>Jul 23 05:06:09 MSWinLog Thu Jul 23 05:06: Administrateur B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été supprimée : Racine de la forêt : abc.com S de la racine de la forêt : %{S } Id. de l'opération : {0, } d'entrée : 1 dicateurs : 0 Nom du niveau le plus élevé : xzy.abc.com Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48)

Trusted Forest formation Entry Modified: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client Name: %11 Client Domain: %12 Client Logon : %13 formation/ Last
160F 771 Trusted Forest formation Entry Modified: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client Name: %11 Client Domain: %12 Client Logon : %13 formation/ Last
<13>Jul 22 07:39:51 MSWinLog Wed Jul 22 07:39: Administrateur B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été modifiée : Racine de la forêt : abc.com S de la racine de la forêt : %{S } Id. de l'opération : {0, } d'entrée : 0 dicateurs : 2 Nom du niveau le plus élevé : - Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48)

Per user auditing policy set for user. Policy Change Last

161F 807 Per user auditing policy set for user. Policy Change Last
<13>Jul 23 08:46:53 MSWinLog Thu Jul 23 08:46: SYSTEM B0324-FR2003 Changement de stratégie Stratégie d'audit par utilisateur définie pour l'utilisateur : Utilisateur cible : %{S } Id de stratégie : (0x0,0x53E953) Paramètres de catégorie : Système : 0x0 Ouverture de session : 0x0 Accès de l'objet 0x2 Utilisation d'un privilège : 0x0 Suivi détaillé : 0x0 Modification de stratégie : 0x0 Gestion de compte : 0x0 Accès DS : 0x0 Ouverture de session du compte : 0x

Win2000, Windows is unable to load or access an object, registry or file. Application formation/ Last
The session setup from the computer %1 failed to authenticate. The following error occurred: %2 Directory Service formation/ Last
<13>Aug 8 10: 53: MSWinLog 0 Directory Service 2507 Tue Aug 08 10: 53: ADS loglogic N/A formation M2-0W55 None The session setup from the computer %1 failed to authenticate. The following error occurred: %

F 5805 The session setup from the computer %1 failed to authenticate. The following error occurred: %2 Directory Service formation/ Last
<13>Jul 22 08:15:53 MSWinLog Wed Jul 22 08:15: NETLOGON Unknown N/A B0324-FR2003 None 0000: c0 90 b L'installation de la session à partir de l'ordinateur LOGLOGIC-LVROFF n'a pas pu être authentifiée. L'erreur suivante s'est produite : %%

Win2000, The log service was started. formation/ Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 17:34: Log Unknown N/A formation MACHINENAME None The log service was started

F 6005 The log service was started. formation/ Last
<13>May 21 10:31:17 kkkkk-knbmq2eu3 MSWinLog 1 4 Thu May 21 10:31: Log Unknown N/A formation KKKKK-KNBMQ2EU3 None 0000: e : d : f : 6f : e : 6f : : : : e e : : : 6c : : e : f : : 6f : : a0: 2e a8: f b0: d 00 2e b8: c0: d c8: d0: Le service d'enregistrement d'événement a démarré
Win2000, The log service was stopped. formation/ Last
<13>Aug 8 09:26: MSWinLog Fri Aug 04 17:34: Log Unknown N/A formation MACHINENAME None The log service was stopped

F 6006 The log service was stopped. formation/ Last
<13>May 21 10:31:17 kkkkk-knbmq2eu3 MSWinLog 1 2 Thu May 21 10:29: Log Unknown N/A formation KKKKK-KNBMQ2EU3 None 0000: e : d : f : 6f : e : 6f : : : : e e : : : 6c : : e : f : : 6f : : a0: 2e a8: f b0: d 00 2e b8: c0: d c8: d0: Le service d'enregistrement d'événement a été arrêté

Win2000, The previous system shutdown at %1 on %2 was unexpected. formation/ Last
<13>Aug 9 18:10: MSWinLog Wed Aug 09 15:21: Log Unknown N/A LOGLOGIC-SRV1 None 0000: d Ö : 0f b 00 d Ø 0010: d Ö : b 00 d Ø The previous system shutdown at 3:20:43 PM on 8/9/2006 was unexpected

F 6008 The previous system shutdown at %1 on %2 was unexpected. formation/ Last
<13>Jul 6 08:05:21 MSWinLog Mon Jul 06 08:04: Log Unknown N/A B0324-FR2003 None 0000: d : ab : d : ab L'arrêt système précédant à 08:01:18 le 06/07/2009 n'était pas prévu. 0
Appendix B Logon Types and Descriptions

Table 2 Logon Types and Descriptions

Logon Type | Logon Title | Description
1 | Interactive | A user logged on to this computer at the console.
2 | Network | A user or computer logged on to this computer from the network.
3 | Batch | Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
4 | Service | A service was started by the Service Control Manager.
5 | Unlock | This workstation was unlocked.
6 | NetworkCleartext | A user logged on to a network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
7 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
8 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
9 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
NSi Mobile Installation Guide. Version 6.2
NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...
TIBCO LogLogic. SOX and COBIT Compliance Suite Quick Start Guide. Software Release: 3.5.0. December 2012. Two-Second Advantage
TIBCO LogLogic SOX and COBIT Compliance Suite Quick Start Guide Software Release: 3.5.0 December 2012 Two-Second Advantage Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE.
User Management Guide
AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
How To Install Caarcserve Backup Patch Manager 27.3.2.2 (Carcserver) On A Pc Or Mac Or Mac (Or Mac)
CA ARCserve Backup Patch Manager for Windows User Guide r16 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
TIBCO LogLogic. HIPAA Compliance Suite Quick Start Guide. Software Release: 3.5.0. December 2012. Two-Second Advantage
TIBCO LogLogic HIPAA Compliance Suite Quick Start Guide Software Release: 3.5.0 December 2012 Two-Second Advantage Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE
Advanced Event Viewer Manual
Advanced Event Viewer Manual Document version: 2.2944.01 Download Advanced Event Viewer at: http://www.advancedeventviewer.com Page 1 Introduction Advanced Event Viewer is an award winning application
Legal and Copyright Notice
Parallels Helm Legal and Copyright Notice ISBN: N/A Parallels 660 SW 39 th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax: +1 (425) 282 6444 Copyright 2008, Parallels, Inc.
User Identification and Authentication
User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included
Ecora Enterprise Auditor Instructional Whitepaper. Who Made Change
Ecora Enterprise Auditor Instructional Whitepaper Who Made Change Ecora Enterprise Auditor Who Made Change Instructional Whitepaper Introduction... 3 Purpose... 3 Step 1 - Enabling audit in Windows...
Lepide Software. LepideAuditor for File Server [CONFIGURATION GUIDE] This guide informs How to configure settings for first time usage of the software
Lepide Software LepideAuditor for File Server [CONFIGURATION GUIDE] This guide informs How to configure settings for first time usage of the software Lepide Software Private Limited, All Rights Reserved
RSA Authentication Manager 7.1 Basic Exercises
RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo
Patented hosting technology protected by U.S.Patents 7,0909,948; 7,076,633. Patents pending in the U.S.
Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 600 Herndon VA 20171 USA Phone: +1 (703) 815 5670 Fax: +1 (703) 815 5675 Copyright 1999-2007, SWsoft Holdings, Ltd. All rights reserved
Use Enterprise SSO as the Credential Server for Protected Sites
Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured
Configuration Manual
Configuration Manual Page 1 of 20 Table of Contents Chronicall Setup...3 Standard Installation...3 Non-standard Installation (Recording Library on Separate machine)...8 Configuring Call Recording through
PC Power Down. MSI Deployment Guide
PC Power Down MSI Deployment Guide 1. Introduction 1.1. Outline The client software for PC Power Down can be pushed out across a network, saving the effort of individually visiting each computer to install
RealPresence Platform Director
RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director
Apache Server Implementation Guide
Apache Server Implementation Guide 340 March Road Suite 600 Kanata, Ontario, Canada K2K 2E4 Tel: +1-613-599-2441 Fax: +1-613-599-2442 International Voice: +1-613-599-2441 North America Toll Free: 1-800-307-7042
Integrating Trend Micro OfficeScan 10 EventTracker v7.x
Integrating Trend Micro OfficeScan 10 EventTracker v7.x Publication Date: August 26, 2015 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide will help you in
Monitor Print Popup for Mac. Product Manual. www.monitorbm.com
Monitor Print Popup for Mac Product Manual www.monitorbm.com Monitor Print Popup for Mac Product Manual Copyright 2013 Monitor Business Machines Ltd The software contains proprietary information of Monitor
Parallels Plesk Control Panel
Parallels Plesk Control Panel Copyright Notice ISBN: N/A Parallels 660 SW 39 th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax: +1 (425) 282 6444 Copyright 1999-2008, Parallels,
ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example Document ID: 113571 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information
Key-Systems Registrar Plug-in PBA Configuration Guide Revision 1.1
Key-Systems Registrar Plug-in PBA Configuration Guide Revision 1.1 1999-2012 1/13 Parallels IP Holdings GmbH. Vordergasse 59 CH8200 Schaffhausen Switzerland Tel: + 41 526320 411 Fax: + 41 52672 2010 www.parallels.com
LANDPARK NETWORK IP Landpark, comprehensive IT Asset Tracking and ITIL Help Desk solutions October 2016
LANDPARK NETWORK IP Landpark, comprehensive IT Asset Tracking and ITIL Help Desk solutions October 2016 LANDPARK NETWORK IP ALLOWS YOU TO EASILY INVENTORY YOUR PC THROUGH THE NETWORK Landpark NetworkIP
Synology NAS Server Windows ADS FAQ 2008-11-14
Synology NAS Server Windows ADS FAQ 2008-11-14 2008-11-14 2008 Synology Inc. All Rights Reserved. 1 Synology Inc. 2008 Synology Inc. All rights reserved. No part of this publication may be reproduced,
Adeptia Suite 6.2. Application Services Guide. Release Date October 16, 2014
Adeptia Suite 6.2 Application Services Guide Release Date October 16, 2014 343 West Erie, Suite 440 Chicago, IL 60654, USA Phone: (312) 229-1727 x111 Fax: (312) 229-1736 Document Information DOCUMENT INFORMATION
Snare Agent Management Console User Guide to the Snare Agent Management Console in Snare Server v6
User Guide to the Snare Agent Management Console in Snare Server v6 InterSect Alliance International Pty Ltd Page 1 of 14 Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect
BlackShield ID Agent for Terminal Services Web and Remote Desktop Web
Agent for Terminal Services Web and Remote Desktop Web 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication
800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410
800-782-3762 www.stbernard.com Active Directory 2008 Implementation Version 6.410 Contents 1 INTRODUCTION...2 1.1 Scope... 2 1.2 Definition of Terms... 2 2 SERVER CONFIGURATION...3 2.1 Supported Deployment
OneFabric Connect and iboss Internet Filtering Appliance
OneFabric Connect and iboss Internet Filtering Appliance Configuration and Installation Guide Abstract: This document provides a step-by-step overview for integrating the iboss Internet Filtering Appliance
CA Nimsoft Monitor Snap
CA Nimsoft Monitor Snap Configuration Guide for Email Gateway emailgtw v2.7 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as
RoomWizard Synchronization Software Manual Installation Instructions
2 RoomWizard Synchronization Software Manual Installation Instructions Table of Contents Exchange Server Configuration... 4 RoomWizard Synchronization Software Installation and Configuration... 5 System
Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS
SonicOS User Identification Using the Domain Controller Security Log Contents Supported Platforms... 1 Event Viewer... 1 Configuring Group Policy to Enable Logon Audit... 2 Events in Security Log... 4
NETWRIX ACCOUNT LOCKOUT EXAMINER
NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a
SOA Software API Gateway Appliance 7.1.x Administration Guide
SOA Software API Gateway Appliance 7.1.x Administration Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software, Inc. Other product names,
Administration guide. Océ LF Systems. Connectivity information for Scan-to-File
Administration guide Océ LF Systems Connectivity information for Scan-to-File Copyright 2014, Océ All rights reserved. No part of this work may be reproduced, copied, adapted, or transmitted in any form
FOR WINDOWS FILE SERVERS
Quest ChangeAuditor FOR WINDOWS FILE SERVERS 5.1 User Guide Copyright Quest Software, Inc. 2010. All rights reserved. This guide contains proprietary information protected by copyright. The software described
User Management Tool 1.6
User Management Tool 1.6 2014-12-08 23:32:48 UTC 2014 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents User Management Tool 1.6... 3 ShareFile User Management
Managing Users and Identity Stores
CHAPTER 8 Overview ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting
Configuring Security Features of Session Recording
Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording
Active Directory Self-Service FAQ
Active Directory Self-Service FAQ General Information: [email protected] Online Support: [email protected] CionSystems Inc. Mailing Address: 16625 Redmond Way, Ste M106 Redmond, WA. 98052 http://www.cionsystems.com
Active Directory Change Notifier Quick Start Guide
Active Directory Change Notifier Quick Start Guide Software version 3.0 Mar 2014 Copyright 2014 CionSystems Inc., All Rights Reserved Page 1 2014 CionSystems Inc. ALL RIGHTS RESERVED. This guide may not
KeyAdvantage System DMS Integration. Software User Manual
KeyAdvantage System DMS Integration Software User Manual ii Copyright Disclaimer Trademarks and patents Intended use EMC Directive Regulatory 2013 United Technologies Corporation. All rights reserved.
User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1
The (UMT): Is a stand-alone Windows command-line application that performs migration in the granularity of a Unified ICM instance. It migrates only Unified ICM AD user accounts (config/setup and supervisors)
Phone Inventory 1.0 (1000) Installation and Administration Guide
Phone Inventory 1.0 (1000) Installation and Administration Guide 2010 VoIP Integration June 23, 2010 Table of Contents Product Overview... 3 Requirements... 3 Application Requirements... 3 Call Manager...
Configuring the Avaya B179 SIP Conference Phone with Avaya Aura Communication Manager and Avaya Aura Session Manager Issue 1.0
Avaya Solution & Interoperability Test Lab Configuring the Avaya B179 SIP Conference Phone with Avaya Aura Communication Manager and Avaya Aura Session Manager Issue 1.0 Abstract These Application Notes
Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008
Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Nature of Document: Guideline Product(s): IBM Cognos Express Area of Interest: Infrastructure 2 Copyright and Trademarks Licensed Materials
Avatier Identity Management Suite
Avatier Identity Management Suite Migrating AIMS Configuration and Audit Log Data To Microsoft SQL Server Version 9 2603 Camino Ramon Suite 110 San Ramon, CA 94583 Phone: 800-609-8610 925-217-5170 FAX:
http://www.trendmicro.com/download
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
How-to: Single Sign-On
How-to: Single Sign-On Document version: 1.02 nirva systems [email protected] nirva-systems.com How-to: Single Sign-On - page 2 This document describes how to use the Single Sign-On (SSO) features
DriveLock Quick Start Guide
Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
Polycom RealPresence Resource Manager System Getting Started Guide
[Type the document title] Polycom RealPresence Resource Manager System Getting Started Guide 8.0 August 2013 3725-72102-001B Polycom Document Title 1 Trademark Information POLYCOM and the names and marks
Configuring IBM Cognos Controller 8 to use Single Sign- On
Guideline Configuring IBM Cognos Controller 8 to use Single Sign- On Product(s): IBM Cognos Controller 8.2 Area of Interest: Security Configuring IBM Cognos Controller 8 to use Single Sign-On 2 Copyright
