LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide

Transcription

1 LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide Document Release: September 2011 Part Number: LL ELS This manual supports LogLogic Microsoft Windows Server 2000/2003 Release 2.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

2 2011 LogLogic, c. Proprietary formation Trademarks This document contains proprietary and confidential information of LogLogic, c. and its licensors. accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, c. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, c. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners. Notice The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set our exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation. LogLogic, c. 110 Rose Orchard Way, Ste 200 San Jose, CA Tel: Fax: U.S. Toll Free:

3 Contents Preface About This Guide Technical Support Documentation Support Conventions Chapter 1 Configuring LogLogic s Microsoft Windows Server 2000/2003 Log Collection troduction to Microsoft Windows Server 2000/ Prerequisites Configuring Microsoft Windows Server 2000/2003 for Operational s stalling and Configuring Lasso Collector Enabling the LogLogic Appliance to Capture Log Data Automatically Identifying a Microsoft Windows Server 2000/2003 Device Adding Microsoft Windows Server 2000/2003 Device Verifying the Configuration Chapter 2 How LogLogic Supports Microsoft Windows Server 2000/2003 How LogLogic Captures Microsoft Windows Server 2000/2003 Data LogLogic Real-Time Chapter 3 Troubleshooting and FAQ Troubleshooting Frequently Asked Questions Appendix A Reference LogLogic Support for Microsoft Windows Server 2000/2003 s Appendix B Logon s and Descriptions Microsoft Windows Server 2000/2003 Log Configuration Guide 3

4 4 Microsoft Windows Server 2000/2003 Log Configuration Guide

5 Preface About This Guide The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Windows enables LogLogic Appliances to capture logs from machines running Microsoft Windows Server 2000/2003. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft Windows Server 2000/2003 s operations. For more information on creating reports and alerts, see the LogLogic Guide and LogLogic Online Help. Technical Support LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support: Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0) support@loglogic.com You can also visit the LogLogic Support website at: When contacting Customer Support, be prepared to provide: Your name, address, phone number, and fax number Your company name and company address Your machine type and release version A description of the problem and the content of pertinent error messages (if any) Documentation Support Your feedback on LogLogic documentation is important to us. Send to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. your message, please indicate the software name and version you are using, as well as the title and document date of your documentation. Microsoft Windows Server 2000/2003 Log Configuration Guide 5

6 Conventions LogLogic documentation uses the following conventions to highlight code and command-line elements: A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs). A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example: username: system home directory: home\app A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: LogLogic_home_directory\upgrade\ Straight brackets signal options in command-line syntax. For example: ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...] 6 Microsoft Windows Server 2000/2003 Log Configuration Guide

7 Chapter 1 Configuring LogLogic s Microsoft Windows Server 2000/2003 Log Collection This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft Windows Server 2000/2003 logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft Windows Server 2000/2003 log data. troduction to Microsoft Windows Server 2000/ Prerequisites Configuring Microsoft Windows Server 2000/2003 for Operational s Enabling the LogLogic Appliance to Capture Log Data Verifying the Configuration troduction to Microsoft Windows Server 2000/2003 Microsoft Windows Server 2000/2003 operational events appear within the Windows Viewer and are located within the host machine s Windows Log. The events are captured by Loglogic's Lasso Collector. The Lasso Collector can run in one of the following modes, Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP. The configuration procedures for Microsoft Windows Server 2000/2003 and the LogLogic Appliance depend upon your environment and how the Lasso Collector is configured. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data on page 12 and the LogLogic Lasso Collector Guide. Prerequisites Prior to configuring Microsoft Windows Server 2000/2003 and the LogLogic Appliance, ensure that you meet the following prerequisites: Microsoft Windows Server 2000/2003 Server installed Administrative access on the Windows server Microsoft Windows Server 2000/2003 Server Note: For Windows support you will need to run LogLogic Appliance Release 5.1or later. Lasso Collector Release 2.0 or later installed on the Windows server. For more information, see LogLogic Lasso Collector Guide. LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft Windows Server 2000/2003 support Administrative access on LogLogic Appliance Microsoft Windows Server 2000/2003 Log Configuration Guide 7

8 Configuring Microsoft Windows Server 2000/2003 for Operational s Microsoft Windows operational events are posted in the Windows Viewer. The events are located in the Windows logs. These events can be captured by LogLogic Appliance using Lasso Collector. For more information about the Windows Viewer, see the Microsoft Windows Server 2000/2003 Product stalling and Configuring Lasso Collector Microsoft Windows Server 2000/2003 logs are collected and transported using Lasso. Lasso is used to collect and transfer Windows logs to the LogLogic Appliance. By default, the Lasso program directory is located at: C:\Program Files\Lasso Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages: C:\Program Files\Lasso\LassoRepository\Spool You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and configuration procedures for Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Lasso Collector Guide. 8 Microsoft Windows Server 2000/2003 Log Configuration Guide

9 Enabling the LogLogic Appliance to Capture Log Data The following sections describe how to enable the LogLogic Appliance to capture Microsoft Windows Server 2000/2003 log data. Automatically Identifying a Microsoft Windows Server 2000/2003 Device With the auto-identification feature, the LogLogic Appliance recognizes Microsoft Windows Server 2000/2003 log messages by default. As the log messages come into the Appliance, they are automatically identified and a new Microsoft Windows Server 2000/2003 device type is added to the log source device list. Default values are used for certain properties, such as the device name. To enable auto-identification in the LogLogic Appliance: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Administration > Settings. The General tab appears. 3. For Auto-identify Log Sources, select Yes. 4. Click Update. Once the automatically identified device is added, you can edit its properties. IMPORTANT! Do not change the auto-identified Device and Host IP information. To edit an existing Microsoft Windows Server 2000/2003 device: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select > Devices. The Devices tab appears. 3. Click on an existing Microsoft Windows Server 2000/2003 device in the list and click Modify Device. The Modify Device tab appears. 4. Edit the device fields as needed, then click Update Device. Adding Microsoft Windows Server 2000/2003 Device If you do not want to utilize the auto-identification feature, you can manually add a Microsoft Windows Server 2000/2003 device to the LogLogic Appliance before you redirect the logs. IMPORTANT! LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance. Microsoft Windows Server 2000/2003 Log Configuration Guide 9

10 To add Microsoft Windows Server 2000/2003 as a new device 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select > Devices. The Devices tab appears. 3. Click Add New. The Add Device tab appears. 4. in the following information for the device: Name Name for the Microsoft Windows Server 2000/2003 device Description (optional) Description of the Microsoft Windows Server 2000/2003 device Device Select Microsoft Windows Server 2000/2003 from the drop-down menu Host IP IP address of the Microsoft Windows Server 2000/2003 appliance Enable Data Collection Select the Yes radio button Refresh Device Name through DNS Lookups (optional) Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign. Figure 1 Adding a Device to the LogLogic Appliance 5. Click Add. 6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. When the logs arrive from the specified Microsoft Windows Server 2000/2003 machine, the LogLogic Appliance uses the device you just added if the hostname or IP match. 10 Microsoft Windows Server 2000/2003 Log Configuration Guide

11 Verifying the Configuration The section describes how to verify that the configuration changes made to Microsoft Windows Server 2000/2003 and the LogLogic Appliance are applied correctly. To verify the configuration: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears. 3. Locate the IP address for each Microsoft Windows Server 2000/2003 device. If the device name (Microsoft Windows Server 2000/2003) appears in the list of devices (Figure 2), then the configuration is correct. Figure 2 Log Source Status Tab If the device does not appear in the Log Source Status tab, check the Microsoft Windows Server 2000/2003 logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft Windows Server 2000/2003 configuration, the Lasso configuration, and the LogLogic Appliance configuration. You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft Windows Server 2000/2003 by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time on page 13. If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 15 for more information. Microsoft Windows Server 2000/2003 Log Configuration Guide 11

12 Chapter 2 How LogLogic Supports Microsoft Windows Server 2000/2003 This chapter describes LogLogic's support for Microsoft Windows Server 2000/2003. LogLogic enables you to capture Microsoft Windows Server 2000/2003 log data to monitor Microsoft Windows Server 2000/2003 events. LogLogic supports Microsoft Windows Server 2000/2003 logs. How LogLogic Captures Microsoft Windows Server 2000/2003 Data LogLogic Real-Time How LogLogic Captures Microsoft Windows Server 2000/2003 Data LogLogic's Lasso Collector is used to collect logs stored in the Windows Log. The Windows Collector is an open source application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance. If the Windows Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed. If the Windows Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed. The Windows Collector can also run in both modes at the same time. hybrid mode, the Collector captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access. Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance s Syslog Listener via UDP or TCP. Figure 3 Microsoft Windows Server 2000/2003 with Lasso Collector (in Agent Mode) and the LogLogic Appliance Once the data is captured and parsed, you can generate reports. addition, you can create alerts to notify you of issues on Microsoft Windows Server 2000/2003. For more information on creating reports and alerts, see the LogLogic Guide and LogLogic Online Help. 12 Microsoft Windows Server 2000/2003 Log Configuration Guide

13 LogLogic Real-Time LogLogic provides pre-configured Real-Time for Microsoft Windows Server 2000/2003 log data. The following Real-Time are available: All Unparsed s Displays data for all events retrieved from the Microsoft Windows Server 2000/2003 log for a specified time interval Permission Modification Displays events related to permission modifications performed on user and server objects Access Displays data access and changes done to data during a specified time interval Authentication Displays identity and access related events during a specified time interval Created/Deleted Displays user creation and deletion events Last Displays user specific details and used to track user activity during a specified time interval Windows s Displays Windows event information served during a specified time interval To access LMI 4 Real-Time : 1. the left navigation pane, click Real-Time. 2. Click Access Control. The following Real-Time are available: Permission Modification Access Authentication Created/Deleted Last Windows s 3. Click Logs. The following Real-Time are available: All Unparsed s Microsoft Windows Server 2000/2003 Log Configuration Guide 13

14 To access LMI 5 Real-Time : 1. the top navigation pane, click. 2. Click Access Control. The following Real-Time are available: Permission Modification Access Authentication Created/Deleted Last Windows s 3. ClickOperational. The following Real-Time are available: All Unparsed s You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic Guide and LogLogic Online Help. 14 Microsoft Windows Server 2000/2003 Log Configuration Guide

15 Chapter 3 Troubleshooting and FAQ This chapter contains troubleshooting regarding the configuration and/or use of log collection for Microsoft Windows Server 2000/2003. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions. Troubleshooting Frequently Asked Questions Troubleshooting Is your version of Microsoft Windows Server 2000/2003 supported? For more information, see Prerequisites on page 7. Is your LogLogic Appliance running Release 5.1 or later? If you are running an release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information. Are you running Lasso Collector 2.0 or later? If you are running an release prior to 2.0, you might require an upgrade. Contact LogLogic Support for more information. Is the appropriate Log Source Package (LSP) installed properly? Check to make sure that the LSP that is installed includes support for Microsoft Windows Server 2000/2003. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes. If Microsoft Windows Server 2000/2003 events are not appearing on the LogLogic Appliance... You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab. Make sure that you have properly installed and configured Lasso, and the no errors are present in Lasso s error log (LassoTrace.log). For more information, see the LogLogic Lasso Collector Guide. Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft Windows Server 2000/2003 Device on page 9 and Adding Microsoft Windows Server 2000/2003 Device on page 9. If events are not displaying on the LogLogic Appliance even after configuring Microsoft Windows Server 2000/2003 and Lasso correctly... Microsoft Windows Server 2000/2003 sends the logs, via UDP or TCP, in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft Windows Server 2000/2003 machine. For more information on supported protocols and ports, see the LogLogic Administration Guide. Microsoft Windows Server 2000/2003 Log Configuration Guide 15

16 Frequently Asked Questions How does the LogLogic appliance collect logs from Microsoft Windows Server 2000/2003? For log collection, Lasso Collector is required in order to read the.evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data on page 12. What access permissions are required? To configure logging on Microsoft Windows Server 2000/2003, the Windows user must have administrative permissions. How do I configure logging on Microsoft Windows Server 2000/2003? Follow the procedures on Configuring Microsoft Windows Server 2000/2003 for Operational s on page 8. Also make sure that you have properly installed and configured Lasso. For more information, see stalling and Configuring Lasso Collector on page 8 and the LogLogic Lasso Collector Guide. 16 Microsoft Windows Server 2000/2003 Log Configuration Guide

17 Appendix A Reference This appendix lists the LogLogic-supported Microsoft Windows Server 2000/2003 events. The Microsoft Windows Server 2000/2003 event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic s Syslog Listener. LogLogic Support for Microsoft Windows Server 2000/2003 s The following list describes the contents of each of the columns in the tables below. Item # Item numbers with the suffix F show sample logs in. Microsoft Windows Server 2000/2003 event identifier. Defines if the Microsoft Windows Server 2000/2003 event is available through the LogLogic Report Engine or through the search capabilities. If the event is available through the Report Engine, then you can use LogLogic s Real-Time and Summary to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data. (OS) where the event can be triggered. some instances, duplicate s exist for different OSs. Title/Comments Description of the event of events such as, Application, etc. of event such as audit, audit, etc. LogLogic-provided reports that the event appears in Sample Microsoft Windows Server 2000/2003 Server 2000/2003 log messages in text format Microsoft Windows Server 2000/2003 Log Configuration Guide 17

18 Table 1 Microsoft Windows Server 2000/2003 s # Windows is starting up. formation/ Last <13>Aug 8 09:26: MSWinLog Fri Aug 04 12:59: SYSTEM LOGLOGIC-SRV1 Windows is starting up. 25 1F 512 Windows is starting up. formation/ Last <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 7 Thu May 21 10:31: SYSTEM KKKKK-KNBMQ2EU3 Événements système Windows démarre Win2000 Windows NT is starting up. formation/ Last <13>Aug 8 09:26: MSWinLog Fri Aug 04 12:59: SYSTEM LOGLOGIC-SRV1 Windows NT is starting up Windows is shutting down. All logon sessions will be terminated by this shutdown. formation/ Last <13>Aug 8 09:26: MSWinLog Fri Aug 04 12:59: SYSTEM LOGLOGIC-SRV1 Windows is shutting down.all logon sessions will be terminated by this shutdown. 25 3F 513 Windows is shutting down. All logon sessions will be terminated by this shutdown. formation/ Last <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 6 Thu May 21 10:29: SECURITY Unknown N/A KKKKK-KNBMQ2EU3 Événements système Windows s'arrête. Toutes les sessions vont être fermées par cet arrêt Win2000 Windows NT is shutting down. All logon sessions will be terminated by this shutdown. formation/ Last <13>Aug 8 09:26: MSWinLog Fri Aug 04 12:59: SYSTEM LOGLOGIC-SRV1 Windows NT is shutting down.all logon sessions will be terminated by this shutdown ternal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: %1 formation/ Last 18 Microsoft Windows Server 2000/2003 Log Configuration Guide

19 # 5F Les ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. audit Last / Windows s <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59: Administrator LOGLABS-2003FRA Suivi détailléles ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Certains audits ont été perdus. Nombre de messages d'audit rejetés :% Win2000, The audit log was cleared Primary Name: %1 Primary Primary Logon : %3 Client Name: %4 Client Domain: %5 Client Logon : %6 formation/ Last <13>Jul 25 12:17: MSWinLog Fri Jul 21 14:32: SYSTEM BLR-WSMTEST-DC1 The audit log was cleared Primary Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon : (0x0,0x3E7) Client Name: dmsopann Client Domain: WIPRO Client Logon : (0x0,0x44A885) 1 6F 517 The audit log was cleared Primary Name: %1 Primary Primary Logon : %3 Client Name: %4 Client Domain: %5 Client Logon : %6 formation/ Last <13>Jul 7 05:25: MSWinLog Tue Jul 07 05:15: SYSTEM Well Known Group B0324-FR2003 Événements système Le journal d'audit a été effacé Utilisateur principal : SYSTEM Domaine principal : AUTORITE NT Id. de session principale : (0x0,0x3E7) Utilisateur client : Administrateur Domaine client : DOMAIN Id. de session client : (0x0,0x489A86) 1<13>Jul 6 05:37:34 MSWinLog Mon Jul 06 05:37: Administrateur B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/ Microsoft Windows Server 2000/2003 Log Configuration Guide 19

20 # The system time was changed. Process : %1 Process Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 Client Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 formation/ Last <13>Jun 12 14:54: MSWinLog Sun Jun 12 14:52: loglogic2 IAM3 The system time was changed. Process : 2128 Process Name: C:\WINDOWS\system32\rundll32.exe Primary Name: loglogic2 Primary Domain: SECTIS Primary Logon : (0x0,0xF15F58) Client Name: loglogic2 Client Domain: SECTIS Client Logon : (0x0,0xF15F58) Previous Time: 2:51:48 PM 6/12/2005 New Time: 2:52:47 PM 6/12/ F 520 The system time was changed. Process : %1 Process Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 Client Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 formation/ Last <13>Jul 6 05:37:34 MSWinLog Mon Jul 06 05:37: Administrateur B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/ Win2000 ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Last ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last <13>Jul 5 11:04: MSWinLog 0 security 130 Wed Jul 05 10:54: qatest W2K3-LASSO Logon/ Logoff "ful Logon: Name: qatest Domain: SQA Logon : (0x0,0xD72AEE) Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Logon GU: {4fa5f915-b6cf-cc49-b484-b7b61551b7d0 } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 396 Transited Services: - Source Network Address: Source Port: 1133 " Microsoft Windows Server 2000/2003 Log Configuration Guide

21 # 9F 528 ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last <13>May 21 10:24:28 kkkkk-knbmq2eu3 MSWinLog 1 40 Thu May 21 10:24: SERVICE LOCAL Well Known Group KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : SERVICE LOCAL Domaine : AUTORITE NT Id. de la session : (0x0,0x3E5) de session : 5 Processus de session : Advapi Package d'authentification : Negotiate Station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de session de l'appelant : (0x0,0x3E7) de processus appelant : 868 Services en transit : - Adresse réseau source : - Port source : Win2000 Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:23: MSWinLog 0 security 2566 Wed Jul 05 16:23: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: Unknown user name or bad password Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 724 Transited Services: - Source Network Address: Source Port: 1443 " Microsoft Windows Server 2000/2003 Log Configuration Guide 21

22 # 11F 529 Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 6 08:44:18 MSWinLog Mon Jul 06 08:44: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Nom d'utilisateur inconnu ou mot de passe incorrect Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:42: MSWinLog 0 security 2904 Wed Jul 05 16:42: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: logon time restriction violation Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3444 Transited Services: - Source Network Address: Source Port: 1464 " F 530 Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 6 09:16:06 MSWinLog Mon Jul 06 09:16: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Violation de la limite de temps d'accès au compte Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Microsoft Windows Server 2000/2003 Log Configuration Guide

23 # Win2000 Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:45: MSWinLog 0 security 2940 Wed Jul 05 16:45: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: currently disabled Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3000 Transited Services: - Source Network Address: Source Port: 1468 " F 531 Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 6 08:50:26 MSWinLog Mon Jul 06 08:50: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte actuellement désactivé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Win2000 Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last has not been fully validated byloglogic. Microsoft Windows Server 2000/2003 Log Configuration Guide 23

24 # Win2000 Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last has not been fully validated byloglogic. 16F 532 Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last <13>Jul 18 04:17:27 MSWinLog Sat Jul 18 04:17: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le compte d'utilisateur mentionné est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:47: MSWinLog 0 security 2954 Wed Jul 05 16:47: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The specified user account has expired Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2960 Transited Services: - Source Network Address: Source Port: 1470 " Win2000 Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last 24 Microsoft Windows Server 2000/2003 Log Configuration Guide

25 # Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:48: MSWinLog 0 security 2976 Wed Jul 05 16:48: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: not allowed to logon at this computer Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2996 Transited Services: - Source Network Address: Source Port: 1472 " F 533 Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 22 05:08:53 MSWinLog Wed Jul 22 05:08: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Utilisateur non autorisé à se connecter sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : 32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : Port source : Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:28: MSWinLog 0 security 2741 Wed Jul 05 16:28: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The user has not been granted the requested logon type at this machine Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2480 Transited Services: - Source Network Address: Source Port: 1447 " Microsoft Windows Server 2000/2003 Log Configuration Guide 25

26 # 20F 534 Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 22 04:39:40 MSWinLog Wed Jul 22 04:39: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Il n'a pas été accordé à l'utilisateur le type de session demandé sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : 32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : Port source : Win2000 Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Sep 7 14:19: MSWinLog 0 security Thu Sep 07 14:19: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The specified account's password has expired Name: expire Domain: SQA Logon : 2 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 1344 Transited Services: - Source Network Address: Source Port: 0 " Microsoft Windows Server 2000/2003 Log Configuration Guide

27 # 22F 535 Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 6 08:52:46 MSWinLog Mon Jul 06 08:52: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le mot de passe spécifié pour ce compte est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Win2000 Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last Microsoft Windows Server 2000/2003 Log Configuration Guide 27

28 # 24F 536 Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 16 10:37:58 MSWinLog Thu Jul 16 10:37: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le composant NetLogon n'est pas actif Nom de l'utilisateur : Meng Kangjian Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Win2000 Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last Logon : Reason: An error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last 28 Microsoft Windows Server 2000/2003 Log Configuration Guide

29 # 26F 537 Logon : Reason: An error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last <13>Jul 17 08:07:50 MSWinLog Fri Jul 17 08:07: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Erreur lors de l'ouverture de session Nom de l'utilisateur : Domaine : d'ouverture de session : 3 Processus d'ouv. de session : Kerberos Package d'authentification : Kerberos Nom de station de travail : - Code du statut : 0xC Code du sous-statut : 0x0 Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source : Win2000 Logon : Reason: An unexpected error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last Win2000 Description: Logoff: Name: %1 Logon : %3 Logon : %4 Logon/Logoff Last <13>Jul 5 11:04: MSWinLog 0 security 1 Wed Jul 05 10:19: qatest W2K3-LASSO Logon/ Logoff " Logoff: Name: qatest Domain: SQA Logon : (0x0,0x2ABA3D) Logon : 5 " F 538 Win2000 Description: Logoff: Name: %1 Logon : %3 Logon : %4 Logon/Logoff Last <13>May 21 11:01:37 kkkkk-knbmq2eu3 MSWinLog Thu May 21 11:01: Administrateur KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Fermeture de la session utilisateur : Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0x74297) de session : 7 19 Microsoft Windows Server 2000/2003 Log Configuration Guide 29

30 # Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 5 16:34: MSWinLog 0 security 2803 Wed Jul 05 16:34: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: locked out Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2304 Transited Services: - Source Network Address: Source Port: 1455 " F 539 Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last <13>Jul 17 03:30:03 MSWinLog Fri Jul 17 03:30: SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte verrouillé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Win2000 Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last 30 Microsoft Windows Server 2000/2003 Log Configuration Guide

31 # ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last <13>Jul 5 11:04: MSWinLog 0 security 3 Wed Jul 05 10:19: SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "ful Network Logon: Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Logon : 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GU: {e6b578ec-aae0-9e50-b248-c2004fb821e 8} Caller Name: - Caller Domain: - Caller Logon : - Caller Process : - Transited Services: - Source Network Address: Source Port: 0 " F 540 ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 15 Thu May 21 10:31: ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : Domaine : Id. de la session : (0x0,0xA565) de session : 3 Processus de session : NtLmSsp Package d'authentification : NTLM Nom de la station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source : Win2000 ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Last Logon : Reason: Domain sid inconsistent Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Transited Services: %7 Last / Authenticat ion Microsoft Windows Server 2000/2003 Log Configuration Guide 31