LogLogic Microsoft Windows Server 2003 Log Configuration Guide
- Daniel Mitchell
- 10 years ago
Document Release: October 2011
Part Number: LL ELS

This manual supports LogLogic Microsoft Windows Server 2003 Release 2.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.
2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA
Tel: Fax: U.S. Toll Free:
Contents

Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions
Chapter 1 Configuring LogLogic's Microsoft Windows Server 2003 Log Collection
  Introduction to Microsoft Windows Server 2003
  Prerequisites
  Configuring Microsoft Windows Server 2003 for Operational Events
    Installing and Configuring Lasso Collector
  Enabling the LogLogic Appliance to Capture Log Data
    Automatically Identifying a Microsoft Windows Server 2003 Device
    Adding Microsoft Windows Server 2003 Device
  Verifying the Configuration
Chapter 2 How LogLogic Supports Microsoft Windows Server 2003
  How LogLogic Captures Microsoft Windows Server 2003 Data
  LogLogic Real-Time Reports
Chapter 3 Troubleshooting and FAQ
  Troubleshooting
  Frequently Asked Questions
Appendix A Reference
  LogLogic Support for Microsoft Windows Server 2003 Events
Appendix B Logon s and Descriptions
Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Windows enables LogLogic Appliances to capture logs from machines running Microsoft Windows Server 2003. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft Windows Server 2003's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0)
[email protected]

You can also visit the LogLogic Support website at:

When contacting Customer Support, be prepared to provide:

- Your name, address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

    username: system
    home directory: home\app

- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

    LogLogic_home_directory\upgrade\

- Straight brackets signal options in command-line syntax. For example:

    ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]
Chapter 1 Configuring LogLogic's Microsoft Windows Server 2003 Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft Windows Server 2003 logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft Windows Server 2003 log data.

- Introduction to Microsoft Windows Server 2003
- Prerequisites
- Configuring Microsoft Windows Server 2003 for Operational Events
- Enabling the LogLogic Appliance to Capture Log Data
- Verifying the Configuration

Introduction to Microsoft Windows Server 2003

Microsoft Windows Server 2003 operational events appear within the Windows Event Viewer and are located within the host machine's Windows Event Log. The events are captured by LogLogic's Lasso Collector. The Lasso Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP.

The configuration procedures for Microsoft Windows Server 2003 and the LogLogic Appliance depend upon your environment and how the Lasso Collector is configured. For more information, see How LogLogic Captures Microsoft Windows Server 2003 Data on page 12 and the LogLogic Lasso Collector Guide.

Prerequisites

Prior to configuring Microsoft Windows Server 2003 and the LogLogic Appliance, ensure that you meet the following prerequisites:

- Microsoft Windows Server 2003 Server installed
- Administrative access on the Windows server
- Microsoft Windows Server 2003 Server
- Microsoft Windows Server 2003 Server

  Note: LogLogic Universal Collector 2.2 or later is required for auto-detection of Windows sources. See Adding Microsoft Windows Server 2003 Device on page 9 for manual configuration.

- Lasso Collector Release 2.0 or later installed on the Windows server. For more information, see LogLogic Lasso Collector Guide.
- LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft Windows Server 2003 support
- Administrative access on LogLogic Appliance
Configuring Microsoft Windows Server 2003 for Operational Events

Microsoft Windows operational events are posted in the Windows Event Viewer. The events are located in the Windows logs. These events can be captured by the LogLogic Appliance using Lasso Collector. For more information about the Windows Event Viewer, see the Microsoft Windows Server 2003 Product Documentation.

Installing and Configuring Lasso Collector

Microsoft Windows Server 2003 logs are collected and transported using Lasso. Lasso is used to collect and transfer Windows logs to the LogLogic Appliance. By default, the Lasso program directory is located at:

    C:\Program Files\Lasso

Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:

    C:\Program Files\Lasso\LassoRepository\Spool

You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file.

For the complete installation and configuration procedures for Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Lasso Collector Guide.
Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft Windows Server 2003 log data.

Automatically Identifying a Microsoft Windows Server 2003 Device

With the auto-identification feature, the LogLogic Appliance recognizes Microsoft Windows Server 2003 log messages by default. As the log messages come into the Appliance, they are automatically identified and a new Microsoft Windows Server 2003 device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > Settings. The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.

Once the automatically identified device is added, you can edit its properties.

IMPORTANT! Do not change the auto-identified Device and Host IP information.

To edit an existing Microsoft Windows Server 2003 device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select > Devices. The Devices tab appears.
3. Click on an existing Microsoft Windows Server 2003 device in the list and click Modify Device. The Modify Device tab appears.
4. Edit the device fields as needed, then click Update Device.

Adding Microsoft Windows Server 2003 Device

If you do not want to utilize the auto-identification feature, you can manually add a Microsoft Windows Server 2003 device to the LogLogic Appliance before you redirect the logs.

IMPORTANT! LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance.
To add Microsoft Windows Server 2003 as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   - Name: Name for the Microsoft Windows Server 2003 device
   - Description (optional): Description of the Microsoft Windows Server 2003 device
   - Device: Select Microsoft Windows from the drop-down menu
   - Host IP: IP address of the Microsoft Windows Server 2003 appliance
   - Enable Data Collection: Select the Yes radio button
   - Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

   Figure 1 Adding a Device to the LogLogic Appliance

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Microsoft Windows Server 2003 machine, the LogLogic Appliance uses the device you just added if the hostname or IP match.
Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft Windows Server 2003 and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Microsoft Windows Server 2003 device.

If the device name (Microsoft Windows Server 2003) appears in the list of devices (Figure 2), then the configuration is correct.

Figure 2 Log Source Status Tab

If the device does not appear in the Log Source Status tab, check the Microsoft Windows Server 2003 logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft Windows Server 2003 configuration, the Lasso configuration, and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft Windows Server 2003 by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 13.

If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 14 for more information.
Chapter 2 How LogLogic Supports Microsoft Windows Server 2003

This chapter describes LogLogic's support for Microsoft Windows Server 2003. LogLogic enables you to capture Microsoft Windows Server 2003 log data to monitor Microsoft Windows Server 2003 events. LogLogic supports Microsoft Windows Server 2003 logs.

- How LogLogic Captures Microsoft Windows Server 2003 Data
- LogLogic Real-Time Reports

How LogLogic Captures Microsoft Windows Server 2003 Data

LogLogic's Lasso Collector is used to collect logs stored in the Windows Event Log. The Windows Collector is an open source application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance.

- If the Windows Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed.
- If the Windows Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed.
- The Windows Collector can also run in both modes at the same time. In hybrid mode, the Collector captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access.

Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance's Syslog Listener via UDP or TCP.

Figure 3 Microsoft Windows Server 2003 with Lasso Collector (in Agent Mode) and the LogLogic Appliance

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft Windows Server 2003. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.
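Added example (not LogLogic or Lasso code): a receiver-side parser for the text messages described above, using the field order visible in the Appendix A samples, that flags the audit-trail events listed there (516, 517, 520) and repeated 529 logon failures. The tab delimiter, the field names, the threshold and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Event IDs and titles as listed in Appendix A of this guide.
EVENTS = {
    512: "Windows is starting up",
    513: "Windows is shutting down",
    516: "Audit messages discarded (audit queue exhausted)",
    517: "The audit log was cleared",
    520: "The system time was changed",
    528: "Successful logon",
    529: "Logon failure: unknown user name or bad password",
    530: "Logon failure: logon time restriction violation",
}
TAMPER_IDS = {516, 517, 520}   # events that affect the audit trail itself

# ASSUMPTION: field order after the "MSWinLog" tag, read off the Appendix A
# samples; the names are ours, and a tab delimiter is assumed.
FIELDS = ("criticality", "log", "counter", "timestamp", "event_id", "source",
          "user", "user_type", "event_type", "computer", "category",
          "message", "record")
HEADER = re.compile(
    r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) MSWinLog\t(.*)$", re.S)


def parse_line(line):
    """Return a dict for one forwarded message, or None if it does not fit."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri, stamp, sender, rest = m.groups()
    parts = rest.split("\t", 11)           # 11 fixed fields, then message + record
    if len(parts) != 12:
        return None                        # truncated or foreign message
    message, sep, record = parts[11].rpartition("\t")  # tolerate tabs in message
    if not sep:
        return None
    rec = dict(zip(FIELDS, parts[:11] + [message, record]))
    try:
        rec["event_id"] = int(rec["event_id"])
    except ValueError:
        return None
    pri = int(pri)                         # <13> -> facility 1 (user), severity 5
    rec.update(facility=pri >> 3, severity=pri & 7, syslog_time=stamp, sender=sender)
    rec["title"] = EVENTS.get(rec["event_id"], "not listed in Appendix A")
    return rec


def message_value(message, label):
    """Pull the first 'Label: value' pair out of the flattened description."""
    m = re.search(r"(?:^|\s)" + re.escape(label) + r":\s*(\S+)", message)
    return m.group(1) if m else None


def review(lines, fail_threshold=3):
    """Return (findings, rejected_count) for an iterable of raw syslog lines."""
    findings, failures, rejected = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1                  # count what the parser could not read
            continue
        if rec["event_id"] in TAMPER_IDS:
            actor = message_value(rec["message"], "Client User Name") or rec["user"]
            findings.append(("audit-trail", rec["event_id"], rec["computer"], actor))
        elif rec["event_id"] == 529:
            failures[(rec["computer"],
                      message_value(rec["message"], "User Name"),
                      message_value(rec["message"], "Source Network Address"))] += 1
    for key, count in failures.most_common():
        if count >= fail_threshold:
            findings.append(("repeated-logon-failure",) + key + (count,))
    return findings, rejected


def _sample(event_id, event_type, category, message, counter):
    # Constructed test data; 192.0.2.0/24 is a documentation-only address range.
    return ("<13>Jul  5 16:23:01 192.0.2.20 MSWinLog\t0\tSecurity\t%d\t"
            "Wed Jul 05 16:23:01 2006\t%d\tSecurity\tSYSTEM\tUser\t%s\t"
            "W2K3-LASSO\t%s\t%s\t%d"
            % (counter, event_id, event_type, category, message, counter))


FAIL = ("Logon Failure: Reason: Unknown user name or bad password User Name: test "
        "Domain: SQA Logon Type: 10 Logon Process: User32 "
        "Caller User Name: W2K3-LASSO$ Source Network Address: 192.0.2.77 "
        "Source Port: 1443")
CLEARED = ("The audit log was cleared Primary User Name: SYSTEM "
           "Primary Domain: NT AUTHORITY Client User Name: dmsopann Client Domain: WIPRO")
SAMPLE = [
    _sample(529, "Failure", "Logon/Logoff", FAIL, 1),
    _sample(529, "Failure", "Logon/Logoff", FAIL, 2),
    _sample(529, "Failure", "Logon/Logoff", FAIL, 3),
    _sample(517, "Success", "System Event", CLEARED, 4),
    _sample(528, "Success", "Logon/Logoff", "Successful Logon: User Name: qatest", 5),
    "<13>Jul  5 16:23:02 192.0.2.20 MSWinLog\t0\tSecurity\ttruncated",
]

if __name__ == "__main__":
    for finding in review(SAMPLE)[0]:
        print(finding)
```

The rejected count matters when syslog is carried over UDP: a rising number of unparseable lines is a sign that messages are being truncated or that the assumed layout does not match what the collector sends.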
LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft Windows Server 2003 log data.

The following Real-Time Reports are available:

- All Unparsed Events: Displays data for all events retrieved from the Microsoft Windows Server 2003 log for a specified time interval
- Permission Modification: Displays events related to permission modifications performed on user and server objects
- User Access: Displays data access and changes done to data during a specified time interval
- User Authentication: Displays identity and access related events during a specified time interval
- User Created/Deleted: Displays user creation and deletion events
- Displays user specific details and used to track user activity during a specified time interval
- Windows Events: Displays Windows event information served during a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click.
2. Click Access Control. The following Real-Time Reports are available:
   - Permission Modification
   - User Access
   - User Authentication
   - User Created/Deleted
   - Windows Events
3. Click Operational. The following Real-Time Reports are available:
   - All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.
Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft Windows Server 2003. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

- Troubleshooting
- Frequently Asked Questions

Troubleshooting

Is your version of Microsoft Windows Server 2003 supported?

For more information, see Prerequisites on page 7.

Is your LogLogic Appliance running Release 5.1 or later?

If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

Are you running Lasso Collector 2.0 or later?

If you are running a release prior to 2.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?

Check to make sure that the LSP that is installed includes support for Microsoft Windows Server 2003. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft Windows Server 2003 events are not appearing on the LogLogic Appliance...

You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab.

Make sure that you have properly installed and configured Lasso, and that no errors are present in Lasso's error log (LassoTrace.log). For more information, see the LogLogic Lasso Collector Guide.

Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft Windows Server 2003 Device on page 9 and Adding Microsoft Windows Server 2003 Device on page 9.

If events are not displaying on the LogLogic Appliance even after configuring Microsoft Windows Server 2003 and Lasso correctly...

Microsoft Windows Server 2003 sends the logs, via UDP or TCP, in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft Windows Server 2003 machine. For more information on supported protocols and ports, see the LogLogic Administration Guide.
Frequently Asked Questions

How does the LogLogic appliance collect logs from Microsoft Windows Server 2003?

For log collection, Lasso Collector is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft Windows Server 2003 Data on page 12.

What access permissions are required?

To configure logging on Microsoft Windows Server 2003, the Windows user must have administrative permissions.

How do I configure logging on Microsoft Windows Server 2003?

Follow the procedures on Configuring Microsoft Windows Server 2003 for Operational Events on page 8. Also make sure that you have properly installed and configured Lasso. For more information, see Installing and Configuring Lasso Collector on page 8 and the LogLogic Lasso Collector Guide.
Appendix A Reference

This appendix lists the LogLogic-supported Microsoft Windows Server 2003 events. The Microsoft Windows Server 2003 event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Microsoft Windows Server 2003 Events

The following list describes the contents of each of the columns in the tables below.

- Item #: Item numbers with the suffix F show sample logs in.
- Item #: Item numbers with the suffix G show sample logs in.
- Microsoft Windows Server 2003 event identifier.
- Defines if the Microsoft Windows Server 2003 event is available through the LogLogic Report Engine or through the search capabilities. If the event is available through the Report Engine, then you can use LogLogic's Real-Time and Summary to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- (OS) where the event can be triggered. In some instances, duplicate s exist for different OSs.
- Title/Comments: Description of the event
- of events such as, Application, etc.
- of event such as audit, Failure audit, etc.
- LogLogic-provided reports that the event appears in
- Sample Microsoft Windows Server 2003 log messages in text format
18 Table 1 Microsoft Windows Server 2003 s # Win2003 Windows is starting up. Security <13>Aug 8 09:26: MSWinLog 0 Security 621 Fri Aug 04 12:59: Security SYSTEM User LOGLOGIC-SRV1 Windows is starting up. 25 1F 512 Win2003 1G 512 Win2003 Windows is starting up. Security Windows is starting up. Security <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 Security 7 Thu May 21 10:31: Security SYSTEM User KKKKK-KNBMQ2EU3 Événements système Windows démarre. 1 <13> T11:25: : MSWinLog 0 Security 0 Tue May 10 11:25: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA ereignis Windows wird gestartet Win2003 Windows is shutting down. All logon sessions will be terminated by this shutdown. Security <13>Aug 8 09:26: MSWinLog 0 Security 621 Fri Aug 04 12:59: Security SYSTEM User LOGLOGIC-SRV1 Windows is shutting down.all logon sessions will be terminated by this shutdown. 25 2F 513 Win2003 Windows is shutting down. All logon sessions will be terminated by this shutdown. Security <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 Security 6 Thu May 21 10:29: SECURITY Unknown User N/A KKKKK-KNBMQ2EU3 Événements système Windows s'arrête. Toutes les sessions vont être fermées par cet arrêt. 0 2G 513 Win2003 Windows is shutting down. All logon sessions will be terminated by this shutdown. Security <13> T09:23: : MSWinLog 0 Security 0 Fri May 06 09:23: SECURITY User SRV-W2003-GERMA ereignis Windows wird heruntergefahren. Alle Anmeldesitzungen werden durch den Vorgang des Herunterfahrens beendet Win2003 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: %1 Security The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation. 18 Microsoft Windows Server 2003 Log Configuration Guide
19 # 5F 516 Win2003 Les ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Security audit / Windows s <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog0Security35Mon Mar 01 16:59: SecurityAdministrator User LOGLABS-2003FRA Suivi détailléles ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Certains audits ont été perdus. Nombre de messages d'audit rejetés :% Win2003 The audit log was cleared Primary Primary Domain: %2 Primary Logon : %3 Client User Name: %4 Client Domain: %5 Client Logon : %6 Security <13>Jul 25 12:17: MSWinLog 0 Security 7727 Fri Jul 21 14:32: Security SYSTEM User BLR-WSMTEST-DC1 The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon : (0x0,0x3E7) Client User Name: dmsopann Client Domain: WIPRO Client Logon : (0x0,0x44A885) 1 6F 517 Win2003 The audit log was cleared Primary Primary Domain: %2 Primary Logon : %3 Client User Name: %4 Client Domain: %5 Client Logon : %6 Security <13>Jul 7 05:25: MSWinLog 0 Security 1151 Tue Jul 07 05:15: Security SYSTEM Well Known Group B0324-FR2003 Événements système Le journal d'audit a été effacé Utilisateur principal : SYSTEM Domaine principal : AUTORITE NT Id. de session principale : (0x0,0x3E7) Utilisateur client : Administrateur Domaine client : DOMAIN Id. de session client : (0x0,0x489A86) 1<13>Jul 6 05:37:34 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 608 Mon Jul 06 05:37: Security Administrateur User B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. 
de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/ Microsoft Windows Server 2003 Log Configuration Guide 19
20 # 6G 517 Win2003 The audit log was cleared Primary Primary Domain: %2 Primary Logon : %3 Client User Name: %4 Client Domain: %5 Client Logon : %6 Security <13> T13:40: : MSWinLog 0 Security 0 Mon May 16 13:40: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA ereignis Das Überwachungsprotokoll wurde gelöscht. Primärer Benutzername: SYSTEM Primäre Domäne: NT-AUTORITÄT Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: administrator Clientdomäne: LL Clientanmeldekennung: (0x0,0x439BD) Win2003 The system time was changed. Process : %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 Client User Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 Security <13>Jun 12 14:54: MSWinLog 0 Security 923 Sun Jun 12 14:52: Security loglogic2 User IAM3 The system time was changed. Process : 2128 Process Name: C:\WINDOWS\system32\rundll32.exe Primary User Name: loglogic2 Primary Domain: SECTIS Primary Logon : (0x0,0xF15F58) Client User Name: loglogic2 Client Domain: SECTIS Client Logon : (0x0,0xF15F58) Previous Time: 2:51:48 PM 6/12/2005 New Time: 2:52:47 PM 6/12/ F 520 Win2003 The system time was changed. Process : %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 Client User Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 Security <13>Jul 6 05:37:34 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 608 Mon Jul 06 05:37: Security Administrateur User B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/ Microsoft Windows Server 2003 Log Configuration Guide
21 # 7G 520 Win2003 The system time was changed. Process : %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 Client User Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 Security <13> T11:26: : MSWinLog 0 Security 0 Tue May 10 11:26: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA ereignis Die zeit wurde geändert. Prozesskennung: 1452 Prozessname: C:\Programme\VMware\VMware Tools\vmtoolsd.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Benutzerdomäne: LL Primäre Benutzeranmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x3E7) Alte Zeit: 11:26: Neue Zeit: 11:26: Win2003 ful Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff <13>Jul 5 11:04: MSWinLog 0 security 130 Wed Jul 05 10:54: Security qatest User W2K3-LASSO Logon/ Logoff "ful Logon: User Name: qatest Domain: SQA Logon : (0x0,0xD72AEE) Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Logon GU: {4fa5f915-b6cf-cc49-b484-b7b61551b7d0} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 396 Transited Services: - Source Network Address: Source Port: 1133 " F 528 Win2003 ful Logon: Logon/Logoff Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 <13>May 21 10:24:28 kkkkk-knbmq2eu3 MSWinLog 1 Security 40 Thu May 21 10:24: Security SERVICE LOCAL Well Known Group KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : SERVICE LOCAL 
Domaine : AUTORITE NT Id. de la session : (0x0,0x3E5) de session : 5 Processus de session : Advapi Package d'authentification : Negotiate Station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de session de l'appelant : (0x0,0x3E7) de processus appelant : 868 Services en transit : - Adresse réseau source : - Port source : - 24 Microsoft Windows Server 2003 Log Configuration Guide 21
22 # 8G 528 Win2003 ful Logon: Logon/Logoff Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 <13> T11:25: : MSWinLog 0 Security 0 Tue May 10 11:25: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA An-/Abmeldung Erfolgreiche Anmeldung: Benutzername: SYSTEM Domäne: NT-AUTORITÄT Anmeldekennung: (0x0,0x3E7) Anmeldetyp: 0 Anmeldevorgang: - Authentifizierungspaket: - Name der Arbeitsstation: - Anmelde-GU: - Aufruferbenutzername: - Aufruferdomäne: - Aufruferanmeldekennung: - Aufruferprozesskennung: 4 Dienste: - Quellnetzwerkadresse: - Quellport: Übertragene Win2003 Logon Failure: Reason: Unknown user name or bad password Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure <13>Jul 5 16:23: MSWinLog 0 security 2566 Wed Jul 05 16:23: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Unknown user name or bad password User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 724 Transited Services: - Source Network Address: Source Port: 1443 " F 529 Win2003 Logon Failure: Reason: Unknown user name or bad password Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Failure <13>Jul 6 08:44:18 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1332 Mon Jul 06 08:44: Security 
SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Nom d'utilisateur inconnu ou mot de passe incorrect Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : Microsoft Windows Server 2003 Log Configuration Guide
9G 529 Win2003
Logon Failure: Reason: Unknown user name or bad password Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13> T13:55: : MSWinLog 0 Security 0 Mon May 16 13:55: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Unbekannter Benutzername oder falsches Kennwort Benutzername: administrator Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: Quellport:

Win2003
Logon Failure: Reason: logon time restriction violation Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 5 16:42: MSWinLog 0 security 2904 Wed Jul 05 16:42: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: logon time restriction violation User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3444 Transited Services: - Source Network Address: Source Port: 1464 "

F 530 Win2003
Logon Failure: Reason: logon time restriction violation Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 6 09:16:06 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1850 Mon Jul 06 09:16: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Violation de la limite de temps d'accès au compte Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :
10G 530 Win2003
Logon Failure: Reason: logon time restriction violation Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13> T13:58: : MSWinLog 0 Security 0 Mon May 16 13:58: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Außerhalb der Anmeldezeiten des Kontos Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: Quellport:

Win2003
Logon Failure: Reason: currently disabled Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 5 16:45: MSWinLog 0 security 2940 Wed Jul 05 16:45: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: currently disabled User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3000 Transited Services: - Source Network Address: Source Port: 1468 "

F 531 Win2003
Logon Failure: Reason: currently disabled Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 6 08:50:26 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1399 Mon Jul 06 08:50: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte actuellement désactivé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :
11G 531 Win
Logon Failure: Reason: currently disabled Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13> T14:01: : MSWinLog 0 Security 0 Mon May 16 14:01: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Konto ist gegenwärtig deaktiviert Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: Quellport:

F 532 Win2003
Logon Failure: Reason: The specified user account has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Logon/Logoff Failure
<13>Jul 18 04:17:27 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security Sat Jul 18 04:17: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le compte d'utilisateur mentionné est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :
11G 532 Win2003
Logon Failure: Reason: The specified user account has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Logon/Logoff Failure
<13> T14:03: : MSWinLog 0 Security 0 Mon May 16 14:03: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Das angegebene Benutzerkonto ist abgelaufen Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: Quellport:

Win2003
Logon Failure: Reason: The specified user account has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %
Logon/Logoff Failure
<13>Jul 5 16:47: MSWinLog 0 security 2954 Wed Jul 05 16:47: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified user account has expired User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2960 Transited Services: - Source Network Address: Source Port: 1470 "

Win2003
Logon Failure: Reason: User not allowed to logon at this computer Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 5 16:48: MSWinLog 0 security 2976 Wed Jul 05 16:48: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: User not allowed to logon at this computer User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2996 Transited Services: - Source Network Address: Source Port: 1472 "
13F 533 Win
Logon Failure: Reason: User not allowed to logon at this computer Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 22 05:08:53 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1371 Wed Jul 22 05:08: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Utilisateur non autorisé à se connecter sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : Port source :

G 533 Win2003
Logon Failure: Reason: User not allowed to logon at this computer Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13> T14:07: : MSWinLog 0 Security 0 Mon May 16 14:07: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Benutzer darf sich an diesem Computer nicht anmelden Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: Quellport:
Win2003
Logon Failure: Reason: The user has not been granted the requested logon type at this machine Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 5 16:28: MSWinLog 0 security 2741 Wed Jul 05 16:28: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2480 Transited Services: - Source Network Address: Source Port: 1447 "

F 534 Win2003
Logon Failure: Reason: The user has not been granted the requested logon type at this machine Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 22 04:39:40 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 913 Wed Jul 22 04:39: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Il n'a pas été accordé à l'utilisateur le type de session demandé sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : Port source :
14G 534 Win2003
Logon Failure: Reason: The user has not been granted the requested logon type at this machine Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13> T14:05: : MSWinLog 0 Security 0 Mon May 16 14:05: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Dem Benutzer wurde der angeforderte Anmeldetyp an diesem Computer nicht gestattet. Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: Quellport:

Win2003
Logon Failure: Reason: The specified account's password has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Sep 7 14:19: MSWinLog 0 security Thu Sep 07 14:19: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified account's password has expired User Name: expire Domain: SQA Logon : 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 1344 Transited Services: - Source Network Address: Source Port: 0 "

F 535 Win2003
Logon Failure: Reason: The specified account's password has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 6 08:52:46 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1422 Mon Jul 06 08:52: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le mot de passe spécifié pour ce compte est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :
15G 535 Win2003
Logon Failure: Reason: The specified account's password has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13> T14:10: : MSWinLog 0 Security 0 Mon May 16 14:10: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Das Kennwort des angegebenen Kontos ist abgelaufen Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: Quellport:

Win2003
Logon Failure: Reason: The NetLogon component is not active Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

16F 536 Win2003
Logon Failure: Reason: The NetLogon component is not active Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 16 10:37:58 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security Thu Jul 16 10:37: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le composant NetLogon n'est pas actif Nom de l'utilisateur : Meng Kangjian Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source : 0
Win2003
Logon Failure: Reason: An error occurred during logon Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Logon/Logoff Failure
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

17F 537 Win2003
Logon Failure: Reason: An error occurred during logon Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Logon/Logoff Failure
<13>Jul 17 08:07:50 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security Fri Jul 17 08:07: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Erreur lors de l'ouverture de session Nom de l'utilisateur : Domaine : d'ouverture de session : 3 Processus d'ouv. de session : Kerberos Package d'authentification : Kerberos Nom de station de travail : - Code du statut : 0xC Code du sous-statut : 0x0 Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source :

Win2003
User Logoff
Logon/Logoff
<13> T11:26: : MSWinLog 0 Security 0 Tue May 10 11:26: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA An-/Abmeldung Benutzerabmeldung: Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x22421) Anmeldetyp:
Win2003
Logon Failure: Reason: locked out Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 5 16:34: MSWinLog 0 security 2803 Wed Jul 05 16:34: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: locked out User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2304 Transited Services: - Source Network Address: Source Port: 1455 "

F 539 Win
Logon Failure: Reason: locked out Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13>Jul 17 03:30:03 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security Fri Jul 17 03:30: Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte verrouillé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : Port source :

G 539 Win2003
Logon Failure: Reason: locked out Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Logon/Logoff Failure
<13> T14:24: : MSWinLog 0 Security 0 Mon May 16 14:24: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/Abmeldung Fehlgeschlagene Anmeldung: Grund: Konto gesperrt Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: Quellport:
Win2003
Successful Network Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Logon/Logoff
<13>Jul 5 11:04: MSWinLog 0 security 3 Wed Jul 05 10:19: Security SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Successful Network Logon: User Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Logon : 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GU: {e6b578ec-aae0-9e50-b248-c2004fb821e8} Caller User Name: - Caller Domain: - Caller Logon : - Caller Process : - Transited Services: - Source Network Address: Source Port: 0 "

F 540 Win2003
Successful Network Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Logon/Logoff
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 Security 15 Thu May 21 10:31: Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Ouverture/Fermeture de session Ouverture de session réseau réussie : Utilisateur : Domaine : Id. de la session : (0x0,0xA565) de session : 3 Processus de session : NtLmSsp Package d'authentification : NTLM Nom de la station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source :

G 540 Win2003
Successful Network Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Logon/Logoff
<13> T11:25: : MSWinLog 0 Security 0 Tue May 10 11:25: Security NT-AUTORITÄT\ANONYMOUS-ANMELDUNG User SRV-W2003-GERMA An-/Abmeldung Erfolgreiche Netzwerkanmeldung: Benutzername: Domäne: Anmeldekennung: (0x0,0xF6DC) Anmeldetyp: 3 Anmeldevorgang: NtLmSsp Authentifizierungspaket: NTLM Arbeitsstationsname: Anmelde-GU: - Aufruferbenutzername: - Aufruferdomäne: - Aufruferanmeldekennung: - Aufruferprozesskennung: - Übertragene Dienste: - Quellnetzwerkadresse: - Quellport:
Win2003
Logon Failure: Reason: Domain sid inconsistent Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Transited Services: %7
Security Failure /User Authentication
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

33F Win2003
Logon failure
Security audit User Authentication / / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog0Security35Mon Mar 01 16:59: SecurityAdministrator User LOGLABS-2003FRA Suivi détaillééchec de l'ouverture de session : Raison : S du domaine incohérent Nom d'utilisateur : %1 Domaine : %2 d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de station de travail : %6 Services en transit : %

Win2003
Logon Failure: Reason: All sids were filtered out Domain: %2 Logon : %3 Logon Process: %4 Authentication Package : %5 Workstation Name: %6
Security Failure / User Authentication
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

35F 549 Win2003
Logon failure
Security audit User Authentication / / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog0Security35Mon Mar 01 16:59: SecurityAdministrator UserFailure LOGLABS-2003FRA Suivi détaillééchec de l'ouverture de session : Raison : Tous les S étaient épuisés Utilisateur : %1 Domaine : %2 d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de la station de travail : %

Win2003
Notification message that could indicate a possible denial-of-service attack.
Security Logon / Logoff
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
Win2003
User initiated logoff: Domain: %2 Logon : %3
Security audit / Information / User Access
<13>Aug 8 09:26: MSWinLog 0 Security 619 Fri Aug 04 12:58: Security Unknown User N/A LOGLOGIC-SRV1 Logon/Logoff User initiated logoff: User Name: Administrator Domain: LOGLOGIC-SRV1 Logon : (0x0,0x14d2b) 23

37F 551 Win2003
User initiated logoff: Domain: %2 Logon : %3
Security User Access
<13>Jul 1 03:18:31 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 3252 Wed Jul 01 03:18: Security Administrateur User KKKKK-KNBMQ2EU3 Ouverture/Fermeture de session Fermeture de session initiée par l'utilisateur : Utilisateur : Administrateur Domaine : FORESTA Id. d'ouv. de session : (0x0,0x260dd)

G 551 Win2003
User initiated logoff: Domain: %2 Logon : %3
Security User Access
<13> T13:54: : MSWinLog 0 Security 0 Mon May 16 13:54: Security LL\Administrator User SRV-W2003-GERMA An-/Abmeldung Benutzerinitiierte Abmeldung: Benutzername: administrator Domäne: LL Anmeldekennung: (0x0,0x2194f8)

Win2003
Logon attempt using explicit credentials: Logged on user: Domain: %2 Logon : %3 Logon GU: %4 User whose credentials were used: Target User Name: %5 Target Domain: %6 Target Logon GU: %7 Target Server Name: %8 Target Server Info: %9 Caller Process : %10 Source Network Address: %11 Source Port: %12
Security / User Authentication
<13>Aug 8 09:26: MSWinLog 0 Security 614 Fri Aug 04 12:30: Security SYSTEM User LOGLOGIC-SRV1 Logon/Logoff Logon attempt using explicit credentials: Logged on user: User Name: LOGLOGIC-SRV1$ Domain: WORKGROUP Logon : (0x0,0x3E7) Logon GU: - User whose credentials were used: Target User Name: Administrator Target Domain: LOGLOGIC-SRV1 Target Logon GU: - Target Server Name: localhost Target Server Info: localhost Caller Process : 568 Source Network Address: Source Port: 0 18
38F 552 Win2003
Logon attempt using explicit credentials
Security audit User Authentication / / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog0Security35Mon Mar 01 16:59: SecurityAdministrator UserFailure LOGLABS-2003FRA Suivi détaillétentative d'ouverture de session en utilisant des informations d'identification explicites : Utilisateur connecté : Nom d'utilisateur : %1 Domaine : %2 d'ouv. de session : %3 GU d'ouv. de session : %4 Utilisateur dont les informations d'identification ont été utilisées : Nom d'utilisateur cible : %5 Domaine cible : %6 GU d'ouv. de session cible : %7 Nom du serveur cible : %8 Informations du serveur cible : %9 de processus appelant : %10 Adresse réseau source : %12 Port source : %13

38G 552 Win2003
Logon attempt using explicit credentials
Security audit User Authentication / / Windows s
<13> T12:54: : MSWinLog 0 Security 0 Mon May 16 12:54: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA An-/Abmeldung Anmeldeversuch unter Verwendung expliziter Anmeldeinformationen: Angemeldeter Benutzer: Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x3E7) Anmelde-GU: - Benutzer, dessen Anmeldeinformationen verwendet wurden: Zielbenutzerame: administrator Zieldomäne: LL Zielanmelde-GU:{5baf06a3-3fff-c4f8-fa f76700bd3} Zielservername: localhost Zielserverinfo: localhost Aufruferprozesskennung: 548 Quellnetzwerkadresse: Quellport:
Win2003
Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18
Object Access
<13>Jul 5 15:58: MSWinLog 0 security 2074 Wed Jul 05 15:58: Security qatest User W2K3-LASSO Object Access "Object Open: Object Server: Security Object : Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\log\security Handle : 452 Operation : {0, } Process : 3280 Image File Name: C:\WINDOWS\system32\mmc.exe Primary User Name: qatest Primary Domain: SQA Primary Logon : (0x0,0x668A8) Client User Name: - Client Domain: - Client Logon : - Accesses: Set key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2 "

F 560 Win2003
Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18
Object Access
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 12 Tue Jun 30 10:42: Security SYSTEM User KKKKK-KNBMQ2EU3 Accès aux objets Objet ouvert Serveur de l'objet : Security de l'objet : Key Nom de l'objet : \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\log\security Identificateur du handle : 204 Identificateur de l'opération : {0, } Id. du processus : 2404 Nom du fichier image : C:\Program Files\Snare\SnareCore.exe Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id d'ouv. de session principale : (0x0,0x3E7) Utilisateur du client : - Domaine du client : - Id. d'ouv. de session client : - Accès : %%1538 %%4432 %%4433 %%4435 %%4436 Privilèges : - Nombre de S restreint : 0 Masque d'accès : 0x2001B 11
39G 560 Win2003 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18 Object Access
<13> T13:37: : MSWinLog 0 Security 0 Mon May 16 13:37: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Objektzugriff Geöffnetes Objekt: Objektserver: Security Objekttyp: Key Objektname: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\log\security Handlekennung: 1612 Vorgangskennung: {0, } Prozesskennung: 592 Abbilddateiname: C:\WINDOWS\system32\services.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: - Clientdomäne: - Clientanmeldekennung: - Zugriffe: READ_CONTROL Schlüsselwert abfragen Schlüsselwert festlegen Unterschlüssel auflisten Änderungen an Schlüssel benachrichtigen Rechte: - Beschränkte S-Anzahl: 0 Zugriffsmaske: 0x2001B

Win2003 The handle to an object was closed. Object Access Special Multi-use Subcategory
MSWinLog 0 Security 0 Tue Jul Microsoft-Windows-Security-ing Unknown hayward.loglabs08native.lab File The handle to an object was closed. Subject : Security : S Name: HAYWARD$ Domain: LOGLABS08NATIVE Logon : 0x3e7 Object: Object Server: Security Handle : 0x1c0 Process Information: Process : 0x7e8 Process Name: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe

G 562 Win2003 The handle to an object was closed. Object Access Special Multi-use Subcategory
<13> T13:18: : MSWinLog 0 Security 0 Mon May 16 13:18: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Objektzugriff Geschlossenes Handle: Objektserver: Security Manager Handlekennung: Prozesskennung: 604 Abbilddateiname: C:\WINDOWS\system32\lsass.exe
Win2003 Object Open for Delete: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Primary User Name: %8 Primary Domain: %9 Primary Logon : %10 Client User Name: %11 Client Domain: %12 Client Logon : %13 Accesses: %14 Privileges: %15 Access Mask: %16 Object Access
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

43F 563 Win2003 Objet ouvert pour suppression Security audit / Failure audit / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog0Security35Mon Mar 01 16:59: SecurityAdministrator User LOGLABS-2003FRA Suivi détailléobjet ouvert pour suppression : Serveur d'objet : %1 d'objet : %2 Nom de l'objet : %3 Identificateur du handle : %4 Identificateur de l'opération : {%5,%6} Id. du processus : %7 Utilisateur principal : %8 Domaine principal : %9 Id d'ouv. de session principale : %10 Utilisateur client : %11 Domaine client : %12 Id. d'ouv. de session client : %13 Accès : %14 Privilèges : %15 Masque d'accès : %

Win2003 Object Deleted: Object Server: %1 Handle : %2 Process : %3 Image File Name: %4 Object Access
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

44F 564 Win2003 Object Deleted: Object Server: %1 Handle : %2 Process : %3 Image File Name: %4 Object Access
<13>Jul 23 09:21:20 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 8498 Thu Jul 23 09:21: Security Administrateur User B0324-FR2003 Accès aux objets Objet supprimé : Serveur d'objet : Security Id. de handle : 1516 Id. de processus : 2544 Nom du fichier d'image : C:\WINDOWS\explorer.exe 8338
Win2003 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service
<13>Jul 5 11:04: MSWinLog 0 security 132 Wed Jul 05 10:54: Security qatest User W2K3-LASSO Directory Service Access "Object Open: Object Server: Security Manager Object : SAM_DOMAIN Object Name: DC=sqa,DC=loglogic,DC=com Handle : Operation : {0, } Process : 1424 Process Name: C:\WINDOWS\system32\lsass.exe Primary User Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client User Name: qatest Client Domain: SQA Client Logon : (0x0,0xD72AEE) Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership Lists Privileges: - Properties: Access Mask: 0 "

F 565 Win2003 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service
<13>Jun 30 10:43:21 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 34 Tue Jun 30 10:43: Security Unknown User N/A KKKKK-KNBMQ2EU3 Accès Active Directory Security Manager
45G 565 Win2003 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service
<13> T11:26: : MSWinLog 0 Security 0 Tue May 10 11:26: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Verzeichnisdienstzugriff Geöffnetes Objekt: Objektserver: Security Manager Objekttyp: SAM_DOMAIN Objektname: CN=Builtin,DC=ll,DC=local Handlekennung: Vorgangskennung: {0,72007} Prozesskennung: 556 Prozessname: C:\WINDOWS\system32\lsass.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x3E7) Zugriffe DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Kennwortparameter lesen Kennwortparameter schreiben Andere Parameter lesen Andere Parameter schreiben Benutzer erstellen Globale Gruppe erstellen Lokale Gruppe erstellen Lokale Gruppenmitgliedschaft erhalten Konten auflisten Berechtigungen - Eigenschaften: --- domain DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Kennwortparameter lesen Kennwortparameter schreiben Andere Parameter lesen Andere Parameter schreiben Benutzer erstellen Globale Gruppe erstellen Lokale Gruppe erstellen Lokale Gruppenmitgliedschaft erhalten Konten auflisten Domain Password & Lockout Policies lockoutobservationwindow lockoutduration lockoutthreshold maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties Other Domain Parameters (for use by SAM) serverstate serverrole modifiedcount uascompat forcelogoff domainreplica oeminformation Domain Administer Server Zugriffsmaske:
Win2003 Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary User Name: %6 Primary Domain: %7 Primary Logon : %8 Client User Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16 Directory Service
<13>Jul 5 11:09: MSWinLog 0 security 306 Wed Jul 05 11:09: Security SYSTEM Well Known Group W2K3-LASSO Directory Service Access "Object Operation: Object Server: DS Operation : Object Access Object : %{19195a5b-6da0-11d0-afd3-00c04fd930 c9} Object Name: %{0d f4a-4f11-acdb-5a70b025bc 6b} Handle : - Primary User Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client User Name: W2K3-LASSO$ Client Domain: SQA Client Logon : (0x0,0x59DBA) Accesses: Control Access Properties: Control Access Additional Info: Additional Info2: Access Mask: 0x100 "

F 566 Win2003 Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary User Name: %6 Primary Domain: %7 Primary Logon : %8 Client User Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16 Directory Service
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 16 Tue Jun 30 10:42: Security SYSTEM User KKKKK-KNBMQ2EU3 Accès Active Directory Opération d'objet : Serveur d'objet : DS d'opération : Object Access d'objet : %{f30e3bc2-9ff0-11d1-b f80367c 1} Nom d'objet : %{4e9f93a be3c-781ee698fa 35} de handle : - Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA d'ouv de session principale : (0x0,0x3E7) Nom d'utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA d'ouv de session client : (0x0,0x1813EA) Accès : %%7685 Propriétés : %%7685 %{771727b1-31b8-4cdf-ae62-4fe39fadf89 e} %{bf967a76-0de6-11d0-a285-00aa e2} %{f30e3bc2-9ff0-11d1-b f80367c 1} Informations additionnelles : Informations additionnelles 2 : Masque d'accès : 0x
46G 566 Win2003 Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary User Name: %6 Primary Domain: %7 Primary Logon : %8 Client User Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16 Directory Service
<13> T11:40: : MSWinLog 0 Security 0 Tue May 10 11:40: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Verzeichnisdienstzugriff Objektvorgang: Objektserver: DS Vorgangstyp Object Access Objekttyp: domaindns Objektname: DC=ll,DC=local Handlekennung: - Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x7EFCC) Zugriffe Zugriff steuern Eigenschaften: Zugriff steuern Replicating Directory Changes domaindns Weitere Info: Weitere Info2: Zugriffsmaske: 0x

Win2003 An attempt was made to access an object Object Access audit / Failure audit
<13>Aug 8 09:26: MSWinLog 0 Security 530 Fri Aug 04 12:08: SecurityLOCAL SERVICEWell Known Group MACHINENAME Logon/Logoff Object Access Attempt: Object Server: Security Handle : 9780 Object : File Process : 904 Image File Name: C:\WINDOWS\system32\svchost.exe Accesses: WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) Access Mask: 0x

Win2003 Special privileges assigned to new logon: Domain: %2 Logon : %3 Privileges: %4 Privilege Use / Permission Modification
<13>Jul 5 11:04: MSWinLog 0 security 2 Wed Jul 05 10:19: Security SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Special privileges assigned to new logon: User Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege "
48F 576 Win2003 Special privileges assigned to new logon: Domain: %2 Logon : %3 Assigned: %4 Privilege Use / Permission Modification
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 5 Tue Jun 30 10:42: Security SYSTEM User KKKKK-KNBMQ2EU3 Utilisation d'un privilège Privilèges spéciaux assignés à la nouvelle session : Utilisateur : KKKKK-KNBMQ2EU3$ Domaine : FORESTA Id. de la session : (0x0,0x18126D) Privilèges : SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege 4

48G 576 Win2003 Special privileges assigned to new logon: Domain: %2 Logon : %3 Assigned: %4 Privilege Use / Permission Modification
<13> T11:25: : MSWinLog 0 Security 0 Tue May 10 11:25: Security NT-AUTORITÄT\NETZWERKDIENST User SRV-W2003-GERMA An-/Abmeldung Besondere Rechte bei neuer Anmeldung: Benutzername: NETZWERKDIENST Domäne: NT-AUTORITÄT Anmeldekennung: (0x0,0x3E4) Berechtigungen: SePrivilege SeAssignPrimaryTokenPrivilege SeImpersonatePrivilege

Win2003 Privileged Service Called. Privilege Use
<13>Jul 5 15:58: MSWinLog 0 security 2054 Wed Jul 05 15:58: Security SYSTEM Well Known Group W2K3-LASSO Privilege Use "Privileged Service Called: Server: NT Local Security Authority / Authentication Service Service: LsaRegisterLogonProcess() Primary User Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client User Name: W2K3-LASSO$ Client Domain: SQA Client Logon : (0x0,0x3E7) Privileges: SeTcbPrivilege "
49F 577 Win2003 Privileged Service Called. Privilege Use
<13>Jun 30 10:43:21 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 37 Tue Jun 30 10:43: Security SYSTEM User KKKKK-KNBMQ2EU3 Utilisation d'un privilège Service privilégié appelé : Serveur : NT Local Security Authority / Authentication Service Service : LsaRegisterLogonProcess() Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id. de session principale : (0x0,0x3E7) Utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA Id. de la session cliente : (0x0,0x3E7) Privilèges : SeTcbPrivilege 33

49G 577 Win2003 Privileged Service Called. Privilege Use
<13> T13:27: : MSWinLog 0 Security 0 Mon May 16 13:27: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Berechtigungen Aufgerufener privilegierter Dienst: Server: NT Local Security Authority / Authentication Service Dienst: LsaRegisterLogonProcess() Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x3E7) Rechte: SeTcbPrivilege

Win2003 Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary User Name: %4 Primary Domain: %5 Primary Logon : %6 Client User Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10 Privilege Use
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
50F 578 Win2003 Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary User Name: %4 Primary Domain: %5 Primary Logon : %6 Client User Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10 Privilege Use
<13>Jul 1 10:20: MSWinLog 0 Security 255 Wed Jul 01 09:51: Security Administrateur User B0324-FR2003 Utilisation d'un privilège Opération sur objet privilégié : Serveur objet : Security Handle d'objet : 224 Id. de processus : 1084 Utilisateur principal : Administrateur Domaine principal : B0324-FR2003 Id. de session principale : (0x0,0xC08C) Utilisateur client : - Domaine client : - Id. de la session cliente : - Privilèges : SeTakeOwnershipPrivilege

G 578 Win2003 Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary User Name: %4 Primary Domain: %5 Primary Logon : %6 Client User Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10 Privilege Use
<13> T13:43: : MSWinLog 0 Security 0 Mon May 16 13:43: Security LL\Administrator User SRV-W2003-GERMA Berechtigungen Privilegiertes-Objekt-Vorgang: Objektserver: Security Objekthandle: 228 Prozesskennung: 1212 Primärer Benutzername: administrator Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x439BD) Clientbenutzername: - Clientdomäne: - Clientanmeldekennung: - Rechte: SeTakeOwnershipPrivilege

Win2003 A new process has been created. Detailed Tracking
<13>Jul 5 15:57: MSWinLog 0 security 2050 Wed Jul 05 15:57: Security SYSTEM Well Known Group W2K3-LASSO Detailed Tracking "A new process has been created: New Process : 4040 Image File Name: C:\WINDOWS\system32\userinit.exe Creator Process : 1344 User Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0x3E7) "

F 592 Win2003 A new process has been created. Detailed Tracking
<13>May 21 09:39:35 kkkkk-knbmq2eu3 MSWinLog 0 Security 2 Thu May 21 09:39: Security Administrateur User KKKKK-KNBMQ2EU3 Suivi détaillé Un nouveau processus a été créé : Id. du nouveau processus : 948 Nom du fichier image : C:\WINDOWS\system32\cmd.exe Id. du processus créateur : 1536 Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0xB1AE) 0
51G 592 Win2003 A new process has been created. Detailed Tracking
<13> T13:18: : MSWinLog 0 Security 0 Mon May 16 13:18: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Detaillierte Überwachung Ein neuer Vorgangs wurde erstellt: Neue Prozesskennung: 2432 Bilddateiname: C:\WINDOWS\system32\userinit.exe Erstellte Prozesskennung: 548 Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x3E7)

Win2003 A process has exited: Process : %1 Image File Name: %2 User Name: %3 Domain: %4 Logon : %5 Detailed Tracking
<13>Jul 5 15:57: MSWinLog 0 security 2051 Wed Jul 05 15:57: Security SYSTEM Well Known Group W2K3-LASSO Detailed Tracking "A process has exited: Process : 4040 Image File Name: C:\WINDOWS\system32\userinit.exe User Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0x3E7) "

F 593 Win2003 A process has exited: Process : %1 Image File Name: %2 User Name: %3 Domain: %4 Logon : %5 Detailed Tracking
<13>May 21 09:39:44 kkkkk-knbmq2eu3 MSWinLog 0 Security 3 Thu May 21 09:39: Security Administrateur User KKKKK-KNBMQ2EU3 Suivi détaillé Un processus est terminé : Id. du processus : 948 Nom du fichier image : C:\WINDOWS\system32\cmd.exe Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. d'ouv. de session : (0x0,0xB1AE) 1

52G 593 Win2003 A process has exited: Process : %1 Image File Name: %2 User Name: %3 Domain: %4 Logon : %5 Detailed Tracking
<13> T13:18: : MSWinLog 0 Security 0 Mon May 16 13:18: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Detaillierte Überwachung Ein Vorgang wurde beendet: Prozesskennung: 2432 Abbilddateiname: C:\WINDOWS\system32\userinit.exe Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x3E7)

Win2003 An attempt was made to duplicate a handle to an object Process Tracking
<13>Aug 8 09:26: MSWinLog4Security1768Wed Feb 14 02:12: Security AdministratorUser ll-a155d4 Logon/LogoffA handle to an object has been duplicated Source Handle : 345 Source Process : 345 Target Handle : 3453 Target Process :
Win2003 Indirect access to an object has been obtained: Object : %1 Object Name: %2 Process : %3 Primary User Name: %4 Primary Domain: %5 Primary Logon : %6 Client User Name: %7 Client Domain: %8 Client Logon : %9 Accesses: %10 Access Mask: %11 Detailed Tracking
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

59F 595 Win2003 Un accès indirect à un objet a été obtenu Security Failure audit / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog0Security35Mon Mar 01 16:59: SecurityAdministrator User LOGLABS-2003FRA Suivi détailléun accès indirect à un objet a été obtenu : d'objet : %1 Nom d'objet : %2 Id. de processus : %3 Utilisateur principal : %4 Domaine principal : %5 Id. de session principale : %6 Utilisateur client : %7 Domaine client : %8 Id. de la session cliente : %9 Accès : %10 Masque d'accès : %

Win2003 A process was assigned a primary token. Assigning Process Information: Process : %1 Image File Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 New Process Information: Process : %6 Image File Name: %7 Target User Name: %8 Target Domain: %9 Target Logon : %10 Security
<13>Aug 9 14:01: MSWinLog 0 Security Tue Aug 08 14:26: Security SYSTEM User LOGLOGIC-SRV1 Detailed Tracking A process was assigned a primary token. Assigning Process Information: Process : 840 Image File Name: C:\WINDOWS\system32\svchost.exe Primary User Name: LOGLOGIC-SRV1$ Primary Domain: LOGLOGIC Primary Logon : (0x0,0x3E7) New Process Information: Process : 2824 Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe Target User Name: NETWORK SERVICE Target Domain: NT AUTHORITY Target Logon : (0x0,0x3E4)
60F 600 Win2003 A process was assigned a primary token. Assigning Process Information: Process : %1 Image File Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 New Process Information: Process : %6 Image File Name: %7 Target User Name: %8 Target Domain: %9 Target Logon : %10 Security
<13>Jun 30 10:54:59 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 90 Tue Jun 30 10:54: Security SYSTEM User KKKKK-KNBMQ2EU3 Suivi détaillé Un jeton principal a été attribué à un processus. Informations sur l'attribution de processus : Id. du processus : 392 Nom du fichier image : C:\WINDOWS\system32\winlogon.exe Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA d'ouv de session principale : (0x0,0x3E7) Informations de nouveau processus : de processus : 2692 Nom du fichier image : C:\WINDOWS\system32\logon.scr Nom d'utilisateur cible : Administrateur Domaine cible : FORESTA d'ouv de session : (0x0,0x260DD) 82

60G 600 Win2003 A process was assigned a primary token. Assigning Process Information: Process : %1 Image File Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 New Process Information: Process : %6 Image File Name: %7 Target User Name: %8 Target Domain: %9 Target Logon : %10 Security
<13> T13:19: : MSWinLog 0 Security 0 Mon May 16 13:19: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Detaillierte Überwachung Einem Prozess wurde ein primäres Token zugewiesen. Prozessinformationen: Prozesskennung: 1152 Abbilddateiname: C:\WINDOWS\system32\svchost.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Neue Prozessinformationen: Prozesskennung: 2440 Abbilddateiname: C:\WINDOWS\system32\wuauclt.exe Zielbenutzername: administrator Zieldomäne: LL Zielanmeldekennung: (0x0,0x439BD)

Win2003 User Right Assigned: User Right: %1 Assigned To: %2 Assigned By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13>Jul 6 16:22: MSWinLog 0 security Thu Jul 06 16:22: Security qatest User W2K3-LASSO Policy Change "User Right Assigned: User Right: SeCreateGlobalPrivilege Assigned To: %{S } Assigned By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) "
61F 608 Win2003 User Right Assigned: User Right: %1 Assigned To: %2 Assigned By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13>Jun 30 08:30:37 kkkkk-knbmq2eu3 MSWinLog 3 Security 246 Tue Jun 30 08:30: Security Administrateur User KKKKK-KNBMQ2EU3 Changement de stratégie Droit assigné à l'utilisateur : Droit assigné à l'utilisateur : SeAssignPrimaryTokenPrivilege Assigné à : %{S } Assigné par : Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0x13261)

Win2003 User Right Assigned: User Right: %1 Assigned To: %2 Assigned By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13> T13:18: : MSWinLog 0 Security 0 Mon May 16 13:18: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Richtlinienänderung Änderung der Überwachungsrichtlinien: Neue Richtlinie: Erfolg Fehlschlag + + Anmeldung/Abmeldung + + Objektzugriff + + Rechteverwendung + + Kontenverwaltung + + Richtlinienänderung Ausführliche Überwachung + + Verzeichnisdienstzugriff + + Kontoanmeldung Geändert von: Benutzername: SRV-W2003-GERMA$ Domänenname: LL Anmeldekennung: (0x0,0x3E7)

Win2003 User Right Removed. Policy Change
<13>Jul 6 16:22: MSWinLog 0 security Thu Jul 06 16:22: Security qatest User W2K3-LASSO Policy Change "User Right Removed: User Right: SeCreateGlobalPrivilege Removed From: %{S } Removed By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) "
62F 609 Win2003 User Right Removed. Policy Change
<13>Jun 30 08:49:01 kkkkk-knbmq2eu3 MSWinLog 3 Security 52 Tue Jun 30 08:48: Security SYSTEM User KKKKK-KNBMQ2EU3 Changement de stratégie Droit de l'utilisateur supprimé : Droit de l'utilisateur : SetimePrivilege SeShutdownPrivilege SeProfileSingleProcessPrivilege SeChangeNotifyPrivilege SeUndockPrivilege Supprimé de : %{S } Supprimé par : Utilisateur : KKKKK-KNBMQ2EU3$ Domaine : WORKGROUP Id. de la session : (0x0,0x3E7)

Win2003 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: User Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change
<13>Jul 6 16:48: MSWinLog 0 security Thu Jul 06 16:48: Security qatest User W2K3-LASSO Policy Change "New Trusted Domain: Domain Name: loglogic.sbs Domain : - Established By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) Trust : 3 Trust Direction: 3 Trust Attributes: 1 S Filtering: Disabled "

F 610 Win2003 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: User Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change
<13>Jul 22 07:32:28 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2039 Wed Jul 22 07:32: Security Administrateur User B0324-FR2003 Changement de stratégie Nouveau domaine approuvé : Nom du domaine : abc.com Id. du domaine : %{S } Établi par : Utilisateur : Administrateur Domaine : DOMAIN Id. de la session : (0x0,0x3EAB48) d'approbation : 2 Direction de l'approbation : 1 Attributs de l'approbation : 0 Filtrage S : %%

Win2003 Trusted Domain Removed: Domain Name: %1 Domain : %2 Removed By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13>Jul 6 16:59: MSWinLog 0 security Thu Jul 06 16:59: Security qatest User W2K3-LASSO Policy Change "Trusted Domain Removed: Domain Name: loglogic.sbs Domain : - Removed By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) "
64F 611 Win2003 Trusted Domain Removed: Domain Name: %1 Domain : %2 Removed By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13>Jul 22 07:35:25 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2053 Wed Jul 22 07:35: Security Administrateur User B0324-FR2003 Changement de stratégie Domaine approuvé supprimé : Nom du domaine : ABC Id. du domaine : %{S } Supprimé par : Utilisateur : Administrateur Domaine : DOMAIN Id. de la session : (0x0,0x3EAB48)

Win2003 Policy Change Failure. Policy Change / Permission Modification
<13>Jul 5 15:57: MSWinLog 0 security 2049 Wed Jul 05 15:57: Security SYSTEM Well Known Group W2K3-LASSO Policy Change " Policy Change: New Policy: Failure + + Logon/Logoff + + Object Access + + Privilege Use Policy Change Detailed Tracking + + Directory Service Access + + Logon Changed By: User Name: W2K3-LASSO$ Domain Name: SQA Logon : (0x0,0x3E7) "

F 612 Win2003 Policy Change Failure. Policy Change / Permission Modification
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 3 Security 8 Thu May 21 10:31: Security SYSTEM User KKKKK-KNBMQ2EU3 Changement de stratégie Modification de la stratégie d'audit : Nouvelle stratégie : Succès Échec + - Ouvertures/Fermetures de session - - Accès aux objets - - Utilisation d'un privilège + + Gestion des comptes + + Changement de stratégie + + Système + + Suivi détaillé - - Accès Active Directory + - Connexion au compte Modifié par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom du domaine : WORKGROUP Id. de la session : (0x0,0x3E7) 2
65G 612 Win2003 Policy Change Failure. Policy Change / Permission Modification
<13> T13:18: : MSWinLog 0 Security 0 Mon May 16 13:18: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Richtlinienänderung Änderung der Überwachungsrichtlinien: Neue Richtlinie: Erfolg Fehlschlag + + Anmeldung/Abmeldung + + Objektzugriff + + Rechteverwendung + + Kontenverwaltung + + Richtlinienänderung Ausführliche Überwachung + + Verzeichnisdienstzugriff + + Kontoanmeldung Geändert von: Benutzername: SRV-W2003-GERMA$ Domänenname: LL Anmeldekennung: (0x0,0x3E7)

Win2003 Kerberos Policy Changed: Changed By: Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4. Policy Change
<13>Jun 29 15:01: MSWinLog 0 security 170 Thu Jun 29 14:56: Security SYSTEM Well Known Group W2K3-LASSO Policy Change "Kerberos Policy Changed: Changed By: User Name: W2K3-LASSO$ Domain Name: SQA Logon : (0x0,0x3E7) Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0xa09b (none); "

F 617 Win2003 Kerberos Policy Changed: Changed By: Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4. Policy Change
<13>Jun 30 09:27:33 kkkkk-knbmq2eu3.foresta MSWinLog 3 Security 236 Tue Jun 30 09:27: Security SYSTEM User KKKKK-KNBMQ2EU3 Changement de stratégie Stratégie Kerberos modifiée : Modifiée par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine : FORESTA Id. d'ouv. de session : (0x0,0x3E7) Modifications effectuées : ('--' signifie aucune modification, sinon chaque modification est affichée sous la forme : <NomParamètre> : <nouvelle valeur> (<ancienne valeur>)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0xa05b (none); 203
Win2003 Encrypted Data Recovery Policy Changed: Changed By: Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4 Policy Change
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

67F 618 Win2003 Encrypted Data Recovery Policy Changed: Changed By: Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4 Policy Change
<13>Jun 26 04:33:24 kkkkk-knbmq2eu3 MSWinLog 3 Security 132 Fri Jun 26 04:33: Security SYSTEM User KKKKK-KNBMQ2EU3 Changement de stratégie Stratégie de récupération de données cryptées modifiée : Modifiée par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine : WORKGROUP Id. d'ouv. de session : (0x0,0x3E7) Modifications effectuées : ('--' signifie aucune modification, sinon chaque modification est affichée sous la forme : <NomParamètre> : <nouvelle valeur> (<ancienne valeur>))

Win2003 Quality of Service Policy Changed Changed By. Policy Change
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

Win2003 Trusted Domain Information Modified: Domain Name: %1 Domain : %2 Modified By: User Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change
<13>Jul 7 14:11: MSWinLog 0 security Thu Jul 06 16:59: Security qatest User W2K3-LASSO Policy Change "Trusted Domain Information Modified: Domain Name: - Domain : - Modified By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) Trust : - Trust Direction: 1 Trust Attributes: - S Filtering: - "
55 # 69F 620 Win2003 Trusted Domain Information Modified: Domain Name: %1 Domain : %2 Modified By: User Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change <13>Jul 22 08:07:47 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2297 Wed Jul 22 08:07: Security Administrateur User B0324-FR2003 Changement de stratégie Informations sur le domaine approuvé modifiées : Nom de domaine : - Id. de domaine : %{S } Modifié par : Utilisateur : Administrateur Domaine : DOMAIN Id. d'ouv. de session : (0x0,0x3EAB48) d'approbation : - Direction de l'approbation : 3 Attributs de l'approbation : - Filtrage S: Win2003 Security Access Granted: Access Granted: %4 Modified: %5 Assigned By: Domain: %2 Logon : %3 Security The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation. 70F 621 Win2003 Security Access Granted: Access Granted: %4 Modified: %5 Assigned By: Domain: %2 Logon : %3 Security <13>Jul 1 10:20: MSWinLog 0 Security 7891 Wed Jul 01 10:18: Security Administrateur User B0324-FR2003 Changement de stratégie Accès sécurité système accordé : Accès accordé : SeServiceLogonRight Compte modifié : %{S } Attribué par : Utilisateur : Administrateur Domaine : B0324-FR2003 d'ouv. de session : (0x0,0xAFD9) Win2003 Security Access Removed: Access Removed: %4 Modified: %5 Removed By: Domain: %2 Logon : %3 Security The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation. 
71F 622 Win2003 Security Access Removed: Access Removed: %4 Modified: %5 Removed By: Domain: %2 Logon : %3 Security <13>Jul 1 09:58:39 b0324-fr2003 MSWinLog 4 Security 61 Wed Jul 01 09:58: Security Administrateur User B0324-FR2003 Changement de stratégie Accès de sécurité système supprimé : Accès supprimé : SeNetworkLogonRight Compte modifié : %{S-1-1-0} Supprimé par : Utilisateur : Administrateur Domaine : B0324-FR2003 Id. d'ouv. de session : (0x0,0xAFD9) 43
56 # Win2003 User Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 / Permission Modification <13>Jul 5 12:15: MSWinLog 0 security 698 Wed Jul 05 12:15: Security qatest User W2K3-LASSO "User Created: New Name: test New Domain: SQA New : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges - Attributes: Sam Name: test Display Name: hg ghf. gf User Principal Name: [email protected] Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: <never> Expires: <never> Primary Group : 513 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x15 User Control: User Parameters: - Sid History: - Logon Hours: <value not set> " F 624 Win2003 User Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 / Permission Modification <13>May 21 09:47:06 kkkkk-knbmq2eu3 MSWinLog 2 Security 17 Thu May 21 09:47: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur créé : Nom du nouveau compte : loglogic Nouveau domaine : KKKKK-KNBMQ2EU3 Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. 
de la session appelante : (0x0,0x65B96) Privilèges : - Attributs : Nom du compte SAM : loglogic Nom affiché : %%1793 Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : %%1794 Le compte expire le : %%1794 de groupe principal : 513 Délégué autorisé : - Précédente valeur UAC : 0x Nouvelle valeur UAC : 0x Contrôle du compte utilisateur (UAC) : - Paramètres utilisateurs : %%1793 Historique S : - Heures d'ouverture de session : %%
57 # 72G 624 Win2003 User Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 / Permission Modification <13> T13:57: : MSWinLog 0 Security 0 Mon May 16 13:57: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Benutzerkonto wurde erstellt: Neuer Kontenname: admin Neue Domäne: LL Neue Kontokennung: %{S } Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) Rechte: - Attribute: SAM-Kontoname: admin Anzeigename: Admin Benutzerprinzipalname: [email protected] Stammverzeichnis: - Stammlaufwerk: - Skriptpfad: - Profilpfad: - Benutzerworkstations: - Kennwort zuletzt gesetzt: <nie> Konto läuft ab: <nie> Primäre Gruppenkennung: 513 DelegierenAnZulässig: - Alter UAC Wert: 0x0 Neuer UAC Wert: 0x15 Benutzerkontensteuerung: Konto Deaktiviert "Kennwort nicht benötigt" - Aktiviert "Normales Konto" - Aktiviert Benutzerparameter: - Sid-Verlauf: - Anmeldestunden: <Wert nicht gesetzt> Win2003 User Enabled: Target Name: %1 Target : %3 Caller Logon : %6 <13>Jul 5 11:04: MSWinLog 0 security 166 Wed Jul 05 11:00: Security qatest User W2K3-LASSO "User Enabled: Target Name: test Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " F 626 Win2003 User Enabled: Target Name: %1 Target : %3 Caller Logon : %6 <13>Jul 5 11:04: MSWinLog 0 security 166 Wed Jul 05 11:00: Security qatest User W2K3-LASSO "User Enabled: Target Name: test Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " Microsoft Windows Server 2003 Log Configuration Guide 57
58 # 73G 626 Win2003 User Enabled: Target Name: %1 Target : %3 Caller Logon : %6 <13> T13:57: : MSWinLog 0 Security 0 Mon May 16 13:57: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Aktiviertes Benutzerkonto: Zielkontenname: admin Zieldomäne: LL Zielkontokennung: LL\admin Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) Win2003 Change Password Attempt: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 <13>Jul 5 12:28: MSWinLog 0 security 826 Wed Jul 05 12:28: Security SYSTEM Well Known Group W2K3-LASSO "Change Password Attempt: Target Name: test Target Domain: SQA Target : %{S } Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - " F 627 Win2003 Change Password Attempt: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 <13>Jun 26 03:42:34 kkkkk-knbmq2eu3 MSWinLog 2 Security 63 Fri Jun 26 03:42: Security SYSTEM User KKKKK-KNBMQ2EU3 Gestion des comptes Tentative de changement de mot de passe : Nom du compte cible : test Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de la session appelante : (0x0,0x3E7) Privilèges : G 627 Win2003 Change Password Attempt: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 <13> T14:10: : MSWinLog 0 Security 0 Mon May 16 14:10: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA Kontenverwaltung Versuch, Kennwort zu ändern: Zielkontenname: admin Zieldomäne: LL Zielkontokennung: LL\admin Benutzername des Aufrufers: SRV-W2003-GERMA$ Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x3E7) Rechte: Microsoft Windows Server 2003 Log Configuration Guide
59 # Win2003 User password set: Target Name: %1 Target : %3 Caller Logon : %6 / Permission Modification <13>Jul 5 12:15: MSWinLog 0 security 702 Wed Jul 05 12:15: Security qatest User W2K3-LASSO "User password set: Target Name: test Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " F 628 Win2003 User password set: Target Name: %1 Target : %3 Caller Logon : %6 / Permission Modification <13>May 21 09:47:07 kkkkk-knbmq2eu3 MSWinLog 2 Security 20 Thu May 21 09:47: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Établissement d'un mot de passe de compte d'utilisateur : Nom du compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) 13 75G 628 Win2003 User password set: Target Name: %1 Target : %3 Caller Logon : %6 / Permission Modification <13> T13:57: : MSWinLog 0 Security 0 Mon May 16 13:57: Security LL\Administrator User Failure SRV-W2003-GERMA Kontenverwaltung Kennwort für Benutzerkonto gesetzt: Zielkontenname: Zieldomäne: LL Zielkontokennung: %{S } Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) Win2003 User Disabled: Target Name: %1 Target : %3 Caller Logon : %6 Security <13>Aug 9 18:11: MSWinLog 0 Security Tue Aug 08 13:01: Security Unknown User N/A LOGLOGIC-SRV1 User Disabled: Target Name: AAA$ Target Domain: LOGLOGIC Target : %{S } Caller User Name: administrator Caller Domain: LOGLOGIC Caller Logon : (0x0,0xC25B9) Microsoft Windows Server 2003 Log Configuration Guide 59
60 # 76F 629 Win2003 User Disabled: Target Name: %1 Target : %3 Caller Logon : %6 Security <13>Jun 26 03:36:33 kkkkk-knbmq2eu3 MSWinLog 2 Security 43 Fri Jun 26 03:36: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur désactivé : Nom du compte cible : test Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x100D3) 24 76G 629 Win2003 User Disabled: Target Name: %1 Target : %3 Caller Logon : %6 Security <13> T14:00: : MSWinLog 0 Security 0 Mon May 16 14:00: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Deaktiviertes Benutzerkonto: Zielkontenname: admin Zieldomäne: LL Zielkontokennung: LL\admin Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2EE9BA) Win2003 User Deleted. / Permission Modification <13>Jul 5 12:14: MSWinLog 0 security 693 Wed Jul 05 12:14: Security qatest User W2K3-LASSO "User Deleted: Target Name: test Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " F 630 Win2003 User Deleted. / Permission Modification <13>May 21 09:51:28 kkkkk-knbmq2eu3 MSWinLog 2 Security 30 Thu May 21 09:51: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur supprimé : Nom du compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) Privilèges : Microsoft Windows Server 2003 Log Configuration Guide
61 # 77G 630 Win2003 User Deleted. / Permission Modification <13> T13:57: : MSWinLog 0 Security 0 Mon May 16 13:57: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschtes Benutzerkonto: Zielkontenname: admin Zieldomäne: LL Zielkontokennung: %{S } Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) Rechte: Win2003 Security Enabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13>Jun 29 15:01: MSWinLog 0 security 41 Thu Jun 29 14:54: Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Security Enabled Global Group Created: New Name: Domain Computers New Domain: SQA New : %{S } Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Attributes: Sam Name: Domain Computers Sid History: - " F 631 Win2003 Security Enabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 22 Tue Jun 30 09:20: Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée créé : Nouveau nom de compte : Ordinateurs du domaine Nouveau domaine : FORESTA Id. du nouveau compte : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs : Nom du compte SAM : Ordinateurs du domaine Historique S : - 21 Microsoft Windows Server 2003 Log Configuration Guide 61
62 # 78G 631 Win2003 Security Enabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13> T14:47: : MSWinLog 0 Security 0 Mon May 16 14:47: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte globale Gruppe mit aktivierter Sicherheit: Neuer Kontoname: test Neue Domäne: LL Neue Kontokennung: LL\test Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: SAM-Kontoname: test Sid-Verlauf: Win2003 Security Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification <13>Jun 29 15:01: MSWinLog 0 security 79 Thu Jun 29 14:54: Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Security Enabled Global Group Member Added: Member Name: - Member : %{S } Target Name: Domain Admins Target Domain: SQA Target : %{S } Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - " F 632 Win2003 Security Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification <13>May 21 09:47:06 kkkkk-knbmq2eu3 MSWinLog 2 Security 16 Thu May 21 09:47: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe global de sécurité activée ajouté : Nom du membre : - Id. du membre : %{S } Nom de compte cible : Aucun Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : Microsoft Windows Server 2003 Log Configuration Guide
63 # 79G 632 Win2003 Security Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification <13> T13:58: : MSWinLog 0 Security 0 Mon May 16 13:58: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes globales Gruppenmitglied mit aktivierter Sicherheit: Mitgliedname: cn=admin,cn=users,dc=ll,dc=local Mitgliedkennung: LL\admin Zielkontoname: Domänen-Admins Zieldomäne: LL Zielkontokennung: LL\Domänen-Admins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x2A1414) Rechte: Win2003 Security Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification <13>Jun 29 15:30: MSWinLog 0 security 466 Thu Jun 29 15:30: Security qatest User W2K3-LASSO "Security Enabled Global Group Member Removed: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogi c,dc=com Member : %{S } Target Name: test123 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " F 633 Win2003 Security Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification <13>May 21 09:42:29 kkkkk-knbmq2eu3 MSWinLog 2 Security 11 Thu May 21 09:42: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe global de sécurité activée supprimé : Nom du membre : - Id. du membre : %{S } Nom de compte cible : Aucun Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. 
de session de l'appelant : (0x0,0xB1AE) Privilèges : - 4
64 # 80G 633 Win2003 Security Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification <13> T14:04: : MSWinLog 0 Security 0 Mon May 16 14:04: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes globale Gruppenmitglied mit aktivierter Sicherheit: ymitgliedname: CN=Admin,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\admin Zielkontoname: Domänen-Admins Zieldomäne: LL Zielkontokennung: LL\Domänen-Admins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3801FF) Rechte: Win2003 Security Enabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 / Permission Modification <13>Jun 29 15:35: MSWinLog 0 security 497 Thu Jun 29 15:35: Security qatest User W2K3-LASSO "Security Enabled Global Group Deleted: Target Name: test123 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " F 634 Win2003 Security Enabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 / Permission Modification <13>Jul 2 08:06:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3792 Thu Jul 02 08:06: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe global de sécurité activée supprimé : Nom de compte cible : qdsfqd Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : Microsoft Windows Server 2003 Log Configuration Guide
65 # 81G 634 Win2003 Security Enabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 / Permission Modification <13> T14:49: : MSWinLog 0 Security 0 Mon May 16 14:49: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte globale Gruppe mit aktivierter Sicherheit: Zielkontoname: test Zieldomäne: LL Zielkontokennung: LL\test Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: Win2003 Security Enabled Local Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 <13>Jun 29 15:01: MSWinLog 0 security 20 Thu Jun 29 14:54: Security SYSTEM Well Known Group W2K3-LASSO "Security Enabled Local Group Created: New Name: Print Operators New Domain: Builtin New : %{S } Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Attributes: Sam Name: Print Operators Sid History: - " F 635 Win2003 Security Enabled Local Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 <13>Jun 25 09:24:48 kkkkk-knbmq2eu3 MSWinLog 2 Security 85 Thu Jun 25 09:24: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée créé : Nom du nouveau compte : qsdsqd Nouveau domaine : KKKKK-KNBMQ2EU3 Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - Attributs : Nom du compte SAM : qsdsqd Historique S : - 42 Microsoft Windows Server 2003 Log Configuration Guide 65
66 # 82G 635 Win2003 Security Enabled Local Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 <13> T14:50: : MSWinLog 0 Security 0 Mon May 16 14:50: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte lokale Gruppe mit aktivierter Sicherheit: Neuer Kontoname: local-security-group Neue Domäne: LL Neue Kontokennung: LL\local-security-group Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: SAM-Kontoname: local-security-group Sid-Verlauf: Win2003 Security Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 <13>Jul 5 11:07: MSWinLog 0 security 300 Wed Jul 05 11:07: Security qatest User W2K3-LASSO "Security Enabled Local Group Member Added: Member Name: CN=testt,CN=Users,DC=sqa,DC=loglogic, DC=com Member : %{S } Target Name: Users Target Domain: Builtin Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " F 636 Win2003 Security Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 <13>May 21 09:49:36 kkkkk-knbmq2eu3 MSWinLog 2 Security 24 Thu May 21 09:49: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe local de sécurité activée ajouté : Nom du membre : - Id. du membre : %{S } Nom de compte cible : Administrateurs Domaine cible : Builtin Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : Microsoft Windows Server 2003 Log Configuration Guide
67 # 83G 636 Win2003 Security Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 <13> T14:41: : MSWinLog 0 Security 0 Mon May 16 14:41: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes lokales Gruppenmitglied mit aktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: DnsAdmins Zieldomäne: LL Zielkontokennung: LL\DnsAdmins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: Win2003 Security Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 <13>Jul 5 15:44: MSWinLog 0 security 1949 Wed Jul 05 15:44: Security qatest User W2K3-LASSO "Security Enabled Local Group Member Removed: Member Name: CN=hg ghf. gf,cn=users,dc=sqa,dc=loglogic,dc=co m Member : %{S } Target Name: Administrators Target Domain: Builtin Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x668A8) Privileges: - " F 637 Win2003 Security Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 <13>May 21 09:50:00 kkkkk-knbmq2eu3 MSWinLog 2 Security 25 Thu May 21 09:49: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe local de sécurité activée supprimé : Nom du membre : - Id. du membre : %{S } Nom de compte cible : Utilisateurs Domaine cible : Builtin Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - 18 Microsoft Windows Server 2003 Log Configuration Guide 67
68 # 84G 637 Win2003 Security Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 <13> T14:50: : MSWinLog 0 Security 0 Mon May 16 14:50: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes lokales Gruppenmitglied mit aktivierter Sicherheit: Mitgliedname: CN=Admin,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\admin Zielkontoname: local-security-group Zieldomäne: LL Zielkontokennung: LL\local-security-group Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: Win2003 Security Enabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7. <13>Jun 29 16:10: MSWinLog 0 security 799 Thu Jun 29 16:09: Security qatest User W2K3-LASSO "Security Enabled Local Group Deleted: Target Name: test Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " F 638 Win2003 Security Enabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7. <13>Jun 25 09:24:56 kkkkk-knbmq2eu3 MSWinLog 2 Security 87 Thu Jun 25 09:24: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Groupe local de sécurité activée supprimé : Nom de compte cible : qsdsqd Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : G 638 Win2003 Security Enabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7. 
<13> T14:50: : MSWinLog 0 Security 0 Mon May 16 14:50: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte lokale Gruppe mit aktivierter Sicherheit: Zielkontoname: local-security-group Zieldomäne: LL Zielkontokennung: LL\local-security-group Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: Microsoft Windows Server 2003 Log Configuration Guide
69 # Win2003 Enabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13>Jul 5 11:07: MSWinLog 0 security 299 Wed Jul 05 11:07: Security qatest User W2K3-LASSO "Security Enabled Local Group Changed: Target Name: Users Target Domain: Builtin Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: - Sid History: - " F 639 Win2003 Enabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13>Jun 25 09:24:48 kkkkk-knbmq2eu3 MSWinLog 2 Security 86 Thu Jun 25 09:24: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Groupe local de sécurité activée modifié : Nom de compte cible : qsdsqd Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : G 639 Win2003 Enabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13> T14:41: : MSWinLog 0 Security 0 Mon May 16 14:41: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte lokale Gruppe mit aktivierter Sicherheit: Zielkontoname: DnsAdmins Zieldomäne: LL Zielkontokennung: LL\DnsAdmins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Geänderte Attribute: SAM-Kontoname: - Sid-Verlauf: Win2003 General Database Change. The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. 
For more information on this event, see the Microsoft Product Documentation.
70 # 96F 640 Win2003 Modification de la base de données des comptes généraux Security audit / Windows s <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog0Security35Mon Mar 01 16:59: SecurityAdministrator User LOGLABS-2003FRA Suivi détaillémodification de la base de données des comptes généraux : de modification : %1 d'objet : %2 Nom d'objet : %3 Id. de l'objet : %4 Utilisateur appelant : %5 Domaine appelant : %6 Id. de la session appelante : % Win2003 Security Enabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13>Jun 29 15:01: MSWinLog 0 security 42 Thu Jun 29 14:54: Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Security Enabled Global Group Changed: Target Name: Domain Computers Target Domain: SQA Target : %{S } Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Sid History: - " F 641 Win2003 Security Enabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 23 Tue Jun 30 09:20: Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée modifié : Nom de compte cible : Ordinateurs du domaine Domaine cible : FORESTA Id. de compte cible : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : Microsoft Windows Server 2003 Log Configuration Guide
71 # 97G 641 Win2003 Security Enabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification <13> T13:58: : MSWinLog 0 Security 0 Mon May 16 13:58: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte globale Gruppe mit aktivierter Sicherheit: Zielkontoname: Domänen-Admins Zieldomäne: LL Zielkontokennung: LL\Domänen-Admins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x2A1414) Rechte: - Geänderte Attribute: SAM-Kontoname: - Sid-Verlauf: Win2003 User Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 User Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 User Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 User Control: %23 User Parameters: %24 Sid History: %25 Logon Hours: %26 / Permission Modification <13>Jul 5 11:04: MSWinLog 0 security 165 Wed Jul 05 11:00: Security qatest User W2K3-LASSO "User Changed: Target Name: testt Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x10 User Control: User Parameters: - Sid History: - Logon Hours: - " Microsoft Windows Server 2003 Log Configuration Guide 71
98F 642 Win2003 User Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 User Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 User Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 User Control: %23 User Parameters: %24 Sid History: %25 Logon Hours: %26 / Permission Modification
<13>May 21 09:47:07 kkkkk-knbmq2eu3 MSWinLog 2 Security 19 Thu May 21 09:47: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur modifié : Nom de compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - Attributs modifiés : Nom du compte SAM : loglogic Nom affiché : loglogic Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : 21/05/ :47:06 Le compte expire le : %%1794 de groupe principal : 513 Délégué autorisé : - Précédente valeur UAC : 0x Nouvelle valeur UAC : 0x Contrôle du compte utilisateur (UAC) : - Paramètres utilisateurs : - Historique S : - Heures d'ouverture de session : %%

G 642 Win2003 User Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 User Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 User Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 User Control: %23 User Parameters: %24 Sid History: %25 Logon Hours: %26 / Permission Modification
<13> T13:57: : MSWinLog 0 Security 0 Mon May 16 13:57: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Benutzerkonto wurde geändert: Neuer Kontenname: admin Neue Domäne: LL Neue Kontokennung: LL\admin Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) Rechte: - Geänderte Attribute: SAM-Kontoname: - Anzeigename: - Benutzerprinzipalname: - Stammverzeichnis: - Stammlaufwerk: - Skriptpfad: - Profilpfad: - Benutzerworkstations: - Kennwort zuletzt gesetzt: :57:47 Konto läuft ab: - Primäre Gruppenkennung: - DelegierenAnZulässig: - Alter UAC Wert: - Neuer UAC Wert: - Benutzerkontensteuerung: - Benutzerparameter: - Sid-Verlauf: - Anmeldestunden:
Win2003 User Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 / Permission Modification
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

Win2003 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM Information: %20 / Permission Modification
<13>Jul 5 12:27: MSWinLog 0 security 816 Wed Jul 05 12:27: Security SYSTEM Well Known Group W2K3-LASSO "Domain Policy Changed: Lockout Policy modified Domain Name: SQA Domain : %{S } Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Min. Password Age: - Max. Password Age: - Force Logoff: - Lockout Threshold: 5 Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: - Machine Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: - "
100F 643 Win2003 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM Information: %20 / Permission Modification
<13>Jun 30 09:27:33 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 233 Tue Jun 30 09:27: Security SYSTEM User KKKKK-KNBMQ2EU3 Gestion des comptes Stratégie de domaine modifiée : Stratégie de mot de passe modifié Domaine : FORESTA Id. de domaine : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de la session appelante : (0x0,0x3E7) Privilèges : - Attributs modifiés : Âge minimal du mot de passe : Âge maximal du mot de passe : - Fermeture de session forcée : - Seuil de verrouillage : - Fenêtre d'observation du verrouillage : - Durée du verrouillage : - Propriétés du mot de passe : 1 Longueur minimale du mot de passe : 7 Longueur de l'historique de mot de passe : 24 Quota de comptes ordinateurs : - Mode domaine mixte : - Version de comportement du domaine : - Informations OEM :

G 643 Win2003 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM Information: %20 / Permission Modification
<13> T14:24: : MSWinLog 0 Security 0 Mon May 16 14:24: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Kontenverwaltung Domänenrichtlinien geändert: Sperrrichtlinie geändert Domänenname: LL Domänenkennung: LL\ Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Berechtigungen: - Geänderte Attribute: Min. Kennwortalter: - Max. Kennwortalter: - Abmeldung erzwingen: - Sperrschwelle: 5 Sperrüberwachungsfenster: - Sperrdauer: - Kennworteigenschaften: - Min. Kennwortlänge: - Kennwortverlaufslänge: - Computerkontokontingent: - Gemischter Domänenmodus: - Domänenverhaltensversion: - OEM-Information:
Win2003 User Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Logon : %6 / Permission Modification
<13>Jul 5 12:28: MSWinLog 0 security 833 Wed Jul 05 12:28: Security SYSTEM Well Known Group W2K3-LASSO "User Locked Out: Target Name: test Target : %{S } Caller Machine Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) "

F 644 Win2003 User Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Logon : %6 / Permission Modification
<13>Jul 17 03:29:48 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security Fri Jul 17 03:29: Security SYSTEM User B0324-FR2003 Gestion des comptes Compte d'utilisateur verrouillé : Nom du compte cible : test du compte cible : %{S } Nom de l'ordinateur appelant : B0324-MENGKJ Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7)

G 644 Win2003 User Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Logon : %6 / Permission Modification
<13> T14:24: : MSWinLog 0 Security 0 Mon May 16 14:24: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Kontenverwaltung Gesperrtes Benutzerkonto: Zielkontoname: admin Zieldomäne: SRV-W2003-GERMA Aufrufercomputername: LL\admin Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) 1674
Win2003 Computer Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 / Permission Modification
<13>Jun 29 15:01: MSWinLog 0 security 33 Thu Jun 29 14:54: Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Created: New Name: W2K3-LASSO$ New Domain: SQA New : %{S } Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges - Attributes: Sam Name: W2K3-LASSO$ Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Expires: <never> Primary Group : 516 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x105 User Control: User Parameters: <value changed, but not displayed> Sid History: -Logon Hours:- DNS Host Name:- Service Principal Names: -" 0
102F 645 Win2003 Computer Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 / Permission Modification
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 14 Tue Jun 30 09:20: Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'ordinateur créé : Nom du nouveau compte : KKKKK-KNBMQ2EU3$ Nouveau domaine : FORESTA Id. du nouveau compte : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs : Nom du compte SAM : KKKKK-KNBMQ2EU3$ Nom affiché : %%1793 Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : %%1794 Le compte expire le : %%1794 de groupe principal : 516 Délégué autorisé : - Précédente valeur UAC : 0x0 Nouvelle valeur UAC : 0x105 Contrôle du compte utilisateur (UAC) : %%2080 %%2082 %%2088 Paramètres utilisateurs : %%1792 Historique S : - Heures d'ouverture de session : %% 13
102G 645 Win2003 Computer Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 / Permission Modification
<13> T14:23: : MSWinLog 0 Security 0 Mon May 16 14:23: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Computerkonto wurde erstellt: Neuer Kontenname: XP-CLIENT$ Neue Domäne: LL Neue Kontokennung: LL\XP-CLIENT$ Benutzername des Aufrufers: Administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x59D681) Rechte: - Attribute: SAM-Kontoname: XP-CLIENT$ Anzeigename: <Wert nicht gesetzt> Benutzerprinzipalname: - Stammverzeichnis: <Wert nicht gesetzt> Stammlaufwerk: <Wert nicht gesetzt> Skriptpfad: <Wert nicht gesetzt> Profilpfad: <Wert nicht gesetzt> Benutzerworkstations: <Wert nicht gesetzt> Kennwort zuletzt gesetzt: <nie> Konto läuft ab: <nie> Primäre Gruppenkennung: 515 DelegierenAnZulässig: - Alter UAC-Wert: 0x0 Neuer UAC-Wert: 0x85 Benutzerkontensteuerung: Konto Deaktiviert "Kennwort nicht benötigt" - Aktiviert "Arbeitsstationvertrauenskonto" - Aktiviert Benutzerparameter: <Wert geändert, aber nicht angezeigt> Sid-Verlauf: - Anmeldestunden: <Wert nicht gesetzt> DNS-Hostname: - Dienstprinzipalnamen:

Win2003 Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 / Permission Modification
<13>Jun 29 15:01: MSWinLog 0 security 35 Thu Jun 29 14:54: Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Changed: - Target Name: W2K3-LASSO$ Target Domain: SQA Target : %{S } Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x105 New UAC Value: 0x2100 User Control: User Parameters: - Sid History: - Logon Hours: - DNS Host Name: - Service Principal Names: - "
103F 646 Win2003 Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 / Permission Modification
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 16 Tue Jun 30 09:20: Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'ordinateur modifié : - Nom de compte cible : KKKKK-KNBMQ2EU3$ Domaine cible : FORESTA Id. de compte cible : %{S } Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs modifiés : Nom du compte SAM : - Nom affiché : - Nom principal utilisateur : - Répertoire de base : - Lecteur de base : - Chemin d'accès au script : - Chemin d'accès au profil : - Stations de travail utilisateur : - Dernière modification du mot de passe le : - Le compte expire le : - de groupe principal : - Délégué autorisé : - Précédente valeur UAC : 0x105 Nouvelle valeur UAC : 0x2100 Contrôle du compte utilisateur (UAC) : %%2048 %%2050 %%2093 Paramètres utilisateurs : - Historique S : - Heures d'ouverture de session : - Nom d'hôte DNS : - Noms principaux d 15
103G 646 Win2003 Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 / Permission Modification
<13> T14:23: : MSWinLog 0 Security 0 Mon May 16 14:23: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geändertes Computerkonto: - Neuer Kontenname: XP-CLIENT$ Neue Domäne: LL Neue Kontokennung: LL\XP-CLIENT$ Benutzername des Aufrufers: Administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x59D681) Rechte: - Geänderte Attribute: SAM-Kontoname: - Anzeigename: XP-CLIENT$ Benutzerprinzipalname: - Stammverzeichnis: - Stammlaufwerk: - Skriptpfad: - Profilpfad: - Benutzerworkstations: - Kennwort zuletzt gesetzt: :23:43 Konto läuft ab: - Primäre Gruppenkennung: - DelegierenAnZulässig: - Alter UAC Wert: 0x85 Neuer UAC Wert: 0x80 Benutzerkontensteuerung: Konto aktiviert "Kennwort nicht benötigt" - Deaktiviert Benutzerparameter: - Sid-Verlauf: - Anmeldestunden: - DNS-Hostname: - Dienstprinzipalnamen:

Win2003 Computer Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 7 10:46: MSWinLog 0 security Thu Jul 06 15:52: Security qatest User W2K3-LASSO "Computer Deleted: Target Name: TEST$ Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x151CB1A) Privileges: - "

F 647 Win2003 Computer Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 2 08:28:33 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 4089 Thu Jul 02 08:28: Security Administrateur User B0324-FR2003 Gestion des comptes Compte d'ordinateur supprimé : Nom du compte cible : QSDFQDS$ Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de la session appelante : (0x0,0x36824) Privilèges :
104G 647 Win2003 Computer Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13> T14:56: : MSWinLog 0 Security 0 Mon May 16 14:56: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschtes Computerkonto: Zielkontoname: ASDF$ Zieldomäne: LL Zielkontokennung: LL\ASDF$ Aufruferbenutzername: administrator Aufruferdomäne: LL Aufrufer Anmeldekennung: (0x0,0x5B8D3E) Rechte:

Win2003 Security Disabled Local Group Created: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jun 29 15:41: MSWinLog 0 security 535 Thu Jun 29 15:41: Security qatest User W2K3-LASSO "Security Disabled Local Group Created: Target Name: testing Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: testing Sid History: - "

F 648 Win2003 Security Disabled Local Group Created: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jul 2 08:15:32 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3842 Thu Jul 02 08:15: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée créé : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs : Nom du compte SAM : dfgdfqdfdqsfdqsfqsfdsqf Historique S :
105G 648 Win2003 Security Disabled Local Group Created: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13> T14:58: : MSWinLog 0 Security 0 Mon May 16 14:58: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte lokale Gruppe mit deaktivierter Sicherheit: Zielkontoname: asdf Zieldomäne: LL Zielkontokennung: LL\asdf Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: Sam-Kontoname: asdf Sid-Verlauf:

Win2003 Security Disabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 15:42: MSWinLog 0 security 536 Thu Jun 29 15:42: Security qatest User W2K3-LASSO "Security Disabled Local Group Changed: Target Name: testing1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: testing1 Sid History: - "

F 649 Win2003 Security Disabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 08:15:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3844 Thu Jul 02 08:15: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée modifié : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :
106G 649 Win2003 Security Disabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13> T14:59: : MSWinLog 0 Security 0 Mon May 16 14:59: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte lokale Gruppe mit deaktivierter Sicherheit: Zielkontoname: local Zieldomäne: LL Zielkontokennung: LL\local Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Geänderte Attribute: Sam-Kontoname: - Sid-Verlauf:

Win2003 Security Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 15:43: MSWinLog 0 security 539 Thu Jun 29 15:43: Security qatest User W2K3-LASSO "Security Disabled Local Group Member Added: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: testing1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 650 Win2003 Security Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 08:15:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3845 Thu Jul 02 08:15: Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe local de sécurité désactivée ajouté : Nom du membre : CN=DnsAdmins,CN=Users,DC=domain,DC=symbio-group,DC=com Id. du membre : %{S } Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
107G 650 Win2003 Security Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13> T14:59: : MSWinLog 0 Security 0 Mon May 16 14:59: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes lokales Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: local Zieldomäne: LL Zielkontokennung: LL\local Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:

Win2003 Security Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 15:44: MSWinLog 0 security 542 Thu Jun 29 15:44: Security qatest User W2K3-LASSO "Security Disabled Local Group Member Removed: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: testing1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 651 Win2003 Security Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 08:16:00 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3847 Thu Jul 02 08:15: Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe local de sécurité désactivée supprimé : Nom du membre : CN=DnsAdmins,CN=Users,DC=domain,DC=symbio-group,DC=com Id. du membre : %{S } Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :
108G 651 Win2003 Security Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13> T14:59: : MSWinLog 0 Security 0 Mon May 16 14:59: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes lokales Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: local Zieldomäne: LL Zielkontokennung: LL\local Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:

Win2003 Security Disabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jun 29 15:45: MSWinLog 0 security 545 Thu Jun 29 15:45: Security qatest User W2K3-LASSO "Security Disabled Local Group Deleted: Target Name: testing1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 652 Win2003 Security Disabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 2 08:16:00 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3848 Thu Jul 02 08:15: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée supprimé : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :

G 652 Win2003 Security Disabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13> T14:59: : MSWinLog 0 Security 0 Mon May 16 14:59: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte lokale Gruppe mit deaktivierter Sicherheit: Zielkontoname: local Zieldomäne: LL Zielkontokennung: LL\local Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:
Win2003 Security Disabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 15:46: MSWinLog 0 security 558 Thu Jun 29 15:46: Security qatest User W2K3-LASSO "Security Disabled Global Group Created: New Name: test New Domain: SQA New : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: test Sid History: - "

F 653 Win2003 Security Disabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 04:18:33 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security Thu Jul 02 04:18: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée créé : Nouveau nom de compte : test group Nouveau domaine : DOMAIN Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x66246) Privilèges : - Attributs : Nom du compte SAM : test group Historique S :

G 653 Win2003 Security Disabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13> T15:02: : MSWinLog 0 Security 0 Mon May 16 15:02: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte globale Gruppe mit deaktivierter Sicherheit: Neuer Kontoname: test1 Neue Domäne: LL Neue Kontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: Sam-Kontoname: test1 Sid-Verlauf:
Win2003 Security Disabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 15:47: MSWinLog 0 security 563 Thu Jun 29 15:47: Security qatest User W2K3-LASSO "Security Disabled Global Group Changed: Target Name: test1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: test1 Sid History: - "

F 654 Win2003 Security Disabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 08:09:15 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3798 Thu Jul 02 08:09: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée modifié : Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :

G 654 Win2003 Security Disabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13> T15:02: : MSWinLog 0 Security 0 Mon May 16 15:02: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte globale Gruppe mit deaktivierter Sicherheit: azielkontoname: test1 Zieldomäne: LL Zielkontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Geänderte Attribute: Sam-Kontoname: - Sid-Verlauf:
Win2003 Security Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 15:48: MSWinLog 0 security 567 Thu Jun 29 15:48: Security qatest User W2K3-LASSO "Security Disabled Global Group Member Added: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: test1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 655 Win2003 Security Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 08:09:15 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3799 Thu Jul 02 08:09: Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe global de sécurité désactivée ajouté : Nom du membre : CN=Administrateurs de l'entreprise,cn=users,dc=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :

G 655 Win2003 Security Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13> T15:02: : MSWinLog 0 Security 0 Mon May 16 15:02: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes globales Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: test1 Zieldomäne: LL Zielkontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:
Win2003 Security Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 15:56: MSWinLog 0 security 581 Thu Jun 29 15:56: Security qatest User W2K3-LASSO "Security Disabled Global Group Member Removed: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S } Target Name: test1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 656 Win2003 Security Disabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 08:09:31 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3802 Thu Jul 02 08:09: Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe global de sécurité désactivée supprimé : Nom du membre : CN=Administrateurs de l'entreprise,cn=users,dc=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :

G 656 Win2003 Security Disabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13> T15:02: : MSWinLog 0 Security 0 Mon May 16 15:02: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes globales Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: test1 Zieldomäne: LL Zielkontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:
Win2003 Security Disabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jun 29 15:58: MSWinLog 0 security 605 Thu Jun 29 15:58: Security qatest User W2K3-LASSO "Security Disabled Global Group Deleted: Target Name: test1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 657 Win2003 Security Disabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 2 08:09:39 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3804 Thu Jul 02 08:09: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée supprimé : Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :

G 657 Win2003 Security Disabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13> T15:02: : MSWinLog 0 Security 0 Mon May 16 15:02: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte globale Gruppe mit deaktivierter Sicherheit: Zielkontoname: test1 Zieldomäne: LL Zielkontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:

Win2003 Security Enabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jul 7 11:52: MSWinLog 0 Security Fri Jul 07 11:47: Security administrator User SUPPORT-SBS "Security Enabled Universal Group Created: New Name: univ658 New Domain: SUPPORT New : %{S } Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - Attributes: Sam Name: univ658 Sid History: - "
115F 658 Win2003 Security Enabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jul 6 05:22:47 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 566 Mon Jul 06 05:22: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité activée créé : Nom du nouveau compte : qfdqqdfdsq Nouveau domaine : DOMAIN Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - Attributs : Nom du compte SAM : qfdqqdfdsq Historique S :

Win2003 Security Enabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jul 7 12:03: MSWinLog 0 Security 313 Fri Jul 07 12:03: Security administrator User SUPPORT-SBS "Security Enabled Universal Group Changed: Target Name: univ658 Target Domain: SUPPORT Target : %{S } Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - Changed Attributes: Sam Name: - Sid History: - "

F 659 Win2003 Security Enabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jun 30 09:51:22 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 325 Tue Jun 30 09:50: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Groupe universel de sécurité activée modifié : Nom de compte cible : Administrateurs du schéma Domaine cible : FORESTA Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x260DD) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :
116F 660 Win2003 Security Enabled Universal Group Member Added.
<13>Jul 6 05:23:41 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 568 Mon Jul 06 05:23: Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité activée ajouté : Nom du membre : CN=Administrateur,CN=Users,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges :

Win2003 Security Enabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 11 11:25: MSWinLog 0 Security Tue Jul 11 11:25: Security administrator User SUPPORT-SBS "Security Enabled Universal Group Member Removed: Member Name: CN=test628,CN=Users,DC=support,DC=local Member : %{S } Target Name: tesater Target Domain: SUPPORT Target : %{S } Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - "
117F 661 Win2003 Security Enabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 6 05:24:04 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 571 Mon Jul 06 05:24: Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité activée supprimé : Nom du membre : CN=Administrateur,CN=Users,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges :

Win2003 Security Enabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 7 12:04: MSWinLog 0 Security 336 Fri Jul 07 12:04: Security administrator User SUPPORT-SBS "Security Enabled Universal Group Deleted: Target Name: univ658 Target Domain: SUPPORT Target : %{S } Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - "

F 662 Win2003 Security Enabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 6 05:24:19 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 572 Mon Jul 06 05:24: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité activée supprimé : Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges :
Win2003 Security Disabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 16:03: MSWinLog 0 security 721 Thu Jun 29 16:03: Security qatest User W2K3-LASSO "Security Disabled Universal Group Created: New Name: test New Domain: SQA New : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: test Sid History: - "

F 663 Win2003 Security Disabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 05:21:59 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1173 Thu Jul 02 05:21: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée créé : Nom du nouveau compte : test un Nouveau domaine : DOMAIN Id. du nouveau compte : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs : Nom du compte SAM : test un Historique S :

G 663 Win2003 Security Disabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13> T15:05: : MSWinLog 0 Security 0 Mon May 16 15:05: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte universelle Gruppe mit deaktivierter Sicherheit: Neuer Kontoname: test-universal Neue Domäne: LL Neue Kontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: Sam-Kontoname: test-universal Sid-Verlauf:
Win2003 Security Disabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 16:03: MSWinLog 0 security 722 Thu Jun 29 16:03: Security qatest User W2K3-LASSO "Security Disabled Universal Group Changed: Target Name: test1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: test1 Sid History: - "

F 664 Win2003 Security Disabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 05:23:16 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1191 Thu Jul 02 05:23: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée modifié : Nom de compte cible : test un Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S :

G 664 Win2003 Security Disabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13> T15:05: : MSWinLog 0 Security 0 Mon May 16 15:05: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte universelle Gruppe mit deaktiverter Sicherheit: Zielkontoname: test-universal Zieldomäne: LL Zielkontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Geänderte Attribute: Sam-Kontoname: - Sid-Verlauf:
Win2003 Security Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 16:05: MSWinLog 0 security 776 Thu Jun 29 16:05: Security qatest User W2K3-LASSO "Security Disabled Universal Group Member Added: Member Name: cn=testt,cn=users,dc=sqa,dc=loglogic,DC=com Member : %{S } Target Name: test1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 665 Win2003 Security Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 05:24:02 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1193 Thu Jul 02 05:24: Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité désactivée ajouté : Nom du membre : CN=Administrateur,CN=Users,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : test un Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :

G 665 Win2003 Security Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13> T15:05: : MSWinLog 0 Security 0 Mon May 16 15:05: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes universelles Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: test-universal Zieldomäne: LL Zielkontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:
Win2003 Security Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 16:05: MSWinLog 0 security 778 Thu Jun 29 16:05: Security qatest User W2K3-LASSO "Security Disabled Universal Group Member Removed: Member Name: CN=testt,CN=Users,DC=sqa,DC=loglogic,DC=com Member : %{S } Target Name: test1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 666 Win2003 Security Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 05:24:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1212 Thu Jul 02 05:24: Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité désactivée supprimé : Nom du membre : CN=Administrateur,CN=Users,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S } Nom de compte cible : test un Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :

G 666 Win2003 Security Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13> T15:05: : MSWinLog 0 Security 0 Mon May 16 15:05: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes universelles Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: test-universal Zieldomäne: LL Zielkontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:
Win2003 Security Disabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jun 29 16:06: MSWinLog 0 security 779 Thu Jun 29 16:06: Security qatest User W2K3-LASSO "Security Disabled Universal Group Deleted: Target Name: test1 Target Domain: SQA Target : %{S } Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - "

F 667 Win2003 Security Disabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 2 08:02:00 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3768 Thu Jul 02 08:02: Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée supprimé : Nom de compte cible : test un Domaine cible : DOMAIN Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges :

G 667 Win2003 Security Disabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13> T15:05: : MSWinLog 0 Security 0 Mon May 16 15:05: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte universelle Gruppe mit deaktivierter Sicherheit: Zielkontoname: test-universal Zieldomäne: LL Zielkontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte:

Win2003 Group Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8
<13>Jul 7 12:06: MSWinLog 0 Security 361 Fri Jul 07 12:06: Security administrator User SUPPORT-SBS "Group Changed: Security Enabled Local Group Changed to Security Disabled Local Group. Target Name: newlocal635 Target Domain: SUPPORT Target : %{S } Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x ) Privileges: - "
124F 668 Win2003 Group Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8
<13>Jun 30 09:51:22 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 326 Tue Jun 30 09:50: Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes de groupe modifié : Le groupe global activé par la sécurité est changé en groupe universel activé par la sécurité. Nom de compte cible : Administrateurs du schéma Domaine cible : FORESTA Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x260DD) Privilèges :

Win2003 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 SidList: %10
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

125F 669 Win2003 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 SidList: %10
<13>Aug 4 10:22:22 b0324-fr2.abc.com MSWinLog 1 Security 1091 Tue Aug 04 10:21: Security Administrateur User B0324-FR2 Gestion des comptes Ajout d'un historique S : Nom de compte source : xyz.com\dev Id. de compte source : %{S } Nom de compte cible : dev Domaine cible : ABC Id. de compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : ABC Id. de session de l'appelant : (0x0,0x1A388) Privilèges : - Liste S :

Win2003 Add S History: Source Name: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
126F 670 Win2003 Add S History: Source Name: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8
<13>Aug 4 10:22:22 b0324-fr2.abc.com MSWinLog 1 Security 1092 Tue Aug 04 10:21: Security Administrateur User B0324-FR2 Gestion des comptes Ajout d'un historique S : Nom de compte source : xyz.com\dev Nom de compte cible : dev Domaine cible : ABC Id. de compte cible : %{S } Utilisateur appelant : Administrateur Id. de session de l'appelant : (0x0,0x1A388) Privilèges : Domaine appelant : ABC

Win2003 User Unlocked: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13>Jun 12 15:21: MSWinLog 0 Security 1926 Sun Jun 12 15:18: Security Administrator User IAM3 User Unlocked: Target Name: loglogic2 Target Domain: SECTIS Target : %{S } Caller User Name: Administrator Caller Domain: SECTIS Caller Logon : (0x0,0x170D3)

F 671 Win2003 User Unlocked: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13>Jul 22 09:01:28 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2641 Wed Jul 22 09:01: Security Administrateur User B0324-FR2003 Gestion des comptes Compte d'utilisateur désactivé : Nom du compte cible : test Domaine cible : DOMAIN Id. du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de la session appelante : (0x0,0x3EAB48)

G 671 Win2003 User Unlocked: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13> T15:32: : MSWinLog 0 Security 0 Mon May 16 15:32: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Sperrung des Benutzerkontos aufgehoben: Zielkontoname: admin Zieldomäne: LL Zielkontokennung: LL\admin Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x6BD92C)
Win2003 Authentication Ticket Request: Supplied Realm Name: %2 User : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 Security
<13>Aug 8 09:26: MSWinLog 0 Security 743 Fri Aug 04 13:00: Security SYSTEM User LOGLOGIC-SRV1 Logon Authentication Ticket Request: User Name: LOGLOGIC-SRV1$ Supplied Realm Name: LOGLOGIC.COM User : %{S } Service Name: krbtgt Service : %{S } Ticket Options: 0x Result Code: - Ticket Encryption : 0x17 Pre-Authentication : 2 Client Address: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:

F 672 Win2003 Authentication Ticket Request: Supplied Realm Name: %2 User : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 Security
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 1 Security 80 Tue Jun 30 09:20: Security SYSTEM User KKKKK-KNBMQ2EU3 Connexion de compte Requête de ticket d'authentification : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine Kerberos fourni : FORESTA Id. de l'utilisateur : %{S } Nom du service : krbtgt Id. du service : %{S } Options du ticket : 0x Code de résultat : - de cryptage du ticket : 0x17 de pré-authentification : 2 Adresse du client : Nom de l'émetteur du certificat : Numéro de série du certificat : Empreinte digitale du certificat : 79
128G 672 Win2003 Authentication Ticket Request: Supplied Realm Name: %2 User : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 Security audit / Failure
<13> T11:26: : MSWinLog 0 Security 0 Tue May 10 11:26: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Kontoanmeldung Authentifizierungsticketanforderung: Benutzername: SRV-W2003-GERMA$ Angegebener Bereichsname: LL.LOCAL Benutzerkennung: LL\SRV-W2003-GERMA$ Dienstname: krbtgt Dienstkennung: LL\krbtgt Ticketoptionen: 0x Ergebniscode: - Ticketverschlüsselungstyp: 0x17 Vorauthentifizierungstyp: 2 Clientadresse: Zertifikatherausgebername: Zertifikatseriennummer: Zertifikatfingerabdruck:

Win2003 Service Ticket Request: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Failure Code: %8 Logon GU: %9 Transited Services: %10 Security
<13>Aug 8 09:26: MSWinLog 0 Security 752 Fri Aug 04 13:00: Security SYSTEM User LOGLOGIC-SRV1 Logon Service Ticket Request: User Name: [email protected] User Domain: LOGLOGIC.COM Service Name: LOGLOGIC-SRV1$ Service : %{S } Ticket Options: 0x Ticket Encryption : 0x17 Client Address: Failure Code: - Logon GU: {74ebb9ef-d2d7-8d9a-b16c-91ff35b9f49a} Transited Services:

F 673 Win2003 Service Ticket Request: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Failure Code: %8 Logon GU: %9 Transited Services: %10 Security
<13>Jun 30 09:21:02 kkkkk-knbmq2eu3.foresta MSWinLog 1 Security 91 Tue Jun 30 09:21: Security SYSTEM User KKKKK-KNBMQ2EU3 Connexion de compte Accord de la demande de ticket : Utilisateur : kkkkk-knbmq2eu3$@foresta Domaine de l'utilisateur : FORESTA Nom du service : KKKKK-KNBMQ2EU3$ Identificateur du service : %{S } Options du ticket : 0x de cryptage du ticket : 0x17 Adresse du client : Code d'échec : - GU d'ouv. de session : {93f0a bd05-008e-2d3b54075ba e} Services en transit :
129G 673 Win2003 Service Ticket Request: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Failure Code: %8 Logon GU: %9 Transited Services: %10 Security
<13> T11:26: : MSWinLog 0 Security 0 Tue May 10 11:26: Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Kontoanmeldung Dienstticketanforderung: Benutzername: [email protected] Benutzerdomäne: LL.LOCAL Dienstname: SRV-W2003-GERMA$ Dienstkennung: LL\SRV-W2003-GERMA$ Ticketoptionen: 0x Ticketverschlüsselungstyp: 0x17 Clientadresse: Fehlercode: - Anmelde-GU: { f-96d3-2a70-2fa9-faafcec08460} Übertragene Dienste:

Win2003 Service Ticket Renewed: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Security
<13>Aug 9 14:01: MSWinLog 0 Security 6318 Sat Aug 05 04:16: Security SYSTEM User LOGLOGIC-SRV1 Logon Service Ticket Renewed: User Name: [email protected] User Domain: BLR-LOGLOGIC.COM Service Name: krbtgt Service : %{S } Ticket Options: 0x2 Ticket Encryption : 0x17 Client Address:

F 674 Win2003 Service Ticket Renewed: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Security
<13>Jun 30 10:06:59 kkkkk-knbmq2eu3.foresta MSWinLog 1 Security 376 Tue Jun 30 10:06: Security SYSTEM User KKKKK-KNBMQ2EU3 Connexion de compte Ticket de service renouvelé : Nom utilisateur : Administrateur@FORESTA Domaine utilisateur : FORESTA Nom du service : krbtgt Id. du service : %{S } Options du ticket : 0x2 de cryptage du ticket : 0x17 Adresse du client :
Win2003 Pre-authentication failed. Logon Failure
<13>Jul 5 16:23: MSWinLog 0 security 2565 Wed Jul 05 16:23: Security SYSTEM Well Known Group Failure W2K3-LASSO Logon Pre-authentication failed: User Name: test User : %{S } Service Name: krbtgt/sqa Pre-Authentication : 0x2 Failure Code: 0x18 Client Address:

F 675 Win2003 Pre-authentication failed. Logon Failure
<13>Jul 22 04:36:29 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 803 Wed Jul 22 04:36: Security SYSTEM User Failure B0324-FR2003 Connexion de compte Échec de la pré-authentification : Utilisateur : test Id. de l'utilisateur : %{S } Nom du service : krbtgt/DOMAIN de pré-authentification : 0x2 Code d'échec : 0x18 Adresse du client :

G 675 Win2003 Pre-authentication failed. Logon Failure
<13> T13:55: : MSWinLog 0 Security 0 Mon May 16 13:55: Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA Kontoanmeldung Fehlgeschlagene Vorbestätigung: Benutzername: Administrator Benutzerkennung: LL\Administrator Dienstname: krbtgt/ll Vorauthentifizierungstyp: 0x2 Fehlercode: 0x18 Clientadresse:

Win2003 An account was mapped for logon Logon User Authentication / User Access /
<13>Jul 25 12:23: MSWinLog 0 Security Tue Jul 25 12:05: Security SYSTEM User BBC-WSMTEST-DC1 Logon/Logoff Mapped for Logon by: NTLM1 Client Name: SQA Mapped Name:abc

Win2003 Logon attempt by: %1 Logon account: %2 Source Workstation: %3 Code: %4 Security / User Authentication
<13>Aug 8 09:26: MSWinLog 0 Security 609 Fri Aug 04 12:20: Security Unknown User N/A LOGLOGIC-SRV1 Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Administrator Source Workstation: LOGLOGIC-SRV1 Code: 0x
133F 680 Win2003 Used for Logon by: %1 Name: %2 Workstation: %3 Security / User Authentication
<13>May 21 09:43:08 kkkkk-knbmq2eu3 MSWinLog 1 Security 14 Thu May 21 09:43: Security Administrateur User KKKKK-KNBMQ2EU3 Connexion de compte Tentative d'ouverture de session par : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Compte d'ouverture de session : Administrateur Station de travail source : KKKKK-KNBMQ2EU3 Code erreur : 0x

G 680 Win2003 Used for Logon by: %1 Name: %2 Workstation: %3 Security / User Authentication
<13> T13:27: : MSWinLog 0 Security 0 Mon May 16 13:27: Security LL\Administrator User SRV-W2003-GERMA Kontoanmeldung Anmeldversuch von: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Anmeldekonto: administrator Arbeitsstation: XP-CLIENT Fehlercode: 0x

Win2003 The logon to account: %2 by: %1 from workstation: %3 failed. The error code was: %4 Security Failure audit / User Authentication
<13>Aug 8 09:26: MSWinLog 0 Security 609 Fri Aug 04 12:20: Security Unknown User N/A LOGLOGIC-SRV1 Logon The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from Workstation: LOGLOGIC-SRV1 failed. The error code was: 0x

Win2003 Session reconnected to winstation: Domain: %2 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 Security
<13>Jul 25 12:20: MSWinLog 0 Security Thu Jun 22 10:44: Security SYSTEM User BLR-WIPTEST-DC1 Logon/Logoff Session reconnected to winstation: User Name: dmsopann Domain: WIPRO Logon : (0x0,0x5EEA9) Session Name: RDP-Tcp#2 Client Name: BLR-TEST-RMS01 Client Address:

F 682 Win2003 Session reconnected to winstation: Domain: %2 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 Security
<13>Jul 22 10:06:58 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3092 Wed Jul 22 10:06: Security SYSTEM User B0324-FR2003 Ouverture/Fermeture de session Session reconnectée à la station Windows : Utilisateur : Administrateur Domaine : DOMAIN Id. de session : (0x0,0x45E43C) Nom de session : RDP-Tcp#7 Nom de client : B0324-MENGKJ Adresse de client :
Win2003 Session disconnected from winstation: Domain: %2 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 Security
<13>Jul 25 12:20: MSWinLog 0 Security Wed Jun 21 14:29: Security SYSTEM User BLR-WIPTEST-DC1 Logon/Logoff Session disconnected from winstation: User Name: dmsopann Domain: WIPRO Logon : (0x0,0x5EEA9) Session Name: RDP-Tcp#1 Client Name: BLR-TEST-RMS04 Client Address:

F 683 Win2003 Session disconnected from winstation: Domain: %2 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 Security
<13>Jul 22 09:58:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2995 Wed Jul 22 09:58: Security SYSTEM User B0324-FR2003 Ouverture/Fermeture de session Session déconnectée de la station Windows : Utilisateur : Administrateur Domaine : DOMAIN Id. de session : (0x0,0x45E43C) Nom de session : RDP-Tcp#4 Nom de client : B0324-MENGKJ Adresse de client :

Win2003 Set ACLs of members in administrators groups: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Security
<13>Aug 8 09:26: MSWinLog 0 Security 1029 Fri Aug 04 13:14: Security ANONYMOUS LOGON Well Known Group LOGLOGIC-SRV1 Set ACLs of members in administrators groups: Target Name: Domain Admins Target Domain: DC=loglogic,DC=com Target : %{S } Caller User Name: LOGLOGIC-SRV1$ Caller Domain: LOGLOGIC Caller Logon : (0x0,0x3E7) Privileges:
137F 684 Win2003 Set ACLs of members in administrators groups: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Security
<13>Jul 2 04:17:46 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security Thu Jul 02 04:17: Security ANONYMOUS LOGON Well Known Group B0324-FR2003 Gestion des comptes Définir les listes ACL des membres des groupes administrateurs : Nom du compte destination : Administrateurs du schéma Domaine destination : DC=domain,DC=symbio-group,DC=com Id. du compte destination : %{S } Utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN Id. d'ouv. de session de l'appelant : (0x0,0x3E7) Privilèges :

G 684 Win2003 Set ACLs of members in administrators groups: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Security
<13> T14:07: : MSWinLog 0 Security 0 Mon May 16 14:07: Security NT-AUTORITÄT\ANONYMOUS-ANMELDUNG User SRV-W2003-GERMA Kontenverwaltung ACLs von Mitgliedern in Administratorgruppen festlegen: Zielkontoname: admin Zieldomäne: DC=ll,DC=local Zielkontokennung: LL\admin Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Berechtigungen:

Win2003 The name of an account was changed User Authentication / User Access /
<13>Aug 8 09:26: MSWinLog 0 Security 981 Fri Aug 04 12:08: Security LOCAL SERVICE Well Known Group MACHINENAME Logon/Logoff Name Changed: Old Name:SQA New Name:SQA_NEW Target Domain:test Target : testac Caller User Name: admin Caller Domain:test Caller Logon :test Privileges:test 896
138F 685 Win2003 The name of an account was changed
User Authentication / User Access /
<13>Jul 17 04:25:57 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security Fri Jul 17 04:25: Security Administrateur User B0324-FR2003 Gestion des comptes Nom du compte modifié : Ancien nom de compte : test Nouveau nom de compte : test1 Domaine cible : DOMAIN Identificateur du compte cible : %{S } Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x3EEA5) Privilèges :

G 685 Win2003 The name of an account was changed
User Authentication / User Access /
<13> T15:37: : MSWinLog 0 Security 0 Mon May 16 15:37: Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Kontoname wurde geändert: Alter Kontoname: bob Neuer Kontoname: bob1 Zieldomäne: LL Zielkontokennung: LL\bob Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x6BD92C) Berechtigungen:

Win2003 Trusted Forest Information Entry Added: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Added by : Client User Name: %11 Client Domain: %12 Client Logon : %13
Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
139F 769 Win2003 Trusted Forest Information Entry Added: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Added by : Client User Name: %11 Client Domain: %12 Client Logon : %13
Security
<13>Jul 22 07:37:13 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2077 Wed Jul 22 07:37: Security Administrateur User B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été ajoutée : Racine de la forêt : abc.com S de la racine de la forêt : %{S } Id. de l'opération : {0, } d'entrée : 0 Indicateurs : 0 Nom du niveau le plus élevé : abc.com Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48)

Win2003 Trusted Forest Information Entry Removed: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client User Name: %11 Client Domain: %12 Client Logon : %13
Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

140F 770 Win2003 Trusted Forest Information Entry Removed: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client User Name: %11 Client Domain: %12 Client Logon : %13
Security
<13>Jul 23 05:06:09 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 7380 Thu Jul 23 05:06: Security Administrateur User B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été supprimée : Racine de la forêt : abc.com S de la racine de la forêt : %{S } Id. de l'opération : {0, } d'entrée : 1 Indicateurs : 0 Nom du niveau le plus élevé : xzy.abc.com Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48) 7234
Win2003 Trusted Forest Information Entry Modified: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client User Name: %11 Client Domain: %12 Client Logon : %13
Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

141F 771 Win2003 Trusted Forest Information Entry Modified: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client User Name: %11 Client Domain: %12 Client Logon : %13
Security
<13>Jul 22 07:39:51 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2092 Wed Jul 22 07:39: Security Administrateur User B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été modifiée : Racine de la forêt : abc.com S de la racine de la forêt : %{S } Id. de l'opération : {0, } d'entrée : 0 Indicateurs : 2 Nom du niveau le plus élevé : - Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48)

Win2003 Per user auditing policy set for user.
Policy Change
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.
142F 807 Win2003 Per user auditing policy set for user.
Policy Change
<13>Jul 23 08:46:53 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 8268 Thu Jul 23 08:46: Security SYSTEM User B0324-FR2003 Changement de stratégie Stratégie d'audit par utilisateur définie pour l'utilisateur : Utilisateur cible : %{S } Id de stratégie : (0x0,0x53E953) Paramètres de catégorie : Système : 0x0 Ouverture de session : 0x0 Accès de l'objet 0x2 Utilisation d'un privilège : 0x0 Suivi détaillé : 0x0 Modification de stratégie : 0x0 Gestion de compte : 0x0 Accès DS : 0x0 Ouverture de session du compte : 0x

Win2003 Windows is unable to load or access an object, registry or file.
Application
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

Win2003 The session setup from the computer %1 failed to authenticate. The following error occurred: %2
Directory Service
<13>Aug 8 10: 53: MSWinLog 0 Directory Service 2507 Tue Aug 08 10: 53: ADS loglogic N/A Information M2-0W55 None The session setup from the computer %1 failed to authenticate. The following error occurred: %

F 5805 Win2003 The session setup from the computer %1 failed to authenticate. The following error occurred: %2
Directory Service
<13>Jul 22 08:15:53 b0324-fr2003.domain.symbio-group.com MSWinLog Wed Jul 22 08:15: NETLOGON Unknown User N/A B0324-FR2003 None 0000: c0 90 b L'installation de la session à partir de l'ordinateur LOGLOGIC-LVROFF n'a pas pu être authentifiée. L'erreur suivante s'est produite : %%

Win2003 The log service was started.
<13>Aug 8 09:26: MSWinLog Fri Aug 04 17:34: Log Unknown User N/A Information MACHINENAME None The log service was started. 2
145F 6005 Win2003 The log service was started.
<13>May 21 10:31:17 kkkkk-knbmq2eu3 MSWinLog 1 4 Thu May 21 10:31: Log Unknown User N/A Information KKKKK-KNBMQ2EU3 None 0000: e : d : f : 6f : e : 6f : : : : e e : : : 6c : : e : f : : 6f : : a0: 2e a8: f b0: d 00 2e b8: c0: d c8: d0: Le service d'enregistrement d'événement a démarré

Win2003 The log service was stopped.
<13>Aug 8 09:26: MSWinLog Fri Aug 04 17:34: Log Unknown User N/A Information MACHINENAME None The log service was stopped
146F 6006 Win2003 The log service was stopped.
<13>May 21 10:31:17 kkkkk-knbmq2eu3 MSWinLog 1 2 Thu May 21 10:29: Log Unknown User N/A Information KKKKK-KNBMQ2EU3 None 0000: e : d : f : 6f : e : 6f : : : : e e : : : 6c : : e : f : : 6f : : a0: 2e a8: f b0: d 00 2e b8: c0: d c8: d0: Le service d'enregistrement d'événement a été arrêté

Win2003 The previous system shutdown at %1 on %2 was unexpected.
<13>Aug 9 18:10: MSWinLog Wed Aug 09 15:21: Log Unknown User N/A LOGLOGIC-SRV1 None 0000: d Ö : 0f b 00 d Ø 0010: d Ö : b 00 d Ø The previous system shutdown at 3:20:43 PM on 8/9/2006 was unexpected

F 6008 Win2003 The previous system shutdown at %1 on %2 was unexpected.
<13>Jul 6 08:05:21 b0324-fr2003.domain.symbio-group.com MSWinLog Mon Jul 06 08:04: Log Unknown User N/A B0324-FR2003 None 0000: d : ab : d : ab L'arrêt système précédant à 08:01:18 le 06/07/2009 n'était pas prévu. 0
Appendix B Logon Types and Descriptions

Table 2 Logon Types and Descriptions

| Logon Type | Logon Title | Description |
|---|---|---|
| 1 | Interactive | A user logged on to this computer at the console. |
| 2 | Network | A user or computer logged on to this computer from the network. |
| 3 | Batch | Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention. |
| 4 | Service | A service was started by the Service Control Manager. |
| 5 | Unlock | This workstation was unlocked. |
| 6 | NetworkCleartext | A user logged on to a network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 7 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections. |
| 8 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection. |
| 9 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6
INTEGRATION GUIDE May 2014 3725-75304-001 Rev B Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6 Polycom, Inc. 0 Copyright 2014, Polycom, Inc. All rights reserved.
LogLogic McAfee epolicy Orchestrator (epo) Log Configuration Guide
LogLogic McAfee epolicy Orchestrator (epo) Log Configuration Guide Document Release: October 2011 Part Number: LL600048-00ELS100001 This manual supports LogLogic McAfee epo Release 1.0 later, LogLogic
NETWRIX ACCOUNT LOCKOUT EXAMINER
NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a
Creating IBM Cognos Controller Databases using Microsoft SQL Server
Guideline Creating IBM Cognos Controller Databases using Microsoft SQL Product(s): IBM Cognos Controller 8.1 or higher Area of Interest: Financial Management 2 Copyright Copyright 2008 Cognos ULC (formerly
Setting up an MS SQL Server for IGSS
Setting up an MS SQL Server for IGSS Table of Contents Table of Contents...1 Introduction... 2 The Microsoft SQL Server database...2 Setting up an MS SQL Server...3 Installing the MS SQL Server software...3
SWsoft, Inc. Plesk Firewall. Administrator's Guide
SWsoft, Inc. Plesk Firewall Administrator's Guide (c) 1999-2004 ISBN: N/A SWsoft Inc 13800 Coppermine Drive Suite 112 Herndon VA 20171 USA Tel: +1 (703) 815 5670 Fax: +1 (703) 815 5675 Copyright 1999-2004
