LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide Document Release: September 2011 Part Number: LL600029-00ELS090002 This manual supports LogLogic Microsoft Windows Server 2000/2003 Release 2.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.
2011 LogLogic, Inc.

Proprietary Information
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks
LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc. 110 Rose Orchard Way, Ste 200 San Jose, CA 95134 Tel: +1 408 215 5900 Fax: +1 408 774 1752 U.S. Toll Free: 888 347 3883 www.loglogic.com
Contents

Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions
Chapter 1 Configuring LogLogic's Microsoft Windows Server 2000/2003 Log Collection
  Introduction to Microsoft Windows Server 2000/2003
  Prerequisites
  Configuring Microsoft Windows Server 2000/2003 for Operational Events
    Installing and Configuring Lasso Collector
  Enabling the LogLogic Appliance to Capture Log Data
    Automatically Identifying a Microsoft Windows Server 2000/2003 Device
    Adding Microsoft Windows Server 2000/2003 Device
  Verifying the Configuration
Chapter 2 How LogLogic Supports Microsoft Windows Server 2000/2003
  How LogLogic Captures Microsoft Windows Server 2000/2003 Data
  LogLogic Real-Time Reports
Chapter 3 Troubleshooting and FAQ
  Troubleshooting
  Frequently Asked Questions
Appendix A Reference
  LogLogic Support for Microsoft Windows Server 2000/2003 Events
Appendix B Logon s and Descriptions
Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Windows enables LogLogic Appliances to capture logs from machines running Microsoft Windows Server 2000/2003. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft Windows Server 2000/2003's operations. For more information on creating reports and alerts, see the LogLogic Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
Telephone: Toll Free 1-800-957-LOGS
Local 1-408-834-7480
EMEA or APAC: + 44 (0) 207 1170075 or +44 (0) 8000 669970
Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:
Your name, email address, phone number, and fax number
Your company name and company address
Your machine type and release version
A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
username: system
home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
LogLogic_home_directory\upgrade\

Straight brackets signal options in command-line syntax. For example:
ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]
Chapter 1 Configuring LogLogic's Microsoft Windows Server 2000/2003 Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft Windows Server 2000/2003 logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft Windows Server 2000/2003 log data.

Introduction to Microsoft Windows Server 2000/2003

Microsoft Windows Server 2000/2003 operational events appear within the Windows Event Viewer and are located within the host machine's Windows Event Log. The events are captured by LogLogic's Lasso Collector. The Lasso Collector can run in Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP.

The configuration procedures for Microsoft Windows Server 2000/2003 and the LogLogic Appliance depend upon your environment and how the Lasso Collector is configured. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data and the LogLogic Lasso Collector Guide.

Prerequisites

Prior to configuring Microsoft Windows Server 2000/2003 and the LogLogic Appliance, ensure that you meet the following prerequisites:

Microsoft Windows Server 2000/2003 Server installed
Administrative access on the Windows server
Note: For Windows support you will need to run LogLogic Appliance Release 5.1 or later.
Lasso Collector Release 2.0 or later installed on the Windows server. For more information, see LogLogic Lasso Collector Guide.
LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft Windows Server 2000/2003 support
Administrative access on LogLogic Appliance
Configuring Microsoft Windows Server 2000/2003 for Operational Events

Microsoft Windows operational events are posted in the Windows Event Viewer. The events are located in the Windows logs. These events can be captured by the LogLogic Appliance using Lasso Collector. For more information about the Windows Event Viewer, see the Microsoft Windows Server 2000/2003 product documentation.

Installing and Configuring Lasso Collector

Lasso collects Microsoft Windows Server 2000/2003 logs and transfers them to the LogLogic Appliance. By default, the Lasso program directory is located at:

C:\Program Files\Lasso

Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:

C:\Program Files\Lasso\LassoRepository\Spool

You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and configuration procedures for Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Lasso Collector Guide.
Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft Windows Server 2000/2003 log data.

Automatically Identifying a Microsoft Windows Server 2000/2003 Device

With the auto-identification feature, the LogLogic Appliance recognizes Microsoft Windows Server 2000/2003 log messages by default. As the log messages come into the Appliance, they are automatically identified and a new Microsoft Windows Server 2000/2003 device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > Settings. The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.

Once the automatically identified device is added, you can edit its properties.

IMPORTANT! Do not change the auto-identified Device Type and Host IP information.

To edit an existing Microsoft Windows Server 2000/2003 device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select > Devices. The Devices tab appears.
3. Click on an existing Microsoft Windows Server 2000/2003 device in the list and click Modify Device. The Modify Device tab appears.
4. Edit the device fields as needed, then click Update Device.

Adding Microsoft Windows Server 2000/2003 Device

If you do not want to use the auto-identification feature, you can manually add a Microsoft Windows Server 2000/2003 device to the LogLogic Appliance before you redirect the logs.

IMPORTANT! LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance.
To add Microsoft Windows Server 2000/2003 as a new device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   Name: Name for the Microsoft Windows Server 2000/2003 device
   Description (optional): Description of the Microsoft Windows Server 2000/2003 device
   Device Type: Select Microsoft Windows Server 2000/2003 from the drop-down menu
   Host IP: IP address of the Microsoft Windows Server 2000/2003 appliance
   Enable Data Collection: Select the Yes radio button
   Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

   Figure 1 Adding a Device to the LogLogic Appliance

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Microsoft Windows Server 2000/2003 machine, the LogLogic Appliance uses the device you just added if the hostname or IP match.
Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft Windows Server 2000/2003 and the LogLogic Appliance are applied correctly.

To verify the configuration:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Microsoft Windows Server 2000/2003 device.

If the device name (Microsoft Windows Server 2000/2003) appears in the list of devices (Figure 2), then the configuration is correct.

Figure 2 Log Source Status Tab

If the device does not appear in the Log Source Status tab, check the Microsoft Windows Server 2000/2003 logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft Windows Server 2000/2003 configuration, the Lasso configuration, and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft Windows Server 2000/2003 by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports.

If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting for more information.
Chapter 2 How LogLogic Supports Microsoft Windows Server 2000/2003

This chapter describes LogLogic's support for Microsoft Windows Server 2000/2003. LogLogic enables you to capture Microsoft Windows Server 2000/2003 log data to monitor Microsoft Windows Server 2000/2003 events. LogLogic supports Microsoft Windows Server 2000/2003 logs.

How LogLogic Captures Microsoft Windows Server 2000/2003 Data

LogLogic's Lasso Collector is used to collect logs stored in the Windows Event Log. The Windows Collector is an open source application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance.

If the Windows Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed.

If the Windows Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed.

The Windows Collector can also run in both modes at the same time. In hybrid mode, the Collector captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access.

Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance's Syslog Listener via UDP or TCP.

Figure 3 Microsoft Windows Server 2000/2003 with Lasso Collector (in Agent Mode) and the LogLogic Appliance

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft Windows Server 2000/2003. For more information on creating reports and alerts, see the LogLogic Guide and LogLogic Online Help.
LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft Windows Server 2000/2003 log data. The following Real-Time Reports are available:

All Unparsed Events: Displays data for all events retrieved from the Microsoft Windows Server 2000/2003 log for a specified time interval
Permission Modification: Displays events related to permission modifications performed on user and server objects
Access: Displays data access and changes done to data during a specified time interval
Authentication: Displays identity and access related events during a specified time interval
Created/Deleted: Displays user creation and deletion events
Last: Displays user specific details and is used to track user activity during a specified time interval
Windows Events: Displays Windows event information served during a specified time interval

To access LMI 4 Real-Time Reports:
1. In the left navigation pane, click Real-Time.
2. Click Access Control. The following Real-Time Reports are available:
   Permission Modification
   Access
   Authentication
   Created/Deleted
   Last
   Windows Events
3. Click Logs. The following Real-Time Reports are available:
   All Unparsed Events
To access LMI 5 Real-Time Reports:
1. In the top navigation pane, click.
2. Click Access Control. The following Real-Time Reports are available:
   Permission Modification
   Access
   Authentication
   Created/Deleted
   Last
   Windows Events
3. Click Operational. The following Real-Time Reports are available:
   All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic Guide and LogLogic Online Help.
Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft Windows Server 2000/2003. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

Troubleshooting

Is your version of Microsoft Windows Server 2000/2003 supported?
For more information, see Prerequisites.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

Are you running Lasso Collector 2.0 or later?
If you are running a release prior to 2.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the LSP that is installed includes support for Microsoft Windows Server 2000/2003. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft Windows Server 2000/2003 events are not appearing on the LogLogic Appliance...
You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab. Make sure that you have properly installed and configured Lasso, and that no errors are present in Lasso's error log (LassoTrace.log). For more information, see the LogLogic Lasso Collector Guide. Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft Windows Server 2000/2003 Device and Adding Microsoft Windows Server 2000/2003 Device.
If events are not displaying on the LogLogic Appliance even after configuring Microsoft Windows Server 2000/2003 and Lasso correctly...
Microsoft Windows Server 2000/2003 sends the logs, via UDP or TCP, in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft Windows Server 2000/2003 machine. For more information on supported protocols and ports, see the LogLogic Administration Guide.
Frequently Asked Questions

How does the LogLogic appliance collect logs from Microsoft Windows Server 2000/2003?
For log collection, Lasso Collector is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft Windows Server 2000/2003 Data.

What access permissions are required?
To configure logging on Microsoft Windows Server 2000/2003, the Windows user must have administrative permissions.

How do I configure logging on Microsoft Windows Server 2000/2003?
Follow the procedures in Configuring Microsoft Windows Server 2000/2003 for Operational Events. Also make sure that you have properly installed and configured Lasso. For more information, see Installing and Configuring Lasso Collector and the LogLogic Lasso Collector Guide.
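Added example (not LogLogic or Lasso code): a small Python parser for forwarded MSWinLog syslog messages in the layout shown by the sample log lines in this guide's event table, flagging event IDs 517 and 520 and counting logon failures (529, 530, 531) per source address. The sample lines, host names and addresses are constructed, and the whitespace-separated layout is an assumption read off the flattened samples; the delimiter Lasso actually emits may differ.

```python
import re
from collections import Counter

# Event IDs and meanings as listed in the guide's event table.
LOGON_FAILURES = {
    529: "unknown user name or bad password",
    530: "logon time restriction violation",
    531: "account currently disabled",
}
ALWAYS_ALERT = {517: "audit log was cleared", 520: "system time was changed"}

# Assumed layout (whitespace-separated, as in the flattened samples):
# <PRI>syslog-time [host] MSWinLog ... event-time event-id rest-of-message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>\S+)\s+)?"  # some samples carry no host before MSWinLog
    r"MSWinLog\s+.*?"
    r"(?P<event_time>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} \d{1,2} "
    r"\d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<event_id>\d+)\s+(?P<message>.*)$"
)
# The field label is localized; the guide shows English and French samples.
SRC_RE = re.compile(r"(?:Source Network Address|Adresse réseau source)\s*:\s*(\S+)")


def parse_line(line):
    """Return a dict for one MSWinLog syslog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    src = SRC_RE.search(m.group("message"))
    source = src.group(1) if src and src.group(1) != "-" else None
    return {
        "facility": pri // 8,  # syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m.group("host"),
        "event_time": m.group("event_time"),
        "event_id": int(m.group("event_id")),
        "source": source,
    }


def triage(lines, threshold=3):
    """Flag always-alert events and sources with >= threshold logon failures."""
    alerts, failures, unparsed = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count these instead of dropping them silently
            continue
        eid = rec["event_id"]
        if eid in ALWAYS_ALERT:
            alerts.append((eid, rec["host"], ALWAYS_ALERT[eid]))
        elif eid in LOGON_FAILURES:
            failures[rec["source"] or "unknown"] += 1
    noisy = sorted(s for s, n in failures.items() if n >= threshold)
    return {"alerts": alerts, "failed_logons": dict(failures),
            "noisy_sources": noisy, "unparsed": unparsed}


# Constructed sample lines (documentation addresses, made-up host names).
SAMPLE_LINES = [
    '<13>Jul 5 16:23:52 192.0.2.10 MSWinLog 0 security 2566 Wed Jul 05 16:23:52 2006 '
    '529 SYSTEM SRV-A Logon/Logoff "Logon Failure: Reason: Unknown user name or bad '
    'password Source Network Address: 198.51.100.7 Source Port: 1443 " 48173',
    '<13>Jul 5 16:23:55 192.0.2.10 MSWinLog 0 security 2567 Wed Jul 05 16:23:55 2006 '
    '529 SYSTEM SRV-A Logon/Logoff "Logon Failure: Reason: Unknown user name or bad '
    'password Source Network Address: 198.51.100.7 Source Port: 1444 " 48174',
    '<13>Jul 5 16:24:01 192.0.2.10 MSWinLog 0 security 2568 Wed Jul 05 16:24:01 2006 '
    '531 SYSTEM SRV-A Logon/Logoff "Logon Failure: Reason: Account currently disabled '
    'Source Network Address: 198.51.100.7 Source Port: 1445 " 48175',
    '<13>Jul 5 16:42:13 192.0.2.10 MSWinLog 0 security 2904 Wed Jul 05 16:42:12 2006 '
    '530 SYSTEM SRV-A Logon/Logoff "Logon Failure: Reason: logon time restriction '
    'violation Source Network Address: 198.51.100.9 Source Port: 1464 " 48511',
    "<13>Jul 6 08:44:18 MSWinLog 4 1332 Mon Jul 06 08:44:14 2009 529 SYSTEM SRV-B "
    "Ouverture/Fermeture de session Échec de l'ouverture de session : "
    "Adresse réseau source : 198.51.100.9 Port source : 0 1277",
    '<13>Jul 25 12:17:36 192.0.2.10 MSWinLog 0 7727 Fri Jul 21 14:32:00 2006 517 '
    'SYSTEM SRV-A The audit log was cleared Client User Name: admin1 1',
    '<13>Jul 5 11:04:09 192.0.2.10 MSWinLog 0 security 130 Wed Jul 05 10:54:02 2006 '
    '528 user1 SRV-A Logon/Logoff "Successful Logon: Source Network Address: '
    '198.51.100.7 Source Port: 1133 " 45737',
    'Jul 25 12:18:00 192.0.2.10 otherapp: not a Lasso message',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```
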
Appendix A Reference

This appendix lists the LogLogic-supported Microsoft Windows Server 2000/2003 events. The Microsoft Windows Server 2000/2003 event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Microsoft Windows Server 2000/2003 Events

The following list describes the contents of each of the columns in the tables below.

Item #: Item numbers with the suffix F show sample logs in French.
Microsoft Windows Server 2000/2003 event identifier.
Defines if the Microsoft Windows Server 2000/2003 event is available through the LogLogic Report Engine or through the search capabilities. If the event is available through the Report Engine, then you can use LogLogic's Real-Time and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
(OS) where the event can be triggered. In some instances, duplicate s exist for different OSs.
Title/Comments: Description of the event
of events such as, Application, etc.
of event such as audit, audit, etc.
LogLogic-provided reports that the event appears in
Sample: Microsoft Windows Server 2000/2003 log messages in text format
Table 1 Microsoft Windows Server 2000/2003 Events

Item 1: 512 Windows is starting up. Information/ Last
Sample: <13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 621 Fri Aug 04 12:59:22 2006 512 SYSTEM LOGLOGIC-SRV1 Windows is starting up. 25

Item 1F: 512 Windows is starting up. Information/ Last
Sample: <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 7 Thu May 21 10:31:06 2009 512 SYSTEM KKKKK-KNBMQ2EU3 Événements système Windows démarre. 1

Item 2: 512 Win2000 Windows NT is starting up. Information/ Last
Sample: <13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 621 Fri Aug 04 12:59:22 2006 512 SYSTEM LOGLOGIC-SRV1 Windows NT is starting up. 25

Item 3: 513 Windows is shutting down. All logon sessions will be terminated by this shutdown. Information/ Last
Sample: <13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 621 Fri Aug 04 12:59:22 2006 513 SYSTEM LOGLOGIC-SRV1 Windows is shutting down.all logon sessions will be terminated by this shutdown. 25

Item 3F: 513 Windows is shutting down. All logon sessions will be terminated by this shutdown. Information/ Last
Sample: <13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 6 Thu May 21 10:29:57 2009 513 SECURITY Unknown N/A KKKKK-KNBMQ2EU3 Événements système Windows s'arrête. Toutes les sessions vont être fermées par cet arrêt. 0

Item 4: 513 Win2000 Windows NT is shutting down. All logon sessions will be terminated by this shutdown. Information/ Last
Sample: <13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 621 Fri Aug 04 12:59:22 2006 513 SYSTEM LOGLOGIC-SRV1 Windows NT is shutting down.all logon sessions will be terminated by this shutdown. 25

Item 5: 516 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: %1 Information/ Last
Item 5F: Les ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. audit Last / Windows Events
Sample: <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59:55 2010516Administrator LOGLABS-2003FRA Suivi détailléles ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Certains audits ont été perdus. Nombre de messages d'audit rejetés :%1

Item 6: 517 Win2000, The audit log was cleared Primary Name: %1 Primary Primary Logon : %3 Client Name: %4 Client Domain: %5 Client Logon : %6 Information/ Last
Sample: <13>Jul 25 12:17:36 10.201.20.214 MSWinLog 0 7727 Fri Jul 21 14:32:00 2006 517 SYSTEM BLR-WSMTEST-DC1 The audit log was cleared Primary Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon : (0x0,0x3E7) Client Name: dmsopann Client Domain: WIPRO Client Logon : (0x0,0x44A885) 1

Item 6F: 517 The audit log was cleared Primary Name: %1 Primary Primary Logon : %3 Client Name: %4 Client Domain: %5 Client Logon : %6 Information/ Last
Sample: <13>Jul 7 05:25:53 10.8.0.39 MSWinLog 0 1151 Tue Jul 07 05:15:00 2009 517 SYSTEM Well Known Group B0324-FR2003 Événements système Le journal d'audit a été effacé Utilisateur principal : SYSTEM Domaine principal : AUTORITE NT Id. de session principale : (0x0,0x3E7) Utilisateur client : Administrateur Domaine client : DOMAIN Id. de session client : (0x0,0x489A86) 1
Item 7: 520 The system time was changed. Process : %1 Process Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 Client Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 Information/ Last
Sample: <13>Jun 12 14:54:42 10.0.0.61 MSWinLog 0 923 Sun Jun 12 14:52:47 2005 520 loglogic2 IAM3 The system time was changed. Process : 2128 Process Name: C:\WINDOWS\system32\rundll32.exe Primary Name: loglogic2 Primary Domain: SECTIS Primary Logon : (0x0,0xF15F58) Client Name: loglogic2 Client Domain: SECTIS Client Logon : (0x0,0xF15F58) Previous Time: 2:51:48 PM 6/12/2005 New Time: 2:52:47 PM 6/12/2005 829

Item 7F: 520 The system time was changed. Process : %1 Process Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 Client Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11 Information/ Last
Sample: <13>Jul 6 05:37:34 MSWinLog 4 608 Mon Jul 06 05:37:34 2009 520 Administrateur B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/2009 567

Item 8: 528 Win2000 ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Last

Item 9: 528 ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
Sample: <13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 130 Wed Jul 05 10:54:02 2006 528 qatest W2K3-LASSO Logon/ Logoff "ful Logon: Name: qatest Domain: SQA Logon : (0x0,0xD72AEE) Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Logon GU: {4fa5f915-b6cf-cc49-b484-b7b61551b7d0 } Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 396 Transited Services: - Source Network Address: 172.16.0.22 Source Port: 1133 " 45737
Item 9F: 528 ful Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
Sample: <13>May 21 10:24:28 kkkkk-knbmq2eu3 MSWinLog 1 40 Thu May 21 10:24:03 2009 528 SERVICE LOCAL Well Known Group KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : SERVICE LOCAL Domaine : AUTORITE NT Id. de la session : (0x0,0x3E5) de session : 5 Processus de session : Advapi Package d'authentification : Negotiate Station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de session de l'appelant : (0x0,0x3E7) de processus appelant : 868 Services en transit : - Adresse réseau source : - Port source : - 24

Item 10: 529 Win2000 Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last

Item 11: 529 Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
Sample: <13>Jul 5 16:23:52 10.1.1.55 MSWinLog 0 security 2566 Wed Jul 05 16:23:52 2006 529 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: Unknown user name or bad password Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 724 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1443 " 48173
Item 11F: 529 Logon : Reason: Unknown user name or bad password Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
Sample: <13>Jul 6 08:44:18 MSWinLog 4 1332 Mon Jul 06 08:44:14 2009 529 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Nom d'utilisateur inconnu ou mot de passe incorrect Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1277

Item 12: 530 Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
Sample: <13>Jul 5 16:42:13 10.1.1.55 MSWinLog 0 security 2904 Wed Jul 05 16:42:12 2006 530 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: logon time restriction violation Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3444 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1464 " 48511

Item 12F: 530 Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
Sample: <13>Jul 6 09:16:06 MSWinLog 4 1850 Mon Jul 06 09:16:06 2009 530 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Violation de la limite de temps d'accès au compte Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1792
13 530 Win2000 Logon : Reason: logon time restriction violation Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last

14 531 Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:45:06 10.1.1.55 MSWinLog 0 security 2940 Wed Jul 05 16:45:06 2006 531 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: currently disabled Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3000 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1468 " 48547

14F 531 Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 6 08:50:26 MSWinLog 4 1399 Mon Jul 06 08:50:18 2009 531 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte actuellement désactivé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1344

15 531 Win2000 Logon : Reason: currently disabled Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last has not been fully validated by LogLogic.
16 532 Win2000 Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last has not been fully validated by LogLogic.

16F 532 Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
<13>Jul 18 04:17:27 MSWinLog 4 193700 Sat Jul 18 04:17:24 2009 532 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le compte d'utilisateur mentionné est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 192727

17 532 Logon : Reason: The specified user account has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:47:03 10.1.1.55 MSWinLog 0 security 2954 Wed Jul 05 16:47:02 2006 532 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The specified user account has expired Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2960 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1470 " 48561

18 533 Win2000 Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
19 533 Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:48:07 10.1.1.55 MSWinLog 0 security 2976 Wed Jul 05 16:48:06 2006 533 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: not allowed to logon at this computer Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2996 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1472 " 48583

19F 533 Logon : Reason: not allowed to logon at this computer Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 22 05:08:53 MSWinLog 4 1371 Wed Jul 22 05:08:53 2009 533 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Utilisateur non autorisé à se connecter sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : 32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 1317

20 534 Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:28:08 10.1.1.55 MSWinLog 0 security 2741 Wed Jul 05 16:28:07 2006 534 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The user has not been granted the requested logon type at this machine Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2480 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1447 " 48348
20F 534 Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 22 04:39:40 MSWinLog 4 913 Wed Jul 22 04:39:38 2009 534 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Il n'a pas été accordé à l'utilisateur le type de session demandé sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : 32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 862

21 534 Win2000 Logon : Reason: The user has not been granted the requested logon type at this machine Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last

22 535 Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Sep 7 14:19:29 10.1.1.55 MSWinLog 0 security 67016 Thu Sep 07 14:19:28 2006 535 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: The specified account's password has expired Name: expire Domain: SQA Logon : 2 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 1344 Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 " 67016
22F 535 Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 6 08:52:46 MSWinLog 4 1422 Mon Jul 06 08:52:44 2009 535 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le mot de passe spécifié pour ce compte est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1366

23 535 Win2000 Logon : Reason: The specified account's password has expired Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last

24 536 Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
24F 536 Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 16 10:37:58 MSWinLog 4 177163 Thu Jul 16 10:37:21 2009 536 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le composant NetLogon n'est pas actif Nom de l'utilisateur : Meng Kangjian Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0

25 536 Win2000 Logon : Reason: The NetLogon component is not active Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last

26 537 Logon : Reason: An error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
26F 537 Logon : Reason: An error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
<13>Jul 17 08:07:50 MSWinLog 4 196324 Fri Jul 17 08:07:50 2009 537 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Erreur lors de l'ouverture de session Nom de l'utilisateur : Domaine : d'ouverture de session : 3 Processus d'ouv. de session : Kerberos Package d'authentification : Kerberos Nom de station de travail : - Code du statut : 0xC0000133 Code du sous-statut : 0x0 Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 195243

27 537 Win2000 Logon : Reason: An unexpected error occurred during logon Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last

28 538 Win2000 Description: Logoff: Name: %1 Logon : %3 Logon : %4 Logon/Logoff Last
<13>Jul 5 11:04:08 10.1.1.55 MSWinLog 0 security 1 Wed Jul 05 10:19:11 2006 538 qatest W2K3-LASSO Logon/Logoff " Logoff: Name: qatest Domain: SQA Logon : (0x0,0x2ABA3D) Logon : 5 " 45608

28F 538 Win2000 Description: Logoff: Name: %1 Logon : %3 Logon : %4 Logon/Logoff Last
<13>May 21 11:01:37 kkkkk-knbmq2eu3 MSWinLog 1 110 Thu May 21 11:01:37 2009 538 Administrateur KKKKK-KNBMQ2EU3 Ouverture/Fermeture de session Fermeture de la session utilisateur : Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0x74297) de session : 7 19
29 539 Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 5 16:34:07 10.1.1.55 MSWinLog 0 security 2803 Wed Jul 05 16:34:06 2006 539 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Logon : Reason: locked out Name: test Domain: SQA Logon : 10 Logon Process: 32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2304 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1455 " 48410

29F 539 Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13 Logon/Logoff Last
<13>Jul 17 03:30:03 MSWinLog 4 193000 Fri Jul 17 03:30:03 2009 539 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte verrouillé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 0.8.0.45 Port source : 0 192031

30 539 Win2000 Logon : Reason: locked out Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Logon/Logoff Last
31 540 ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
<13>Jul 5 11:04:08 10.1.1.55 MSWinLog 0 security 3 Wed Jul 05 10:19:59 2006 540 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "ful Network Logon: Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Logon : 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GU: {e6b578ec-aae0-9e50-b248-c2004fb821e8} Caller Name: - Caller Domain: - Caller Logon : - Caller Process : - Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 " 45610

31F 540 ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15 Logon/Logoff Last
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 15 Thu May 21 10:31:14 2009 540 ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Ouverture/Fermeture de session Ouverture de session réseau réussie : Utilisateur : Domaine : Id. de la session : (0x0,0xA565) de session : 3 Processus de session : NtLmSsp Package d'authentification : NTLM Nom de la station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 9

32 540 Win2000 ful Network Logon: Name: %1 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon/Logoff Last

33 548 Logon : Reason: Domain sid inconsistent Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Transited Services: %7 Last / Authentication
33F Échec de l'ouverture de session audit Access / Authentication/ Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59:55 2010548Administrator LOGLABS-2003FRA Suivi détaillééchec de l'ouverture de session : Raison : S du domaine incohérent Nom d'utilisateur : %1 Domaine : %2 d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de station de travail : %6 Services en transit : %7

34 548 Win2000 Logon : Reason: Domain sid inconsistent Name: %1 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Access / Last / Authentication

35 549 Logon : Reason: All sids were filtered out Name: %1 Logon : %3 Logon Process: %4 Authentication Package : %5 Workstation Name: %6 Access / Last / Authentication

35F 549 Échec de l'ouverture de session audit Access / Authentication/ Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59:55 2010549Administrator LOGLABS-2003FRA Suivi détaillééchec de l'ouverture de session : Raison : Tous les S étaient épuisés Utilisateur : %1 Domaine : %2 d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de la station de travail : %6

36 550 Notification message that could indicate a possible denial-of-service attack. Logon / Logoff Access / Last
37 551 initiated logoff: Name: %1 Logon : %3 formation / Access
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 619 Fri Aug 04 12:58:16 2006 551 Unknown N/A LOGLOGIC-SRV1 Logon/Logoff initiated logoff: Name: Administrator Domain: LOGLOGIC-SRV1 Logon : (0x0,0x14d2b) 23

37F 551 initiated logoff: Name: %1 Logon : %3 formation/ Access
<13>Jul 1 03:18:31 kkkkk-knbmq2eu3.foresta MSWinLog 4 3252 Wed Jul 01 03:18:31 2009 551 Administrateur KKKKK-KNBMQ2EU3 Ouverture/Fermeture de session Fermeture de session initiée par l'utilisateur : Utilisateur : Administrateur Domaine : FORESTA Id. d'ouv. de session : (0x0,0x260dd) 3228

38 552 Logon attempt using explicit credentials: Logged on user: Name: %1 Logon : %3 Logon GU: %4 whose credentials were used: Target Name: %5 Target Domain: %6 Target Logon GU: %7 Target Server Name: %8 Target Server fo: %9 Caller Process : %10 Source Network Address: %11 Source Port: %12 formation/ Last / Authentication
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 614 Fri Aug 04 12:30:37 2006 552 SYSTEM LOGLOGIC-SRV1 Logon/Logoff Logon attempt using explicit credentials: Logged on user: Name: LOGLOGIC-SRV1$ Domain: WORKGROUP Logon : (0x0,0x3E7) Logon GU: - whose credentials were used: Target Name: Administrator Target Domain: LOGLOGIC-SRV1 Target Logon GU: - Target Server Name: localhost Target Server fo: localhost Caller Process : 568 Source Network Address: 127.0.0.1 Source Port: 0 18

38F 552 Tentative d'ouverture de session en utilisant des informations d'identification explicites audit Access / Authentication/ Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59:55 2010552Administrator LOGLABS-2003FRA Suivi détaillétentative d'ouverture de session en utilisant des informations d'identification explicites : Utilisateur connecté : Nom d'utilisateur : %1 Domaine : %2 d'ouv. de session : %3 GU d'ouv. de session : %4 Utilisateur dont les informations d'identification ont été utilisées : Nom d'utilisateur cible : %5 Domaine cible : %6 GU d'ouv. de session cible : %7 Nom du serveur cible : %8 formations du serveur cible : %9 de processus appelant : %10 Adresse réseau source : %12 Port source : %13
39 560 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary Name: %9 Primary Domain: %10 Primary Logon : %11 Client Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18 Object Access Last
<13>Jul 5 15:58:59 10.1.1.55 MSWinLog 0 security 2074 Wed Jul 05 15:58:58 2006 560 qatest W2K3-LASSO Object Access "Object Open: Object Server: Object : Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\log\ Handle : 452 Operation : {0,17577785} Process : 3280 Image File Name: C:\WINDOWS\system32\mmc.exe Primary Name: qatest Primary Domain: SQA Primary Logon : (0x0,0x668A8) Client Name: - Client Domain: - Client Logon : - Accesses: Set key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2 " 47681

39F 560 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary Name: %9 Primary Domain: %10 Primary Logon : %11 Client Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18 Object Access Last
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 12 Tue Jun 30 10:42:33 2009 560 SYSTEM KKKKK-KNBMQ2EU3 Accès aux objets Objet ouvert Serveur de l'objet : de l'objet : Key Nom de l'objet : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\log\ Identificateur du handle : 204 Identificateur de l'opération : {0,1577787} Id. du processus : 2404 Nom du fichier image : C:\Program Files\Snare\SnareCore.exe Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id d'ouv. de session principale : (0x0,0x3E7) Utilisateur du client : - Domaine du client : - Id. d'ouv. de session client : - Accès : %%1538 %%4432 %%4433 %%4435 %%4436 Privilèges : - Nombre de S restreint : 0 Masque d'accès : 0x2001B 11

40 560 Win2000 Object Open: Object Server: %1 Object : %2 Object Name: %3 New Handle : %4 Operation : {%5,%6} Process : %7 Primary Name: %8 Primary Domain: %9 Primary Logon : %10 Client Name: %11 Client Domain: %12 Client Logon : %13 Accesses %14 Privileges %15 Object Access Last
41 562 The handle to an object was closed. Object Access Special Multi-use Subcategory Access / Last
MSWinLog 0 0 Tue Jul 21 8 59 57 2010 4658 Microsoft-Windows--ing Unknown hayward.loglabs08native.lab File The handle to an object was closed. Subject : : S-1-5-18 Name: HAYWARD$ Domain: LOGLABS08NATIVE Logon : 0x3e7 Object: Object Server: Handle : 0x1c0 Process formation: Process : 0x7e8 Process Name: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 51813549

42 563 Win2000 Object Open for Delete: Object Server: %1 Object : %2 Object Name: %3 New Handle : %4 Operation : {%5,%6} Process : %7 Primary Name: %8 Primary Domain: %9 Primary Logon : %10 Client Name: %11 Client Domain: %12 Client Logon : %13 Accesses %14 Privileges %15 Object Access Last

43 563 Object Open for Delete: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Primary Name: %8 Primary Domain: %9 Primary Logon : %10 Client Name: %11 Client Domain: %12 Client Logon : %13 Accesses: %14 Privileges: %15 Access Mask: %16 Object Access Last
43F 563 Objet ouvert pour suppression audit Access / Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59:55 2010563Administrator LOGLABS-2003FRA Suivi détailléobjet ouvert pour suppression : Serveur d'objet : %1 d'objet : %2 Nom de l'objet : %3 Identificateur du handle : %4 Identificateur de l'opération : {%5,%6} Id. du processus : %7 Utilisateur principal : %8 Domaine principal : %9 Id d'ouv. de session principale : %10 Utilisateur client : %11 Domaine client : %12 Id. d'ouv. de session client : %13 Accès : %14 Privilèges : %15 Masque d'accès : %16 17

44 564 Win2000 Object Deleted: Object Server: %1 Handle : %2 Process : %3 Object Access Last

45 564 Object Deleted: Object Server: %1 Handle : %2 Process : %3 Image File Name: %4 Object Access Last

45F 564 Object Deleted: Object Server: %1 Handle : %2 Process : %3 Image File Name: %4 Object Access Last
<13>Jul 23 09:21:20 MSWinLog 4 8498 Thu Jul 23 09:21:14 2009 564 Administrateur B0324-FR2003 Accès aux objets Objet supprimé : Serveur d'objet : Id. de handle : 1516 Id. de processus : 2544 Nom du fichier d'image : C:\WINDOWS\explorer.exe 8338
46 565 Win2000 Object Open: Object Server: %1 Object : %2 Object Name: %3 New Handle : %4 Operation : {%5,%6} Process : %7 Primary Name: %8 Primary Domain: %9 Primary Logon : %10 Client Name: %11 Client Domain: %12 Client Logon : %13 Accesses %14 Privileges %15 Properties:%16%17%18%19 %20%21%22%23%24%25 Directory Service Last

47 565 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary Name: %9 Primary Domain: %10 Primary Logon : %11 Client Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service Last
<13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 132 Wed Jul 05 10:54:02 2006 565 qatest W2K3-LASSO Directory Service Access "Object Open: Object Server: Manager Object : SAM_DOMAIN Object Name: DC=sqa,DC=loglogic,DC=com Handle : 88255624 Operation : {0,14101324} Process : 1424 Process Name: C:\WINDOWS\system32\lsass.exe Primary Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client Name: qatest Client Domain: SQA Client Logon : (0x0,0xD72AEE) Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters Create CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership Lists Privileges: - Properties: Access Mask: 0 " 45739
47F 565 Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary Name: %9 Primary Domain: %10 Primary Logon : %11 Client Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties:%17 Access Mask: %18 Directory Service Last
<13>Jun 30 10:43:21 kkkkk-knbmq2eu3.foresta MSWinLog 4 34 Tue Jun 30 10:43:14 2009 565 Unknown N/A KKKKK-KNBMQ2EU3 Accès Active Directory Manager 30

48 566 Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary Name: %6 Primary Domain: %7 Primary Logon : %8 Client Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional fo: %14 Additional fo2: %15 Access Mask: %16 Directory Service Last
<13>Jul 5 11:09:53 10.1.1.55 MSWinLog 0 security 306 Wed Jul 05 11:09:53 2006 566 SYSTEM Well Known Group W2K3-LASSO Directory Service Access "Object Operation: Object Server: DS Operation : Object Access Object : %{19195a5b-6da0-11d0-afd3-00c04fd930c9} Object Name: %{0d374542-7f4a-4f11-acdb-5a70b025bc6b} Handle : - Primary Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client Name: W2K3-LASSO$ Client Domain: SQA Client Logon : (0x0,0x59DBA) Accesses: Control Access Properties: Control Access Additional fo: Additional fo2: Access Mask: 0x100 " 45913
48F 566 Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary Name: %6 Primary Domain: %7 Primary Logon : %8 Client Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional fo: %14 Additional fo2: %15 Access Mask: %16 Directory Service Last
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 16 Tue Jun 30 10:42:33 2009 566 SYSTEM KKKKK-KNBMQ2EU3 Accès Active Directory Opération d'objet : Serveur d'objet : DS d'opération : Object Access d'objet : %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} Nom d'objet : %{4e9f93a1-5253-4632-be3c-781ee698fa35} de handle : - Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA d'ouv de session principale : (0x0,0x3E7) Nom d'utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA d'ouv de session client : (0x0,0x1813EA) Accès : %%7685 Propriétés : %%7685 %{771727b1-31b8-4cdf-ae62-4fe39fadf89e} %{bf967a76-0de6-11d0-a285-00aa003049e2} %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} formations additionnelles : formations additionnelles 2 : Masque d'accès : 0x20 15

49 566 Win2000 Object Operation: Operation %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Primary Name: %7 Primary Domain: %8 Primary Logon : %9 Client Name: %10 Client Domain: %11 Client Logon : %12 Requested Accesses %13 Directory Service Last

50 567 An attempt was made to access an object Object Access audit Access / Last
<13>Aug 8 09:26:00 10.116.29.15 MSWinLog 0 530 Fri Aug 04 12:08:23 2006 567 LOCAL SERVICEWell Known Group MACHINENAME Logon/Logoff Object Access Attempt: Object Server: Handle : 9780 Object : File Process : 904 Image File Name: C:\WINDOWS\system32\svchost.exe Accesses: WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipestance) Access Mask: 0x6 2
51 576 Special privileges assigned to new logon: Name: %1 Logon : %3 Privileges: %4 Privilege Use Last
<13>Jul 5 11:04:08 10.1.1.55 MSWinLog 0 security 2 Wed Jul 05 10:19:59 2006 576 SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Special privileges assigned to new logon: Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Privileges: SePrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege " 45609

52 576 Win2000, Special privileges assigned to new logon: Name: %1 Logon : %3 Assigned: %4 Privilege Use Last

52F 576 Special privileges assigned to new logon: Name: %1 Logon : %3 Assigned: %4 Privilege Use Last
<13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 5 Tue Jun 30 10:42:33 2009 576 SYSTEM KKKKK-KNBMQ2EU3 Utilisation d'un privilège Privilèges spéciaux assignés à la nouvelle session : Utilisateur : KKKKK-KNBMQ2EU3$ Domaine : FORESTA Id. de la session : (0x0,0x18126D) Privilèges : SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege 4

53 577 Win2000, Privileged Service Called. Privilege Use Last
<13>Jul 5 15:58:05 10.1.1.55 MSWinLog 0 security 2054 Wed Jul 05 15:58:04 2006 577 SYSTEM Well Known Group W2K3-LASSO Privilege Use "Privileged Service Called: Server: NT Local Authority / Authentication Service Service: LsaRegisterLogonProcess() Primary Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client Name: W2K3-LASSO$ Client Domain: SQA Client Logon : (0x0,0x3E7) Privileges: SeTcbPrivilege " 47661
53F 577 Privileged Service Called. Privilege Use Last
<13>Jun 30 10:43:21 kkkkk-knbmq2eu3.foresta MSWinLog 4 37 Tue Jun 30 10:43:14 2009 577 SYSTEM KKKKK-KNBMQ2EU3 Utilisation d'un privilège Service privilégié appelé : Serveur : NT Local Authority / Authentication Service Service : LsaRegisterLogonProcess() Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id. de session principale : (0x0,0x3E7) Utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA Id. de la session cliente : (0x0,0x3E7) Privilèges : SeTcbPrivilege 33

54 578 Win2000, Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary Name: %4 Primary Domain: %5 Primary Logon : %6 Client Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10 Privilege Use Last

54F 578 Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary Name: %4 Primary Domain: %5 Primary Logon : %6 Client Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10 Privilege Use Last
<13>Jul 1 10:20:25 10.8.0.39 MSWinLog 0 255 Wed Jul 01 09:51:14 2009 578 Administrateur B0324-FR2003 Utilisation d'un privilège Opération sur objet privilégié : Serveur objet : Handle d'objet : 224 Id. de processus : 1084 Utilisateur principal : Administrateur Domaine principal : B0324-FR2003 Id. de session principale : (0x0,0xC08C) Utilisateur client : - Domaine client : - Id. de la session cliente : - Privilèges : SeTakeOwnershipPrivilege 104

55 592 Win2000, A new process has been created. Detailed Tracking Last
<13>Jul 5 15:57:48 10.1.1.55 MSWinLog 0 security 2050 Wed Jul 05 15:57:46 2006 592 SYSTEM Well Known Group W2K3-LASSO Detailed Tracking "A new process has been created: New Process : 4040 Image File Name: C:\WINDOWS\system32\userinit.exe Creator Process : 1344 Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0x3E7) " 47657
55F 592 A new process has been created. Detailed Tracking Last
<13>May 21 09:39:35 kkkkk-knbmq2eu3 MSWinLog 0 2 Thu May 21 09:39:35 2009 592 Administrateur KKKKK-KNBMQ2EU3 Suivi détaillé Un nouveau processus a été créé : Id. du nouveau processus : 948 Nom du fichier image : C:\WINDOWS\system32\cmd.exe Id. du processus créateur : 1536 Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0xB1AE) 0

56 593 A process has exited: Process : %1 Image File Name: %2 Name: %3 Domain: %4 Logon : %5 Detailed Tracking Last
<13>Jul 5 15:57:48 10.1.1.55 MSWinLog 0 security 2051 Wed Jul 05 15:57:46 2006 593 SYSTEM Well Known Group W2K3-LASSO Detailed Tracking "A process has exited: Process : 4040 Image File Name: C:\WINDOWS\system32\userinit.exe Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0x3E7) " 47658

56F 593 A process has exited: Process : %1 Image File Name: %2 Name: %3 Domain: %4 Logon : %5 Detailed Tracking Last
<13>May 21 09:39:44 kkkkk-knbmq2eu3 MSWinLog 0 3 Thu May 21 09:39:37 2009 593 Administrateur KKKKK-KNBMQ2EU3 Suivi détaillé Un processus est terminé : Id. du processus : 948 Nom du fichier image : C:\WINDOWS\system32\cmd.exe Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. d'ouv. de session : (0x0,0xB1AE) 1

57 593 Win2000 A process has exited: Process : %1 Name: %2 Domain: %3 Logon : %4 Detailed Tracking Last

58 594 Win2000, An attempt was made to duplicate a handle to an object Process Tracking Last
<13>Aug 8 09:26:00 10.116.29.15 MSWinLog41768Wed Feb 14 02:12:23 2007594 Administrator ll-a155d4 Logon/LogoffA handle to an object has been duplicated Source Handle : 345 Source Process : 345 Target Handle : 3453 Target Process : 34512
59 595 direct access to an object has been obtained: Object : %1 Object Name: %2 Process : %3 Primary Name: %4 Primary Domain: %5 Primary Logon : %6 Client Name: %7 Client Domain: %8 Client Logon : %9 Accesses: %10 Access Mask: %11 Detailed Tracking Last

59F 595 Un accès indirect à un objet a été obtenu audit Access / Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59:55 2010595Administrator LOGLABS-2003FRA Suivi détailléun accès indirect à un objet a été obtenu : d'objet : %1 Nom d'objet : %2 Id. de processus : %3 Utilisateur principal : %4 Domaine principal : %5 Id. de session principale : %6 Utilisateur client : %7 Domaine client : %8 Id. de la session cliente : %9 Accès : %10 Masque d'accès : %11

60 595 Win2000 direct access to an object has been obtained: Object : %1 Object Name: %2 Process : %3 Primary Name: %4 Primary Domain: %5 Primary Logon : %6 Client Name: %7 Client Domain: %8 Client Logon : %9 Accesses: %10 Detailed Tracking Last
61 600 A process was assigned a primary token. Assigning Process formation: Process : %1 Image File Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 New Process formation: Process : %6 Image File Name: %7 Target Name: %8 Target Domain: %9 Target Logon : %10 formation/ Last
<13>Aug 9 14:01:41 10.116.28.102 MSWinLog 0 27691 Tue Aug 08 14:26:07 2006 600 SYSTEM LOGLOGIC-SRV1 Detailed Tracking A process was assigned a primary token. Assigning Process formation: Process : 840 Image File Name: C:\WINDOWS\system32\svchost.exe Primary Name: LOGLOGIC-SRV1$ Primary Domain: LOGLOGIC Primary Logon : (0x0,0x3E7) New Process formation: Process : 2824 Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe Target Name: NETWORK SERVICE Target Domain: NT AUTHORITY Target Logon : (0x0,0x3E4) 26624

61F 600 A process was assigned a primary token. Assigning Process formation: Process : %1 Image File Name: %2 Primary Name: %3 Primary Domain: %4 Primary Logon : %5 New Process formation: Process : %6 Image File Name: %7 Target Name: %8 Target Domain: %9 Target Logon : %10 formation/ Last
<13>Jun 30 10:54:59 kkkkk-knbmq2eu3.foresta MSWinLog 4 90 Tue Jun 30 10:54:59 2009 600 SYSTEM KKKKK-KNBMQ2EU3 Suivi détaillé Un jeton principal a été attribué à un processus. formations sur l'attribution de processus : Id. du processus : 392 Nom du fichier image : C:\WINDOWS\system32\winlogon.exe Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA d'ouv de session principale : (0x0,0x3E7) formations de nouveau processus : de processus : 2692 Nom du fichier image : C:\WINDOWS\system32\logon.scr Nom d'utilisateur cible : Administrateur Domaine cible : FORESTA d'ouv de session : (0x0,0x260DD) 82

62 608 Right Assigned: Right: %1 Assigned To: %2 Assigned By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
<13>Jul 6 16:22:33 10.1.1.55 MSWinLog 0 security 12161 Thu Jul 06 16:22:31 2006 608 qatest W2K3-LASSO Policy Change " Right Assigned: Right: SeCreateGlobalPrivilege Assigned To: %{S-1-5-21-1578117074-177915290-4279395478-1132} Assigned By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) " 57768
62F 608 Right Assigned: Right: %1 Assigned To: %2 Assigned By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
<13>Jun 30 08:30:37 kkkkk-knbmq2eu3 MSWinLog 3 246 Tue Jun 30 08:30:32 2009 608 Administrateur KKKKK-KNBMQ2EU3 Changement de stratégie Droit assigné à l'utilisateur : Droit assigné à l'utilisateur : SeAssignPrimaryTokenPrivilege Assigné à : %{S-1-5-21-4199537000-1147309911-3789607300-1013} Assigné par : Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0x13261) 45

63 609 Win2000, Right Removed. Policy Change Last
<13>Jul 6 16:22:55 10.1.1.55 MSWinLog 0 security 12165 Thu Jul 06 16:22:54 2006 609 qatest W2K3-LASSO Policy Change " Right Removed: Right: SeCreateGlobalPrivilege Removed From: %{S-1-5-21-1578117074-177915290-4279395478-1132} Removed By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) " 57772

63F 609 Right Removed. Policy Change Last
<13>Jun 30 08:49:01 kkkkk-knbmq2eu3 MSWinLog 3 52 Tue Jun 30 08:48:56 2009 609 SYSTEM KKKKK-KNBMQ2EU3 Changement de stratégie Droit de l'utilisateur supprimé : Droit de l'utilisateur : SetimePrivilege SeShutdownPrivilege SeProfileSingleProcessPrivilege SeChangeNotifyPrivilege SeUndockPrivilege Supprimé de : %{S-1-5-32-547} Supprimé par : Utilisateur : KKKKK-KNBMQ2EU3$ Domaine : WORKGROUP Id. de la session : (0x0,0x3E7) 22

64 610 Win2000 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
65 610 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change Last
<13>Jul 6 16:48:51 10.1.1.55 MSWinLog 0 security 12350 Thu Jul 06 16:48:50 2006 610 qatest W2K3-LASSO Policy Change "New Trusted Domain: Domain Name: loglogic.sbs Domain : - Established By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) Trust : 3 Trust Direction: 3 Trust Attributes: 1 S Filtering: Disabled " 57957

65F 610 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change Last
<13>Jul 22 07:32:28 MSWinLog 4 2039 Wed Jul 22 07:32:23 2009 610 Administrateur B0324-FR2003 Changement de stratégie Nouveau domaine approuvé : Nom du domaine : abc.com Id. du domaine : %{S-1-5-21-1893538592-169538710-3728419160} Établi par : Utilisateur : Administrateur Domaine : DOMAIN Id. de la session : (0x0,0x3EAB48) d'approbation : 2 Direction de l'approbation : 1 Attributs de l'approbation : 0 Filtrage S : %%1796 1974

66 611 Trusted Domain Removed: Domain Name: %1 Domain : %2 Removed By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
<13>Jul 6 16:59:13 10.1.1.55 MSWinLog 0 security 12438 Thu Jul 06 16:59:12 2006 611 qatest W2K3-LASSO Policy Change "Trusted Domain Removed: Domain Name: loglogic.sbs Domain : - Removed By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) " 58045

66F 611 Trusted Domain Removed: Domain Name: %1 Domain : %2 Removed By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
<13>Jul 22 07:35:25 MSWinLog 4 2053 Wed Jul 22 07:35:17 2009 611 Administrateur B0324-FR2003 Changement de stratégie Domaine approuvé supprimé : Nom du domaine : ABC Id. du domaine : %{S-1-5-21-1893538592-169538710-3728419160} Supprimé par : Utilisateur : Administrateur Domaine : DOMAIN Id. de la session : (0x0,0x3EAB48) 1988

67 611 Win2000 Removing Trusted Domain: Domain Name: %1 Domain : %2 Removed By: Name: %3 Domain: %4 Logon : %5 Policy Change Last
68 612 Win2000, Policy Change. Policy Change Last
<13>Jul 5 15:57:48 10.1.1.55 MSWinLog 0 security 2049 Wed Jul 05 15:57:46 2006 612 SYSTEM Well Known Group W2K3-LASSO Policy Change " Policy Change: New Policy: + + Logon/Logoff + + Object Access + + Privilege Use + + + + Policy Change + + + + Detailed Tracking + + Directory Service Access + + Logon Changed By: Name: W2K3-LASSO$ Domain Name: SQA Logon : (0x0,0x3E7) " 47656

68F 612 Policy Change. Policy Change Last
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 3 8 Thu May 21 10:31:06 2009 612 SYSTEM KKKKK-KNBMQ2EU3 Changement de stratégie Modification de la stratégie d'audit : Nouvelle stratégie : Succès Échec + - Ouvertures/Fermetures de session - - Accès aux objets - - Utilisation d'un privilège + + Gestion des comptes + + Changement de stratégie + + Système + + Suivi détaillé - - Accès Active Directory + - Connexion au compte Modifié par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom du domaine : WORKGROUP Id. de la session : (0x0,0x3E7) 2

69 617 Win2000, Kerberos Policy Changed: Changed By: Name: %1 Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4. Policy Change Last
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 170 Thu Jun 29 14:56:31 2006 617 SYSTEM Well Known Group W2K3-LASSO Policy Change "Kerberos Policy Changed: Changed By: Name: W2K3-LASSO$ Domain Name: SQA Logon : (0x0,0x3E7) Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0xa09b800000000 (none); " 254
69F 617 Kerberos Policy Changed: Changed By: Name: %1 Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4. Policy Change Last
<13>Jun 30 09:27:33 kkkkk-knbmq2eu3.foresta MSWinLog 3 236 Tue Jun 30 09:27:24 2009 617 SYSTEM KKKKK-KNBMQ2EU3 Changement de stratégie Stratégie Kerberos modifiée : Modifiée par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine : FORESTA Id. d'ouv. de session : (0x0,0x3E7) Modifications effectuées : ('--' signifie aucune modification, sinon chaque modification est affichée sous la forme : <NomParamètre> : <nouvelle valeur> (<ancienne valeur>)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0xa05b000000000 (none); 203

70 618 Win2000, Encrypted Data Recovery Policy Changed: Changed By: Name: %1 Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4 Policy Change Last

70F 618 Encrypted Data Recovery Policy Changed: Changed By: Name: %1 Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4 Policy Change Last
<13>Jun 26 04:33:24 kkkkk-knbmq2eu3 MSWinLog 3 132 Fri Jun 26 04:33:24 2009 618 SYSTEM KKKKK-KNBMQ2EU3 Changement de stratégie Stratégie de récupération de données cryptées modifiée : Modifiée par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine : WORKGROUP Id. d'ouv. de session : (0x0,0x3E7) Modifications effectuées : ('--' signifie aucune modification, sinon chaque modification est affichée sous la forme : <NomParamètre> : <nouvelle valeur> (<ancienne valeur>)) -- 88

71 619 Win2000, Quality of Service Policy Changed Changed By. Policy Change Last
72 620 Trusted Domain formation Modified: Domain Name: %1 Domain : %2 Modified By: Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change Last
<13>Jul 7 14:11:30 10.1.1.55 MSWinLog 0 security 58041 Thu Jul 06 16:59:10 2006 620 qatest W2K3-LASSO Policy Change "Trusted Domain formation Modified: Domain Name: - Domain : - Modified By: Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) Trust : - Trust Direction: 1 Trust Attributes: - S Filtering: - " 58041

72F 620 Trusted Domain formation Modified: Domain Name: %1 Domain : %2 Modified By: Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change Last
<13>Jul 22 08:07:47 MSWinLog 4 2297 Wed Jul 22 08:07:40 2009 620 Administrateur B0324-FR2003 Changement de stratégie formations sur le domaine approuvé modifiées : Nom de domaine : - Id. de domaine : %{S-1-5-21-1893538592-169538710-3728419160} Modifié par : Utilisateur : Administrateur Domaine : DOMAIN Id. d'ouv. de session : (0x0,0x3EAB48) d'approbation : - Direction de l'approbation : 3 Attributs de l'approbation : - Filtrage S: - 2228

73 620 Win2000 Trusted Domain formation Modified: Domain Name: %1 Domain : %2 Modified By: Name: %3 Domain: %4 Logon : %5 Policy Change Last

74 621 Access Granted: Access Granted: %4 Modified: %5 Assigned By: Name: %1 Logon : %3 formation/ Last

74F 621 Access Granted: Access Granted: %4 Modified: %5 Assigned By: Name: %1 Logon : %3 formation/ Last
<13>Jul 1 10:20:50 10.8.0.39 MSWinLog 0 7891 Wed Jul 01 10:18:46 2009 621 Administrateur B0324-FR2003 Changement de stratégie Accès sécurité système accordé : Accès accordé : SeServiceLogonRight Compte modifié : %{S-1-5-21-30331043-1043570551-1080916408-500} Attribué par : Utilisateur : Administrateur Domaine : B0324-FR2003 d'ouv. de session : (0x0,0xAFD9) 7740
75 622 Access Removed: Access Removed: %4 Modified: %5 Removed By: Name: %1 Logon : %3 formation/ Last

75F 622 Access Removed: Access Removed: %4 Modified: %5 Removed By: Name: %1 Logon : %3 formation/ Last
<13>Jul 1 09:58:39 b0324-fr2003 MSWinLog 4 61 Wed Jul 01 09:58:39 2009 622 Administrateur B0324-FR2003 Changement de stratégie Accès de sécurité système supprimé : Accès supprimé : SeNetworkLogonRight Compte modifié : %{S-1-1-0} Supprimé par : Utilisateur : Administrateur Domaine : B0324-FR2003 Id. d'ouv. de session : (0x0,0xAFD9) 43

76 624 Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 Control: %22 Parameters: %23 Sid History: %24 Logon Hours: %25 Last
<13>Jul 5 12:15:31 10.1.1.55 MSWinLog 0 security 698 Wed Jul 05 12:15:31 2006 624 qatest W2K3-LASSO " Created: New Name: test New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-1125} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges - Attributes: Sam Name: test Display Name: hg ghf. gf Principal Name: test@sqa.loglogic.com Home Directory: - Home Drive: - Script Path: - Profile Path: - Workstations: - Password Last Set: <never> Expires: <never> Primary Group : 513 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x15 Control: Parameters: - Sid History: - Logon Hours: <value not set> " 46305
76F 624 Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 Control: %22 Parameters: %23 Sid History: %24 Logon Hours: %25 Last
<13>May 21 09:47:06 kkkkk-knbmq2eu3 MSWinLog 2 17 Thu May 21 09:47:06 2009 624 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur créé : Nom du nouveau compte : loglogic Nouveau domaine : KKKKK-KNBMQ2EU3 Id. du nouveau compte : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) Privilèges : - Attributs : Nom du compte SAM : loglogic Nom affiché : %%1793 Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : %%1794 Le compte expire le : %%1794 de groupe principal : 513 Délégué autorisé : - Précédente valeur UAC : 0x132180 Nouvelle valeur UAC : 0x132180 Contrôle du compte utilisateur (UAC) : - Paramètres utilisateurs : %%1793 Historique S : - Heures d'ouverture de session : %%1792 10

77 624 Win2000 Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Last

78 625 Win2000 Change. Last

79 626 Win2000, Enabled: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 166 Wed Jul 05 11:00:23 2006 626 qatest W2K3-LASSO " Enabled: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1121} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " 45773
79F 626 Enabled: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 166 Wed Jul 05 11:00:23 2006 626 qatest W2K3-LASSO " Enabled: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1121} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " 45773

80 627 Win2000, Change Password Attempt: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 5 12:28:01 10.1.1.55 MSWinLog 0 security 826 Wed Jul 05 12:28:01 2006 627 SYSTEM Well Known Group W2K3-LASSO "Change Password Attempt: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1125} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - " 46433

80F 627 Change Password Attempt: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 26 03:42:34 kkkkk-knbmq2eu3 MSWinLog 2 63 Fri Jun 26 03:42:34 2009 627 SYSTEM KKKKK-KNBMQ2EU3 Gestion des comptes Tentative de changement de mot de passe : Nom du compte cible : test Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1010} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de la session appelante : (0x0,0x3E7) Privilèges : - 33

81 628 Win2000, password set: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 5 12:15:32 10.1.1.55 MSWinLog 0 security 702 Wed Jul 05 12:15:31 2006 628 qatest W2K3-LASSO " password set: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1125} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " 46309
81F 628 password set: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Last
<13>May 21 09:47:07 kkkkk-knbmq2eu3 MSWinLog 2 20 Thu May 21 09:47:06 2009 628 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Établissement d'un mot de passe de compte d'utilisateur : Nom du compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) 13

82 629 Win2000, Disabled: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 formation/ Last
<13>Aug 9 18:11:46 10.116.28.102 MSWinLog 0 26835 Tue Aug 08 13:01:36 2006 629 Unknown N/A LOGLOGIC-SRV1 Disabled: Target Name: AAA$ Target Domain: LOGLOGIC Target : %{S-1-5-21-1454988305-2637349178-1245076292-1113} Caller Name: administrator Caller Domain: LOGLOGIC Caller Logon : (0x0,0xC25B9) 25689

82F 629 Disabled: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 formation/ Last
<13>Jun 26 03:36:33 kkkkk-knbmq2eu3 MSWinLog 2 43 Fri Jun 26 03:36:30 2009 629 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur désactivé : Nom du compte cible : test Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1010} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x100D3) 24

83 630 Win2000, Deleted. Last
<13>Jul 5 12:14:57 10.1.1.55 MSWinLog 0 security 693 Wed Jul 05 12:14:56 2006 630 qatest W2K3-LASSO " Deleted: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1121} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 46300
83F 630 Deleted. Last
<13>May 21 09:51:28 kkkkk-knbmq2eu3 MSWinLog 2 30 Thu May 21 09:51:13 2009 630 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur supprimé : Nom du compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) Privilèges : - 22

84 631 Enabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 41 Thu Jun 29 14:54:32 2006 631 ANONYMOUS LOGON Well Known Group W2K3-LASSO " Enabled Global Group Created: New Name: Domain Computers New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-515} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Attributes: Sam Name: Domain Computers Sid History: - " 125

84F 631 Enabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 22 Tue Jun 30 09:20:18 2009 631 ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée créé : Nouveau nom de compte : Ordinateurs du domaine Nouveau domaine : FORESTA Id. du nouveau compte : %{S-1-5-21-4199537000-1147309911-3789607300-515} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs : Nom du compte SAM : Ordinateurs du domaine Historique S : - 21
85 631 Win2000 Enabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

86 632 Win2000, Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 79 Thu Jun 29 14:54:37 2006 632 ANONYMOUS LOGON Well Known Group W2K3-LASSO " Enabled Global Group Member Added: Member Name: - Member : %{S-1-5-21-1578117074-177915290-4279395478-500} Target Name: Domain Admins Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-512} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - " 163

86F 632 Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>May 21 09:47:06 kkkkk-knbmq2eu3 MSWinLog 2 16 Thu May 21 09:47:06 2009 632 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe global de sécurité activée ajouté : Nom du membre : - Id. du membre : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Nom de compte cible : Aucun Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-513} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - 9
87 633 Win2000, Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:30:12 10.1.1.55 MSWinLog 0 security 466 Thu Jun 29 15:30:11 2006 633 qatest W2K3-LASSO " Enabled Global Group Member Removed: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: test123 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1113} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 550

87F 633 Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>May 21 09:42:29 kkkkk-knbmq2eu3 MSWinLog 2 11 Thu May 21 09:42:29 2009 633 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe global de sécurité activée supprimé : Nom du membre : - Id. du membre : %{S-1-5-21-4199537000-1147309911-3789607300-1003} Nom de compte cible : Aucun Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-513} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB1AE) Privilèges : - 4

88 634 Win2000, Enabled Global Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 29 15:35:27 10.1.1.55 MSWinLog 0 security 497 Thu Jun 29 15:35:26 2006 634 qatest W2K3-LASSO " Enabled Global Group Deleted: Target Name: test123 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1113} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 581
88F 634 Enabled Global Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:06:49 MSWinLog 4 3792 Thu Jul 02 08:06:49 2009 634 Administrateur B0324-FR2003 Gestion des comptes Groupe global de sécurité activée supprimé : Nom de compte cible : qdsfqd Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1119} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3628

89 635 Enabled Local Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 20 Thu Jun 29 14:54:30 2006 635 SYSTEM Well Known Group W2K3-LASSO " Enabled Local Group Created: New Name: Print Operators New Domain: Builtin New : %{S-1-5-32-550} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Attributes: Sam Name: Print Operators Sid History: - " 104

89F 635 Enabled Local Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 25 09:24:48 kkkkk-knbmq2eu3 MSWinLog 2 85 Thu Jun 25 09:24:48 2009 635 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée créé : Nom du nouveau compte : qsdsqd Nouveau domaine : KKKKK-KNBMQ2EU3 Id. du nouveau compte : %{S-1-5-21-4199537000-1147309911-3789607300-1006} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - Attributs : Nom du compte SAM : qsdsqd Historique S : - 42

90 635 Win2000 Enabled Local Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
91 636 Win2000, Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 5 11:07:49 10.1.1.55 MSWinLog 0 security 300 Wed Jul 05 11:07:48 2006 636 qatest W2K3-LASSO " Enabled Local Group Member Added: Member Name: CN=testt,CN=s,DC=sqa,DC=loglogic,DC=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1121} Target Name: s Target Domain: Builtin Target : %{S-1-5-32-545} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 45907

91F 636 Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>May 21 09:49:36 kkkkk-knbmq2eu3 MSWinLog 2 24 Thu May 21 09:49:36 2009 636 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe local de sécurité activée ajouté : Nom du membre : - Id. du membre : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Nom de compte cible : Administrateurs Domaine cible : Builtin Id. du compte cible : %{S-1-5-32-544} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - 17

92 637 Win2000, Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 5 15:44:05 10.1.1.55 MSWinLog 0 security 1949 Wed Jul 05 15:44:05 2006 637 qatest W2K3-LASSO " Enabled Local Group Member Removed: Member Name: CN=hg ghf. gf,cn=s,dc=sqa,dc=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1125} Target Name: Administrators Target Domain: Builtin Target : %{S-1-5-32-544} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x668A8) Privileges: - " 47556
92F 637 Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>May 21 09:50:00 kkkkk-knbmq2eu3 MSWinLog 2 25 Thu May 21 09:49:36 2009 637 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe local de sécurité activée supprimé : Nom du membre : - Id. du membre : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Nom de compte cible : Utilisateurs Domaine cible : Builtin Id. du compte cible : %{S-1-5-32-545} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - 18

93 638 Win2000, Enabled Local Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7. Last
<13>Jun 29 16:10:01 10.1.1.55 MSWinLog 0 security 799 Thu Jun 29 16:09:59 2006 638 qatest W2K3-LASSO " Enabled Local Group Deleted: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1123} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 883

93F 638 Enabled Local Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7. Last
<13>Jun 25 09:24:56 kkkkk-knbmq2eu3 MSWinLog 2 87 Thu Jun 25 09:24:52 2009 638 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Groupe local de sécurité activée supprimé : Nom de compte cible : qsdsqd Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1006} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - 44

94 639 Enabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 5 11:07:49 10.1.1.55 MSWinLog 0 security 299 Wed Jul 05 11:07:48 2006 639 qatest W2K3-LASSO " Enabled Local Group Changed: Target Name: s Target Domain: Builtin Target : %{S-1-5-32-545} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: - Sid History: - " 45906
94F 639 Enabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 25 09:24:48 kkkkk-knbmq2eu3 MSWinLog 2 86 Thu Jun 25 09:24:48 2009 639 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Groupe local de sécurité activée modifié : Nom de compte cible : qsdsqd Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1006} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 43

95 639 Win2000 Enabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

96 640 Win2000, General Database Change. Last

96F 640 Modification de la base de données des comptes généraux audit Access / Last / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog035Mon Mar 01 16:59:55 2010640Administrator LOGLABS-2003FRA Suivi détaillémodification de la base de données des comptes généraux : de modification : %1 d'objet : %2 Nom d'objet : %3 Id. de l'objet : %4 Utilisateur appelant : %5 Domaine appelant : %6 Id. de la session appelante : %7
97 641 Enabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 42 Thu Jun 29 14:54:33 2006 641 ANONYMOUS LOGON Well Known Group W2K3-LASSO " Enabled Global Group Changed: Target Name: Domain Computers Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-515} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Sid History: - " 126

97F 641 Enabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 23 Tue Jun 30 09:20:18 2009 641 ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée modifié : Nom de compte cible : Ordinateurs du domaine Domaine cible : FORESTA Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-515} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 22

98 641 Win2000 Enabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
99 642 Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 Control: %23 Parameters: %24 Sid History: %25 Logon Hours: %26 Last
<13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 165 Wed Jul 05 11:00:23 2006 642 qatest W2K3-LASSO " Changed: Target Name: testt Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1121} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: - Display Name: - Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x10 Control: Parameters: - Sid History: - Logon Hours: - " 45772

99F 642 Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 Control: %23 Parameters: %24 Sid History: %25 Logon Hours: %26 Last
<13>May 21 09:47:07 kkkkk-knbmq2eu3 MSWinLog 2 19 Thu May 21 09:47:06 2009 642 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur modifié : Nom de compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - Attributs modifiés : Nom du compte SAM : loglogic Nom affiché : loglogic Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : 21/05/2009 09:47:06 Le compte expire le : %%1794 de groupe principal : 513 Délégué autorisé : - Précédente valeur UAC : 0x132180 Nouvelle valeur UAC : 0x132180 Contrôle du compte utilisateur (UAC) : - Paramètres utilisateurs : - Historique S : - Heures d'ouverture de session : %%1792 12
100 642 Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last

101 643 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM formation: %20 Last
<13>Jul 5 12:27:43 10.1.1.55 MSWinLog 0 security 816 Wed Jul 05 12:27:43 2006 643 SYSTEM Well Known Group W2K3-LASSO "Domain Policy Changed: Lockout Policy modified Domain Name: SQA Domain : %{S-1-5-21-1578117074-177915290-4279395478} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Min. Password Age: - Max. Password Age: - Force Logoff: - Lockout Threshold: 5 Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: - Machine Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM formation: - " 46423
101F 643 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM formation: %20 Last
<13>Jun 30 09:27:33 kkkkk-knbmq2eu3.foresta MSWinLog 2 233 Tue Jun 30 09:27:24 2009 643 SYSTEM KKKKK-KNBMQ2EU3 Gestion des comptes Stratégie de domaine modifiée : Stratégie de mot de passe modifié Domaine : FORESTA Id. de domaine : %{S-1-5-21-4199537000-1147309911-3789607300} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de la session appelante : (0x0,0x3E7) Privilèges : - Attributs modifiés : Âge minimal du mot de passe : 86400 Âge maximal du mot de passe : - Fermeture de session forcée : - Seuil de verrouillage : - Fenêtre d'observation du verrouillage : - Durée du verrouillage : - Propriétés du mot de passe : 1 Longueur minimale du mot de passe : 7 Longueur de l'historique de mot de passe : 24 Quota de comptes ordinateurs : - Mode domaine mixte : - Version de comportement du domaine : - formations OEM : - 200

102 643 Win2000 Domain Policy Changed: %1 modified Domain : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

103 644 Win2000, Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 5 12:28:43 10.1.1.55 MSWinLog 0 security 833 Wed Jul 05 12:28:43 2006 644 SYSTEM Well Known Group W2K3-LASSO " Locked Out: Target Name: test Target : %{S-1-5-21-1578117074-177915290-4279395478-1125} Caller Machine Name: W2K3-LASSO Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) " 46440
103F 644 Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Name: %4 Caller Logon : %6 Last
<13>Jul 17 03:29:48 MSWinLog 4 192984 Fri Jul 17 03:29:45 2009 644 SYSTEM B0324-FR2003 Gestion des comptes Compte d'utilisateur verrouillé : Nom du compte cible : test du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1135} Nom de l'ordinateur appelant : B0324-MENGKJ Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) 192015

104 645 Computer Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 Control: %22 Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 Last
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 33 Thu Jun 29 14:54:31 2006 645 ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Created: New Name: W2K3-LASSO$ New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-1012} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges - Attributes: Sam Name: W2K3-LASSO$ Display Name: <value not set> Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> Workstations: <value not set> Password Last Set: <never> Expires: <never> Primary Group : 516 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x105 Control: Parameters: <value changed, but not displayed> Sid History: -Logon Hours:- DNS Host Name:- Service Principal Names: -" 0
104F 645 Computer Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 Control: %22 Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 14 Tue Jun 30 09:20:16 2009 645 ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'ordinateur créé : Nom du nouveau compte : KKKKK-KNBMQ2EU3$ Nouveau domaine : FORESTA Id. du nouveau compte : %{S-1-5-21-4199537000-1147309911-3789607300-1016} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs : Nom du compte SAM : KKKKK-KNBMQ2EU3$ Nom affiché : %%1793 Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : %%1794 Le compte expire le : %%1794 de groupe principal : 516 Délégué autorisé : - Précédente valeur UAC : 0x0 Nouvelle valeur UAC : 0x105 Contrôle du compte utilisateur (UAC) : %%2080 %%2082 %%2088 Paramètres utilisateurs : %%1792 Historique S : - Heures d'ouverture de session : %% 13

105 645 Win2000 Computer Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges %7 Last
106 646 Win2000, Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 35 Thu Jun 29 14:54:31 2006 646 ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Changed: - Target Name: W2K3-LASSO$ Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1012} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Display Name: - Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x105 New UAC Value: 0x2100 Control: Parameters: - Sid History: - Logon Hours: - DNS Host Name: - Service Principal Names: - " 119

106F 646 Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 16 Tue Jun 30 09:20:16 2009 646 ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'ordinateur modifié : - Nom de compte cible : KKKKK-KNBMQ2EU3$ Domaine cible : FORESTA Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1016} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs modifiés : Nom du compte SAM : - Nom affiché : - Nom principal utilisateur : - Répertoire de base : - Lecteur de base : - Chemin d'accès au script : - Chemin d'accès au profil : - Stations de travail utilisateur : - Dernière modification du mot de passe le : - Le compte expire le : - de groupe principal : - Délégué autorisé : - Précédente valeur UAC : 0x105 Nouvelle valeur UAC : 0x2100 Contrôle du compte utilisateur (UAC) : %%2048 %%2050 %%2093 Paramètres utilisateurs : - Historique S : - Heures d'ouverture de session : - Nom d'hôte DNS : - Noms principaux d 15
107 646 Win2000, Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 Control: %23 Parameters: %24 Sid History: %25 Logon Hours: %26 DNS Host Name: %27 Service Principal Names: %28 Last
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 35 Thu Jun 29 14:54:31 2006 646 ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Changed: - Target Name: W2K3-LASSO$ Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1012} Caller Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Display Name: - Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x105 New UAC Value: 0x2100 Control: Parameters: - Sid History: - Logon Hours: - DNS Host Name: - Service Principal Names: - " 119

108 647 Win2000, Computer Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 7 10:46:53 10.1.1.55 MSWinLog 0 security 57489 Thu Jul 06 15:52:50 2006 647 qatest W2K3-LASSO "Computer Deleted: Target Name: TEST$ Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1133} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x151CB1A) Privileges: - " 57489

108F 647 Computer Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:28:33 MSWinLog 4 4089 Thu Jul 02 08:28:33 2009 647 Administrateur B0324-FR2003 Gestion des comptes Compte d'ordinateur supprimé : Nom du compte cible : QSDFQDS$ Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1126} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de la session appelante : (0x0,0x36824) Privilèges : - 3923
109 648 Win2000 Disabled Local Group Created: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

110 648 Disabled Local Group Created: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:41:50 10.1.1.55 MSWinLog 0 security 535 Thu Jun 29 15:41:49 2006 648 qatest W2K3-LASSO " Disabled Local Group Created: Target Name: testing Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: testing Sid History: - " 619

110F 648 Disabled Local Group Created: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 08:15:32 MSWinLog 4 3842 Thu Jul 02 08:15:32 2009 648 Administrateur B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée créé : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs : Nom du compte SAM : dfgdfqdfdqsfdqsfqsfdsqf Historique S : - 3678

111 649 Disabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:42:40 10.1.1.55 MSWinLog 0 security 536 Thu Jun 29 15:42:39 2006 649 qatest W2K3-LASSO " Disabled Local Group Changed: Target Name: testing1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: testing1 Sid History: - " 620
111F 649 Disabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 08:15:49 MSWinLog 4 3844 Thu Jul 02 08:15:49 2009 649 Administrateur B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée modifié : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 3680

112 649 Win2000 Disabled Local Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

113 650 Win2000, Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:43:57 10.1.1.55 MSWinLog 0 security 539 Thu Jun 29 15:43:56 2006 650 qatest W2K3-LASSO " Disabled Local Group Member Added: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: testing1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 623
113F 650 Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 08:15:49 MSWinLog 4 3845 Thu Jul 02 08:15:49 2009 650 Administrateur B0324-FR2003 Gestion des comptes Membre du groupe local de sécurité désactivée ajouté : Nom du membre : CN=DnsAdmins,CN=s,DC=domain,DC=symbio-group,DC=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-1104} Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3681

114 651 Win2000, Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:44:47 10.1.1.55 MSWinLog 0 security 542 Thu Jun 29 15:44:46 2006 651 qatest W2K3-LASSO " Disabled Local Group Member Removed: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: testing1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 626

114F 651 Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 08:16:00 MSWinLog 4 3847 Thu Jul 02 08:15:56 2009 651 Administrateur B0324-FR2003 Gestion des comptes Membre du groupe local de sécurité désactivée supprimé : Nom du membre : CN=DnsAdmins,CN=s,DC=domain,DC=symbio-group,DC=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-1104} Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3683
115 652 Win2000, Disabled Local Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 29 15:45:32 10.1.1.55 MSWinLog 0 security 545 Thu Jun 29 15:45:31 2006 652 qatest W2K3-LASSO " Disabled Local Group Deleted: Target Name: testing1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 629

115F 652 Disabled Local Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:16:00 MSWinLog 4 3848 Thu Jul 02 08:15:59 2009 652 Administrateur B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée supprimé : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3684

116 653 Disabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:46:35 10.1.1.55 MSWinLog 0 security 558 Thu Jun 29 15:46:33 2006 653 qatest W2K3-LASSO " Disabled Global Group Created: New Name: test New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: test Sid History: - " 642
116F 653 Disabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 04:18:33 MSWinLog 4 26794 Thu Jul 02 04:18:33 2009 653 Administrateur B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée créé : Nouveau nom de compte : test group Nouveau domaine : DOMAIN Id. du nouveau compte : %{S-1-5-21-30331043-1043570551-1080916408-1106} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x66246) Privilèges : - Attributs : Nom du compte SAM : test group Historique S : - 26741

117 653 Win2000 Disabled Global Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

118 654 Disabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 15:47:37 10.1.1.55 MSWinLog 0 security 563 Thu Jun 29 15:47:35 2006 654 qatest W2K3-LASSO " Disabled Global Group Changed: Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: test1 Sid History: - " 647
118F 654 Disabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 08:09:15 MSWinLog 4 3798 Thu Jul 02 08:09:15 2009 654 Administrateur B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée modifié : Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1120} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 3634

119 654 Win2000 Disabled Global Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last

120 655 Win2000, Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:48:20 10.1.1.55 MSWinLog 0 security 567 Thu Jun 29 15:48:19 2006 655 qatest W2K3-LASSO " Disabled Global Group Member Added: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 651
120F 655 Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 08:09:15 MSWinLog 4 3799 Thu Jul 02 08:09:15 2009 655 Administrateur B0324-FR2003 Gestion des comptes Membre du groupe global de sécurité désactivée ajouté : Nom du membre : CN=Administrateurs de l'entreprise,cn=s,dc=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-519} Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1120} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3635

121 656 Win2000, Disabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 15:56:13 10.1.1.55 MSWinLog 0 security 581 Thu Jun 29 15:56:12 2006 656 qatest W2K3-LASSO " Disabled Global Group Member Removed: Member Name: CN=tester,CN=s,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 665

121F 656 Disabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 08:09:31 MSWinLog 4 3802 Thu Jul 02 08:09:31 2009 656 Administrateur B0324-FR2003 Gestion des comptes Membre du groupe global de sécurité désactivée supprimé : Nom du membre : CN=Administrateurs de l'entreprise,cn=s,dc=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-519} Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1120} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3638
122 657 Win2000, Disabled Global Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 29 15:58:04 10.1.1.55 MSWinLog 0 security 605 Thu Jun 29 15:58:02 2006 657 qatest W2K3-LASSO " Disabled Global Group Deleted: Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 689

122F 657 Disabled Global Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:09:39 MSWinLog 4 3804 Thu Jul 02 08:09:34 2009 657 Administrateur B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée supprimé : Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1120} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3640

123 658 Enabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 7 11:52:26 169.254.113.169 MSWinLog 0 229007 Fri Jul 07 11:47:18 2006 658 administrator SUPPORT-SBS " Enabled Universal Group Created: New Name: univ658 New Domain: SUPPORT New : %{S-1-5-21-1428467443-1968098735-2349626736-1179} Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - Attributes: Sam Name: univ658 Sid History: - " 2601312
123F 658 Enabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 6 05:22:47 MSWinLog 4 566 Mon Jul 06 05:22:47 2009 658 Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité activée créé : Nom du nouveau compte : qfdqqdfdsq Nouveau domaine : DOMAIN Id. du nouveau compte : %{S-1-5-21-30331043-1043570551-1080916408-1129} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - Attributs : Nom du compte SAM : qfdqqdfdsq Historique S : - 525
124 658 Win2000 Enabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
125 659 Win2000 Enabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
126 659 Enabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 7 12:03:17 169.254.113.169 MSWinLog 0 313 Fri Jul 07 12:03:16 2006 659 administrator SUPPORT-SBS " Enabled Universal Group Changed: Target Name: univ658 Target Domain: SUPPORT Target : %{S-1-5-21-1428467443-1968098735-2349626736-1179} Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - Changed Attributes: Sam Name: - Sid History: - " 2602267
126F 659 Enabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 30 09:51:22 kkkkk-knbmq2eu3.foresta MSWinLog 2 325 Tue Jun 30 09:50:32 2009 659 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes Groupe universel de sécurité activée modifié : Nom de compte cible : Administrateurs du schéma Domaine cible : FORESTA Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-518} Utilisateur appelant : Administrateur Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x260DD) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 287
127 660 Win2000, Enabled Universal Group Member Added. Last
127F 660 Enabled Universal Group Member Added. Last
<13>Jul 6 05:23:41 MSWinLog 4 568 Mon Jul 06 05:23:41 2009 660 Administrateur B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité activée ajouté : Nom du membre : CN=Administrateur,CN=s,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-500} Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1129} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - 527
128 661 Win2000, Enabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 11 11:25:16 169.254.113.169 MSWinLog 0 891571 Tue Jul 11 11:25:14 2006 661 administrator SUPPORT-SBS " Enabled Universal Group Member Removed: Member Name: CN=test628,CN=s,DC=support,DC=local Member : %{S-1-5-21-1428467443-1968098735-2349626736-1146} Target Name: tesater Target Domain: SUPPORT Target : %{S-1-5-21-1428467443-1968098735-2349626736-1181} Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - " 2657750
128F 661 Enabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 6 05:24:04 MSWinLog 4 571 Mon Jul 06 05:24:04 2009 661 Administrateur B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité activée supprimé : Nom du membre : CN=Administrateur,CN=s,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-500} Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1129} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - 530
129 662 Win2000, Enabled Universal Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 7 12:04:58 169.254.113.169 MSWinLog 0 336 Fri Jul 07 12:04:58 2006 662 administrator SUPPORT-SBS " Enabled Universal Group Deleted: Target Name: univ658 Target Domain: SUPPORT Target : %{S-1-5-21-1428467443-1968098735-2349626736-1179} Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - " 2602290
129F 662 Enabled Universal Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 6 05:24:19 MSWinLog 4 572 Mon Jul 06 05:24:19 2009 662 Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité activée supprimé : Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1129} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - 531
130 663 Win2000 Disabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
131 663 Disabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 16:03:19 10.1.1.55 MSWinLog 0 security 721 Thu Jun 29 16:03:17 2006 663 qatest W2K3-LASSO " Disabled Universal Group Created: New Name: test New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-1117} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: test Sid History: - " 805
131F 663 Disabled Universal Group Created: New Name: %1 New New : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 05:21:59 MSWinLog 4 1173 Thu Jul 02 05:21:58 2009 663 Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée créé : Nom du nouveau compte : test un Nouveau domaine : DOMAIN Id. du nouveau compte : %{S-1-5-21-30331043-1043570551-1080916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs : Nom du compte SAM : test un Historique S : - 1082
132 664 Disabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jun 29 16:03:59 10.1.1.55 MSWinLog 0 security 722 Thu Jun 29 16:03:58 2006 664 qatest W2K3-LASSO " Disabled Universal Group Changed: Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1117} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: test1 Sid History: - " 806
132F 664 Disabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 Last
<13>Jul 2 05:23:16 MSWinLog 4 1191 Thu Jul 02 05:23:16 2009 664 Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée modifié : Nom de compte cible : test un Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 1095
133 664 Win2000 Disabled Universal Group Changed: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
134 665 Win2000, Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 16:05:22 10.1.1.55 MSWinLog 0 security 776 Thu Jun 29 16:05:21 2006 665 qatest W2K3-LASSO " Disabled Universal Group Member Added: Member Name: cn=testt,cn=s,dc=sqa,dc=loglogic,DC=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1121} Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1117} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 860
134F 665 Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 05:24:02 MSWinLog 4 1193 Thu Jul 02 05:24:02 2009 665 Administrateur B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité désactivée ajouté : Nom du membre : CN=Administrateur,CN=s,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-500} Nom de compte cible : test un Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 1097
135 666 Win2000, Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jun 29 16:05:53 10.1.1.55 MSWinLog 0 security 778 Thu Jun 29 16:05:51 2006 666 qatest W2K3-LASSO " Disabled Universal Group Member Removed: Member Name: CN=testt,CN=s,DC=sqa,DC=loglogic,DC=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1121} Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1117} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 862
135F 666 Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
<13>Jul 2 05:24:49 MSWinLog 4 1212 Thu Jul 02 05:24:49 2009 666 Administrateur B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité désactivée supprimé : Nom du membre : CN=Administrateur,CN=s,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-500} Nom de compte cible : test un Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 1116
136 667 Win2000, Disabled Universal Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jun 29 16:06:15 10.1.1.55 MSWinLog 0 security 779 Thu Jun 29 16:06:14 2006 667 qatest W2K3-LASSO " Disabled Universal Group Deleted: Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1117} Caller Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 863
136F 667 Disabled Universal Group Deleted: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 Last
<13>Jul 2 08:02:00 MSWinLog 4 3768 Thu Jul 02 08:02:00 2009 667 Administrateur B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée supprimé : Nom de compte cible : test un Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3604
137 668 Win2000, Group Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Jul 7 12:06:38 169.254.113.169 MSWinLog 0 361 Fri Jul 07 12:06:37 2006 668 administrator SUPPORT-SBS "Group Changed: Enabled Local Group Changed to Disabled Local Group. Target Name: newlocal635 Target Domain: SUPPORT Target : %{S-1-5-21-1428467443-1968098735-2349626736-1173} Caller Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - " 2602315
137F 668 Group Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Jun 30 09:51:22 kkkkk-knbmq2eu3.foresta MSWinLog 2 326 Tue Jun 30 09:50:32 2009 668 Administrateur KKKKK-KNBMQ2EU3 Gestion des comptes de groupe modifié : Le groupe global activé par la sécurité est changé en groupe universel activé par la sécurité. Nom de compte cible : Administrateurs du schéma Domaine cible : FORESTA Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-518} Utilisateur appelant : Administrateur Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x260DD) Privilèges : - 288
138 669 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 SidList: %10 Last
138F 669 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 SidList: %10 Last
<13>Aug 4 10:22:22 b0324-fr2.abc.com MSWinLog 1 1091 Tue Aug 04 10:21:58 2009 669 Administrateur B0324-FR2 Gestion des comptes Ajout d'un historique S : Nom de compte source : xyz.com\dev Id. de compte source : %{S-1-5-21-3196356739-3461092960-3582852757-1108} Nom de compte cible : dev Domaine cible : ABC Id. de compte cible : %{S-1-5-21-859267090-1403449333-438083377-1109} Utilisateur appelant : Administrateur Domaine appelant : ABC Id. de session de l'appelant : (0x0,0x1A388) Privilèges : - Liste S : - 1018
139 669 Win2000 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 Last
140 670 Win2000, Add S History: Source Name: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
140F 670 Add S History: Source Name: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Last
<13>Aug 4 10:22:22 b0324-fr2.abc.com MSWinLog 1 1092 Tue Aug 04 10:21:58 2009 670 Administrateur B0324-FR2 Gestion des comptes Ajout d'un historique S : Nom de compte source : xyz.com\dev Nom de compte cible : dev Domaine cible : ABC Id. de compte cible : %{S-1-5-21-859267090-1403449333-438083377-1109} Utilisateur appelant : Administrateur Domaine appelant : ABC Id. de session de l'appelant : (0x0,0x1A388) Privilèges : - 1018
141 671 Unlocked: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 formation/ Last
<13>Jun 12 15:21:43 10.0.0.61 MSWinLog 0 1926 Sun Jun 12 15:18:48 2005 671 Administrator IAM3 Unlocked: Target Name: loglogic2 Target Domain: SECTIS Target : %{S-1-5-21-838449304-123981098-2628009577-1150} Caller Name: Administrator Caller Domain: SECTIS Caller Logon : (0x0,0x170D3) 1655
141F 671 Unlocked: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 formation/ Last
<13>Jul 22 09:01:28 MSWinLog 4 2641 Wed Jul 22 09:01:28 2009 671 Administrateur B0324-FR2003 Gestion des comptes Compte d'utilisateur désactivé : Nom du compte cible : test Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1145} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de la session appelante : (0x0,0x3EAB48) 2566
142 672 Authentication Ticket Request: Name: %1 Supplied Realm Name: %2 : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 formation/ Last
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 743 Fri Aug 04 13:00:01 2006 672 SYSTEM LOGLOGIC-SRV1 Logon Authentication Ticket Request: Name: LOGLOGIC-SRV1$ Supplied Realm Name: LOGLOGIC.COM : %{S-1-5-21-2315716220-955307559-2372290133-1005} Service Name: krbtgt Service : %{S-1-5-21-2315716220-955307559-2372290133-502} Ticket Options: 0x40810010 Result Code: - Ticket Encryption : 0x17 Pre-Authentication : 2 Client Address: 127.0.0.1 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: 147
142F 672 Authentication Ticket Request: Name: %1 Supplied Realm Name: %2 : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 formation/ Last
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 1 80 Tue Jun 30 09:20:57 2009 672 SYSTEM KKKKK-KNBMQ2EU3 Connexion de compte Requête de ticket d'authentification : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine Kerberos fourni : FORESTA Id. de l'utilisateur : %{S-1-5-21-4199537000-1147309911-3789607300-1016} Nom du service : krbtgt Id. du service : %{S-1-5-21-4199537000-1147309911-3789607300-502} Options du ticket : 0x40810010 Code de résultat : - de cryptage du ticket : 0x17 de pré-authentification : 2 Adresse du client : 127.0.0.1 Nom de l'émetteur du certificat : Numéro de série du certificat : Empreinte digitale du certificat : 79
143 672 Win2000 Authentication Ticket Granted: Name: %1 Supplied Realm Name: %2 : %3 Service Name: %4 Service : %5 Ticket Options: %6 Ticket Encryption : %7 Pre-Authentication : %8 Client Address: %9 formation/ Last
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 743 Fri Aug 04 13:00:01 2006 672 SYSTEM LOGLOGIC-SRV1 Logon Authentication Ticket Granted: Name: LOGLOGIC-SRV1$ Supplied Realm Name: LOGLOGIC.COM : %{S-1-5-21-2315716220-955307559-2372290133-1005} Service Name: krbtgt Service : %{S-1-5-21-2315716220-955307559-2372290133-502} Ticket Options: 0x40810010 Ticket Encryption : 0x17 Pre-Authentication : 2 Client Address: 127.0.0.1 147
144 673 Service Ticket Request: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Code: %8 Logon GU: %9 Transited Services: %10 formation/ Last
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 752 Fri Aug 04 13:00:02 2006 673 SYSTEM LOGLOGIC-SRV1 Logon Service Ticket Request: Name: LOGLOGIC-SRV1$@LOGLOGIC.COM Domain: LOGLOGIC.COM Service Name: LOGLOGIC-SRV1$ Service : %{S-1-5-21-2315716220-955307559-2372290133-1005} Ticket Options: 0x40800000 Ticket Encryption : 0x17 Client Address: 127.0.0.1 Code: - Logon GU: {74ebb9ef-d2d7-8d9a-b16c-91ff35b9f49a} Transited Services: - 156
144F 673 Service Ticket Request: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Code: %8 Logon GU: %9 Transited Services: %10 formation/ Last
<13>Jun 30 09:21:02 kkkkk-knbmq2eu3.foresta MSWinLog 1 91 Tue Jun 30 09:21:00 2009 673 SYSTEM KKKKK-KNBMQ2EU3 Connexion de compte Accord de la demande de ticket : Utilisateur : kkkkk-knbmq2eu3$@foresta Domaine de l'utilisateur : FORESTA Nom du service : KKKKK-KNBMQ2EU3$ Identificateur du service : %{S-1-5-21-4199537000-1147309911-3789607300-1016} Options du ticket : 0x40800000 de cryptage du ticket : 0x17 Adresse du client : 127.0.0.1 Code d'échec : - GU d'ouv. de session : {93f0a387-5848-bd05-008e-2d3b54075bae} Services en transit : - 90
145 673 Win2000 Service Ticket Granted: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 formation/ Last
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 752 Fri Aug 04 13:00:02 2006 673 SYSTEM LOGLOGIC-SRV1 Logon Service Ticket Granted: Name: LOGLOGIC-SRV1$@LOGLOGIC.COM Domain: LOGLOGIC.COM Service Name: LOGLOGIC-SRV1$ Service : %{S-1-5-21-2315716220-955307559-2372290133-1005} Ticket Options: 0x40800000 Ticket Encryption : 0x17 Client Address: 127.0.0.1 Code: - Logon GU: {74ebb9ef-d2d7-8d9a-b16c-91ff35b9f49a} Transited Services: - 156
146 674 Service Ticket Renewed: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 formation/ Last
<13>Aug 9 14:01:20 10.116.28.102 MSWinLog 0 6318 Sat Aug 05 04:16:36 2006 674 SYSTEM LOGLOGIC-SRV1 Logon Service Ticket Renewed: Name: Administrator@BLR-LOGLOGIC.COM Domain: BLR-LOGLOGIC.COM Service Name: krbtgt Service : %{S-1-5-21-2840343336-4043360270-2659977581-502} Ticket Options: 0x2 Ticket Encryption : 0x17 Client Address: 127.0.0.1 5251
146F 674 Service Ticket Renewed: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 formation/ Last
<13>Jun 30 10:06:59 kkkkk-knbmq2eu3.foresta MSWinLog 1 376 Tue Jun 30 10:06:43 2009 674 SYSTEM KKKKK-KNBMQ2EU3 Connexion de compte Ticket de service renouvelé : Nom utilisateur : Administrateur@FORESTA Domaine utilisateur : FORESTA Nom du service : krbtgt Id. du service : %{S-1-5-21-4199537000-1147309911-3789607300-502} Options du ticket : 0x2 de cryptage du ticket : 0x17 Adresse du client : 127.0.0.1 338
147 674 Win2000 Ticket Granted Renewed: Name: %1 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 formation/ Last
<13>Aug 9 14:01:20 10.116.28.102 MSWinLog 0 6318 Sat Aug 05 04:16:36 2006 674 SYSTEM LOGLOGIC-SRV1 Logon Ticket Granted Renewed: Name: Administrator@BLR-LOGLOGIC.COM Domain: BLR-LOGLOGIC.COM Service Name: krbtgt Service : %{S-1-5-21-2840343336-4043360270-2659977581-502} Ticket Options: 0x2 Ticket Encryption : 0x17 Client Address: 127.0.0.1 5251
148 675 Win2000, Pre-authentication failed. Logon Last
<13>Jul 5 16:23:52 10.1.1.55 MSWinLog 0 security 2565 Wed Jul 05 16:23:52 2006 675 SYSTEM Well Known Group W2K3-LASSO Logon Pre-authentication failed: Name: test : %{S-1-5-21-1578117074-177915290-4279395478-1125} Service Name: krbtgt/sqa Pre-Authentication : 0x2 Code: 0x18 Client Address: 127.0.0.1 48172
148F 675 Pre-authentication failed. Logon Last
<13>Jul 22 04:36:29 MSWinLog 4 803 Wed Jul 22 04:36:29 2009 675 SYSTEM B0324-FR2003 Connexion de compte Échec de la pré-authentification : Utilisateur : test Id. de l'utilisateur : %{S-1-5-21-30331043-1043570551-1080916408-1136} Nom du service : krbtgt/DOMAIN de pré-authentification : 0x2 Code d'échec : 0x18 Adresse du client : 127.0.0.1 752
149 678 Win2000, An account was mapped for logon Logon Authentication/ Last
<13>Jul 25 12:23:44 10.201.20.214 MSWinLog 0 158101 Tue Jul 25 12:05:39 2006 678 SYSTEM BBC-WSMTEST-DC1 Logon/Logoff Mapped for Logon by: NTLM1 Client Name: SQA Mapped Name:abc 546
150 679 Win2000 An account could not be mapped for logon Logon Authentication/ Last
<13>Jul 25 12:23:44 10.201.20.214 MSWinLog 0 158101 Tue Jul 25 12:05:39 2006 679 SYSTEM BBC-WSMTEST-DC1 Logon/Logoff The name:abc could not be mapped for logon by: NTLM 420
151 680 Logon attempt by: %1 Logon account: %2 Source Workstation: %3 Code: %4 formation/ Last / Authentication
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 609 Fri Aug 04 12:20:19 2006 680 Unknown N/A LOGLOGIC-SRV1 Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Administrator Source Workstation: LOGLOGIC-SRV1 Code: 0x0 13
151F 680 Used for Logon by: %1 Name: %2 Workstation: %3 formation/ Last / Authentication
<13>May 21 09:43:08 kkkkk-knbmq2eu3 MSWinLog 1 14 Thu May 21 09:43:08 2009 680 Administrateur KKKKK-KNBMQ2EU3 Connexion de compte Tentative d'ouverture de session par : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Compte d'ouverture de session : Administrateur Station de travail source : KKKKK-KNBMQ2EU3 Code erreur : 0x0 7
152 680 Win2000 Used for Logon by: %1 Name: %2 Workstation: %3 formation/ Last / Authentication
<13>May 21 09:43:08 kkkkk-knbmq2eu3 MSWinLog 1 14 Thu May 21 09:43:08 2009 680 Administrateur KKKKK-KNBMQ2EU3 Connexion de compte Tentative d'ouverture de session par : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Compte d'ouverture de session : Administrateur Station de travail source : KKKKK-KNBMQ2EU3 Code erreur : 0x0 7
153 681 Win2000, The logon to account: %2 by: %1 from workstation: %3 failed. The error code was: %4 audit Last / Authentication
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 609 Fri Aug 04 12:20:19 2006 681 Unknown N/A LOGLOGIC-SRV1 Logon The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from Workstation: LOGLOGIC-SRV1 failed. The error code was: 0x0 13
154 682 Win2000, Session reconnected to winstation: Name: %1 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 formation/ Last
<13>Jul 25 12:20:50 10.201.20.224 MSWinLog 0 125955 Thu Jun 22 10:44:55 2006 682 SYSTEM BLR-WIPTEST-DC1 Logon/Logoff Session reconnected to winstation: Name: dmsopann Domain: WIPRO Logon : (0x0,0x5EEA9) Session Name: RDP-Tcp#2 Client Name: BLR-TEST-RMS01 Client Address: 10.201.20.102 916836
154F 682 Session reconnected to winstation: Name: %1 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 formation/ Last
<13>Jul 22 10:06:58 MSWinLog 4 3092 Wed Jul 22 10:06:51 2009 682 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Session reconnectée à la station Windows : Utilisateur : Administrateur Domaine : DOMAIN Id. de session : (0x0,0x45E43C) Nom de session : RDP-Tcp#7 Nom de client : B0324-MENGKJ Adresse de client : 10.8.0.45 3010
155 683 Win2000, Session disconnected from winstation: Name: %1 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 formation/ Last
<13>Jul 25 12:20:13 10.201.20.224 MSWinLog 0 109478 Wed Jun 21 14:29:16 2006 683 SYSTEM BLR-WIPTEST-DC1 Logon/Logoff Session disconnected from winstation: Name: dmsopann Domain: WIPRO Logon : (0x0,0x5EEA9) Session Name: RDP-Tcp#1 Client Name: BLR-TEST-RMS04 Client Address: 10.201.20.104 900359
155F 683 Session disconnected from winstation: Name: %1 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 formation/ Last
<13>Jul 22 09:58:49 MSWinLog 4 2995 Wed Jul 22 09:58:49 2009 683 SYSTEM B0324-FR2003 Ouverture/Fermeture de session Session déconnectée de la station Windows : Utilisateur : Administrateur Domaine : DOMAIN Id. de session : (0x0,0x45E43C) Nom de session : RDP-Tcp#4 Nom de client : B0324-MENGKJ Adresse de client : 10.8.0.45 2918
156 684 Set ACLs of members in administrators groups: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 formation/ Last
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 1029 Fri Aug 04 13:14:31 2006 684 ANONYMOUS LOGON Well Known Group LOGLOGIC-SRV1 Set ACLs of members in administrators groups: Target Name: Domain Admins Target Domain: DC=loglogic,DC=com Target : %{S-1-5-21-2315716220-955307559-2372290133-512} Caller Name: LOGLOGIC-SRV1$ Caller Domain: LOGLOGIC Caller Logon : (0x0,0x3E7) Privileges: - 433
156F 684 Set ACLs of members in administrators groups: Target Name: %1 Target Target : %3 Caller Name: %4 Caller Logon : %6 Privileges: %7 formation/ Last
<13>Jul 2 04:17:46 MSWinLog 4 25641 Thu Jul 02 04:17:42 2009 684 ANONYMOUS LOGON Well Known Group B0324-FR2003 Gestion des comptes Définir les listes ACL des membres des groupes administrateurs : Nom du compte destination : Administrateurs du schéma Domaine destination : DC=domain,DC=symbio-group,DC=com Id. du compte destination : %{S-1-5-21-30331043-1043570551-1080916408-518} Utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN Id. d'ouv. de session de l'appelant : (0x0,0x3E7) Privilèges : - 25592
157 685 The name of an account was changed Authentication/ Last
<13>Aug 8 09:26:00 10.116.29.15 MSWinLog 0 981 Fri Aug 04 12:08:23 2006 685 LOCAL SERVICE Well Known Group MACHINENAME Logon/Logoff Name Changed: Old Name:SQA New Name:SQA_NEW Target Domain:test Target : testac Caller Name: admin Caller Domain:test Caller Logon :test Privileges:test 896
157F 685 The name of an account was changed Authentication/ Last
<13>Jul 17 04:25:57 MSWinLog 4 193820 Fri Jul 17 04:25:57 2009 685 Administrateur B0324-FR2003 Gestion des comptes Nom du compte modifié : Ancien nom de compte : test Nouveau nom de compte : test1 Domaine cible : DOMAIN Identificateur du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1135} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x3EEA5) Privilèges : - 192843
158 769 Trusted Forest formation Entry Added: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Added by : Client Name: %11 Client Domain: %12 Client Logon : %13 Last
158F 769 Trusted Forest formation Entry Added: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Added by : Client Name: %11 Client Domain: %12 Client Logon : %13 Last
<13>Jul 22 07:37:13 MSWinLog 4 2077 Wed Jul 22 07:37:08 2009 769 Administrateur B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été ajoutée : Racine de la forêt : abc.com S de la racine de la forêt : %{S-1-5-21-1893538592-169538710-3728419160} Id. de l'opération : {0,4298359} d'entrée : 0 dicateurs : 0 Nom du niveau le plus élevé : abc.com Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48) 2010
159 770 Trusted Forest formation Entry Removed: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client Name: %11 Client Domain: %12 Client Logon : %13 formation/ Last
159F 770 Trusted Forest formation Entry Removed: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client Name: %11 Client Domain: %12 Client Logon : %13 formation/ Last
<13>Jul 23 05:06:09 MSWinLog 4 7380 Thu Jul 23 05:06:09 2009 770 Administrateur B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été supprimée : Racine de la forêt : abc.com S de la racine de la forêt : %{S-1-5-21-1893538592-169538710-3728419160} Id. de l'opération : {0,5313893} d'entrée : 1 dicateurs : 0 Nom du niveau le plus élevé : xzy.abc.com Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48) 7234
160 771 Trusted Forest formation Entry Modified: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client Name: %11 Client Domain: %12 Client Logon : %13 formation/ Last
160F 771 Trusted Forest formation Entry Modified: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client Name: %11 Client Domain: %12 Client Logon : %13 formation/ Last
<13>Jul 22 07:39:51 MSWinLog 4 2092 Wed Jul 22 07:39:51 2009 771 Administrateur B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été modifiée : Racine de la forêt : abc.com S de la racine de la forêt : %{S-1-5-21-1893538592-169538710-3728419160} Id. de l'opération : {0,4306236} d'entrée : 0 dicateurs : 2 Nom du niveau le plus élevé : - Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48) 2024
161 807 Per user auditing policy set for user. Policy Change Last
161F 807 Per user auditing policy set for user. Policy Change Last
<13>Jul 23 08:46:53 MSWinLog 4 8268 Thu Jul 23 08:46:47 2009 807 SYSTEM B0324-FR2003 Changement de stratégie Stratégie d'audit par utilisateur définie pour l'utilisateur : Utilisateur cible : %{S-1-5-21-30331043-1043570551-1080916408-1145} Id de stratégie : (0x0,0x53E953) Paramètres de catégorie : Système : 0x0 Ouverture de session : 0x0 Accès de l'objet 0x2 Utilisation d'un privilège : 0x0 Suivi détaillé : 0x0 Modification de stratégie : 0x0 Gestion de compte : 0x0 Accès DS : 0x0 Ouverture de session du compte : 0x0 8109
162 1000 Win2000, Windows is unable to load or access an object, registry or file. Application formation/ Last
163  5805  The session setup from the computer %1 failed to authenticate. The following error occurred: %2  Directory Service  Information/ Last
<13>Aug 8 10:53:29 10.116.9.202 MSWinLog 0 Directory Service 2507 Tue Aug 08 10:53:27 2006 5805 ADS loglogic N/A Information M2-0W55 None The session setup from the computer %1 failed to authenticate. The following error occurred: %2 2512

163F  5805  The session setup from the computer %1 failed to authenticate. The following error occurred: %2  Directory Service  Information/ Last
<13>Jul 22 08:15:53 MSWinLog 4 2334 Wed Jul 22 08:15:52 2009 5805 NETLOGON Unknown N/A B0324-FR2003 None 0000: 22 00 00 c0 90 b3 82 00... L'installation de la session à partir de l'ordinateur LOGLOGIC-LVROFF n'a pas pu être authentifiée. L'erreur suivante s'est produite : %%5 42

164  6005  Win2000, The log service was started.  Information/ Last
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 143 Fri Aug 04 17:34:16 2006 6005 Log Unknown N/A Information MACHINENAME None The log service was started. 2

164F  6005  The log service was started.  Information/ Last
<13>May 21 10:31:17 kkkkk-knbmq2eu3 MSWinLog 1 4 Thu May 21 10:31:04 2009 6005 Log Unknown N/A Information KKKKK-KNBMQ2EU3 None Le service d'enregistrement d'événement a démarré. 3
165  6006  Win2000, The log service was stopped.  Information/ Last
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 143 Fri Aug 04 17:34:16 2006 6005 Log Unknown N/A Information MACHINENAME None The log service was stopped. 2

165F  6006  The log service was stopped.  Information/ Last
<13>May 21 10:31:17 kkkkk-knbmq2eu3 MSWinLog 1 2 Thu May 21 10:29:57 2009 6006 Log Unknown N/A Information KKKKK-KNBMQ2EU3 None Le service d'enregistrement d'événement a été arrêté. 1

166  6008  Win2000, The previous system shutdown at %1 on %2 was unexpected.  Information/ Last
<13>Aug 9 18:10:52 10.116.28.102 MSWinLog 0 1106 Wed Aug 09 15:21:51 2006 6008 Log Unknown N/A LOGLOGIC-SRV1 None 0000: d6 07 08 00 03 00 09 00 Ö... 0008: 0f 00 14 00 2b 00 d8 03 ..+.Ø 0010: d6 07 08 00 03 00 09 00 Ö... 0018: 09 00 32 00 2b 00 d8 03 .2.+.Ø The previous system shutdown at 3:20:43 PM on 8/9/2006 was unexpected. 736

166F  6008  The previous system shutdown at %1 on %2 was unexpected.  Information/ Last
<13>Jul 6 08:05:21 MSWinLog 4 486 Mon Jul 06 08:04:05 2009 6008 Log Unknown N/A B0324-FR2003 None 0000: d9 07 07 00 01 00 06 00... 0008: 08 00 01 00 12 00 ab 00... 0010: d9 07 07 00 01 00 06 00... 0018: 06 00 01 00 12 00 ab 00... L'arrêt système précédant à 08:01:18 le 06/07/2009 n'était pas prévu. 0
Appendix B Logon Types and Descriptions

Table 2 Logon Types and Descriptions

Logon Type  Logon Title  Description

1  Interactive  A user logged on to this computer at the console.

2  Network  A user or computer logged on to this computer from the network.

3  Batch  Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.

4  Service  A service was started by the Service Control Manager.

5  Unlock  This workstation was unlocked.

6  NetworkCleartext  A user logged on to a network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

7  NewCredentials  A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.

8  RemoteInteractive  A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.

9  CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.