LogLogic Microsoft Windows Server 2003 Log Configuration Guide




LogLogic Microsoft Windows Server 2003 Log Configuration Guide Document Release: October 2011 Part Number: LL600029-00ELS090002 This manual supports LogLogic Microsoft Windows Server 2003 Release 2.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
www.loglogic.com

Contents

Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions
Chapter 1 Configuring LogLogic's Microsoft Windows Server 2003 Log Collection
  Introduction to Microsoft Windows Server 2003
  Prerequisites
  Configuring Microsoft Windows Server 2003 for Operational Events
    Installing and Configuring Lasso Collector
  Enabling the LogLogic Appliance to Capture Log Data
    Automatically Identifying a Microsoft Windows Server 2003 Device
    Adding Microsoft Windows Server 2003 Device
  Verifying the Configuration
Chapter 2 How LogLogic Supports Microsoft Windows Server 2003
  How LogLogic Captures Microsoft Windows Server 2003 Data
  LogLogic Real-Time Reports
Chapter 3 Troubleshooting and FAQ
  Troubleshooting
  Frequently Asked Questions
Appendix A Reference
  LogLogic Support for Microsoft Windows Server 2003 Events
Appendix B Logon s and Descriptions


Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Windows enables LogLogic Appliances to capture logs from machines running Microsoft Windows Server 2003. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft Windows Server 2003's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

- Telephone: Toll Free 1-800-957-LOGS, Local 1-408-834-7480
- EMEA or APAC: + 44 (0) 207 1170075 or +44 (0) 8000 669970
- Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:

- Your name, email address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
    username: system
    home directory: home\app
- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
    LogLogic_home_directory\upgrade\
- Straight brackets signal options in command-line syntax. For example:
    ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring LogLogic's Microsoft Windows Server 2003 Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft Windows Server 2003 logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft Windows Server 2003 log data.

Introduction to Microsoft Windows Server 2003

Microsoft Windows Server 2003 operational events appear within the Windows Event Viewer and are located within the host machine's Windows Event Log. The events are captured by LogLogic's Lasso Collector. The Lasso Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP.

The configuration procedures for Microsoft Windows Server 2003 and the LogLogic Appliance depend upon your environment and how the Lasso Collector is configured. For more information, see How LogLogic Captures Microsoft Windows Server 2003 Data and the LogLogic Lasso Collector Guide.

Prerequisites

Prior to configuring Microsoft Windows Server 2003 and the LogLogic Appliance, ensure that you meet the following prerequisites:

- Microsoft Windows Server 2003 Server installed
- Administrative access on the Windows server
- Lasso Collector Release 2.0 or later installed on the Windows server. For more information, see LogLogic Lasso Collector Guide.
- LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft Windows Server 2003 support
- Administrative access on LogLogic Appliance

Note: LogLogic Universal Collector 2.2 or later is required for auto-detection of Windows sources. See Adding Microsoft Windows Server 2003 Device for manual configuration.

Configuring Microsoft Windows Server 2003 for Operational Events

Microsoft Windows operational events are posted in the Windows Event Viewer. The events are located in the Windows logs. These events can be captured by the LogLogic Appliance using Lasso Collector. For more information about the Windows Event Viewer, see the Microsoft Windows Server 2003 Product Documentation.

Installing and Configuring Lasso Collector

Microsoft Windows Server 2003 logs are collected and transferred to the LogLogic Appliance using Lasso. By default, the Lasso program directory is located at:

    C:\Program Files\Lasso

Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:

    C:\Program Files\Lasso\LassoRepository\Spool

You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file.

For the complete installation and configuration procedures for Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Lasso Collector Guide.

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft Windows Server 2003 log data.

Automatically Identifying a Microsoft Windows Server 2003 Device

With the auto-identification feature, the LogLogic Appliance recognizes Microsoft Windows Server 2003 log messages by default. As the log messages come into the Appliance, they are automatically identified and a new Microsoft Windows Server 2003 device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > Settings. The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.

Once the automatically identified device is added, you can edit its properties.

IMPORTANT! Do not change the auto-identified Device and Host IP information.

To edit an existing Microsoft Windows Server 2003 device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select > Devices. The Devices tab appears.
3. Click on an existing Microsoft Windows Server 2003 device in the list and click Modify Device. The Modify Device tab appears.
4. Edit the device fields as needed, then click Update Device.

Adding Microsoft Windows Server 2003 Device

If you do not want to utilize the auto-identification feature, you can manually add a Microsoft Windows Server 2003 device to the LogLogic Appliance before you redirect the logs.

IMPORTANT! LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance.

To add Microsoft Windows Server 2003 as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   - Name: Name for the Microsoft Windows Server 2003 device
   - Description (optional): Description of the Microsoft Windows Server 2003 device
   - Device: Select Microsoft Windows from the drop-down menu
   - Host IP: IP address of the Microsoft Windows Server 2003 appliance
   - Enable Data Collection: Select the Yes radio button
   - Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

   Figure 1 Adding a Device to the LogLogic Appliance

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Microsoft Windows Server 2003 machine, the LogLogic Appliance uses the device you just added if the hostname or IP match.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft Windows Server 2003 and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Microsoft Windows Server 2003 device.

If the device name (Microsoft Windows Server 2003) appears in the list of devices (Figure 2), then the configuration is correct.

Figure 2 Log Source Status Tab

If the device does not appear in the Log Source Status tab, check the Microsoft Windows Server 2003 logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft Windows Server 2003 configuration, the Lasso configuration, and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft Windows Server 2003 by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports. If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting for more information.

Chapter 2 How LogLogic Supports Microsoft Windows Server 2003

This chapter describes LogLogic's support for Microsoft Windows Server 2003. LogLogic enables you to capture Microsoft Windows Server 2003 log data to monitor Microsoft Windows Server 2003 events. LogLogic supports Microsoft Windows Server 2003 logs.

How LogLogic Captures Microsoft Windows Server 2003 Data

LogLogic's Lasso Collector is used to collect logs stored in the Windows Event Log. The Windows Collector is an open source application developed by LogLogic to collect and forward Windows event logs in Syslog format to the LogLogic Appliance.

- If the Windows Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed.
- If the Windows Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed.
- The Windows Collector can also run in both modes at the same time. In hybrid mode, the Collector captures and forwards messages from the Windows machine where it is installed and from other Windows systems it is configured to access.

Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance's Syslog Listener via UDP or TCP.

Figure 3 Microsoft Windows Server 2003 with Lasso Collector (in Agent Mode) and the LogLogic Appliance

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft Windows Server 2003. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft Windows Server 2003 log data. The following Real-Time Reports are available:

- All Unparsed Events: Displays data for all events retrieved from the Microsoft Windows Server 2003 log for a specified time interval
- Permission Modification: Displays events related to permission modifications performed on user and server objects
- User Access: Displays data access and changes done to data during a specified time interval
- User Authentication: Displays identity and access related events during a specified time interval
- User Created/Deleted: Displays user creation and deletion events
- Displays user specific details and used to track user activity during a specified time interval
- Windows Events: Displays Windows event information served during a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click.
2. Click Access Control. The following Real-Time Reports are available:
   - Permission Modification
   - User Access
   - User Authentication
   - User Created/Deleted
   - Windows Events
3. Click Operational. The following Real-Time Reports are available:
   - All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft Windows Server 2003. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

Troubleshooting

Is your version of Microsoft Windows Server 2003 supported?
For more information, see Prerequisites.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

Are you running Lasso Collector 2.0 or later?
If you are running a release prior to 2.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the LSP that is installed includes support for Microsoft Windows Server 2003. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft Windows Server 2003 events are not appearing on the LogLogic Appliance...
You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab. Make sure that you have properly installed and configured Lasso, and that no errors are present in Lasso's error log (LassoTrace.log). For more information, see the LogLogic Lasso Collector Guide. Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft Windows Server 2003 Device and Adding Microsoft Windows Server 2003 Device.

If events are not displaying on the LogLogic Appliance even after configuring Microsoft Windows Server 2003 and Lasso correctly...
Microsoft Windows Server 2003 sends the logs, via UDP or TCP, in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft Windows Server 2003 machine. For more information on supported protocols and ports, see the LogLogic Administration Guide.

Frequently Asked Questions

How does the LogLogic appliance collect logs from Microsoft Windows Server 2003?
For log collection, Lasso Collector is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft Windows Server 2003 Data.

What access permissions are required?
To configure logging on Microsoft Windows Server 2003, the Windows user must have administrative permissions.

How do I configure logging on Microsoft Windows Server 2003?
Follow the procedures in Configuring Microsoft Windows Server 2003 for Operational Events. Also make sure that you have properly installed and configured Lasso. For more information, see Installing and Configuring Lasso Collector and the LogLogic Lasso Collector Guide.


Appendix A Reference

This appendix lists the LogLogic-supported Microsoft Windows Server 2003 events. The Microsoft Windows Server 2003 event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Microsoft Windows Server 2003 Events

The following list describes the contents of each of the columns in the tables below.

- Item # Item numbers with the suffix F show sample logs in.
- Item # Item numbers with the suffix G show sample logs in.
- Microsoft Windows Server 2003 event identifier.
- Defines if the Microsoft Windows Server 2003 event is available through the LogLogic Report Engine or through the search capabilities. If the event is available through the Report Engine, then you can use LogLogic's Real-Time and Summary to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- (OS) where the event can be triggered. In some instances, duplicate s exist for different OSs.
- Title/Comments Description of the event
- of events such as, Application, etc.
- of event such as audit, Failure audit, etc.
- LogLogic-provided reports that the event appears in
- Sample Microsoft Windows Server 2003 log messages in text format
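The sample messages in Table 1 keep the same field layout and numeric event identifier whatever the server's display language, so triage should key on the identifier rather than on the message text. The parser below is an added example, not LogLogic or Lasso code: it assumes fields are separated by whitespace as they appear in this transcription, its field names and the WATCHED_EVENTS selection are its own, and the sample lines are constructed in the guide's layout.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Event identifiers that appear in Table 1 of this guide; the labels
# paraphrase the table's titles. The selection is this example's choice.
WATCHED_EVENTS = {
    516: "audit messages discarded (audit queue exhausted)",
    517: "audit log cleared",
    520: "system time changed",
}

# Assumption: fields are separated by runs of whitespace. Two syslog headers
# occur in the guide's samples: "<13>Aug  8 09:26:00 host" and
# "<13>1 2011-05-10T11:25:41.000+02:00 host". Group names are this example's own.
MSWINLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:\d\s+(?P<iso_ts>\d{4}-\d{2}-\d{2}T\S+)"
    r"|(?P<bsd_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}))"
    r"\s+(?P<host>\S+)\s+MSWinLog\s+"
    r"(?P<flag>\d+)\s+(?P<log>\S+)\s+(?P<record>\d+)\s+"
    r"(?P<event_time>[A-Z][a-z]{2}\s+[A-Z][a-z]{2}\s+\d{1,2}\s+"
    r"\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    r"(?P<event_id>\d+)\s+(?P<source>\S+)\s+(?P<rest>.*)$"
)


class WinLogRecord(NamedTuple):
    facility: int    # syslog facility decoded from the <PRI> value
    severity: int    # syslog severity decoded from the <PRI> value
    host: str        # sender as written in the syslog header
    log: str         # Windows log name, e.g. "Security"
    event_time: str  # time stamp carried inside the record
    event_id: int    # numeric identifier, independent of display language
    source: str
    rest: str        # user, computer and localized message text, left unsplit


def parse_mswinlog(line: str) -> Optional[WinLogRecord]:
    """Return the parsed record, or None if the line is not in this layout."""
    m = MSWINLOG_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    return WinLogRecord(pri >> 3, pri & 7, m["host"], m["log"],
                        m["event_time"], int(m["event_id"]),
                        m["source"], m["rest"])


def triage(lines: List[str]) -> Tuple[List[Tuple[str, int, str]], int]:
    """Return (alerts, unparsed_count); alerts are (host, event_id, label)."""
    alerts = []
    unparsed = 0
    for line in lines:
        rec = parse_mswinlog(line)
        if rec is None:
            unparsed += 1  # count these: silent parse failures hide events
            continue
        label = WATCHED_EVENTS.get(rec.event_id)
        if label is not None:
            alerts.append((rec.host, rec.event_id, label))
    return alerts, unparsed


# Constructed sample lines in the guide's layout (addresses and host names
# are placeholders, not values from the guide).
SAMPLE_LINES = [
    "<13>Aug  8 09:26:00 192.0.2.10 MSWinLog 0 Security 621 "
    "Fri Aug 04 12:59:22 2006 512 Security SYSTEM User SRV-A "
    "Windows is starting up. 25",
    "<13>Jul 25 12:17:36 192.0.2.11 MSWinLog 0 Security 7727 "
    "Fri Jul 21 14:32:00 2006 517 Security SYSTEM User SRV-B "
    "The audit log was cleared 1",
    "<13>1 2011-05-16T13:40:56.000+02:00 192.0.2.12 MSWinLog 0 Security 0 "
    "Mon May 16 13:40:56 2011 517 Security NT-AUTORITÄT\\SYSTEM User SRV-C "
    "Das Überwachungsprotokoll wurde gelöscht. 1",
    "<13>Jul  6 05:37:34 srv-d.example.test MSWinLog 4 Security 608 "
    "Mon Jul 06 05:37:34 2009 520 Security Administrateur User SRV-D "
    "L'heure système a été modifiée. 567",
    "<13>Aug  8 09:30:00 192.0.2.10 otherapp: not an MSWinLog record",
]

if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LINES)
    for host, event_id, label in found:
        print(f"{host}: event {event_id} ({label})")
    print(f"unparsed lines: {skipped}")
```
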

Table 1 Microsoft Windows Server 2003 Events

1 | 512 | Win2003 | Windows is starting up. | Security
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 621 Fri Aug 04 12:59:22 2006 512 Security SYSTEM User LOGLOGIC-SRV1 Windows is starting up. 25

1F | 512 | Win2003 | Windows is starting up. | Security
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 Security 7 Thu May 21 10:31:06 2009 512 Security SYSTEM User KKKKK-KNBMQ2EU3 Événements système Windows démarre. 1

1G | 512 | Win2003 | Windows is starting up. | Security
<13>1 2011-05-10T11:25:41.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:25:41 2011 512 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA ereignis Windows wird gestartet. 2381

2 | 513 | Win2003 | Windows is shutting down. All logon sessions will be terminated by this shutdown. | Security
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 621 Fri Aug 04 12:59:22 2006 513 Security SYSTEM User LOGLOGIC-SRV1 Windows is shutting down.all logon sessions will be terminated by this shutdown. 25

2F | 513 | Win2003 | Windows is shutting down. All logon sessions will be terminated by this shutdown. | Security
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 Security 6 Thu May 21 10:29:57 2009 513 SECURITY Unknown User N/A KKKKK-KNBMQ2EU3 Événements système Windows s'arrête. Toutes les sessions vont être fermées par cet arrêt. 0

2G | 513 | Win2003 | Windows is shutting down. All logon sessions will be terminated by this shutdown. | Security
<13>1 2011-05-06T09:23:25.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Fri May 06 09:23:25 2011 513 SECURITY User SRV-W2003-GERMA ereignis Windows wird heruntergefahren. Alle Anmeldesitzungen werden durch den Vorgang des Herunterfahrens beendet. 2380

3 | 516 | Win2003 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: %1 | Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

5F | 516 | Win2003 | Les ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. | Security audit / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog0Security35Mon Mar 01 16:59:55 2010516SecurityAdministrator User LOGLABS-2003FRA Suivi détailléles ressources internes allouées pour la file d'attente des messages d'audit sont épuisées. Certains audits ont été perdus. Nombre de messages d'audit rejetés :%1

6 | 517 | Win2003 | The audit log was cleared Primary Primary Domain: %2 Primary Logon : %3 Client User Name: %4 Client Domain: %5 Client Logon : %6 | Security
<13>Jul 25 12:17:36 10.201.20.214 MSWinLog 0 Security 7727 Fri Jul 21 14:32:00 2006 517 Security SYSTEM User BLR-WSMTEST-DC1 The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon : (0x0,0x3E7) Client User Name: dmsopann Client Domain: WIPRO Client Logon : (0x0,0x44A885) 1

6F | 517 | Win2003 | The audit log was cleared Primary Primary Domain: %2 Primary Logon : %3 Client User Name: %4 Client Domain: %5 Client Logon : %6 | Security
<13>Jul 7 05:25:53 10.8.0.39 MSWinLog 0 Security 1151 Tue Jul 07 05:15:00 2009 517 Security SYSTEM Well Known Group B0324-FR2003 Événements système Le journal d'audit a été effacé Utilisateur principal : SYSTEM Domaine principal : AUTORITE NT Id. de session principale : (0x0,0x3E7) Utilisateur client : Administrateur Domaine client : DOMAIN Id. de session client : (0x0,0x489A86) 1
<13>Jul 6 05:37:34 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 608 Mon Jul 06 05:37:34 2009 520 Security Administrateur User B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/2009 567

# 6G 517 Win2003

The audit log was cleared Primary Primary Domain: %2 Primary Logon : %3 Client User Name: %4 Client Domain: %5 Client Logon : %6

Security

<13>1 2011-05-16T13:40:56.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:40:56 2011 517 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA ereignis Das Überwachungsprotokoll wurde gelöscht. Primärer Benutzername: SYSTEM Primäre Domäne: NT-AUTORITÄT Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: administrator Clientdomäne: LL Clientanmeldekennung: (0x0,0x439BD) 1

# 7 520 Win2003

The system time was changed. Process : %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 Client User Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11

Security

<13>Jun 12 14:54:42 10.0.0.61 MSWinLog 0 Security 923 Sun Jun 12 14:52:47 2005 520 Security loglogic2 User IAM3 The system time was changed. Process : 2128 Process Name: C:\WINDOWS\system32\rundll32.exe Primary User Name: loglogic2 Primary Domain: SECTIS Primary Logon : (0x0,0xF15F58) Client User Name: loglogic2 Client Domain: SECTIS Client Logon : (0x0,0xF15F58) Previous Time: 2:51:48 PM 6/12/2005 New Time: 2:52:47 PM 6/12/2005 829

# 7F 520 Win2003

The system time was changed. Process : %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 Client User Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11

Security

<13>Jul 6 05:37:34 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 608 Mon Jul 06 05:37:34 2009 520 Security Administrateur User B0324-FR2003 Événements système L'heure système a été modifiée. Id. du processus : 3908 Nom du processus : C:\WINDOWS\system32\rundll32.exe Utilisateur principal : Administrateur Domaine principal : DOMAIN Id. d'ouv. de session principale : (0x0,0x22A20) Utilisateur client : Administrateur Domaine du client : DOMAIN Id. d'ouv. de session clnt : (0x0,0x22A20) Heure précédente : 05:27:36 07/07/2009 Nouvelle heure : 05:37:34 06/07/2009 567

# 7G 520 Win2003

The system time was changed. Process : %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 Client User Name: %6 Client Domain: %7 Client Logon : %8 Previous Time: %10 %9 New Time: %12 %11

Security

<13>1 2011-05-10T11:26:40.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:26:40 2011 520 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA ereignis Die zeit wurde geändert. Prozesskennung: 1452 Prozessname: C:\Programme\VMware\VMware Tools\vmtoolsd.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Benutzerdomäne: LL Primäre Benutzeranmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x3E7) Alte Zeit: 11:26:40 10.05.2011 Neue Zeit: 11:26:40 10.05.2011 2492

# 8 528 Win2003

ful Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

Logon/Logoff

<13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 130 Wed Jul 05 10:54:02 2006 528 Security qatest User W2K3-LASSO Logon/ Logoff "ful Logon: User Name: qatest Domain: SQA Logon : (0x0,0xD72AEE) Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Logon GU: {4fa5f915-b6cf-cc49-b484-b7b61551b7d0} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 396 Transited Services: - Source Network Address: 172.16.0.22 Source Port: 1133 " 45737

# 8F 528 Win2003

ful Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

Logon/Logoff

<13>May 21 10:24:28 kkkkk-knbmq2eu3 MSWinLog 1 Security 40 Thu May 21 10:24:03 2009 528 Security SERVICE LOCAL Well Known Group KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : SERVICE LOCAL Domaine : AUTORITE NT Id. de la session : (0x0,0x3E5) de session : 5 Processus de session : Advapi Package d'authentification : Negotiate Station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de session de l'appelant : (0x0,0x3E7) de processus appelant : 868 Services en transit : - Adresse réseau source : - Port source : - 24

# 8G 528 Win2003

ful Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

Logon/Logoff

<13>1 2011-05-10T11:25:41.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:25:41 2011 528 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA An-/Abmeldung Erfolgreiche Anmeldung: Benutzername: SYSTEM Domäne: NT-AUTORITÄT Anmeldekennung: (0x0,0x3E7) Anmeldetyp: 0 Anmeldevorgang: - Authentifizierungspaket: - Name der Arbeitsstation: - Anmelde-GU: - Aufruferbenutzername: - Aufruferdomäne: - Aufruferanmeldekennung: - Aufruferprozesskennung: 4 Übertragene Dienste: - Quellnetzwerkadresse: - Quellport: - 2382

# 9 529 Win2003

Logon Failure: Reason: Unknown user name or bad password Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 5 16:23:52 10.1.1.55 MSWinLog 0 security 2566 Wed Jul 05 16:23:52 2006 529 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: Unknown user name or bad password User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 724 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1443 " 48173

# 9F 529 Win2003

Logon Failure: Reason: Unknown user name or bad password Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 6 08:44:18 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1332 Mon Jul 06 08:44:14 2009 529 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Nom d'utilisateur inconnu ou mot de passe incorrect Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1277

# 9G 529 Win2003

Logon Failure: Reason: Unknown user name or bad password Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>1 2011-05-16T13:55:29.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:55:29 2011 529 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Unbekannter Benutzername oder falsches Kennwort Benutzername: administrator Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 502

# 10 530 Win2003

Logon Failure: Reason: logon time restriction violation Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 5 16:42:13 10.1.1.55 MSWinLog 0 security 2904 Wed Jul 05 16:42:12 2006 530 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: logon time restriction violation User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3444 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1464 " 48511

# 10F 530 Win2003

Logon Failure: Reason: logon time restriction violation Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 6 09:16:06 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1850 Mon Jul 06 09:16:06 2009 530 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Violation de la limite de temps d'accès au compte Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1792

# 10G 530 Win2003

Logon Failure: Reason: logon time restriction violation Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>1 2011-05-16T13:58:52.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:58:52 2011 530 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Außerhalb der Anmeldezeiten des Kontos Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 622

# 11 531 Win2003

Logon Failure: Reason: currently disabled Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 5 16:45:06 10.1.1.55 MSWinLog 0 security 2940 Wed Jul 05 16:45:06 2006 531 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: currently disabled User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 3000 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1468 " 48547

# 11F 531 Win2003

Logon Failure: Reason: currently disabled Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 6 08:50:26 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1399 Mon Jul 06 08:50:18 2009 531 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte actuellement désactivé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1344

# 11G 531 Win2003

Logon Failure: Reason: currently disabled Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>1 2011-05-16T14:01:08.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:01:08 2011 531 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Konto ist gegenwärtig deaktiviert Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 707

# 11F 532 Win2003

Logon Failure: Reason: The specified user account has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Logon/Logoff Failure

<13>Jul 18 04:17:27 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 193700 Sat Jul 18 04:17:24 2009 532 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le compte d'utilisateur mentionné est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 192727

# 11G 532 Win2003

Logon Failure: Reason: The specified user account has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Logon/Logoff Failure

<13>1 2011-05-16T14:03:11.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:03:11 2011 532 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Das angegebene Benutzerkonto ist abgelaufen Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 790

# 12 532 Win2003

Logon Failure: Reason: The specified user account has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 5 16:47:03 10.1.1.55 MSWinLog 0 security 2954 Wed Jul 05 16:47:02 2006 532 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified user account has expired User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2960 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1470 " 48561

# 13 533 Win2003

Logon Failure: Reason: User not allowed to logon at this computer Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 5 16:48:07 10.1.1.55 MSWinLog 0 security 2976 Wed Jul 05 16:48:06 2006 533 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: User not allowed to logon at this computer User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2996 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1472 " 48583

# 13F 533 Win2003

Logon Failure: Reason: User not allowed to logon at this computer Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 22 05:08:53 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1371 Wed Jul 22 05:08:53 2009 533 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Utilisateur non autorisé à se connecter sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 1317

# 13G 533 Win2003

Logon Failure: Reason: User not allowed to logon at this computer Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>1 2011-05-16T14:07:10.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:07:10 2011 533 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Benutzer darf sich an diesem Computer nicht anmelden Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 1013

# 14 534 Win2003

Logon Failure: Reason: The user has not been granted the requested logon type at this machine Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 5 16:28:08 10.1.1.55 MSWinLog 0 security 2741 Wed Jul 05 16:28:07 2006 534 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2480 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1447 " 48348

# 14F 534 Win2003

Logon Failure: Reason: The user has not been granted the requested logon type at this machine Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 22 04:39:40 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 913 Wed Jul 22 04:39:38 2009 534 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Il n'a pas été accordé à l'utilisateur le type de session demandé sur cet ordinateur Nom de l'utilisateur : test Domaine : DOMAIN de session : 2 Processus d'ouv. de session : User32 Package d'authentification : Negotiate Nom de station de travail : B0324-FR2003 Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) de processus appelant : 308 Services en transit : - Adresse réseau source : 127.0.0.1 Port source : 0 862

# 14G 534 Win2003

Logon Failure: Reason: The user has not been granted the requested logon type at this machine Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>1 2011-05-16T14:05:43.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:05:43 2011 534 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Dem Benutzer wurde der angeforderte Anmeldetyp an diesem Computer nicht gestattet. Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 942

# 15 535 Win2003

Logon Failure: Reason: The specified account's password has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Sep 7 14:19:29 10.1.1.55 MSWinLog 0 security 67016 Thu Sep 07 14:19:28 2006 535 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: The specified account's password has expired User Name: expire Domain: SQA Logon : 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 1344 Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 " 67016

# 15F 535 Win2003

Logon Failure: Reason: The specified account's password has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 6 08:52:46 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1422 Mon Jul 06 08:52:44 2009 535 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le mot de passe spécifié pour ce compte est expiré Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0 1366

# 15G 535 Win2003

Logon Failure: Reason: The specified account's password has expired Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>1 2011-05-16T14:10:12.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:10:12 2011 535 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Das Kennwort des angegebenen Kontos ist abgelaufen Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 1125

# 16 536 Win2003

Logon Failure: Reason: The NetLogon component is not active Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 16F 536 Win2003

Logon Failure: Reason: The NetLogon component is not active Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 16 10:37:58 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 177163 Thu Jul 16 10:37:21 2009 536 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Le composant NetLogon n'est pas actif Nom de l'utilisateur : Meng Kangjian Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 10.8.0.45 Port source : 0

# 17 537 Win2003

Logon Failure: Reason: An error occurred during logon Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

Logon/Logoff Failure

The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 17F 537 Win2003

Logon Failure: Reason: An error occurred during logon Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Status code: %7 Substatus code: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

Logon/Logoff Failure

<13>Jul 17 08:07:50 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 196324 Fri Jul 17 08:07:50 2009 537 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Erreur lors de l'ouverture de session Nom de l'utilisateur : Domaine : d'ouverture de session : 3 Processus d'ouv. de session : Kerberos Package d'authentification : Kerberos Nom de station de travail : - Code du statut : 0xC0000133 Code du sous-statut : 0x0 Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 195243

# 18 538 Win2003

User Logoff

Logon/Logoff

<13>1 2011-05-10T11:26:36.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:26:36 2011 538 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA An-/Abmeldung Benutzerabmeldung: Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x22421) Anmeldetyp: 3 2469

# 19 539 Win2003

Logon Failure: Reason: locked out Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 5 16:34:07 10.1.1.55 MSWinLog 0 security 2803 Wed Jul 05 16:34:06 2006 539 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon/Logoff "Logon Failure: Reason: locked out User Name: test Domain: SQA Logon : 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Caller Process : 2304 Transited Services: - Source Network Address: 172.16.0.225 Source Port: 1455 " 48410

# 19F 539 Win2003

Logon Failure: Reason: locked out Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>Jul 17 03:30:03 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 193000 Fri Jul 17 03:30:03 2009 539 Security SYSTEM User Failure B0324-FR2003 Ouverture/Fermeture de session Échec de l'ouverture de session : Raison : Compte verrouillé Nom de l'utilisateur : test Domaine : B0324-MENGKJ de session : 3 Processus d'ouv. de session : NtLmSsp Package d'authentification : NTLM Nom de station de travail : B0324-MENGKJ Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : 0.8.0.45 Port source : 0 192031

# 19G 539 Win2003

Logon Failure: Reason: locked out Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon : %9 Caller Process : %10 Transited Services: %11 Source Network Address: %12 Source Port: %13

Logon/Logoff Failure

<13>1 2011-05-16T14:24:51.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:24:51 2011 539 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA An-/ Abmeldung Fehlgeschlagene Anmeldung: Grund: Konto gesperrt Benutzername: admin Domäne: LL Anmeldetyp: 2 Anmeldevorgang: User32 Authentifizierungspaket: Negotiate Name der Arbeitsstation: SRV-W2003-GERMA Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Aufruferprozesskennung: 548 Übertragene Dienste: - Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 1677

# 20 540 Win2003

ful Network Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

Logon/Logoff

<13>Jul 5 11:04:08 10.1.1.55 MSWinLog 0 security 3 Wed Jul 05 10:19:59 2006 540 Security SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "ful Network Logon: User Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Logon : 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GU: {e6b578ec-aae0-9e50-b248-c2004fb821e 8} Caller User Name: - Caller Domain: - Caller Logon : - Caller Process : - Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 " 45610

# 20F 540 Win2003

ful Network Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

Logon/Logoff

<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 1 Security 15 Thu May 21 10:31:14 2009 540 Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Ouverture/ Fermeture de session Ouverture de session réseau réussie : Utilisateur : Domaine : Id. de la session : (0x0,0xA565) de session : 3 Processus de session : NtLmSsp Package d'authentification : NTLM Nom de la station de travail : GU d'ouv. de session : - Nom de l'utilisateur appelant : - Domaine appelant : - de session de l'appelant : - de processus appelant : - Services en transit : - Adresse réseau source : - Port source : - 9

# 20G 540 Win2003

ful Network Logon: Domain: %2 Logon : %3 Logon : %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GU: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon : %11 Caller Process : %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

Logon/Logoff

<13>1 2011-05-10T11:25:57.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:25:57 2011 540 Security NT-AUTORITÄT\ANONYMOUS-ANMELD UNG User SRV-W2003-GERMA An-/Abmeldung Erfolgreiche Netzwerkanmeldung: Benutzername: Domäne: Anmeldekennung: (0x0,0xF6DC) Anmeldetyp: 3 Anmeldevorgang: NtLmSsp Authentifizierungspaket: NTLM Arbeitsstationsname: Anmelde-GU: - Aufruferbenutzername: - Aufruferdomäne: - Aufruferanmeldekennung: - Aufruferprozesskennung: - Übertragene Dienste: - Quellnetzwerkadresse: - Quellport: - 2408

# 21 | Event ID 548 | Win2003 | Category: Security Failure / User Authentication

Description: Logon Failure: Reason: Domain sid inconsistent Domain: %2 Logon : %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Transited Services: %7

Sample log: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 33F | Win2003 | Category: Security audit User Authentication / / Windows s

Description: Échec de l'ouverture de session

Sample log: <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog 0 Security 35 Mon Mar 01 16:59:55 2010 548 Security Administrator User LOGLABS-2003FRA Suivi détaillé échec de l'ouverture de session : Raison : SID du domaine incohérent Nom d'utilisateur : %1 Domaine : %2 d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de station de travail : %6 Services en transit : %7

# 34 | Event ID 549 | Win2003 | Category: Security Failure / User Authentication

Description: Logon Failure: Reason: All sids were filtered out Domain: %2 Logon : %3 Logon Process: %4 Authentication Package : %5 Workstation Name: %6

Sample log: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 35F | Event ID 549 | Win2003 | Category: Security audit User Authentication / / Windows s

Description: Échec de l'ouverture de session

Sample log: <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog 0 Security 35 Mon Mar 01 16:59:55 2010 549 Security Administrator User Failure LOGLABS-2003FRA Suivi détaillé échec de l'ouverture de session : Raison : Tous les SID étaient épuisés Utilisateur : %1 Domaine : %2 d'ouverture de session : %3 Processus d'ouv. de session : %4 Package d'authentification : %5 Nom de la station de travail : %6

# 36 | Event ID 550 | Win2003 | Category: Security Logon / Logoff

Description: Notification message that could indicate a possible denial-of-service attack.

Sample log: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 37 | Event ID 551 | Win2003 | Category: Security audit / Information / User Access

Description: User initiated logoff: Domain: %2 Logon : %3

Sample log: <13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 619 Fri Aug 04 12:58:16 2006 551 Security Unknown User N/A LOGLOGIC-SRV1 Logon/Logoff User initiated logoff: User Name: Administrator Domain: LOGLOGIC-SRV1 Logon : (0x0,0x14d2b) 23

# 37F | Event ID 551 | Win2003 | Category: Security User Access

Description: User initiated logoff: Domain: %2 Logon : %3

Sample log: <13>Jul 1 03:18:31 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 3252 Wed Jul 01 03:18:31 2009 551 Security Administrateur User KKKKK-KNBMQ2EU3 Ouverture/Fermeture de session Fermeture de session initiée par l'utilisateur : Utilisateur : Administrateur Domaine : FORESTA Id. d'ouv. de session : (0x0,0x260dd) 3228

# 37G | Event ID 551 | Win2003 | Category: Security User Access

Description: User initiated logoff: Domain: %2 Logon : %3

Sample log: <13>1 2011-05-16T13:54:25.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:54:25 2011 551 Security LL\Administrator User SRV-W2003-GERMA An-/Abmeldung Benutzerinitiierte Abmeldung: Benutzername: administrator Domäne: LL Anmeldekennung: (0x0,0x2194f8) 423

# 38 | Event ID 552 | Win2003 | Category: Security / User Authentication

Description: Logon attempt using explicit credentials: Logged on user: Domain: %2 Logon : %3 Logon GUID: %4 User whose credentials were used: Target User Name: %5 Target Domain: %6 Target Logon GUID: %7 Target Server Name: %8 Target Server Info: %9 Caller Process : %10 Source Network Address: %11 Source Port: %12

Sample log: <13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 614 Fri Aug 04 12:30:37 2006 552 Security SYSTEM User LOGLOGIC-SRV1 Logon/Logoff Logon attempt using explicit credentials: Logged on user: User Name: LOGLOGIC-SRV1$ Domain: WORKGROUP Logon : (0x0,0x3E7) Logon GUID: - User whose credentials were used: Target User Name: Administrator Target Domain: LOGLOGIC-SRV1 Target Logon GUID: - Target Server Name: localhost Target Server Info: localhost Caller Process : 568 Source Network Address: 127.0.0.1 Source Port: 0 18

# 38F | Event ID 552 | Win2003 | Category: Security audit User Authentication / / Windows s

Description: Tentative d'ouverture de session en utilisant des informations d'identification explicites

Sample log: <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog 0 Security 35 Mon Mar 01 16:59:55 2010 552 Security Administrator User Failure LOGLABS-2003FRA Suivi détaillé tentative d'ouverture de session en utilisant des informations d'identification explicites : Utilisateur connecté : Nom d'utilisateur : %1 Domaine : %2 d'ouv. de session : %3 GUID d'ouv. de session : %4 Utilisateur dont les informations d'identification ont été utilisées : Nom d'utilisateur cible : %5 Domaine cible : %6 GUID d'ouv. de session cible : %7 Nom du serveur cible : %8 Informations du serveur cible : %9 de processus appelant : %10 Adresse réseau source : %12 Port source : %13

# 38G | Event ID 552 | Win2003 | Category: Security audit User Authentication / / Windows s

Description: Logon attempt using explicit credentials

Sample log: <13>1 2011-05-16T12:54:43.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 12:54:43 2011 552 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA An-/Abmeldung Anmeldeversuch unter Verwendung expliziter Anmeldeinformationen: Angemeldeter Benutzer: Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x3E7) Anmelde-GUID: - Benutzer, dessen Anmeldeinformationen verwendet wurden: Zielbenutzerame: administrator Zieldomäne: LL Zielanmelde-GUID:{5baf06a3-3fff-c4f8-fa33-671f76700bd3} Zielservername: localhost Zielserverinfo: localhost Aufruferprozesskennung: 548 Quellnetzwerkadresse: 127.0.0.1 Quellport: 0 2717

# 39 | Event ID 560 | Win2003 | Category: Object Access

Description: Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18

Sample log: <13>Jul 5 15:58:59 10.1.1.55 MSWinLog 0 security 2074 Wed Jul 05 15:58:58 2006 560 Security qatest User W2K3-LASSO Object Access "Object Open: Object Server: Security Object : Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\log\security Handle : 452 Operation : {0,17577785} Process : 3280 Image File Name: C:\WINDOWS\system32\mmc.exe Primary User Name: qatest Primary Domain: SQA Primary Logon : (0x0,0x668A8) Client User Name: - Client Domain: - Client Logon : - Accesses: Set key value Privileges: - Restricted Sid Count: 0 Access Mask: 0x2 " 47681

# 39F | Event ID 560 | Win2003 | Category: Object Access

Description: Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18

Sample log: <13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 12 Tue Jun 30 10:42:33 2009 560 Security SYSTEM User KKKKK-KNBMQ2EU3 Accès aux objets Objet ouvert Serveur de l'objet : Security de l'objet : Key Nom de l'objet : \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\log\security Identificateur du handle : 204 Identificateur de l'opération : {0,1577787} Id. du processus : 2404 Nom du fichier image : C:\Program Files\Snare\SnareCore.exe Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id d'ouv. de session principale : (0x0,0x3E7) Utilisateur du client : - Domaine du client : - Id. d'ouv. de session client : - Accès : %%1538 %%4432 %%4433 %%4435 %%4436 Privilèges : - Nombre de SID restreint : 0 Masque d'accès : 0x2001B 11

# 39G | Event ID 560 | Win2003 | Category: Object Access

Description: Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Image File Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Restricted Sid Count: %17 Access Mask: %18

Sample log: <13>1 2011-05-16T13:37:08.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:37:08 2011 560 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Objektzugriff Geöffnetes Objekt: Objektserver: Security Objekttyp: Key Objektname: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\log\security Handlekennung: 1612 Vorgangskennung: {0,1397050} Prozesskennung: 592 Abbilddateiname: C:\WINDOWS\system32\services.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: - Clientdomäne: - Clientanmeldekennung: - Zugriffe: READ_CONTROL Schlüsselwert abfragen Schlüsselwert festlegen Unterschlüssel auflisten Änderungen an Schlüssel benachrichtigen Rechte: - Beschränkte SID-Anzahl: 0 Zugriffsmaske: 0x2001B 3102

# 40 | Event ID 562 | Win2003 | Category: Object Access Special Multi-use Subcategory

Description: The handle to an object was closed.

Sample log: MSWinLog 0 Security 0 Tue Jul 21 8 59 57 2010 4658 Microsoft-Windows-Security-Auditing Unknown hayward.loglabs08native.lab File The handle to an object was closed. Subject : Security : S-1-5-18 Name: HAYWARD$ Domain: LOGLABS08NATIVE Logon : 0x3e7 Object: Object Server: Security Handle : 0x1c0 Process Information: Process : 0x7e8 Process Name: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 51813549

# 40G | Event ID 562 | Win2003 | Category: Object Access Special Multi-use Subcategory

Description: The handle to an object was closed.

Sample log: <13>1 2011-05-16T13:18:56.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:18:56 2011 562 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Objektzugriff Geschlossenes Handle: Objektserver: Security Manager Handlekennung: 653312 Prozesskennung: 604 Abbilddateiname: C:\WINDOWS\system32\lsass.exe 2936

# 41 | Event ID 563 | Win2003 | Category: Object Access

Description: Object Open for Delete: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Primary User Name: %8 Primary Domain: %9 Primary Logon : %10 Client User Name: %11 Client Domain: %12 Client Logon : %13 Accesses: %14 Privileges: %15 Access Mask: %16

Sample log: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 43F | Event ID 563 | Win2003 | Category: Security audit / Failure audit / Windows s

Description: Objet ouvert pour suppression

Sample log: <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog 0 Security 35 Mon Mar 01 16:59:55 2010 563 Security Administrator User LOGLABS-2003FRA Suivi détaillé objet ouvert pour suppression : Serveur d'objet : %1 d'objet : %2 Nom de l'objet : %3 Identificateur du handle : %4 Identificateur de l'opération : {%5,%6} Id. du processus : %7 Utilisateur principal : %8 Domaine principal : %9 Id d'ouv. de session principale : %10 Utilisateur client : %11 Domaine client : %12 Id. d'ouv. de session client : %13 Accès : %14 Privilèges : %15 Masque d'accès : %16 17

# 44 | Event ID 564 | Win2003 | Category: Object Access

Description: Object Deleted: Object Server: %1 Handle : %2 Process : %3 Image File Name: %4

Sample log: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 44F | Event ID 564 | Win2003 | Category: Object Access

Description: Object Deleted: Object Server: %1 Handle : %2 Process : %3 Image File Name: %4

Sample log: <13>Jul 23 09:21:20 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 8498 Thu Jul 23 09:21:14 2009 564 Security Administrateur User B0324-FR2003 Accès aux objets Objet supprimé : Serveur d'objet : Security Id. de handle : 1516 Id. de processus : 2544 Nom du fichier d'image : C:\WINDOWS\explorer.exe 8338

# 45 | Event ID 565 | Win2003 | Category: Directory Service

Description: Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties: %17 Access Mask: %18

Sample log: <13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 132 Wed Jul 05 10:54:02 2006 565 Security qatest User W2K3-LASSO Directory Service Access "Object Open: Object Server: Security Manager Object : SAM_DOMAIN Object Name: DC=sqa,DC=loglogic,DC=com Handle : 88255624 Operation : {0,14101324} Process : 1424 Process Name: C:\WINDOWS\system32\lsass.exe Primary User Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client User Name: qatest Client Domain: SQA Client Logon : (0x0,0xD72AEE) Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership Lists Privileges: - Properties: Access Mask: 0 " 45739

# 45F | Event ID 565 | Win2003 | Category: Directory Service

Description: Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties: %17 Access Mask: %18

Sample log: <13>Jun 30 10:43:21 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 34 Tue Jun 30 10:43:14 2009 565 Security Unknown User N/A KKKKK-KNBMQ2EU3 Accès Active Directory Security Manager 30

# 45G | Event ID 565 | Win2003 | Category: Directory Service

Description: Object Open: Object Server: %1 Object : %2 Object Name: %3 Handle : %4 Operation : {%5,%6} Process : %7 Process Name: %8 Primary User Name: %9 Primary Domain: %10 Primary Logon : %11 Client User Name: %12 Client Domain: %13 Client Logon : %14 Accesses: %15 Privileges: %16 Properties: %17 Access Mask: %18

Sample log: <13>1 2011-05-10T11:26:30.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:26:30 2011 565 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Verzeichnisdienstzugriff Geöffnetes Objekt: Objektserver: Security Manager Objekttyp: SAM_DOMAIN Objektname: CN=Builtin,DC=ll,DC=local Handlekennung: 652464 Vorgangskennung: {0,72007} Prozesskennung: 556 Prozessname: C:\WINDOWS\system32\lsass.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x3E7) Zugriffe DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Kennwortparameter lesen Kennwortparameter schreiben Andere Parameter lesen Andere Parameter schreiben Benutzer erstellen Globale Gruppe erstellen Lokale Gruppe erstellen Lokale Gruppenmitgliedschaft erhalten Konten auflisten Berechtigungen - Eigenschaften: --- domain DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Kennwortparameter lesen Kennwortparameter schreiben Andere Parameter lesen Andere Parameter schreiben Benutzer erstellen Globale Gruppe erstellen Lokale Gruppe erstellen Lokale Gruppenmitgliedschaft erhalten Konten auflisten Domain Password & Lockout Policies lockoutobservationwindow lockoutduration lockoutthreshold maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties Other Domain Parameters (for use by SAM) serverstate serverrole modifiedcount uascompat forcelogoff domainreplica oeminformation Domain Administer Server Zugriffsmaske: 0 2420

# 46 | Event ID 566 | Win2003 | Category: Directory Service

Description: Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary User Name: %6 Primary Domain: %7 Primary Logon : %8 Client User Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16

Sample log: <13>Jul 5 11:09:53 10.1.1.55 MSWinLog 0 security 306 Wed Jul 05 11:09:53 2006 566 Security SYSTEM Well Known Group W2K3-LASSO Directory Service Access "Object Operation: Object Server: DS Operation : Object Access Object : %{19195a5b-6da0-11d0-afd3-00c04fd930c9} Object Name: %{0d374542-7f4a-4f11-acdb-5a70b025bc6b} Handle : - Primary User Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client User Name: W2K3-LASSO$ Client Domain: SQA Client Logon : (0x0,0x59DBA) Accesses: Control Access Properties: Control Access Additional Info: Additional Info2: Access Mask: 0x100 " 45913

# 46F | Event ID 566 | Win2003 | Category: Directory Service

Description: Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary User Name: %6 Primary Domain: %7 Primary Logon : %8 Client User Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16

Sample log: <13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 16 Tue Jun 30 10:42:33 2009 566 Security SYSTEM User KKKKK-KNBMQ2EU3 Accès Active Directory Opération d'objet : Serveur d'objet : DS d'opération : Object Access d'objet : %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} Nom d'objet : %{4e9f93a1-5253-4632-be3c-781ee698fa35} de handle : - Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA d'ouv de session principale : (0x0,0x3E7) Nom d'utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA d'ouv de session client : (0x0,0x1813EA) Accès : %%7685 Propriétés : %%7685 %{771727b1-31b8-4cdf-ae62-4fe39fadf89e} %{bf967a76-0de6-11d0-a285-00aa003049e2} %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} Informations additionnelles : Informations additionnelles 2 : Masque d'accès : 0x20 15

# 46G | Event ID 566 | Win2003 | Category: Directory Service

Description: Object Operation: Object Server: %1 Operation : %2 Object : %3 Object Name: %4 Handle : %5 Primary User Name: %6 Primary Domain: %7 Primary Logon : %8 Client User Name: %9 Client Domain: %10 Client Logon : %11 Accesses: %12 Properties: %13 Additional Info: %14 Additional Info2: %15 Access Mask: %16

Sample log: <13>1 2011-05-10T11:40:48.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:40:48 2011 566 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Verzeichnisdienstzugriff Objektvorgang: Objektserver: DS Vorgangstyp Object Access Objekttyp: domaindns Objektname: DC=ll,DC=local Handlekennung: - Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x7EFCC) Zugriffe Zugriff steuern Eigenschaften: Zugriff steuern Replicating Directory Changes domaindns Weitere Info: Weitere Info2: Zugriffsmaske: 0x100 2560

# 47 | Event ID 567 | Win2003 | Category: Object Access audit / Failure audit

Description: An attempt was made to access an object

Sample log: <13>Aug 8 09:26:00 10.116.29.15 MSWinLog 0 Security 530 Fri Aug 04 12:08:23 2006 567 Security LOCAL SERVICE Well Known Group MACHINENAME Logon/Logoff Object Access Attempt: Object Server: Security Handle : 9780 Object : File Process : 904 Image File Name: C:\WINDOWS\system32\svchost.exe Accesses: WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) Access Mask: 0x6 2

# 48 | Event ID 576 | Win2003 | Category: Privilege Use / Permission Modification

Description: Special privileges assigned to new logon: Domain: %2 Logon : %3 Privileges: %4

Sample log: <13>Jul 5 11:04:08 10.1.1.55 MSWinLog 0 security 2 Wed Jul 05 10:19:59 2006 576 Security SYSTEM Well Known Group W2K3-LASSO Logon/Logoff "Special privileges assigned to new logon: User Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0xD30C93) Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege " 45609

# 48F | Event ID 576 | Win2003 | Category: Privilege Use / Permission Modification

Description: Special privileges assigned to new logon: Domain: %2 Logon : %3 Assigned: %4

Sample log: <13>Jun 30 10:42:40 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 5 Tue Jun 30 10:42:33 2009 576 Security SYSTEM User KKKKK-KNBMQ2EU3 Utilisation d'un privilège Privilèges spéciaux assignés à la nouvelle session : Utilisateur : KKKKK-KNBMQ2EU3$ Domaine : FORESTA Id. de la session : (0x0,0x18126D) Privilèges : SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege 4

# 48G | Event ID 576 | Win2003 | Category: Privilege Use / Permission Modification

Description: Special privileges assigned to new logon: Domain: %2 Logon : %3 Assigned: %4

Sample log: <13>1 2011-05-10T11:25:41.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:25:41 2011 576 Security NT-AUTORITÄT\NETZWERKDIENST User SRV-W2003-GERMA An-/Abmeldung Besondere Rechte bei neuer Anmeldung: Benutzername: NETZWERKDIENST Domäne: NT-AUTORITÄT Anmeldekennung: (0x0,0x3E4) Berechtigungen: SePrivilege SeAssignPrimaryTokenPrivilege SeImpersonatePrivilege 2402

# 49 | Event ID 577 | Win2003 | Category: Privilege Use

Description: Privileged Service Called.

Sample log: <13>Jul 5 15:58:05 10.1.1.55 MSWinLog 0 security 2054 Wed Jul 05 15:58:04 2006 577 Security SYSTEM Well Known Group W2K3-LASSO Privilege Use "Privileged Service Called: Server: NT Local Security Authority / Authentication Service Service: LsaRegisterLogonProcess() Primary User Name: W2K3-LASSO$ Primary Domain: SQA Primary Logon : (0x0,0x3E7) Client User Name: W2K3-LASSO$ Client Domain: SQA Client Logon : (0x0,0x3E7) Privileges: SeTcbPrivilege " 47661

# 49F | Event ID 577 | Win2003 | Category: Privilege Use

Description: Privileged Service Called.

Sample log: <13>Jun 30 10:43:21 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 37 Tue Jun 30 10:43:14 2009 577 Security SYSTEM User KKKKK-KNBMQ2EU3 Utilisation d'un privilège Service privilégié appelé : Serveur : NT Local Security Authority / Authentication Service Service : LsaRegisterLogonProcess() Utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA Id. de session principale : (0x0,0x3E7) Utilisateur client : KKKKK-KNBMQ2EU3$ Domaine client : FORESTA Id. de la session cliente : (0x0,0x3E7) Privilèges : SeTcbPrivilege 33

# 49G | Event ID 577 | Win2003 | Category: Privilege Use

Description: Privileged Service Called.

Sample log: <13>1 2011-05-16T13:27:09.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:27:09 2011 577 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Berechtigungen Aufgerufener privilegierter Dienst: Server: NT Local Security Authority / Authentication Service Dienst: LsaRegisterLogonProcess() Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Clientbenutzername: SRV-W2003-GERMA$ Clientdomäne: LL Clientanmeldekennung: (0x0,0x3E7) Rechte: SeTcbPrivilege 3055

# 50 | Event ID 578 | Win2003 | Category: Privilege Use

Description: Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary User Name: %4 Primary Domain: %5 Primary Logon : %6 Client User Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10

Sample log: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 50F | Event ID 578 | Win2003 | Category: Privilege Use

Description: Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary User Name: %4 Primary Domain: %5 Primary Logon : %6 Client User Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10

Sample log: <13>Jul 1 10:20:25 10.8.0.39 MSWinLog 0 Security 255 Wed Jul 01 09:51:14 2009 578 Security Administrateur User B0324-FR2003 Utilisation d'un privilège Opération sur objet privilégié : Serveur objet : Security Handle d'objet : 224 Id. de processus : 1084 Utilisateur principal : Administrateur Domaine principal : B0324-FR2003 Id. de session principale : (0x0,0xC08C) Utilisateur client : - Domaine client : - Id. de la session cliente : - Privilèges : SeTakeOwnershipPrivilege 104

# 50G | Event ID 578 | Win2003 | Category: Privilege Use

Description: Privileged object operation: Object Server: %1 Object Handle: %2 Process : %3 Primary User Name: %4 Primary Domain: %5 Primary Logon : %6 Client User Name: %7 Client Domain: %8 Client Logon : %9 Privileges: %10

Sample log: <13>1 2011-05-16T13:43:12.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:43:12 2011 578 Security LL\Administrator User SRV-W2003-GERMA Berechtigungen Privilegiertes-Objekt-Vorgang: Objektserver: Security Objekthandle: 228 Prozesskennung: 1212 Primärer Benutzername: administrator Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x439BD) Clientbenutzername: - Clientdomäne: - Clientanmeldekennung: - Rechte: SeTakeOwnershipPrivilege 33

# 51 | Event ID 592 | Win2003 | Category: Detailed Tracking

Description: A new process has been created.

Sample log: <13>Jul 5 15:57:48 10.1.1.55 MSWinLog 0 security 2050 Wed Jul 05 15:57:46 2006 592 Security SYSTEM Well Known Group W2K3-LASSO Detailed Tracking "A new process has been created: New Process : 4040 Image File Name: C:\WINDOWS\system32\userinit.exe Creator Process : 1344 User Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0x3E7) " 47657

# 51F | Event ID 592 | Win2003 | Category: Detailed Tracking

Description: A new process has been created.

Sample log: <13>May 21 09:39:35 kkkkk-knbmq2eu3 MSWinLog 0 Security 2 Thu May 21 09:39:35 2009 592 Security Administrateur User KKKKK-KNBMQ2EU3 Suivi détaillé Un nouveau processus a été créé : Id. du nouveau processus : 948 Nom du fichier image : C:\WINDOWS\system32\cmd.exe Id. du processus créateur : 1536 Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0xB1AE) 0

# 51G | Event ID 592 | Win2003 | Category: Detailed Tracking

Description: A new process has been created.

Sample log: <13>1 2011-05-16T13:18:55.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:18:55 2011 592 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Detaillierte Überwachung Ein neuer Vorgangs wurde erstellt: Neue Prozesskennung: 2432 Bilddateiname: C:\WINDOWS\system32\userinit.exe Erstellte Prozesskennung: 548 Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x3E7) 2913

# 52 | Event ID 593 | Win2003 | Category: Detailed Tracking

Description: A process has exited: Process : %1 Image File Name: %2 User Name: %3 Domain: %4 Logon : %5

Sample log: <13>Jul 5 15:57:48 10.1.1.55 MSWinLog 0 security 2051 Wed Jul 05 15:57:46 2006 593 Security SYSTEM Well Known Group W2K3-LASSO Detailed Tracking "A process has exited: Process : 4040 Image File Name: C:\WINDOWS\system32\userinit.exe User Name: W2K3-LASSO$ Domain: SQA Logon : (0x0,0x3E7) " 47658

# 52F | Event ID 593 | Win2003 | Category: Detailed Tracking

Description: A process has exited: Process : %1 Image File Name: %2 User Name: %3 Domain: %4 Logon : %5

Sample log: <13>May 21 09:39:44 kkkkk-knbmq2eu3 MSWinLog 0 Security 3 Thu May 21 09:39:37 2009 593 Security Administrateur User KKKKK-KNBMQ2EU3 Suivi détaillé Un processus est terminé : Id. du processus : 948 Nom du fichier image : C:\WINDOWS\system32\cmd.exe Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. d'ouv. de session : (0x0,0xB1AE) 1

# 52G | Event ID 593 | Win2003 | Category: Detailed Tracking

Description: A process has exited: Process : %1 Image File Name: %2 User Name: %3 Domain: %4 Logon : %5

Sample log: <13>1 2011-05-16T13:18:55.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:18:55 2011 593 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Detaillierte Überwachung Ein Vorgang wurde beendet: Prozesskennung: 2432 Abbilddateiname: C:\WINDOWS\system32\userinit.exe Benutzername: SRV-W2003-GERMA$ Domäne: LL Anmeldekennung: (0x0,0x3E7) 2914

# 53 | Event ID 594 | Win2003 | Category: Process Tracking

Description: An attempt was made to duplicate a handle to an object

Sample log: <13>Aug 8 09:26:00 10.116.29.15 MSWinLog 4 Security 1768 Wed Feb 14 02:12:23 2007 594 Security Administrator User ll-a155d4 Logon/Logoff A handle to an object has been duplicated Source Handle : 345 Source Process : 345 Target Handle : 3453 Target Process : 34512

# 54 | Event ID 595 | Win2003 | Category: Detailed Tracking

Description: Indirect access to an object has been obtained: Object : %1 Object Name: %2 Process : %3 Primary User Name: %4 Primary Domain: %5 Primary Logon : %6 Client User Name: %7 Client Domain: %8 Client Logon : %9 Accesses: %10 Access Mask: %11

Sample log: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

# 59F | Event ID 595 | Win2003 | Category: Security Failure audit / Windows s

Description: Un accès indirect à un objet a été obtenu

Sample log: <13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog 0 Security 35 Mon Mar 01 16:59:55 2010 595 Security Administrator User LOGLABS-2003FRA Suivi détaillé un accès indirect à un objet a été obtenu : d'objet : %1 Nom d'objet : %2 Id. de processus : %3 Utilisateur principal : %4 Domaine principal : %5 Id. de session principale : %6 Utilisateur client : %7 Domaine client : %8 Id. de la session cliente : %9 Accès : %10 Masque d'accès : %11

# 60 | Event ID 600 | Win2003 | Category: Security

Description: A process was assigned a primary token. Assigning Process Information: Process : %1 Image File Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 New Process Information: Process : %6 Image File Name: %7 Target User Name: %8 Target Domain: %9 Target Logon : %10

Sample log: <13>Aug 9 14:01:41 10.116.28.102 MSWinLog 0 Security 27691 Tue Aug 08 14:26:07 2006 600 Security SYSTEM User LOGLOGIC-SRV1 Detailed Tracking A process was assigned a primary token. Assigning Process Information: Process : 840 Image File Name: C:\WINDOWS\system32\svchost.exe Primary User Name: LOGLOGIC-SRV1$ Primary Domain: LOGLOGIC Primary Logon : (0x0,0x3E7) New Process Information: Process : 2824 Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe Target User Name: NETWORK SERVICE Target Domain: NT AUTHORITY Target Logon : (0x0,0x3E4) 26624

# 60F | Event ID 600 | Win2003 | Category: Security

Description: A process was assigned a primary token. Assigning Process Information: Process : %1 Image File Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 New Process Information: Process : %6 Image File Name: %7 Target User Name: %8 Target Domain: %9 Target Logon : %10

Sample log: <13>Jun 30 10:54:59 kkkkk-knbmq2eu3.foresta MSWinLog 4 Security 90 Tue Jun 30 10:54:59 2009 600 Security SYSTEM User KKKKK-KNBMQ2EU3 Suivi détaillé Un jeton principal a été attribué à un processus. Informations sur l'attribution de processus : Id. du processus : 392 Nom du fichier image : C:\WINDOWS\system32\winlogon.exe Nom d'utilisateur principal : KKKKK-KNBMQ2EU3$ Domaine principal : FORESTA d'ouv de session principale : (0x0,0x3E7) Informations de nouveau processus : de processus : 2692 Nom du fichier image : C:\WINDOWS\system32\logon.scr Nom d'utilisateur cible : Administrateur Domaine cible : FORESTA d'ouv de session : (0x0,0x260DD) 82

# 60G | Event ID 600 | Win2003 | Category: Security

Description: A process was assigned a primary token. Assigning Process Information: Process : %1 Image File Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon : %5 New Process Information: Process : %6 Image File Name: %7 Target User Name: %8 Target Domain: %9 Target Logon : %10

Sample log: <13>1 2011-05-16T13:19:46.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:19:46 2011 600 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Detaillierte Überwachung Einem Prozess wurde ein primäres Token zugewiesen. Prozessinformationen: Prozesskennung: 1152 Abbilddateiname: C:\WINDOWS\system32\svchost.exe Primärer Benutzername: SRV-W2003-GERMA$ Primäre Domäne: LL Primäre Anmeldekennung: (0x0,0x3E7) Neue Prozessinformationen: Prozesskennung: 2440 Abbilddateiname: C:\WINDOWS\system32\wuauclt.exe Zielbenutzername: administrator Zieldomäne: LL Zielanmeldekennung: (0x0,0x439BD) 3013

# 61 | Event ID 608 | Win2003 | Category: Policy Change

Description: User Right Assigned: User Right: %1 Assigned To: %2 Assigned By: User Name: %3 Domain: %4 Logon : %5

Sample log: <13>Jul 6 16:22:33 10.1.1.55 MSWinLog 0 security 12161 Thu Jul 06 16:22:31 2006 608 Security qatest User W2K3-LASSO Policy Change "User Right Assigned: User Right: SeCreateGlobalPrivilege Assigned To: %{S-1-5-21-1578117074-177915290-4279395478-1132} Assigned By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) " 57768

61F 608 Win2003 User Right Assigned: User Right: %1 Assigned To: %2 Assigned By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13>Jun 30 08:30:37 kkkkk-knbmq2eu3 MSWinLog 3 Security 246 Tue Jun 30 08:30:32 2009 608 Security Administrateur User KKKKK-KNBMQ2EU3 Changement de stratégie Droit assigné à l'utilisateur : Droit assigné à l'utilisateur : SeAssignPrimaryTokenPrivilege Assigné à : %{S-1-5-21-4199537000-1147309911-3789607300-1013} Assigné par : Utilisateur : Administrateur Domaine : KKKKK-KNBMQ2EU3 Id. de la session : (0x0,0x13261) 45

61 608 Win2003 User Right Assigned: User Right: %1 Assigned To: %2 Assigned By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13>1 2011-05-16T13:18:54.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:18:54 2011 612 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Richtlinienänderung Änderung der Überwachungsrichtlinien: Neue Richtlinie: Erfolg Fehlschlag + + Anmeldung/Abmeldung + + Objektzugriff + + Rechteverwendung + + Kontenverwaltung + + Richtlinienänderung + + + + Ausführliche Überwachung + + Verzeichnisdienstzugriff + + Kontoanmeldung Geändert von: Benutzername: SRV-W2003-GERMA$ Domänenname: LL Anmeldekennung: (0x0,0x3E7) 2912

62 609 Win2003 User Right Removed. Policy Change
<13>Jul 6 16:22:55 10.1.1.55 MSWinLog 0 security 12165 Thu Jul 06 16:22:54 2006 609 Security qatest User W2K3-LASSO Policy Change "User Right Removed: User Right: SeCreateGlobalPrivilege Removed From: %{S-1-5-21-1578117074-177915290-4279395478-1132} Removed By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) " 57772

62F 609 Win2003 User Right Removed. Policy Change
<13>Jun 30 08:49:01 kkkkk-knbmq2eu3 MSWinLog 3 Security 52 Tue Jun 30 08:48:56 2009 609 Security SYSTEM User KKKKK-KNBMQ2EU3 Changement de stratégie Droit de l'utilisateur supprimé : Droit de l'utilisateur : SetimePrivilege SeShutdownPrivilege SeProfileSingleProcessPrivilege SeChangeNotifyPrivilege SeUndockPrivilege Supprimé de : %{S-1-5-32-547} Supprimé par : Utilisateur : KKKKK-KNBMQ2EU3$ Domaine : WORKGROUP Id. de la session : (0x0,0x3E7) 22

63 610 Win2003 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: User Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change
<13>Jul 6 16:48:51 10.1.1.55 MSWinLog 0 security 12350 Thu Jul 06 16:48:50 2006 610 Security qatest User W2K3-LASSO Policy Change "New Trusted Domain: Domain Name: loglogic.sbs Domain : - Established By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) Trust : 3 Trust Direction: 3 Trust Attributes: 1 S Filtering: Disabled " 57957

63F 610 Win2003 New Trusted Domain: Domain Name: %1 Domain : %2 Established By: User Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change
<13>Jul 22 07:32:28 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2039 Wed Jul 22 07:32:23 2009 610 Security Administrateur User B0324-FR2003 Changement de stratégie Nouveau domaine approuvé : Nom du domaine : abc.com Id. du domaine : %{S-1-5-21-1893538592-169538710-3728419160} Établi par : Utilisateur : Administrateur Domaine : DOMAIN Id. de la session : (0x0,0x3EAB48) d'approbation : 2 Direction de l'approbation : 1 Attributs de l'approbation : 0 Filtrage S : %%1796 1974

64 611 Win2003 Trusted Domain Removed: Domain Name: %1 Domain : %2 Removed By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13>Jul 6 16:59:13 10.1.1.55 MSWinLog 0 security 12438 Thu Jul 06 16:59:12 2006 611 Security qatest User W2K3-LASSO Policy Change "Trusted Domain Removed: Domain Name: loglogic.sbs Domain : - Removed By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) " 58045

64F 611 Win2003 Trusted Domain Removed: Domain Name: %1 Domain : %2 Removed By: User Name: %3 Domain: %4 Logon : %5 Policy Change
<13>Jul 22 07:35:25 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2053 Wed Jul 22 07:35:17 2009 611 Security Administrateur User B0324-FR2003 Changement de stratégie Domaine approuvé supprimé : Nom du domaine : ABC Id. du domaine : %{S-1-5-21-1893538592-169538710-3728419160} Supprimé par : Utilisateur : Administrateur Domaine : DOMAIN Id. de la session : (0x0,0x3EAB48) 1988

65 612 Win2003 Policy Change Failure. Policy Change / Permission Modification
<13>Jul 5 15:57:48 10.1.1.55 MSWinLog 0 security 2049 Wed Jul 05 15:57:46 2006 612 Security SYSTEM Well Known Group W2K3-LASSO Policy Change " Policy Change: New Policy: Failure + + Logon/Logoff + + Object Access + + Privilege Use + + + + Policy Change + + + + Detailed Tracking + + Directory Service Access + + Logon Changed By: User Name: W2K3-LASSO$ Domain Name: SQA Logon : (0x0,0x3E7) " 47656

65F 612 Win2003 Policy Change Failure. Policy Change / Permission Modification
<13>May 21 10:31:20 kkkkk-knbmq2eu3 MSWinLog 3 Security 8 Thu May 21 10:31:06 2009 612 Security SYSTEM User KKKKK-KNBMQ2EU3 Changement de stratégie Modification de la stratégie d'audit : Nouvelle stratégie : Succès Échec + - Ouvertures/Fermetures de session - - Accès aux objets - - Utilisation d'un privilège + + Gestion des comptes + + Changement de stratégie + + Système + + Suivi détaillé - - Accès Active Directory + - Connexion au compte Modifié par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom du domaine : WORKGROUP Id. de la session : (0x0,0x3E7) 2

65G 612 Win2003 Policy Change Failure. Policy Change / Permission Modification
<13>1 2011-05-16T13:18:54.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:18:54 2011 612 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Richtlinienänderung Änderung der Überwachungsrichtlinien: Neue Richtlinie: Erfolg Fehlschlag + + Anmeldung/Abmeldung + + Objektzugriff + + Rechteverwendung + + Kontenverwaltung + + Richtlinienänderung + + + + Ausführliche Überwachung + + Verzeichnisdienstzugriff + + Kontoanmeldung Geändert von: Benutzername: SRV-W2003-GERMA$ Domänenname: LL Anmeldekennung: (0x0,0x3E7) 2912

66 617 Win2003 Kerberos Policy Changed: Changed By: Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4. Policy Change
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 170 Thu Jun 29 14:56:31 2006 617 Security SYSTEM Well Known Group W2K3-LASSO Policy Change "Kerberos Policy Changed: Changed By: User Name: W2K3-LASSO$ Domain Name: SQA Logon : (0x0,0x3E7) Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0xa09b800000000 (none); " 254

66F 617 Win2003 Kerberos Policy Changed: Changed By: Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4. Policy Change
<13>Jun 30 09:27:33 kkkkk-knbmq2eu3.foresta MSWinLog 3 Security 236 Tue Jun 30 09:27:24 2009 617 Security SYSTEM User KKKKK-KNBMQ2EU3 Changement de stratégie Stratégie Kerberos modifiée : Modifiée par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine : FORESTA Id. d'ouv. de session : (0x0,0x3E7) Modifications effectuées : ('--' signifie aucune modification, sinon chaque modification est affichée sous la forme : <NomParamètre> : <nouvelle valeur> (<ancienne valeur>)) KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0xa05b000000000 (none); 203

67 618 Win2003 Encrypted Data Recovery Policy Changed: Changed By: Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4 Policy Change
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

67F 618 Win2003 Encrypted Data Recovery Policy Changed: Changed By: Domain Name: %2 Logon : %3 Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) %4 Policy Change
<13>Jun 26 04:33:24 kkkkk-knbmq2eu3 MSWinLog 3 Security 132 Fri Jun 26 04:33:24 2009 618 Security SYSTEM User KKKKK-KNBMQ2EU3 Changement de stratégie Stratégie de récupération de données cryptées modifiée : Modifiée par : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine : WORKGROUP Id. d'ouv. de session : (0x0,0x3E7) Modifications effectuées : ('--' signifie aucune modification, sinon chaque modification est affichée sous la forme : <NomParamètre> : <nouvelle valeur> (<ancienne valeur>)) -- 88

68 619 Win2003 Quality of Service Policy Changed Changed By. Policy Change
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

69 620 Win2003 Trusted Domain Information Modified: Domain Name: %1 Domain : %2 Modified By: User Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change
<13>Jul 7 14:11:30 10.1.1.55 MSWinLog 0 security 58041 Thu Jul 06 16:59:10 2006 620 Security qatest User W2K3-LASSO Policy Change "Trusted Domain Information Modified: Domain Name: - Domain : - Modified By: User Name: qatest Domain: SQA Logon : (0x0,0x151CB1A) Trust : - Trust Direction: 1 Trust Attributes: - S Filtering: - " 58041

69F 620 Win2003 Trusted Domain Information Modified: Domain Name: %1 Domain : %2 Modified By: User Name: %3 Domain: %4 Logon : %5 Trust : %6 Trust Direction: %7 Trust Attributes: %8 S Filtering: %9 Policy Change
<13>Jul 22 08:07:47 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2297 Wed Jul 22 08:07:40 2009 620 Security Administrateur User B0324-FR2003 Changement de stratégie Informations sur le domaine approuvé modifiées : Nom de domaine : - Id. de domaine : %{S-1-5-21-1893538592-169538710-3728419160} Modifié par : Utilisateur : Administrateur Domaine : DOMAIN Id. d'ouv. de session : (0x0,0x3EAB48) d'approbation : - Direction de l'approbation : 3 Attributs de l'approbation : - Filtrage S: - 2228

70 621 Win2003 Security Access Granted: Access Granted: %4 Modified: %5 Assigned By: Domain: %2 Logon : %3 Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

70F 621 Win2003 Security Access Granted: Access Granted: %4 Modified: %5 Assigned By: Domain: %2 Logon : %3 Security
<13>Jul 1 10:20:50 10.8.0.39 MSWinLog 0 Security 7891 Wed Jul 01 10:18:46 2009 621 Security Administrateur User B0324-FR2003 Changement de stratégie Accès sécurité système accordé : Accès accordé : SeServiceLogonRight Compte modifié : %{S-1-5-21-30331043-1043570551-1080916408-500} Attribué par : Utilisateur : Administrateur Domaine : B0324-FR2003 d'ouv. de session : (0x0,0xAFD9) 7740

71 622 Win2003 Security Access Removed: Access Removed: %4 Modified: %5 Removed By: Domain: %2 Logon : %3 Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

71F 622 Win2003 Security Access Removed: Access Removed: %4 Modified: %5 Removed By: Domain: %2 Logon : %3 Security
<13>Jul 1 09:58:39 b0324-fr2003 MSWinLog 4 Security 61 Wed Jul 01 09:58:39 2009 622 Security Administrateur User B0324-FR2003 Changement de stratégie Accès de sécurité système supprimé : Accès supprimé : SeNetworkLogonRight Compte modifié : %{S-1-1-0} Supprimé par : Utilisateur : Administrateur Domaine : B0324-FR2003 Id. d'ouv. de session : (0x0,0xAFD9) 43

72 624 Win2003 User Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 / Permission Modification
<13>Jul 5 12:15:31 10.1.1.55 MSWinLog 0 security 698 Wed Jul 05 12:15:31 2006 624 Security qatest User W2K3-LASSO "User Created: New Name: test New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-1125} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges - Attributes: Sam Name: test Display Name: hg ghf. gf User Principal Name: test@sqa.loglogic.com Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: <never> Expires: <never> Primary Group : 513 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x15 User Control: User Parameters: - Sid History: - Logon Hours: <value not set> " 46305

72F 624 Win2003 User Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 / Permission Modification
<13>May 21 09:47:06 kkkkk-knbmq2eu3 MSWinLog 2 Security 17 Thu May 21 09:47:06 2009 624 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur créé : Nom du nouveau compte : loglogic Nouveau domaine : KKKKK-KNBMQ2EU3 Id. du nouveau compte : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) Privilèges : - Attributs : Nom du compte SAM : loglogic Nom affiché : %%1793 Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : %%1794 Le compte expire le : %%1794 de groupe principal : 513 Délégué autorisé : - Précédente valeur UAC : 0x132180 Nouvelle valeur UAC : 0x132180 Contrôle du compte utilisateur (UAC) : - Paramètres utilisateurs : %%1793 Historique S : - Heures d'ouverture de session : %%1792 10

72G 624 Win2003 User Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 / Permission Modification
<13>1 2011-05-16T13:57:29.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:57:29 2011 624 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Benutzerkonto wurde erstellt: Neuer Kontenname: admin Neue Domäne: LL Neue Kontokennung: %{S-1-5-21-2596240490-1182617669-3122350813-1112} Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) Rechte: - Attribute: SAM-Kontoname: admin Anzeigename: Admin Benutzerprinzipalname: admin@ll.local Stammverzeichnis: - Stammlaufwerk: - Skriptpfad: - Profilpfad: - Benutzerworkstations: - Kennwort zuletzt gesetzt: <nie> Konto läuft ab: <nie> Primäre Gruppenkennung: 513 DelegierenAnZulässig: - Alter UAC Wert: 0x0 Neuer UAC Wert: 0x15 Benutzerkontensteuerung: Konto Deaktiviert "Kennwort nicht benötigt" - Aktiviert "Normales Konto" - Aktiviert Benutzerparameter: - Sid-Verlauf: - Anmeldestunden: <Wert nicht gesetzt> 565

73 626 Win2003 User Enabled: Target Name: %1 Target : %3 Caller Logon : %6
<13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 166 Wed Jul 05 11:00:23 2006 626 Security qatest User W2K3-LASSO "User Enabled: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1121} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " 45773

73F 626 Win2003 User Enabled: Target Name: %1 Target : %3 Caller Logon : %6
<13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 166 Wed Jul 05 11:00:23 2006 626 Security qatest User W2K3-LASSO "User Enabled: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1121} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " 45773

73G 626 Win2003 User Enabled: Target Name: %1 Target : %3 Caller Logon : %6
<13>1 2011-05-16T13:57:47.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:57:47 2011 626 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Aktiviertes Benutzerkonto: Zielkontenname: admin Zieldomäne: LL Zielkontokennung: LL\admin Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) 589

74 627 Win2003 Change Password Attempt: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 5 12:28:01 10.1.1.55 MSWinLog 0 security 826 Wed Jul 05 12:28:01 2006 627 Security SYSTEM Well Known Group W2K3-LASSO "Change Password Attempt: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1125} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - " 46433

74F 627 Win2003 Change Password Attempt: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jun 26 03:42:34 kkkkk-knbmq2eu3 MSWinLog 2 Security 63 Fri Jun 26 03:42:34 2009 627 Security SYSTEM User KKKKK-KNBMQ2EU3 Gestion des comptes Tentative de changement de mot de passe : Nom du compte cible : test Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1010} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : WORKGROUP Id. de la session appelante : (0x0,0x3E7) Privilèges : - 33

74G 627 Win2003 Change Password Attempt: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>1 2011-05-16T14:10:18.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:10:18 2011 627 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA Kontenverwaltung Versuch, Kennwort zu ändern: Zielkontenname: admin Zieldomäne: LL Zielkontokennung: LL\admin Benutzername des Aufrufers: SRV-W2003-GERMA$ Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x3E7) Rechte: - 1126

75 628 Win2003 User password set: Target Name: %1 Target : %3 Caller Logon : %6 / Permission Modification
<13>Jul 5 12:15:32 10.1.1.55 MSWinLog 0 security 702 Wed Jul 05 12:15:31 2006 628 Security qatest User W2K3-LASSO "User password set: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1125} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) " 46309

75F 628 Win2003 User password set: Target Name: %1 Target : %3 Caller Logon : %6 / Permission Modification
<13>May 21 09:47:07 kkkkk-knbmq2eu3 MSWinLog 2 Security 20 Thu May 21 09:47:06 2009 628 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Établissement d'un mot de passe de compte d'utilisateur : Nom du compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) 13

75G 628 Win2003 User password set: Target Name: %1 Target : %3 Caller Logon : %6 / Permission Modification
<13>1 2011-05-16T13:57:29.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:57:29 2011 628 Security LL\Administrator User Failure SRV-W2003-GERMA Kontenverwaltung Kennwort für Benutzerkonto gesetzt: Zielkontenname: Zieldomäne: LL Zielkontokennung: %{S-1-5-21-2596240490-1182617669-3122350813-1112} Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) 568

76 629 Win2003 User Disabled: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13>Aug 9 18:11:46 10.116.28.102 MSWinLog 0 Security 26835 Tue Aug 08 13:01:36 2006 629 Security Unknown User N/A LOGLOGIC-SRV1 User Disabled: Target Name: AAA$ Target Domain: LOGLOGIC Target : %{S-1-5-21-1454988305-2637349178-1245076292-1113} Caller User Name: administrator Caller Domain: LOGLOGIC Caller Logon : (0x0,0xC25B9) 25689

76F 629 Win2003 User Disabled: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13>Jun 26 03:36:33 kkkkk-knbmq2eu3 MSWinLog 2 Security 43 Fri Jun 26 03:36:30 2009 629 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur désactivé : Nom du compte cible : test Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1010} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x100D3) 24

76G 629 Win2003 User Disabled: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13>1 2011-05-16T14:00:57.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:00:57 2011 629 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Deaktiviertes Benutzerkonto: Zielkontenname: admin Zieldomäne: LL Zielkontokennung: LL\admin Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2EE9BA) 690

77 630 Win2003 User Deleted. / Permission Modification
<13>Jul 5 12:14:57 10.1.1.55 MSWinLog 0 security 693 Wed Jul 05 12:14:56 2006 630 Security qatest User W2K3-LASSO "User Deleted: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1121} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 46300

77F 630 Win2003 User Deleted. / Permission Modification
<13>May 21 09:51:28 kkkkk-knbmq2eu3 MSWinLog 2 Security 30 Thu May 21 09:51:13 2009 630 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur supprimé : Nom du compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. du compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de la session appelante : (0x0,0x65B96) Privilèges : - 22

77G 630 Win2003 User Deleted. / Permission Modification
<13>1 2011-05-16T13:57:32.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:57:32 2011 630 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschtes Benutzerkonto: Zielkontenname: admin Zieldomäne: LL Zielkontokennung: %{S-1-5-21-2596240490-1182617669-3122350813-1112} Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) Rechte: - 572

78 631 Win2003 Security Enabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 41 Thu Jun 29 14:54:32 2006 631 Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Security Enabled Global Group Created: New Name: Domain Computers New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-515} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Attributes: Sam Name: Domain Computers Sid History: - " 125

78F 631 Win2003 Security Enabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 22 Tue Jun 30 09:20:18 2009 631 Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée créé : Nouveau nom de compte : Ordinateurs du domaine Nouveau domaine : FORESTA Id. du nouveau compte : %{S-1-5-21-4199537000-1147309911-3789607300-515} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs : Nom du compte SAM : Ordinateurs du domaine Historique S : - 21

78G 631 Win2003 Security Enabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>1 2011-05-16T14:47:38.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:47:38 2011 631 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte globale Gruppe mit aktivierter Sicherheit: Neuer Kontoname: test Neue Domäne: LL Neue Kontokennung: LL\test Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: SAM-Kontoname: test Sid-Verlauf: - 1845

79 632 Win2003 Security Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 79 Thu Jun 29 14:54:37 2006 632 Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Security Enabled Global Group Member Added: Member Name: - Member : %{S-1-5-21-1578117074-177915290-4279395478-500} Target Name: Domain Admins Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-512} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - " 163

79F 632 Win2003 Security Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification
<13>May 21 09:47:06 kkkkk-knbmq2eu3 MSWinLog 2 Security 16 Thu May 21 09:47:06 2009 632 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe global de sécurité activée ajouté : Nom du membre : - Id. du membre : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Nom de compte cible : Aucun Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-513} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - 9

79G 632 Win2003 Security Enabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification
<13>1 2011-05-16T13:58:04.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:58:04 2011 632 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes globales Gruppenmitglied mit aktivierter Sicherheit: Mitgliedname: cn=admin,cn=users,dc=ll,dc=local Mitgliedkennung: LL\admin Zielkontoname: Domänen-Admins Zieldomäne: LL Zielkontokennung: LL\Domänen-Admins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x2A1414) Rechte: - 592

80 633 Win2003 Security Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification
<13>Jun 29 15:30:12 10.1.1.55 MSWinLog 0 security 466 Thu Jun 29 15:30:11 2006 633 Security qatest User W2K3-LASSO "Security Enabled Global Group Member Removed: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: test123 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1113} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 550

80F 633 Win2003 Security Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification
<13>May 21 09:42:29 kkkkk-knbmq2eu3 MSWinLog 2 Security 11 Thu May 21 09:42:29 2009 633 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe global de sécurité activée supprimé : Nom du membre : - Id. du membre : %{S-1-5-21-4199537000-1147309911-3789607300-1003} Nom de compte cible : Aucun Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-513} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB1AE) Privilèges : - 4

80G 633 Win2003 Security Enabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 / Permission Modification
<13>1 2011-05-16T14:04:51.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:04:51 2011 633 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes globale Gruppenmitglied mit aktivierter Sicherheit: ymitgliedname: CN=Admin,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\admin Zielkontoname: Domänen-Admins Zieldomäne: LL Zielkontokennung: LL\Domänen-Admins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3801FF) Rechte: - 857

81 634 Win2003 Security Enabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 / Permission Modification
<13>Jun 29 15:35:27 10.1.1.55 MSWinLog 0 security 497 Thu Jun 29 15:35:26 2006 634 Security qatest User W2K3-LASSO "Security Enabled Global Group Deleted: Target Name: test123 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1113} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 581

81F 634 Win2003 Security Enabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 / Permission Modification
<13>Jul 2 08:06:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3792 Thu Jul 02 08:06:49 2009 634 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe global de sécurité activée supprimé : Nom de compte cible : qdsfqd Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1119} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3628

81G 634 Win2003 Security Enabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 / Permission Modification
<13>1 2011-05-16T14:49:20.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:49:20 2011 634 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte globale Gruppe mit aktivierter Sicherheit: Zielkontoname: test Zieldomäne: LL Zielkontokennung: LL\test Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1850

82 635 Win2003 Security Enabled Local Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 20 Thu Jun 29 14:54:30 2006 635 Security SYSTEM Well Known Group W2K3-LASSO "Security Enabled Local Group Created: New Name: Print Operators New Domain: Builtin New : %{S-1-5-32-550} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Attributes: Sam Name: Print Operators Sid History: - " 104

82F 635 Win2003 Security Enabled Local Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jun 25 09:24:48 kkkkk-knbmq2eu3 MSWinLog 2 Security 85 Thu Jun 25 09:24:48 2009 635 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée créé : Nom du nouveau compte : qsdsqd Nouveau domaine : KKKKK-KNBMQ2EU3 Id. du nouveau compte : %{S-1-5-21-4199537000-1147309911-3789607300-1006} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - Attributs : Nom du compte SAM : qsdsqd Historique S : - 42

82G 635 Win2003 Security Enabled Local Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>1 2011-05-16T14:50:36.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:50:36 2011 635 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte lokale Gruppe mit aktivierter Sicherheit: Neuer Kontoname: local-security-group Neue Domäne: LL Neue Kontokennung: LL\local-security-group Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: SAM-Kontoname: local-security-group Sid-Verlauf: - 1874

83 636 Win2003 Security Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 5 11:07:49 10.1.1.55 MSWinLog 0 security 300 Wed Jul 05 11:07:48 2006 636 Security qatest User W2K3-LASSO "Security Enabled Local Group Member Added: Member Name: CN=testt,CN=Users,DC=sqa,DC=loglogic,DC=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1121} Target Name: Users Target Domain: Builtin Target : %{S-1-5-32-545} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 45907

83F 636 Win2003 Security Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>May 21 09:49:36 kkkkk-knbmq2eu3 MSWinLog 2 Security 24 Thu May 21 09:49:36 2009 636 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe local de sécurité activée ajouté : Nom du membre : - Id. du membre : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Nom de compte cible : Administrateurs Domaine cible : Builtin Id. du compte cible : %{S-1-5-32-544} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - 17

83G 636 Win2003 Security Enabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>1 2011-05-16T14:41:34.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:41:34 2011 636 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes lokales Gruppenmitglied mit aktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: DnsAdmins Zieldomäne: LL Zielkontokennung: LL\DnsAdmins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1818

84 637 Win2003 Security Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 5 15:44:05 10.1.1.55 MSWinLog 0 security 1949 Wed Jul 05 15:44:05 2006 637 Security qatest User W2K3-LASSO "Security Enabled Local Group Member Removed: Member Name: CN=hg ghf. gf,cn=users,dc=sqa,dc=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1125} Target Name: Administrators Target Domain: Builtin Target : %{S-1-5-32-544} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x668A8) Privileges: - " 47556

84F 637 Win2003 Security Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>May 21 09:50:00 kkkkk-knbmq2eu3 MSWinLog 2 Security 25 Thu May 21 09:49:36 2009 637 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Membre du groupe local de sécurité activée supprimé : Nom du membre : - Id. du membre : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Nom de compte cible : Utilisateurs Domaine cible : Builtin Id. du compte cible : %{S-1-5-32-545} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - 18

84G 637 Win2003 Security Enabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>1 2011-05-16T14:50:47.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:50:47 2011 637 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes lokales Gruppenmitglied mit aktivierter Sicherheit: Mitgliedname: CN=Admin,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\admin Zielkontoname: local-security-group Zieldomäne: LL Zielkontokennung: LL\local-security-group Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1878

85 638 Win2003 Security Enabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7.
<13>Jun 29 16:10:01 10.1.1.55 MSWinLog 0 security 799 Thu Jun 29 16:09:59 2006 638 Security qatest User W2K3-LASSO "Security Enabled Local Group Deleted: Target Name: test Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1123} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 883

85F 638 Win2003 Security Enabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7.
<13>Jun 25 09:24:56 kkkkk-knbmq2eu3 MSWinLog 2 Security 87 Thu Jun 25 09:24:52 2009 638 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Groupe local de sécurité activée supprimé : Nom de compte cible : qsdsqd Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1006} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - 44

85G 638 Win2003 Security Enabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7.
<13>1 2011-05-16T14:50:50.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:50:50 2011 638 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte lokale Gruppe mit aktivierter Sicherheit: Zielkontoname: local-security-group Zieldomäne: LL Zielkontokennung: LL\local-security-group Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1879

86 639 Win2003 Enabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jul 5 11:07:49 10.1.1.55 MSWinLog 0 security 299 Wed Jul 05 11:07:48 2006 639 Security qatest User W2K3-LASSO "Security Enabled Local Group Changed: Target Name: Users Target Domain: Builtin Target : %{S-1-5-32-545} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: - Sid History: - " 45906

86F 639 Win2003 Enabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jun 25 09:24:48 kkkkk-knbmq2eu3 MSWinLog 2 Security 86 Thu Jun 25 09:24:48 2009 639 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Groupe local de sécurité activée modifié : Nom de compte cible : qsdsqd Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1006} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0xB773) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 43

86G 639 Win2003 Enabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>1 2011-05-16T14:41:34.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:41:34 2011 639 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte lokale Gruppe mit aktivierter Sicherheit: Zielkontoname: DnsAdmins Zieldomäne: LL Zielkontokennung: LL\DnsAdmins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Geänderte Attribute: SAM-Kontoname: - Sid-Verlauf: - 1817

87 640 Win2003 General Database Change.
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

96F 640 Win2003 Modification de la base de données des comptes généraux Security audit / Windows s
<13>Mar 1 17:00:38 loglabs-2003fra.loglabs.lab MSWinLog 0 Security 35 Mon Mar 01 16:59:55 2010 640 Security Administrator User LOGLABS-2003FRA Suivi détaillé modification de la base de données des comptes généraux : de modification : %1 d'objet : %2 Nom d'objet : %3 Id. de l'objet : %4 Utilisateur appelant : %5 Domaine appelant : %6 Id. de la session appelante : %7

97 641 Win2003 Security Enabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 42 Thu Jun 29 14:54:33 2006 641 Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Security Enabled Global Group Changed: Target Name: Domain Computers Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-515} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Sid History: - " 126

97F 641 Win2003 Security Enabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 23 Tue Jun 30 09:20:18 2009 641 Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Groupe global de sécurité activée modifié : Nom de compte cible : Ordinateurs du domaine Domaine cible : FORESTA Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-515} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 22

97G 641 Win2003 Security Enabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>1 2011-05-16T13:58:03.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:58:03 2011 641 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte globale Gruppe mit aktivierter Sicherheit: Zielkontoname: Domänen-Admins Zieldomäne: LL Zielkontokennung: LL\Domänen-Admins Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x2A1414) Rechte: - Geänderte Attribute: SAM-Kontoname: - Sid-Verlauf: - 591

98 642 Win2003 User Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 User Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 User Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 User Control: %23 User Parameters: %24 Sid History: %25 Logon Hours: %26 / Permission Modification
<13>Jul 5 11:04:09 10.1.1.55 MSWinLog 0 security 165 Wed Jul 05 11:00:23 2006 642 Security qatest User W2K3-LASSO "User Changed: Target Name: testt Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1121} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x10 User Control: User Parameters: - Sid History: - Logon Hours: - " 45772

98F 642 Win2003 User Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 User Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 User Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 User Control: %23 User Parameters: %24 Sid History: %25 Logon Hours: %26 / Permission Modification
<13>May 21 09:47:07 kkkkk-knbmq2eu3 MSWinLog 2 Security 19 Thu May 21 09:47:06 2009 642 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'utilisateur modifié : Nom de compte cible : loglogic Domaine cible : KKKKK-KNBMQ2EU3 Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1004} Utilisateur appelant : Administrateur Domaine appelant : KKKKK-KNBMQ2EU3 Id. de session de l'appelant : (0x0,0x65B96) Privilèges : - Attributs modifiés : Nom du compte SAM : loglogic Nom affiché : loglogic Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : 21/05/2009 09:47:06 Le compte expire le : %%1794 de groupe principal : 513 Délégué autorisé : - Précédente valeur UAC : 0x132180 Nouvelle valeur UAC : 0x132180 Contrôle du compte utilisateur (UAC) : - Paramètres utilisateurs : - Historique S : - Heures d'ouverture de session : %%1792 12

98G 642 Win2003 User Changed: Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 Changed Attributes: Sam Name: %9 Display Name: %10 User Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 User Workstations: %16 Password Last Set: %17 Expires: %18 Primary Group : %19 AllowedToDelegateTo: %20 Old UAC Value: %21 New UAC Value: %22 User Control: %23 User Parameters: %24 Sid History: %25 Logon Hours: %26 / Permission Modification
<13>1 2011-05-16T13:57:47.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:57:47 2011 642 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Benutzerkonto wurde geändert: Neuer Kontenname: admin Neue Domäne: LL Neue Kontokennung: LL\admin Benutzername des Aufrufers: administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x2A1414) Rechte: - Geänderte Attribute: SAM-Kontoname: - Anzeigename: - Benutzerprinzipalname: - Stammverzeichnis: - Stammlaufwerk: - Skriptpfad: - Profilpfad: - Benutzerworkstations: - Kennwort zuletzt gesetzt: 16.05.2011 13:57:47 Konto läuft ab: - Primäre Gruppenkennung: - DelegierenAnZulässig: - Alter UAC Wert: - Neuer UAC Wert: - Benutzerkontensteuerung: - Benutzerparameter: - Sid-Verlauf: - Anmeldestunden: - 583

99 642 Win2003 User Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 / Permission Modification
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

100 643 Win2003 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM Information: %20 / Permission Modification
<13>Jul 5 12:27:43 10.1.1.55 MSWinLog 0 security 816 Wed Jul 05 12:27:43 2006 643 Security SYSTEM Well Known Group W2K3-LASSO "Domain Policy Changed: Lockout Policy modified Domain Name: SQA Domain : %{S-1-5-21-1578117074-177915290-4279395478} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Min. Password Age: - Max. Password Age: - Force Logoff: - Lockout Threshold: 5 Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: - Machine Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: - " 46423

100F 643 Win2003 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM Information: %20 / Permission Modification
<13>Jun 30 09:27:33 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 233 Tue Jun 30 09:27:24 2009 643 Security SYSTEM User KKKKK-KNBMQ2EU3 Gestion des comptes Stratégie de domaine modifiée : Stratégie de mot de passe modifié Domaine : FORESTA Id. de domaine : %{S-1-5-21-4199537000-1147309911-3789607300} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de la session appelante : (0x0,0x3E7) Privilèges : - Attributs modifiés : Âge minimal du mot de passe : 86400 Âge maximal du mot de passe : - Fermeture de session forcée : - Seuil de verrouillage : - Fenêtre d'observation du verrouillage : - Durée du verrouillage : - Propriétés du mot de passe : 1 Longueur minimale du mot de passe : 7 Longueur de l'historique de mot de passe : 24 Quota de comptes ordinateurs : - Mode domaine mixte : - Version de comportement du domaine : - Informations OEM : - 200

100G 643 Win2003 Domain Policy Changed: %1 modified Domain Name: %2 Domain : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Quota: %17 Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM Information: %20 / Permission Modification
<13>1 2011-05-16T14:24:14.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:24:14 2011 643 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Kontenverwaltung Domänenrichtlinien geändert: Sperrrichtlinie geändert Domänenname: LL Domänenkennung: LL\ Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Berechtigungen: - Geänderte Attribute: Min. Kennwortalter: - Max. Kennwortalter: - Abmeldung erzwingen: - Sperrschwelle: 5 Sperrüberwachungsfenster: - Sperrdauer: - Kennworteigenschaften: - Min. Kennwortlänge: - Kennwortverlaufslänge: - Computerkontokontingent: - Gemischter Domänenmodus: - Domänenverhaltensversion: - OEM-Information: - 1609

101 644 Win2003 User Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Logon : %6 / Permission Modification
<13>Jul 5 12:28:43 10.1.1.55 MSWinLog 0 security 833 Wed Jul 05 12:28:43 2006 644 Security SYSTEM Well Known Group W2K3-LASSO "User Locked Out: Target Name: test Target : %{S-1-5-21-1578117074-177915290-4279395478-1125} Caller Machine Name: W2K3-LASSO Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) " 46440

101F 644 Win2003 User Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Logon : %6 / Permission Modification
<13>Jul 17 03:29:48 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 192984 Fri Jul 17 03:29:45 2009 644 Security SYSTEM User B0324-FR2003 Gestion des comptes Compte d'utilisateur verrouillé : Nom du compte cible : test du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1135} Nom de l'ordinateur appelant : B0324-MENGKJ Nom de l'utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN de session de l'appelant : (0x0,0x3E7) 192015

101G 644 Win2003 User Locked Out: Target Name: %1 Target : %3 Caller Machine Name: %2 Caller Logon : %6 / Permission Modification
<13>1 2011-05-16T14:24:50.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:24:50 2011 644 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Kontenverwaltung Gesperrtes Benutzerkonto: Zielkontoname: admin Zieldomäne: SRV-W2003-GERMA Aufrufercomputername: LL\admin Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) 1674

102 645 Win2003 Computer Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 / Permission Modification
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 33 Thu Jun 29 14:54:31 2006 645 Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Created: New Name: W2K3-LASSO$ New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-1012} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges - Attributes: Sam Name: W2K3-LASSO$ Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Expires: <never> Primary Group : 516 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x105 User Control: User Parameters: <value changed, but not displayed> Sid History: -Logon Hours:- DNS Host Name:- Service Principal Names: -" 0

102F 645 Win2003 Computer Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 / Permission Modification
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 14 Tue Jun 30 09:20:16 2009 645 Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'ordinateur créé : Nom du nouveau compte : KKKKK-KNBMQ2EU3$ Nouveau domaine : FORESTA Id. du nouveau compte : %{S-1-5-21-4199537000-1147309911-3789607300-1016} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs : Nom du compte SAM : KKKKK-KNBMQ2EU3$ Nom affiché : %%1793 Nom principal utilisateur : - Répertoire de base : %%1793 Lecteur de base : %%1793 Chemin d'accès au script : %%1793 Chemin d'accès au profil : %%1793 Stations de travail utilisateur : %%1793 Dernière modification du mot de passe le : %%1794 Le compte expire le : %%1794 de groupe principal : 516 Délégué autorisé : - Précédente valeur UAC : 0x0 Nouvelle valeur UAC : 0x105 Contrôle du compte utilisateur (UAC) : %%2080 %%2082 %%2088 Paramètres utilisateurs : %%1792 Historique S : - Heures d'ouverture de session : %% 13

102G 645 Win2003 Computer Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges %7 Attributes: Sam Name: %8 Display Name: %9 User Principal Name: %10 Home Directory: %11 Home Drive: %12 Script Path: %13 Profile Path: %14 User Workstations: %15 Password Last Set: %16 Expires: %17 Primary Group : %18 AllowedToDelegateTo: %19 Old UAC Value: %20 New UAC Value: %21 User Control: %22 User Parameters: %23 Sid History: %24 Logon Hours: %25 DNS Host Name: %26 Service Principal Names: %27 / Permission Modification
<13>1 2011-05-16T14:23:43.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:23:43 2011 645 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Computerkonto wurde erstellt: Neuer Kontenname: XP-CLIENT$ Neue Domäne: LL Neue Kontokennung: LL\XP-CLIENT$ Benutzername des Aufrufers: Administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x59D681) Rechte: - Attribute: SAM-Kontoname: XP-CLIENT$ Anzeigename: <Wert nicht gesetzt> Benutzerprinzipalname: - Stammverzeichnis: <Wert nicht gesetzt> Stammlaufwerk: <Wert nicht gesetzt> Skriptpfad: <Wert nicht gesetzt> Profilpfad: <Wert nicht gesetzt> Benutzerworkstations: <Wert nicht gesetzt> Kennwort zuletzt gesetzt: <nie> Konto läuft ab: <nie> Primäre Gruppenkennung: 515 DelegierenAnZulässig: - Alter UAC-Wert: 0x0 Neuer UAC-Wert: 0x85 Benutzerkontensteuerung: Konto Deaktiviert "Kennwort nicht benötigt" - Aktiviert "Arbeitsstationvertrauenskonto" - Aktiviert Benutzerparameter: <Wert geändert, aber nicht angezeigt> Sid-Verlauf: - Anmeldestunden: <Wert nicht gesetzt> DNS-Hostname: - Dienstprinzipalnamen: - 1572

103 646 Win2003 Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 / Permission Modification
<13>Jun 29 15:01:51 10.1.1.55 MSWinLog 0 security 35 Thu Jun 29 14:54:31 2006 646 Security ANONYMOUS LOGON Well Known Group W2K3-LASSO "Computer Changed: - Target Name: W2K3-LASSO$ Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1012} Caller User Name: W2K3-LASSO$ Caller Domain: SQA Caller Logon : (0x0,0x3E7) Privileges: - Changed Attributes: Sam Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Expires: - Primary Group : - AllowedToDelegateTo: - Old UAC Value: 0x105 New UAC Value: 0x2100 User Control: User Parameters: - Sid History: - Logon Hours: - DNS Host Name: - Service Principal Names: - " 119

103F 646 Win2003 Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 / Permission Modification
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 16 Tue Jun 30 09:20:16 2009 646 Security ANONYMOUS LOGON Well Known Group KKKKK-KNBMQ2EU3 Gestion des comptes Compte d'ordinateur modifié : - Nom de compte cible : KKKKK-KNBMQ2EU3$ Domaine cible : FORESTA Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-1016} Utilisateur appelant : KKKKK-KNBMQ2EU3$ Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x3E7) Privilèges : - Attributs modifiés : Nom du compte SAM : - Nom affiché : - Nom principal utilisateur : - Répertoire de base : - Lecteur de base : - Chemin d'accès au script : - Chemin d'accès au profil : - Stations de travail utilisateur : - Dernière modification du mot de passe le : - Le compte expire le : - de groupe principal : - Délégué autorisé : - Précédente valeur UAC : 0x105 Nouvelle valeur UAC : 0x2100 Contrôle du compte utilisateur (UAC) : %%2048 %%2050 %%2093 Paramètres utilisateurs : - Historique S : - Heures d'ouverture de session : - Nom d'hôte DNS : - Noms principaux d 15

103G 646 Win2003 Computer Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8 / Permission Modification
<13>1 2011-05-16T14:23:43.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:23:43 2011 646 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geändertes Computerkonto: - Neuer Kontenname: XP-CLIENT$ Neue Domäne: LL Neue Kontokennung: LL\XP-CLIENT$ Benutzername des Aufrufers: Administrator Domäne des Aufrufers: LL Anmeldekennung des Aufrufers: (0x0,0x59D681) Rechte: - Geänderte Attribute: SAM-Kontoname: - Anzeigename: XP-CLIENT$ Benutzerprinzipalname: - Stammverzeichnis: - Stammlaufwerk: - Skriptpfad: - Profilpfad: - Benutzerworkstations: - Kennwort zuletzt gesetzt: 16.05.2011 14:23:43 Konto läuft ab: - Primäre Gruppenkennung: - DelegierenAnZulässig: - Alter UAC Wert: 0x85 Neuer UAC Wert: 0x80 Benutzerkontensteuerung: Konto aktiviert "Kennwort nicht benötigt" - Deaktiviert Benutzerparameter: - Sid-Verlauf: - Anmeldestunden: - DNS-Hostname: - Dienstprinzipalnamen: - 1575

104 647 Win2003 Computer Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 7 10:46:53 10.1.1.55 MSWinLog 0 security 57489 Thu Jul 06 15:52:50 2006 647 Security qatest User W2K3-LASSO "Computer Deleted: Target Name: TEST$ Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1133} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x151CB1A) Privileges: - " 57489

104F 647 Win2003 Computer Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 2 08:28:33 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 4089 Thu Jul 02 08:28:33 2009 647 Security Administrateur User B0324-FR2003 Gestion des comptes Compte d'ordinateur supprimé : Nom du compte cible : QSDFQDS$ Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1126} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de la session appelante : (0x0,0x36824) Privilèges : - 3923

104G 647 Win2003 Computer Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>1 2011-05-16T14:56:32.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:56:32 2011 647 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschtes Computerkonto: Zielkontoname: ASDF$ Zieldomäne: LL Zielkontokennung: LL\ASDF$ Aufruferbenutzername: administrator Aufruferdomäne: LL Aufrufer Anmeldekennung: (0x0,0x5B8D3E) Rechte: - 1923

105 648 Win2003 Security Disabled Local Group Created: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jun 29 15:41:50 10.1.1.55 MSWinLog 0 security 535 Thu Jun 29 15:41:49 2006 648 Security qatest User W2K3-LASSO "Security Disabled Local Group Created: Target Name: testing Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: testing Sid History: - " 619

105F 648 Win2003 Security Disabled Local Group Created: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>Jul 2 08:15:32 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3842 Thu Jul 02 08:15:32 2009 648 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée créé : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs : Nom du compte SAM : dfgdfqdfdqsfdqsfqsfdsqf Historique S : - 3678

105G 648 Win2003 Security Disabled Local Group Created: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9 / Permission Modification
<13>1 2011-05-16T14:58:09.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:58:09 2011 648 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte lokale Gruppe mit deaktivierter Sicherheit: Zielkontoname: asdf Zieldomäne: LL Zielkontokennung: LL\asdf Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: Sam-Kontoname: asdf Sid-Verlauf: - 1933

106 649 Win2003 Security Disabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 15:42:40 10.1.1.55 MSWinLog 0 security 536 Thu Jun 29 15:42:39 2006 649 Security qatest User W2K3-LASSO "Security Disabled Local Group Changed: Target Name: testing1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: testing1 Sid History: - " 620

106F 649 Win2003 Security Disabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 08:15:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3844 Thu Jul 02 08:15:49 2009 649 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée modifié : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 3680

106G 649 Win2003 Security Disabled Local Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>1 2011-05-16T14:59:43.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:59:43 2011 649 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte lokale Gruppe mit deaktivierter Sicherheit: Zielkontoname: local Zieldomäne: LL Zielkontokennung: LL\local Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Geänderte Attribute: Sam-Kontoname: - Sid-Verlauf: - 1947

107 650 Win2003 Security Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 15:43:57 10.1.1.55 MSWinLog 0 security 539 Thu Jun 29 15:43:56 2006 650 Security qatest User W2K3-LASSO "Security Disabled Local Group Member Added: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: testing1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 623

107F 650 Win2003 Security Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 08:15:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3845 Thu Jul 02 08:15:49 2009 650 Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe local de sécurité désactivée ajouté : Nom du membre : CN=DnsAdmins,CN=Users,DC=domain,DC=symbio-group,DC=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-1104} Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3681

107G 650 Win2003 Security Disabled Local Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>1 2011-05-16T14:59:43.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:59:43 2011 650 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes lokales Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: local Zieldomäne: LL Zielkontokennung: LL\local Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1948

108 651 Win2003 Security Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 15:44:47 10.1.1.55 MSWinLog 0 security 542 Thu Jun 29 15:44:46 2006 651 Security qatest User W2K3-LASSO "Security Disabled Local Group Member Removed: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: testing1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 626

108F 651 Win2003 Security Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 08:16:00 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3847 Thu Jul 02 08:15:56 2009 651 Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe local de sécurité désactivée supprimé : Nom du membre : CN=DnsAdmins,CN=Users,DC=domain,DC=symbio-group,DC=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-1104} Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3683

108G 651 Win2003 Security Disabled Local Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>1 2011-05-16T14:59:48.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:59:48 2011 651 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes lokales Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: local Zieldomäne: LL Zielkontokennung: LL\local Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1951

109 652 Win2003 Security Disabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jun 29 15:45:32 10.1.1.55 MSWinLog 0 security 545 Thu Jun 29 15:45:31 2006 652 Security qatest User W2K3-LASSO "Security Disabled Local Group Deleted: Target Name: testing1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1115} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 629

109F 652 Win2003 Security Disabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 2 08:16:00 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3848 Thu Jul 02 08:15:59 2009 652 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe local de sécurité désactivée supprimé : Nom de compte cible : dfgdfqdfdqsfdqsfqsfdsqf Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1122} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3684

109G 652 Win2003 Security Disabled Local Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>1 2011-05-16T14:59:52.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:59:52 2011 652 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte lokale Gruppe mit deaktivierter Sicherheit: Zielkontoname: local Zieldomäne: LL Zielkontokennung: LL\local Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1953

110 653 Win2003 Security Disabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 15:46:35 10.1.1.55 MSWinLog 0 security 558 Thu Jun 29 15:46:33 2006 653 Security qatest User W2K3-LASSO "Security Disabled Global Group Created: New Name: test New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: test Sid History: - " 642

110F 653 Win2003 Security Disabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 04:18:33 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 26794 Thu Jul 02 04:18:33 2009 653 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée créé : Nouveau nom de compte : test group Nouveau domaine : DOMAIN Id. du nouveau compte : %{S-1-5-21-30331043-1043570551-1080916408-1106} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x66246) Privilèges : - Attributs : Nom du compte SAM : test group Historique S : - 26741

110G 653 Win2003 Security Disabled Global Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>1 2011-05-16T15:02:00.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:02:00 2011 653 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte globale Gruppe mit deaktivierter Sicherheit: Neuer Kontoname: test1 Neue Domäne: LL Neue Kontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: Sam-Kontoname: test1 Sid-Verlauf: - 1962

111 654 Win2003 Security Disabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 15:47:37 10.1.1.55 MSWinLog 0 security 563 Thu Jun 29 15:47:35 2006 654 Security qatest User W2K3-LASSO "Security Disabled Global Group Changed: Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: test1 Sid History: - " 647

111F 654 Win2003 Security Disabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 08:09:15 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3798 Thu Jul 02 08:09:15 2009 654 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée modifié : Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1120} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 3634

111G 654 Win2003 Security Disabled Global Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>1 2011-05-16T15:02:05.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:02:05 2011 654 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte globale Gruppe mit deaktivierter Sicherheit: azielkontoname: test1 Zieldomäne: LL Zielkontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Geänderte Attribute: Sam-Kontoname: - Sid-Verlauf: - 1963

112 655 Win2003 Security Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 15:48:20 10.1.1.55 MSWinLog 0 security 567 Thu Jun 29 15:48:19 2006 655 Security qatest User W2K3-LASSO "Security Disabled Global Group Member Added: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 651

112F 655 Win2003 Security Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 08:09:15 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3799 Thu Jul 02 08:09:15 2009 655 Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe global de sécurité désactivée ajouté : Nom du membre : CN=Administrateurs de l'entreprise,cn=users,dc=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-519} Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1120} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3635

112G 655 Win2003 Security Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>1 2011-05-16T15:02:05.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:02:05 2011 655 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes globales Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: test1 Zieldomäne: LL Zielkontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1964

113 655 Win2003 Security Disabled Global Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 15:56:13 10.1.1.55 MSWinLog 0 security 581 Thu Jun 29 15:56:12 2006 656 Security qatest User W2K3-LASSO "Security Disabled Global Group Member Removed: Member Name: CN=tester,CN=Users,DC=sqa,DC=loglogic,dc=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1010} Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 665

113F 656 Win2003 Security Disabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 08:09:31 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3802 Thu Jul 02 08:09:31 2009 656 Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe global de sécurité désactivée supprimé : Nom du membre : CN=Administrateurs de l'entreprise,cn=users,dc=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-519} Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1120} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3638

113G 656 Win2003 Security Disabled Global Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>1 2011-05-16T15:02:08.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:02:08 2011 656 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes globales Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: test1 Zieldomäne: LL Zielkontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1966

114 657 Win2003 Security Disabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jun 29 15:58:04 10.1.1.55 MSWinLog 0 security 605 Thu Jun 29 15:58:02 2006 657 Security qatest User W2K3-LASSO "Security Disabled Global Group Deleted: Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1116} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 689

114F 657 Win2003 Security Disabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 2 08:09:39 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3804 Thu Jul 02 08:09:34 2009 657 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe global de sécurité désactivée supprimé : Nom de compte cible : qsdsqqsdsqd Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1120} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3640

114G 657 Win2003 Security Disabled Global Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>1 2011-05-16T15:02:11.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:02:11 2011 657 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte globale Gruppe mit deaktivierter Sicherheit: Zielkontoname: test1 Zieldomäne: LL Zielkontokennung: LL\test1 Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1967

115 658 Win2003 Security Enabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jul 7 11:52:26 169.254.113.169 MSWinLog 0 Security 229007 Fri Jul 07 11:47:18 2006 658 Security administrator User SUPPORT-SBS "Security Enabled Universal Group Created: New Name: univ658 New Domain: SUPPORT New : %{S-1-5-21-1428467443-1968098735-2349626736-1179} Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - Attributes: Sam Name: univ658 Sid History: - " 2601312

115F 658 Win2003 Security Enabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jul 6 05:22:47 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 566 Mon Jul 06 05:22:47 2009 658 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité activée créé : Nom du nouveau compte : qfdqqdfdsq Nouveau domaine : DOMAIN Id. du nouveau compte : %{S-1-5-21-30331043-1043570551-1080916408-1129} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - Attributs : Nom du compte SAM : qfdqqdfdsq Historique S : - 525

116 659 Win2003 Security Enabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jul 7 12:03:17 169.254.113.169 MSWinLog 0 Security 313 Fri Jul 07 12:03:16 2006 659 Security administrator User SUPPORT-SBS "Security Enabled Universal Group Changed: Target Name: univ658 Target Domain: SUPPORT Target : %{S-1-5-21-1428467443-1968098735-2349626736-1179} Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - Changed Attributes: Sam Name: - Sid History: - " 2602267

116F 659 Win2003 Security Enabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jun 30 09:51:22 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 325 Tue Jun 30 09:50:32 2009 659 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes Groupe universel de sécurité activée modifié : Nom de compte cible : Administrateurs du schéma Domaine cible : FORESTA Id. de compte cible : %{S-1-5-21-4199537000-1147309911-3789607300-518} Utilisateur appelant : Administrateur Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x260DD) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 287

116F 660 Win2003 Security Enabled Universal Group Member Added.
<13>Jul 6 05:23:41 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 568 Mon Jul 06 05:23:41 2009 660 Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité activée ajouté : Nom du membre : CN=Administrateur,CN=Users,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-500} Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1129} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - 527

117 661 Win2003 Security Enabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 11 11:25:16 169.254.113.169 MSWinLog 0 Security 891571 Tue Jul 11 11:25:14 2006 661 Security administrator User SUPPORT-SBS "Security Enabled Universal Group Member Removed: Member Name: CN=test628,CN=Users,DC=support,DC=local Member : %{S-1-5-21-1428467443-1968098735-2349626736-1146} Target Name: tesater Target Domain: SUPPORT Target : %{S-1-5-21-1428467443-1968098735-2349626736-1181} Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - " 2657750

117F 661 Win2003 Security Enabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 6 05:24:04 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 571 Mon Jul 06 05:24:04 2009 661 Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité activée supprimé : Nom du membre : CN=Administrateur,CN=Users,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-500} Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1129} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - 530

118 662 Win2003 Security Enabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 7 12:04:58 169.254.113.169 MSWinLog 0 Security 336 Fri Jul 07 12:04:58 2006 662 Security administrator User SUPPORT-SBS "Security Enabled Universal Group Deleted: Target Name: univ658 Target Domain: SUPPORT Target : %{S-1-5-21-1428467443-1968098735-2349626736-1179} Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - " 2602290

118F 662 Win2003 Security Enabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 6 05:24:19 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 572 Mon Jul 06 05:24:19 2009 662 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité activée supprimé : Nom de compte cible : qfdqqdfdsq Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1129} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x22A20) Privilèges : - 531

119 663 Win2003 Security Disabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 16:03:19 10.1.1.55 MSWinLog 0 security 721 Thu Jun 29 16:03:17 2006 663 Security qatest User W2K3-LASSO "Security Disabled Universal Group Created: New Name: test New Domain: SQA New : %{S-1-5-21-1578117074-177915290-4279395478-1117} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Attributes: Sam Name: test Sid History: - " 805

119F 663 Win2003 Security Disabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 05:21:59 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1173 Thu Jul 02 05:21:58 2009 663 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée créé : Nom du nouveau compte : test un Nouveau domaine : DOMAIN Id. du nouveau compte : %{S-1-5-21-30331043-1043570551-1080916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs : Nom du compte SAM : test un Historique S : - 1082

119G 663 Win2003 Security Disabled Universal Group Created: New Name: %1 New Domain: %2 New : %3 Caller Logon : %6 Privileges: %7 Attributes: Sam Name: %8 Sid History: %9
<13>1 2011-05-16T15:05:12.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:05:12 2011 663 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Erstellte universelle Gruppe mit deaktivierter Sicherheit: Neuer Kontoname: test-universal Neue Domäne: LL Neue Kontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Attribute: Sam-Kontoname: test-universal Sid-Verlauf: - 1987

120 664 Win2003 Security Disabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jun 29 16:03:59 10.1.1.55 MSWinLog 0 security 722 Thu Jun 29 16:03:58 2006 664 Security qatest User W2K3-LASSO "Security Disabled Universal Group Changed: Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1117} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - Changed Attributes: Sam Name: test1 Sid History: - " 806

120F 664 Win2003 Security Disabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>Jul 2 05:23:16 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1191 Thu Jul 02 05:23:16 2009 664 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée modifié : Nom de compte cible : test un Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - Attributs modifiés : Nom du compte SAM : - Historique S : - 1095

120G 664 Win2003 Security Disabled Universal Group Changed: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Changed Attributes: Sam Name: %8 Sid History: %9
<13>1 2011-05-16T15:05:22.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:05:22 2011 664 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Geänderte universelle Gruppe mit deaktiverter Sicherheit: Zielkontoname: test-universal Zieldomäne: LL Zielkontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - Geänderte Attribute: Sam-Kontoname: - Sid-Verlauf: - 1988

121 665 Win2003 Security Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 16:05:22 10.1.1.55 MSWinLog 0 security 776 Thu Jun 29 16:05:21 2006 665 Security qatest User W2K3-LASSO "Security Disabled Universal Group Member Added: Member Name: cn=testt,cn=users,dc=sqa,dc=loglogic,DC=com Member : %{S-1-5-21-1578117074-177915290-4279395478-1121} Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279395478-1117} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 860

121F 665 Win2003 Security Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 05:24:02 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1193 Thu Jul 02 05:24:02 2009 665 Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité désactivée ajouté : Nom du membre : CN=Administrateur,CN=Users,DC=domain,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080916408-500} Nom de compte cible : test un Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 1097

121G 665 Win2003 Security Disabled Universal Group Member Added: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>1 2011-05-16T15:05:22.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:05:22 2011 665 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Hinzugefügtes universelles Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: test-universal Zieldomäne: LL Zielkontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1989

122 666 Win2003 Security Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jun 29 16:05:53 10.1.1.55 MSWinLog 0 security 778 Thu Jun 29 16:05:51 2006 666 Security qatest User W2K3-LASSO "Security Disabled Universal Group Member Removed: Member Name: CN=testt,CN=Users,DC=sqa,DC=loglogic, DC=com Member : %{S-1-5-21-1578117074-177915290-4279 395478-1121} Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279 395478-1117} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 862

122F 666 Win2003 Security Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>Jul 2 05:24:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 1212 Thu Jul 02 05:24:49 2009 666 Security Administrateur User B0324-FR2003 Gestion des comptes Membre du groupe universel de sécurité désactivée supprimé : Nom du membre : CN=Administrateur,CN=Users,DC=domai n,dc=symbio-group,dc=com Id. du membre : %{S-1-5-21-30331043-1043570551-1080 916408-500} Nom de compte cible : test un Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080 916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 1116

122G 666 Win2003 Security Disabled Universal Group Member Removed: Member Name: %1 Member : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9
<13>1 2011-05-16T15:05:25.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:05:25 2011 666 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Entferntes universelles Gruppenmitglied mit deaktivierter Sicherheit: Mitgliedname: CN=bob,CN=Users,DC=ll,DC=local Mitgliedkennung: LL\bob Zielkontoname: test-universal Zieldomäne: LL Zielkontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1991

123 667 Win2003 Security Disabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jun 29 16:06:15 10.1.1.55 MSWinLog 0 security 779 Thu Jun 29 16:06:14 2006 667 Security qatest User W2K3-LASSO "Security Disabled Universal Group Deleted: Target Name: test1 Target Domain: SQA Target : %{S-1-5-21-1578117074-177915290-4279 395478-1117} Caller User Name: qatest Caller Domain: SQA Caller Logon : (0x0,0x3CF45) Privileges: - " 863

123F 667 Win2003 Security Disabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>Jul 2 08:02:00 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3768 Thu Jul 02 08:02:00 2009 667 Security Administrateur User B0324-FR2003 Gestion des comptes Groupe universel de sécurité désactivée supprimé : Nom de compte cible : test un Domaine cible : DOMAIN Id. de compte cible : %{S-1-5-21-30331043-1043570551-1080 916408-1118} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x36824) Privilèges : - 3604

123G 667 Win2003 Security Disabled Universal Group Deleted: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7
<13>1 2011-05-16T15:05:30.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:05:30 2011 667 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Gelöschte universelle Gruppe mit deaktivierter Sicherheit: Zielkontoname: test-universal Zieldomäne: LL Zielkontokennung: LL\test-universal Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x5B8D3E) Rechte: - 1992

124 668 Win2003 Group Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8
<13>Jul 7 12:06:38 169.254.113.169 MSWinLog 0 Security 361 Fri Jul 07 12:06:37 2006 668 Security administrator User SUPPORT-SBS "Group Changed: Security Enabled Local Group Changed to Security Disabled Local Group. Target Name: newlocal635 Target Domain: SUPPORT Target : %{S-1-5-21-1428467443-1968098735-23 49626736-1173} Caller User Name: administrator Caller Domain: SUPPORT Caller Logon : (0x0,0x5915053) Privileges: - " 2602315

124F 668 Win2003 Group Changed: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8
<13>Jun 30 09:51:22 kkkkk-knbmq2eu3.foresta MSWinLog 2 Security 326 Tue Jun 30 09:50:32 2009 668 Security Administrateur User KKKKK-KNBMQ2EU3 Gestion des comptes de groupe modifié : Le groupe global activé par la sécurité est changé en groupe universel activé par la sécurité. Nom de compte cible : Administrateurs du schéma Domaine cible : FORESTA Id. de compte cible : %{S-1-5-21-4199537000-1147309911-378 9607300-518} Utilisateur appelant : Administrateur Domaine appelant : FORESTA Id. de session de l'appelant : (0x0,0x260DD) Privilèges : - 288

125 669 Win2003 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 SidList: %10
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

125F 669 Win2003 Add S History: Source Name: %1 Source : %2 Target Name: %3 Target Domain: %4 Target : %5 Caller User Name: %6 Caller Domain: %7 Caller Logon : %8 Privileges: %9 SidList: %10
<13>Aug 4 10:22:22 b0324-fr2.abc.com MSWinLog 1 Security 1091 Tue Aug 04 10:21:58 2009 669 Security Administrateur User B0324-FR2 Gestion des comptes Ajout d'un historique S : Nom de compte source : xyz.com\dev Id. de compte source : %{S-1-5-21-3196356739-3461092960-35 82852757-1108} Nom de compte cible : dev Domaine cible : ABC Id. de compte cible : %{S-1-5-21-859267090-1403449333-438 083377-1109} Utilisateur appelant : Administrateur Domaine appelant : ABC Id. de session de l'appelant : (0x0,0x1A388) Privilèges : - Liste S : - 1018

126 670 Win2003 Add S History: Source Name: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

126F 670 Win2003 Add S History: Source Name: %1 Target Name: %2 Target Domain: %3 Target : %4 Caller User Name: %5 Caller Domain: %6 Caller Logon : %7 Privileges: %8
<13>Aug 4 10:22:22 b0324-fr2.abc.com MSWinLog 1 Security 1092 Tue Aug 04 10:21:58 2009 670 Security Administrateur User B0324-FR2 Gestion des comptes Ajout d'un historique S : Nom de compte source : xyz.com\dev Nom de compte cible : dev Domaine cible : ABC Id. de compte cible : %{S-1-5-21-859267090-1403449333-438 083377-1109} Utilisateur appelant : Administrateur Domaine appelant : ABC Id. de session de l'appelant : (0x0,0x1A388) Privilèges : - 1018

127 671 Win2003 User Unlocked: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13>Jun 12 15:21:43 10.0.0.61 MSWinLog 0 Security 1926 Sun Jun 12 15:18:48 2005 671 Security Administrator User IAM3 User Unlocked: Target Name: loglogic2 Target Domain: SECTIS Target : %{S-1-5-21-838449304-123981098-2628 009577-1150} Caller User Name: Administrator Caller Domain: SECTIS Caller Logon : (0x0,0x170D3) 1655

127F 671 Win2003 User Unlocked: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13>Jul 22 09:01:28 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2641 Wed Jul 22 09:01:28 2009 671 Security Administrateur User B0324-FR2003 Gestion des comptes Compte d'utilisateur désactivé : Nom du compte cible : test Domaine cible : DOMAIN Id. du compte cible : %{S-1-5-21-30331043-1043570551-1080 916408-1145} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de la session appelante : (0x0,0x3EAB48) 2566

127G 671 Win2003 User Unlocked: Target Name: %1 Target : %3 Caller Logon : %6 Security
<13>1 2011-05-16T15:32:24.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:32:24 2011 671 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Sperrung des Benutzerkontos aufgehoben: Zielkontoname: admin Zieldomäne: LL Zielkontokennung: LL\admin Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x6BD92C) 2437

128 672 Win2003 Authentication Ticket Request: Supplied Realm Name: %2 User : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 Security
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 743 Fri Aug 04 13:00:01 2006 672 Security SYSTEM User LOGLOGIC-SRV1 Logon Authentication Ticket Request: User Name: LOGLOGIC-SRV1$ Supplied Realm Name: LOGLOGIC.COM User : %{S-1-5-21-2315716220-955307559-237 2290133-1005} Service Name: krbtgt Service : %{S-1-5-21-2315716220-955307559-237 2290133-502} Ticket Options: 0x40810010 Result Code: - Ticket Encryption : 0x17 Pre-Authentication : 2 Client Address: 127.0.0.1 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: 147

128F 672 Win2003 Authentication Ticket Request: Supplied Realm Name: %2 User : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 Security
<13>Jun 30 09:21:01 kkkkk-knbmq2eu3.foresta MSWinLog 1 Security 80 Tue Jun 30 09:20:57 2009 672 Security SYSTEM User KKKKK-KNBMQ2EU3 Connexion de compte Requête de ticket d'authentification : Utilisateur : KKKKK-KNBMQ2EU3$ Nom de domaine Kerberos fourni : FORESTA Id. de l'utilisateur : %{S-1-5-21-4199537000-1147309911-378 9607300-1016} Nom du service : krbtgt Id. du service : %{S-1-5-21-4199537000-1147309911-378 9607300-502} Options du ticket : 0x40810010 Code de résultat : - de cryptage du ticket : 0x17 de pré-authentification : 2 Adresse du client : 127.0.0.1 Nom de l'émetteur du certificat : Numéro de série du certificat : Empreinte digitale du certificat : 79

128G 672 Win2003 Authentication Ticket Security Request: Supplied Realm Name: %2 User : %3 Service Name: %4 Service : %5 Ticket Options: %6 Result Code: %7 Ticket Encryption : %8 Pre-Authentication : %9 Client Address: %10 Certificate Issuer Name: %11 Certificate Serial Number: %12 Certificate Thumbprint: %13 audit / Failure
<13>1 2011-05-10T11:26:29.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:26:29 2011 672 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Kontoanmeldung Authentifizierungsticketanforderung: Benutzername: SRV-W2003-GERMA$ Angegebener Bereichsname: LL.LOCAL Benutzerkennung: LL\SRV-W2003-GERMA$ Dienstname: krbtgt Dienstkennung: LL\krbtgt Ticketoptionen: 0x40810010 Ergebniscode: - Ticketverschlüsselungstyp: 0x17 Vorauthentifizierungstyp: 2 Clientadresse: 127.0.0.1 Zertifikatherausgebername: Zertifikatseriennummer: Zertifikatfingerabdruck: 2409

129 673 Win2003 Service Ticket Request: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Failure Code: %8 Logon GU: %9 Transited Services: %10 Security
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 752 Fri Aug 04 13:00:02 2006 673 Security SYSTEM User LOGLOGIC-SRV1 Logon Service Ticket Request: User Name: LOGLOGIC-SRV1$@LOGLOGIC.COM User Domain: LOGLOGIC.COM Service Name: LOGLOGIC-SRV1$ Service : %{S-1-5-21-2315716220-955307559-237 2290133-1005} Ticket Options: 0x40800000 Ticket Encryption : 0x17 Client Address: 127.0.0.1 Failure Code: - Logon GU: {74ebb9ef-d2d7-8d9a-b16c-91ff35b9f49a} Transited Services: - 156

129F 673 Win2003 Service Ticket Request: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Failure Code: %8 Logon GU: %9 Transited Services: %10 Security
<13>Jun 30 09:21:02 kkkkk-knbmq2eu3.foresta MSWinLog 1 Security 91 Tue Jun 30 09:21:00 2009 673 Security SYSTEM User KKKKK-KNBMQ2EU3 Connexion de compte Accord de la demande de ticket : Utilisateur : kkkkk-knbmq2eu3$@foresta Domaine de l'utilisateur : FORESTA Nom du service : KKKKK-KNBMQ2EU3$ Identificateur du service : %{S-1-5-21-4199537000-1147309911-378 9607300-1016} Options du ticket : 0x40800000 de cryptage du ticket : 0x17 Adresse du client : 127.0.0.1 Code d'échec : - GU d'ouv. de session : {93f0a387-5848-bd05-008e-2d3b54075ba e} Services en transit : - 90

129G 673 Win2003 Service Ticket Request: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Failure Code: %8 Logon GU: %9 Transited Services: %10 Security
<13>1 2011-05-10T11:26:29.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Tue May 10 11:26:29 2011 673 Security NT-AUTORITÄT\SYSTEM User SRV-W2003-GERMA Kontoanmeldung Dienstticketanforderung: Benutzername: SRV-W2003-GERMA$@LL.LOCAL Benutzerdomäne: LL.LOCAL Dienstname: SRV-W2003-GERMA$ Dienstkennung: LL\SRV-W2003-GERMA$ Ticketoptionen: 0x40810000 Ticketverschlüsselungstyp: 0x17 Clientadresse: 127.0.0.1 Fehlercode: - Anmelde-GU: {4761741f-96d3-2a70-2fa9-faafcec08460} Übertragene Dienste: - 2410

130 674 Win2003 Service Ticket Renewed: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Security
<13>Aug 9 14:01:20 10.116.28.102 MSWinLog 0 Security 6318 Sat Aug 05 04:16:36 2006 674 Security SYSTEM User LOGLOGIC-SRV1 Logon Service Ticket Renewed: User Name: Administrator@BLR-LOGLOGIC.COM User Domain: BLR-LOGLOGIC.COM Service Name: krbtgt Service : %{S-1-5-21-2840343336-4043360270-26 59977581-502} Ticket Options: 0x2 Ticket Encryption : 0x17 Client Address: 127.0.0.1 5251

130F 674 Win2003 Service Ticket Renewed: User Domain: %2 Service Name: %3 Service : %4 Ticket Options: %5 Ticket Encryption : %6 Client Address: %7 Security
<13>Jun 30 10:06:59 kkkkk-knbmq2eu3.foresta MSWinLog 1 Security 376 Tue Jun 30 10:06:43 2009 674 Security SYSTEM User KKKKK-KNBMQ2EU3 Connexion de compte Ticket de service renouvelé : Nom utilisateur : Administrateur@FORESTA Domaine utilisateur : FORESTA Nom du service : krbtgt Id. du service : %{S-1-5-21-4199537000-1147309911-378 9607300-502} Options du ticket : 0x2 de cryptage du ticket : 0x17 Adresse du client : 127.0.0.1 338

131 675 Win2003 Pre-authentication failed. Logon Failure
<13>Jul 5 16:23:52 10.1.1.55 MSWinLog 0 security 2565 Wed Jul 05 16:23:52 2006 675 Security SYSTEM Well Known Group Failure W2K3-LASSO Logon Pre-authentication failed: User Name: test User : %{S-1-5-21-1578117074-177915290-4279 395478-1125} Service Name: krbtgt/sqa Pre-Authentication : 0x2 Failure Code: 0x18 Client Address: 127.0.0.1 48172

131F 675 Win2003 Pre-authentication failed. Logon Failure
<13>Jul 22 04:36:29 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 803 Wed Jul 22 04:36:29 2009 675 Security SYSTEM User Failure B0324-FR2003 Connexion de compte Échec de la pré-authentification : Utilisateur : test Id. de l'utilisateur : %{S-1-5-21-30331043-1043570551-1080 916408-1136} Nom du service : krbtgt/ DOMAIN de pré-authentification : 0x2 Code d'échec : 0x18 Adresse du client : 127.0.0.1 752

131G 675 Win2003 Pre-authentication failed. Logon Failure
<13>1 2011-05-16T13:55:29.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:55:29 2011 675 Security NT-AUTORITÄT\SYSTEM User Failure SRV-W2003-GERMA Kontoanmeldung Fehlgeschlagene Vorbestätigung: Benutzername: Administrator Benutzerkennung: LL\Administrator Dienstname: krbtgt/ll Vorauthentifizierungstyp: 0x2 Fehlercode: 0x18 Clientadresse: 127.0.0.1 501

132 678 Win2003 An account was mapped for logon Logon User Authentication / User Access /
<13>Jul 25 12:23:44 10.201.20.214 MSWinLog 0 Security 158101 Tue Jul 25 12:05:39 2006 678 Security SYSTEM User BBC-WSMTEST-DC1 Logon/Logoff Mapped for Logon by: NTLM1 Client Name: SQA Mapped Name:abc 546

133 680 Win2003 Logon attempt by: %1 Logon account: %2 Source Workstation: %3 Code: %4 Security / User Authentication
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 609 Fri Aug 04 12:20:19 2006 680 Security Unknown User N/A LOGLOGIC-SRV1 Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACK AGE_V1_0 Logon account: Administrator Source Workstation: LOGLOGIC-SRV1 Code: 0x0 13

133F 680 Win2003 Used for Logon by: %1 Name: %2 Workstation: %3 Security / User Authentication
<13>May 21 09:43:08 kkkkk-knbmq2eu3 MSWinLog 1 Security 14 Thu May 21 09:43:08 2009 680 Security Administrateur User KKKKK-KNBMQ2EU3 Connexion de compte Tentative d'ouverture de session par : MICROSOFT_AUTHENTICATION_PACK AGE_V1_0 Compte d'ouverture de session : Administrateur Station de travail source : KKKKK-KNBMQ2EU3 Code erreur : 0x0 7

133G 680 Win2003 Used for Logon by: %1 Name: %2 Workstation: %3 Security / User Authentication
<13>1 2011-05-16T13:27:01.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 13:27:01 2011 680 Security LL\Administrator User SRV-W2003-GERMA Kontoanmeldung Anmeldversuch von: MICROSOFT_AUTHENTICATION_PACK AGE_V1_0 Anmeldekonto: administrator Arbeitsstation: XP-CLIENT Fehlercode: 0x0 3040

134 681 Win2003 The logon to account: %2 by: %1 from workstation: %3 failed. The error code was: %4 Security Failure audit / User Authentication
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 609 Fri Aug 04 12:20:19 2006 681 Security Unknown User N/A LOGLOGIC-SRV1 Logon The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACK AGE_V1_0 from Workstation: LOGLOGIC-SRV1 failed. The error code was: 0x0 13

135 682 Win2003 Session reconnected to winstation: Domain: %2 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 Security
<13>Jul 25 12:20:50 10.201.20.224 MSWinLog 0 Security 125955 Thu Jun 22 10:44:55 2006 682 Security SYSTEM User BLR-WIPTEST-DC1 Logon/Logoff Session reconnected to winstation: User Name: dmsopann Domain: WIPRO Logon : (0x0,0x5EEA9) Session Name: RDP-Tcp#2 Client Name: BLR-TEST-RMS01 Client Address: 10.201.20.102 916836

135F 682 Win2003 Session reconnected to winstation: Domain: %2 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 Security
<13>Jul 22 10:06:58 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 3092 Wed Jul 22 10:06:51 2009 682 Security SYSTEM User B0324-FR2003 Ouverture/Fermeture de session Session reconnectée à la station Windows : Utilisateur : Administrateur Domaine : DOMAIN Id. de session : (0x0,0x45E43C) Nom de session : RDP-Tcp#7 Nom de client : B0324-MENGKJ Adresse de client : 10.8.0.45 3010

136 683 Win2003 Session disconnected from winstation: Domain: %2 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 Security
<13>Jul 25 12:20:13 10.201.20.224 MSWinLog 0 Security 109478 Wed Jun 21 14:29:16 2006 683 Security SYSTEM User BLR-WIPTEST-DC1 Logon/Logoff Session disconnected from winstation: User Name: dmsopann Domain: WIPRO Logon : (0x0,0x5EEA9) Session Name: RDP-Tcp#1 Client Name: BLR-TEST-RMS04 Client Address: 10.201.20.104 900359

136F 683 Win2003 Session disconnected from winstation: Domain: %2 Logon : %3 Session Name: %4 Client Name: %5 Client Address: %6 Security
<13>Jul 22 09:58:49 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2995 Wed Jul 22 09:58:49 2009 683 Security SYSTEM User B0324-FR2003 Ouverture/Fermeture de session Session déconnectée de la station Windows : Utilisateur : Administrateur Domaine : DOMAIN Id. de session : (0x0,0x45E43C) Nom de session : RDP-Tcp#4 Nom de client : B0324-MENGKJ Adresse de client : 10.8.0.45 2918

137 684 Win2003 Set ACLs of members in administrators groups: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Security
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 Security 1029 Fri Aug 04 13:14:31 2006 684 Security ANONYMOUS LOGON Well Known Group LOGLOGIC-SRV1 Set ACLs of members in administrators groups: Target Name: Domain Admins Target Domain: DC=loglogic,DC=com Target : %{S-1-5-21-2315716220-955307559-237 2290133-512} Caller User Name: LOGLOGIC-SRV1$ Caller Domain: LOGLOGIC Caller Logon : (0x0,0x3E7) Privileges: - 433

137F 684 Win2003 Set ACLs of members in administrators groups: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Security
<13>Jul 2 04:17:46 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 25641 Thu Jul 02 04:17:42 2009 684 Security ANONYMOUS LOGON Well Known Group B0324-FR2003 Gestion des comptes Définir les listes ACL des membres des groupes administrateurs : Nom du compte destination : Administrateurs du schéma Domaine destination : DC=domain,DC=symbio-group,DC=com Id. du compte destination : %{S-1-5-21-30331043-1043570551-1080 916408-518} Utilisateur appelant : B0324-FR2003$ Domaine appelant : DOMAIN Id. d'ouv. de session de l'appelant : (0x0,0x3E7) Privilèges : - 25592

137G 684 Win2003 Set ACLs of members in administrators groups: Target Name: %1 Target : %3 Caller Logon : %6 Privileges: %7 Security
<13>1 2011-05-16T14:07:19.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 14:07:19 2011 684 Security NT-AUTORITÄT\ANONYMOUS-ANMELD UNG User SRV-W2003-GERMA Kontenverwaltung ACLs von Mitgliedern in Administratorgruppen festlegen: Zielkontoname: admin Zieldomäne: DC=ll,DC=local Zielkontokennung: LL\admin Aufruferbenutzername: SRV-W2003-GERMA$ Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x3E7) Berechtigungen: - 1058

138 685 Win2003 The name of an account was changed User Authentication / User Access /
<13>Aug 8 09:26:00 10.116.29.15 MSWinLog 0 Security 981 Fri Aug 04 12:08:23 2006 685 Security LOCAL SERVICEWell Known Group MACHINENAME Logon/Logoff Name Changed: Old Name:SQA New Name:SQA_NEW Target Domain:test Target : testac Caller User Name: admin Caller Domain:test Caller Logon :test Privileges:test 896

138F 685 Win2003 The name of an account was changed User Authentication / User Access /
<13>Jul 17 04:25:57 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 193820 Fri Jul 17 04:25:57 2009 685 Security Administrateur User B0324-FR2003 Gestion des comptes Nom du compte modifié : Ancien nom de compte : test Nouveau nom de compte : test1 Domaine cible : DOMAIN Identificateur du compte cible : %{S-1-5-21-30331043-1043570551-1080 916408-1135} Utilisateur appelant : Administrateur Domaine appelant : DOMAIN Id. de session de l'appelant : (0x0,0x3EEA5) Privilèges : - 192843

138G 685 Win2003 The name of an account was changed User Authentication / User Access /
<13>1 2011-05-16T15:37:37.000+02:00 192.168.56.132 MSWinLog 0 Security 0 Mon May 16 15:37:37 2011 685 Security LL\Administrator User SRV-W2003-GERMA Kontenverwaltung Kontoname wurde geändert: Alter Kontoname: bob Neuer Kontoname: bob1 Zieldomäne: LL Zielkontokennung: LL\bob Aufruferbenutzername: administrator Aufruferdomäne: LL Aufruferanmeldekennung: (0x0,0x6BD92C) Berechtigungen: - 2467

139 769 Win2003 Trusted Forest Information Entry Added: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Added by : Client User Name: %11 Client Domain: %12 Client Logon : %13 Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

139F 769 Win2003 Trusted Forest Information Entry Added: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Added by : Client User Name: %11 Client Domain: %12 Client Logon : %13 Security
<13>Jul 22 07:37:13 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2077 Wed Jul 22 07:37:08 2009 769 Security Administrateur User B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été ajoutée : Racine de la forêt : abc.com S de la racine de la forêt : %{S-1-5-21-1893538592-169538710-372 8419160} Id. de l'opération : {0,4298359} d'entrée : 0 Indicateurs : 0 Nom du niveau le plus élevé : abc.com Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48) 2010

140 770 Win2003 Trusted Forest Information Entry Removed: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client User Name: %11 Client Domain: %12 Client Logon : %13 Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

140F 770 Win2003 Trusted Forest Information Entry Removed: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client User Name: %11 Client Domain: %12 Client Logon : %13 Security
<13>Jul 23 05:06:09 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 7380 Thu Jul 23 05:06:09 2009 770 Security Administrateur User B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été supprimée : Racine de la forêt : abc.com S de la racine de la forêt : %{S-1-5-21-1893538592-169538710-372 8419160} Id. de l'opération : {0,5313893} d'entrée : 1 Indicateurs : 0 Nom du niveau le plus élevé : xzy.abc.com Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48) 7234

141 771 Win2003 Trusted Forest Information Entry Modified: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client User Name: %11 Client Domain: %12 Client Logon : %13 Security
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

141F 771 Win2003 Trusted Forest Information Entry Modified: Forest Root: %1 Forest Root S: %2 Operation : {%3,%4} Entry : %5 Flags: %6 Top Level Name: %7 DNS Name: %8 NetBIOS Name: %9 Domain S: %10 Removed by : Client User Name: %11 Client Domain: %12 Client Logon : %13 Security
<13>Jul 22 07:39:51 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 2092 Wed Jul 22 07:39:51 2009 771 Security Administrateur User B0324-FR2003 Changement de stratégie Une entrée avec des informations concernant la forêt approuvée a été modifiée : Racine de la forêt : abc.com S de la racine de la forêt : %{S-1-5-21-1893538592-169538710-372 8419160} Id. de l'opération : {0,4306236} d'entrée : 0 Indicateurs : 2 Nom du niveau le plus élevé : - Nom DNS : - Nom NetBIOS : - S du domaine : - Ajouté par : Utilisateur client : Administrateur Domaine client : DOMAIN Id. d'ouv. de session client : (0x0,0x3EAB48) 2024

142 807 Win2003 Per user auditing policy set for user. Policy Change
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

142F 807 Win2003 Per user auditing policy set for user. Policy Change
<13>Jul 23 08:46:53 b0324-fr2003.domain.symbio-group.com MSWinLog 4 Security 8268 Thu Jul 23 08:46:47 2009 807 Security SYSTEM User B0324-FR2003 Changement de stratégie Stratégie d'audit par utilisateur définie pour l'utilisateur : Utilisateur cible : %{S-1-5-21-30331043-1043570551-1080 916408-1145} Id de stratégie : (0x0,0x53E953) Paramètres de catégorie : Système : 0x0 Ouverture de session : 0x0 Accès de l'objet 0x2 Utilisation d'un privilège : 0x0 Suivi détaillé : 0x0 Modification de stratégie : 0x0 Gestion de compte : 0x0 Accès DS : 0x0 Ouverture de session du compte : 0x0 8109

143 1000 Win2003 Windows is unable to load or access an object, registry or file. Application
The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Microsoft Product Documentation.

144 5805 Win2003 The session setup from the computer %1 failed to authenticate. The following error occurred: %2 Directory Service
<13>Aug 8 10: 53: 29 10.116.9.202 MSWinLog 0 Directory Service 2507 Tue Aug 08 10: 53: 27 2006 5805 ADS loglogic N/A Information M2-0W55 None The session setup from the computer %1 failed to authenticate. The following error occurred: %2 2512

144F 5805 Win2003 The session setup from the computer %1 failed to authenticate. The following error occurred: %2 Directory Service
<13>Jul 22 08:15:53 b0324-fr2003.domain.symbio-group.com MSWinLog 4 2334 Wed Jul 22 08:15:52 2009 5805 NETLOGON Unknown User N/A B0324-FR2003 None 0000: 22 00 00 c0 90 b3 82 00... L'installation de la session à partir de l'ordinateur LOGLOGIC-LVROFF n'a pas pu être authentifiée. L'erreur suivante s'est produite : %%5 42

145 6005 Win2003 The log service was started.
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 143 Fri Aug 04 17:34:16 2006 6005 Log Unknown User N/A Information MACHINENAME None The log service was started. 2

145F 6005 Win2003 The log service was started.
<13>May 21 10:31:17 kkkkk-knbmq2eu3 MSWinLog 1 4 Thu May 21 10:31:04 2009 6005 Log Unknown User N/A Information KKKKK-KNBMQ2EU3 None 0000: 31 00 2e 00 31 00 00 00... 0008: 30 00 00 00 4d 00 69 00... 0010: 63 00 72 00 6f 00 73 00... 018: 6f 00 66 00 74 00 20 00... 0020: 57 00 69 00 6e 00 64 00... 0028: 6f 00 77 00 73 00 20 00... 0030: 53 00 65 00 72 00 76 00... 0038: 65 00 72 00 20 00 32 00... 0040: 30 00 30 00 33 00 00 00... 0048: 35 00 2e 00 32 00 2e 00... 0050: 33 00 37 00 39 00 30 00... 0058: 20 00 42 00 75 00 69 00... 0060: 6c 00 64 00 20 00 33 00... 0068: 37 00 39 00 30 00 20 00... 0070: 20 00 00 00 55 00 6e 00... 0078: 69 00 70 00 72 00 6f 00... 0080: 63 00 65 00 73 00 73 00... 0088: 6f 00 72 00 20 00 46 00... 0090: 72 00 65 00 65 00 00 00... 0098: 33 00 37 00 39 00 30 00... 00a0: 2e 00 73 00 72 00 76 00... 00a8: 30 00 33 00 5f 00 72 00... 00b0: 74 00 6d 00 2e 00 30 00... 00b8: 33 00 30 00 33 00 32 00... 00c0: 34 00 2d 00 32 00 30 00... 00c8: 34 00 38 00 00 00 34 00... 00d0: 61 00 31 00 32 00 37 Le service d'enregistrement d'événement a démarré. 3

146 6006 Win2003 The log service was stopped.
<13>Aug 8 09:26:00 10.116.28.102 MSWinLog 0 143 Fri Aug 04 17:34:16 2006 6005 Log Unknown User N/A Information MACHINENAME None The log service was stopped. 2

146F | 6006 | Win2003 | The log service was stopped.
<13>May 21 10:31:17 kkkkk-knbmq2eu3 MSWinLog 1 2 Thu May 21 10:29:57 2009 6006 Log Unknown User N/A Information KKKKK-KNBMQ2EU3 None 0000: 31 00 2e 00 31 00 00 00... 008: 30 00 00 00 4d 00 69 00... 0010: 63 00 72 00 6f 00 73 00... 0018: 6f 00 66 00 74 00 20 00... 0020: 57 00 69 00 6e 00 64 00... 0028: 6f 00 77 00 73 00 20 00... 0030: 53 00 65 00 72 00 76 00... 0038: 65 00 72 00 20 00 32 00... 0040: 30 00 30 00 33 00 00 00... 0048: 35 00 2e 00 32 00 2e 00... 0050: 33 00 37 00 39 00 30 00... 0058: 20 00 42 00 75 00 69 00... 0060: 6c 00 64 00 20 00 33 00... 0068: 37 00 39 00 30 00 20 00... 0070: 20 00 00 00 55 00 6e 00... 0078: 69 00 70 00 72 00 6f 00... 0080: 63 00 65 00 73 00 73 00... 0088: 6f 00 72 00 20 00 46 00... 0090: 72 00 65 00 65 00 00 00... 0098: 33 00 37 00 39 00 30 00... 00a0: 2e 00 73 00 72 00 76 00... 00a8: 30 00 33 00 5f 00 72 00... 00b0: 74 00 6d 00 2e 00 30 00... 00b8: 33 00 30 00 33 00 32 00... 00c0: 34 00 2d 00 32 00 30 00... 00c8: 34 00 38 00 00 00 34 00... 00d0: 61 00 31 00 32 00 37 Le service d'enregistrement d'événement a été arrêté. 1

147 | 6008 | Win2003 | The previous system shutdown at %1 on %2 was unexpected.
<13>Aug 9 18:10:52 10.116.28.102 MSWinLog 0 1106 Wed Aug 09 15:21:51 2006 6008 Log Unknown User N/A LOGLOGIC-SRV1 None 0000: d6 07 08 00 03 00 09 00 Ö... 0008: 0f 00 14 00 2b 00 d8 03..+.Ø 0010: d6 07 08 00 03 00 09 00 Ö... 0018: 09 00 32 00 2b 00 d8 03.2.+.Ø The previous system shutdown at 3:20:43 PM on 8/9/2006 was unexpected. 736

147F | 6008 | Win2003 | The previous system shutdown at %1 on %2 was unexpected.
<13>Jul 6 08:05:21 b0324-fr2003.domain.symbio-group.com MSWinLog 4 486 Mon Jul 06 08:04:05 2009 6008 Log Unknown User N/A B0324-FR2003 None 0000: d9 07 07 00 01 00 06 00... 0008: 08 00 01 00 12 00 ab 00... 010: d9 07 07 00 01 00 06 00... 0018: 06 00 01 00 12 00 ab 00... L'arrêt système précédant à 08:01:18 le 06/07/2009 n'était pas prévu. 0

Appendix B Logon Types and Descriptions

Table 2 Logon Types and Descriptions

| Logon Type | Logon Title | Description |
| --- | --- | --- |
| 1 | Interactive | A user logged on to this computer at the console. |
| 2 | Network | A user or computer logged on to this computer from the network. |
| 3 | Batch | Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention. |
| 4 | Service | A service was started by the Service Control Manager. |
| 5 | Unlock | This workstation was unlocked. |
| 6 | NetworkCleartext | A user logged on to a network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 7 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections. |
| 8 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection. |
| 9 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |