RE: Using AuthzReportSecurityEvent

From: Chris Stagnaro (anonymous_at_discussions.microsoft.com)
Date: 09/29/04


Date: Tue, 28 Sep 2004 15:55:42 -0700

Thanks, that did the trick. I now get my audit events in
the security log (along with all the other objects...). I
don't suppose there is another way to control this so
that I don't have to turn on all of the other OS object
access audits?

Thanks again for all the extra help.
Chris
>-----Original Message-----
>Do you have the object access auditing category ON?
>
>From cmd prompt type secpol.msc. Go to local policies - Audit Policy. Enable
>"Audit Object Access" for success and failure.
>
>HTH
>
>
>"Chris Stagnaro" wrote:
>
>> Thanks, that gets me past this call.
>>
>> I get a success from this call, but I still don't get
>> anything in the security log.
>>
>> Does something need to change in the message file format?
>>
>> Thanks,
>> Chris
>>
>> >-----Original Message-----
>> >AuthzReportSecurityEvent takes a var arg list. Instead of constructing the
>> >AUDIT_PARAMS struct, you'd have to call AuthzReportSecurityEvent as follows:
>> >
>> > bRet = AuthzReportSecurityEvent(nEventType /*nEventType */,
>> >                                 m_hSecHandle,
>> >                                 (DWORD) nEventID,
>> >                                 pSID,
>> >                                 index,
>> >                                 APT_String, <Your String>,
>> >                                 APT_String, <Your String>,
>> >                                 // and so forth
>> >                                 );
>> >
>> >HTH
>> >
>> >
>> >"Chris Stagnaro" wrote:
>> >
>> >> The code has gotten pretty hacked up. Here is the section
>> >> that builds the AUDIT_PARAM structure and calls the
>> >> AuthzReportSecurityEvent.
>> >>
>> >> vector<_bstr_t> vecMsgs;
>> >>
>> >> /* ... Code that parses an input string and turns
>> >> it into the list of strings in vecMsgs
>> >> left out here. ... */
>> >>
>> >> // Code that populates the AUDIT_PARAM array from vecMsgs
>> >>
>> >> long index = 0;
>> >> AUDIT_PARAM list[20];
>> >> TCHAR listparms[10][1024];
>> >>
>> >> // Stop at 10 entries so listparms is never indexed out of bounds
>> >> for (size_t i = 0; i < vecMsgs.size() && i < 10; ++i)
>> >> {
>> >>     list[index].Type = APT_String;
>> >>     list[index].Length = sizeof(AUDIT_PARAM);
>> >>     list[index].Flags = 0;
>> >>     ZeroMemory(listparms[i], 1024 * sizeof(TCHAR));
>> >>     // Copy the message as data, never as the format string
>> >>     wsprintf(listparms[i], TEXT("%s"), (LPCTSTR)vecMsgs[i]);
>> >>     list[index].String = listparms[i];
>> >>
>> >>     index++;
>> >> }
>> >>
>> >> // Making the API call
>> >>
>> >> bRet = AuthzReportSecurityEvent(nEventType /*nEventType */,
>> >>                                 m_hSecHandle,
>> >>                                 (DWORD) nEventID,
>> >>                                 pSID,
>> >>                                 index,
>> >>                                 list);
>> >> Result_Error = GetLastError();
>> >>
>> >> Thanks,
>> >> Chris
>> >>
>> >> >-----Original Message-----
>> >> >Please post your code. Especially, how you are constructing the AUDIT_PARAM
>> >> >struct.
>> >> >
>> >> >"Chris Stagnaro" wrote:
>> >> >
>> >> >> I am trying to report Audit Events from our application into the Security Log
>> >> >> on Windows Server 2003 using the AuthzReportSecurityEvent Security API. On
>> >> >> Windows 2000 we were using ReportEvent, which worked because of a bug in the
>> >> >> API, which has subsequently been fixed.
>> >> >>
>> >> >> Currently I am making a call to AuthzReportSecurityEvent with no parameters
>> >> >> and it returns a success, however nothing is written to the security log.
>> >> >>
>> >> >> I've tried to also provide a list of parameters to this call by passing an
>> >> >> array of AUDIT_PARAM. However in this case GetLastError returns 87 (The
>> >> >> parameter is incorrect). I have not been able to find any example code or
>> >> >> any documentation that outlines any additional steps that need to be taken to
>> >> >> actually get this method to work. All I have been able to find is the basic
>> >> >> SDK pages that give the syntax for each method call.
>> >> >>
>> >> >> Does anyone have an idea what else needs to be done to make this work? It
>> >> >> is running as a service and has the necessary audit privilege set already.
>> >> >>
>> >> >> Thanks,
>> >> >> Chris
>> >> >>
>> >> >.
>> >> >
>> >>
>> >.
>> >
>>
>.
>
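
The quoted code keeps its strings in a vector whose size is only known at run time, while the call shown in the reply needs every (type, value) pair as its own argument. The block below is an added example, not code from the thread, showing one way to bridge the two. `report_event`, `PT_STRING`, `g_record` and `report_strings` are hypothetical portable stand-ins (for `AuthzReportSecurityEvent`, `APT_String`, the log and the caller's wrapper), so it builds without the Windows SDK.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; the real names come from <authz.h> on Windows. */
enum { PT_STRING = 1 };            /* plays the role of APT_String */
#define ERR_INVALID_PARAMETER 87   /* the GetLastError value quoted in the thread */

static char g_record[256];         /* what the stand-in would have logged */
static int  g_last_error;

/* Same calling shape as the call in the reply: a count, then that many
   (type, value) pairs. The validation is the stand-in's own. */
static int report_event(unsigned count, ...)
{
    va_list ap;
    size_t used = 0;
    g_record[0] = '\0';
    g_last_error = 0;
    va_start(ap, count);
    for (unsigned i = 0; i < count; i++) {
        int type = va_arg(ap, int);
        const char *val = va_arg(ap, const char *);
        size_t room = sizeof g_record - used;
        int n = (type == PT_STRING && val != NULL)
              ? snprintf(g_record + used, room, "%s%s", i ? "|" : "", val) : -1;
        if (n < 0 || (size_t)n >= room) {   /* bad pair or record too long */
            g_last_error = ERR_INVALID_PARAMETER;
            break;
        }
        used += (size_t)n;
    }
    va_end(ap);
    return g_last_error == 0;
}

/* C cannot build a variadic argument list at run time, so each supported
   count gets its own call; larger lists are refused, not truncated. */
static int report_strings(const char *const *s, size_t n)
{
    switch (n) {
    case 0: return report_event(0);
    case 1: return report_event(1, PT_STRING, s[0]);
    case 2: return report_event(2, PT_STRING, s[0], PT_STRING, s[1]);
    case 3: return report_event(3, PT_STRING, s[0], PT_STRING, s[1], PT_STRING, s[2]);
    case 4: return report_event(4, PT_STRING, s[0], PT_STRING, s[1],
                                   PT_STRING, s[2], PT_STRING, s[3]);
    default: g_last_error = ERR_INVALID_PARAMETER; return 0;
    }
}
```
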


