Re: Record Layout of Windows Security Event log records ?.
From: Keith W. McCammon (km_at_km.com)
Date: 02/25/04
- Next message: Jeff Cochran: "Re: Short guide to secure network"
- Previous message: Keith W. McCammon: "Re: Short guide to secure network"
- In reply to: Steen Schjellerup: "Re: Record Layout of Windows Security Event log records ?."
- Next in thread: Steen Schjellerup: "Re: Record Layout of Windows Security Event log records ?."
- Reply: Steen Schjellerup: "Re: Record Layout of Windows Security Event log records ?."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 Feb 2004 09:34:08 -0500
I can't even find anything close. Let me check with someone on this and get
back to you.
"Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
news:Oun1yB5%23DHA.2804@tk2msftngp13.phx.gbl...
> Thanks for your comments, - but unfortunately it was not quite what I need.
> I have found out that all Windows Event log records have the same
> format. The format is the following:
> typedef struct _EVENTLOGRECORD {
>     DWORD Length;
>     DWORD Reserved;
>     DWORD RecordNumber;
>     DWORD TimeGenerated;
>     DWORD TimeWritten;
>     DWORD EventID;
>     WORD  EventType;
>     WORD  NumStrings;
>     WORD  EventCategory;
>     WORD  ReservedFlags;
>     DWORD ClosingRecordNumber;
>     DWORD StringOffset;
>     DWORD UserSidLength;
>     DWORD UserSidOffset;
>     DWORD DataLength;
>     DWORD DataOffset;
> } EVENTLOGRECORD, *PEVENTLOGRECORD;
>
> The data reported from whatever component has been reporting to the Event
> log starts at "DataOffset" and has the length of "DataLength".
> The records I'm interested in are the ones reported as Security Events
> (specifically event type 632, 624, 628 and 565).
> Now what I need is the record layout of those Event types. This will be a
> separate description of the complete Event log record, namely the
> structure/layout starting at "DataOffset".
> Also there are some equates which I need. For example for event type 565
> "Directory Service Access" you can have the accesses=WRITE_OWNER. This is
> what is shown when you use the event viewer to look at the records, - but
> inside the actual record you only see Char Numeric values (like:
> Accesses%%7688), - so I need to know which value represents the WRITE_OWNER
> access.
> I guess Microsoft must have documented the record layouts for each
> event-id, - but I can't find it anywhere. I have been searching around in
> the msdn Internet pages (http://msdn.microsoft.com/default.aspx ) that's
> where I found the general layout for the Event Log records (the common
> prefix which is present in all Event Log records).
> I'm a mainframe person, so I don't know who to contact for such documentation
> (I mean at the PC platform), - so if you can't guide me to the doc. maybe
> you can help me get in contact with someone who can help me.
> Kind regards from
> Steen Schjellerup/Denmark.
>
> "Keith W. McCammon" <km@km.com> wrote in message
> news:#iAo$Nv#DHA.2664@TK2MSFTNGP09.phx.gbl...
> > Assuming you're talking about a database schema, this one is handy:
> >
> > http://www.winsyslog.com/common/en/faq/setup-with-mysql.asp
> >
> >
> >
> > "Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
> > news:e7Yx%232u%23DHA.2476@TK2MSFTNGP12.phx.gbl...
> > > Hi,
> > > I have to process the Windows Event Log records and pull out the records
> > > containing information related to Security Events for post processing. Now
> > > the above is done already, and at the moment I'm trying to figure out the
> > > layout of the Security Event records.
> > > Does anyone know where the layout of these Event types is documented?
> > > Kind regards from
> > > Steen Schjellerup/Denmark.
> > >
> > >
> >
> >
>
>
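As an added example (not from this thread, nor Microsoft's own code), the Python below walks one EVENTLOGRECORD using exactly the header layout quoted in the message, and shows where the fields Event Viewer displays actually come from: the `NumStrings` NUL-terminated Unicode insertion strings at `StringOffset` (the source and computer names sit directly after the header, the SID at `UserSidOffset`), not the binary blob at `DataOffset`; a token such as `%%7688` is stored verbatim in one of those strings and is only turned into text like WRITE_OWNER when Event Viewer resolves it through the parameter message file registered for the event source. The `build_record` helper, the constructed sample record and its values are this example's own, and every offset is bounds-checked against the record's `Length` so a corrupt or hostile .evt file cannot over-read.

```python
import struct
# EVENTLOGRECORD fixed header as quoted in the thread (little-endian): 6 DWORDs, 4 WORDs, 6 DWORDs = 56 bytes
_HDR = struct.Struct("<IIIIIIHHHHIIIIII")
_SIGNATURE = 0x654C664C  # "LfLe": the 'Reserved' DWORD holds this magic in every record
_EVENT_TYPES = {1: "ERROR", 2: "WARNING", 4: "INFORMATION", 8: "AUDIT_SUCCESS", 16: "AUDIT_FAILURE"}

def _read_wstr(buf, pos, end):
    # NUL-terminated UTF-16LE; step two bytes at a time so a lone zero byte inside a character is not a terminator
    i = next((j for j in range(pos, end - 1, 2) if buf[j:j + 2] == b"\x00\x00"), None)
    if i is None:
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:i].decode("utf-16-le"), i + 2

def parse_record(buf, off=0):
    """Parse the EVENTLOGRECORD at buf[off]; every offset is checked against the record's own Length first."""
    (length, sig, recnum, tgen, _twrit, eid, etype, nstr, cat, _flags, _closing,
     str_off, sid_len, sid_off, data_len, data_off) = _HDR.unpack_from(buf, off)
    end = off + length
    if sig != _SIGNATURE or length < _HDR.size + 4 or end > len(buf):
        raise ValueError("bad record header at offset %d" % off)
    if struct.unpack_from("<I", buf, end - 4)[0] != length:  # Length is repeated as the record's last DWORD
        raise ValueError("trailing length mismatch at offset %d" % off)
    for start, size in ((str_off, 0), (sid_off, sid_len), (data_off, data_len)):
        if (start or size) and not (_HDR.size <= start and off + start + size <= end):
            raise ValueError("field outside record at offset %d" % off)
    source, pos = _read_wstr(buf, off + _HDR.size, end)   # SourceName directly follows the header,
    computer, pos = _read_wstr(buf, pos, end)             # then ComputerName
    strings, pos = [], off + str_off                      # NumStrings insertion strings: what Event Viewer shows
    for _ in range(nstr):
        s, pos = _read_wstr(buf, pos, end)
        strings.append(s)
    return {"record": recnum, "event_id": eid & 0xFFFF, "type": _EVENT_TYPES.get(etype, etype), "category": cat,
            "time_generated": tgen, "source": source, "computer": computer, "strings": strings,
            "sid": bytes(buf[off + sid_off:off + sid_off + sid_len]),
            "data": bytes(buf[off + data_off:off + data_off + data_len])}

def build_record(recnum, event_id, strings, etype=8, source="Security", computer="DC01", sid=b"", data=b""):
    # Constructed-input helper: serialises a record in the same layout so the parser can be exercised offline
    def w(s): return s.encode("utf-16-le") + b"\x00\x00"
    body = w(source) + w(computer)
    sid_off, body = _HDR.size + len(body), body + sid
    str_off, body = _HDR.size + len(body), body + b"".join(map(w, strings))
    data_off, body = _HDR.size + len(body), body + data
    length = _HDR.size + len(body) + 4
    hdr = _HDR.pack(length, _SIGNATURE, recnum, 0, 0, event_id, etype, len(strings), 0, 0, 0,
                    str_off, len(sid), sid_off, len(data), data_off)
    return hdr + body + struct.pack("<I", length)

# Constructed sample: a 565-style audit record whose third insertion string is a %%7688 token, stored verbatim
SAMPLE = build_record(1001, 565, ["jdoe", "EXAMPLE", "%%7688"], sid=b"\x01\x01" + b"\x00" * 10, data=b"\xde\xad")
```

To walk a whole file, call `parse_record` repeatedly, advancing `off` by each returned record's `Length` (the first DWORD of the header); real .evt files also carry a file header and a cursor record before the first event record, which this example does not handle.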