Re: Record Layout of Windows Security Event log records?

From: Paul Matear (paul_at_nospam.com)
Date: 02/25/04


Date: Wed, 25 Feb 2004 22:58:00 -0000

Hi Steen

not sure I'm following what you are doing, but if you want to display the
'friendly message' that you see in event viewer you may have a problem. Many
event log messages are dynamically created when you view them in the windows
event viewer - the template text is contained in a supporting DLL specific
for the source, and the eventlogrecord only contains the specific values for
that record which are inserted as appropriate

a list of registered event providers can be gathered from the registry
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog)
note that this list is specific for that machine - others may differ
depending on what's installed

for example security event messages are held in
%systemroot%\system32\msaudite.dll
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security)
if you have service packs applied there may be additional DLLs specified

the template text for common providers may also be gleaned from various
sources (as well as by extrapolating from the visible message in event
viewer) such as
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074

so you'd have to roll your own in that respect

hth
paul

"Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
news:uwT8qS7%23DHA.3184@TK2MSFTNGP09.phx.gbl...
> Hello,
> Thank you so far for spending time on this issue.
> Of course I have also spent further time on this and I have found the
> following:
> I have found something which describes this to some point.
> I went to
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/eventlogrecord_str.asp
> and did a search for : event message 565
> This gave me the layout of the 565 record, - similar is available for the
> other events. I have 2 problems though, a small and a bigger one
> 1) - the description is not to be included in any kind of program as a
> structure or typedef. The description is for humans to read. So something
> which programming languages like would be nice (C, PL1, or similar). Well I
> can define an array of keywords myself which correspond to the ones described
> and hopefully I can write a program which will be able to find the
> corresponding field values inside the record.
> 2) - The missing thing for me at the moment is the translation of the char
> numeric values which are present after the Accesses keyword (the ones like:
> Accesses%%7688).
>
> Kind regards from
> Steen Schjellerup/Denmark.
>
>
> "Keith W. McCammon" <km@km.com> wrote in message
> news:uHvHbx6#DHA.916@TK2MSFTNGP10.phx.gbl...
> > I can't even find anything close. Let me check with someone on this and
> > get back to you.
> >
> >
> > "Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
> > news:Oun1yB5%23DHA.2804@tk2msftngp13.phx.gbl...
> > > Thanks for your comments, - but unfortunately it was not quite what I
> > > need.
> > > I have found out that all Windows Event log records have the same
> > > format. The format is the following:
> > > typedef struct _EVENTLOGRECORD {
> > > DWORD Length;
> > > DWORD Reserved;
> > > DWORD RecordNumber;
> > > DWORD TimeGenerated;
> > > DWORD TimeWritten;
> > > DWORD EventID;
> > > WORD EventType;
> > > WORD NumStrings;
> > > WORD EventCategory;
> > > WORD ReservedFlags;
> > > DWORD ClosingRecordNumber;
> > > DWORD StringOffset;
> > > DWORD UserSidLength;
> > > DWORD UserSidOffset;
> > > DWORD DataLength;
> > > DWORD DataOffset;
> > > } EVENTLOGRECORD,
> > > *PEVENTLOGRECORD;
> > >
> > > The data reported from whatever component has been reporting to the
> > > Event log starts at "DataOffset" and has the length of "DataLength".
> > > The records I'm interested in are the ones reported as Security Events
> > > (specifically event type 632, 624, 628 and 565).
> > > Now what I need is the record layout of those Event types. This will
> > > be a separate description of the complete Event log record namely the
> > > structure/layout starting at "DataOffset".
> > > Also there are some equates which I need. For example for event type
> > > 565 "Directory Service Access" you can have the accesses=WRITE_OWNER.
> > > This is what is shown when you use the event viewer to look at the
> > > records, - but inside the actual record you only see Char Numeric
> > > values (like: Accesses%%7688), - so I need to know which value
> > > represents the WRITE_OWNER access.
> > > I guess Microsoft must have documented the record layouts for each
> > > event-id, - but I can't find it anywhere. I have been searching around
> > > in the msdn Internet pages (http://msdn.microsoft.com/default.aspx )
> > > that's where I found the general layout for the Event Log records (the
> > > common prefix which is present in all Event Log records).
> > > *
> > > I'm a mainframe person, so I don't know who to contact for such
> > > documentation (I mean at the PC platform), - so if you can't guide me
> > > to the doc. maybe you can help me get in contact with someone who can
> > > help me.
> > > *
> > > Kind regards from
> > > Steen Schjellerup/Denmark.
> > >
> > > "Keith W. McCammon" <km@km.com> wrote in message
> > > news:#iAo$Nv#DHA.2664@TK2MSFTNGP09.phx.gbl...
> > > > Assuming you're talking about a database schema, this one is handy:
> > > >
> > > > http://www.winsyslog.com/common/en/faq/setup-with-mysql.asp
> > > >
> > > >
> > > >
> > > > "Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
> > > > news:e7Yx%232u%23DHA.2476@TK2MSFTNGP12.phx.gbl...
> > > > > Hi,
> > > > > I have to process the Windows Event Log records and pull out the
> > > > > records containing information related to Security Events for post
> > > > > processing. Now the above is done already, and at the moment I'm
> > > > > trying to figure out the layout of the Security Event records.
> > > > > Does anyone know where the layout of these Event types is
> > > > > documented?
> > > > > *
> > > > > Kind regards from
> > > > > Steen Schjellerup/Denmark.
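Added example (not code from anyone in this thread): a Python parser for the EVENTLOGRECORD typedef quoted above that walks the variable part of a record (SourceName and ComputerName after the fixed header, the SID at UserSidOffset, the NumStrings insertion strings at StringOffset, the DataLength bytes at DataOffset, and the trailing copy of Length) and pulls the %%NNNN parameter IDs out of the insertion strings, which is the step Steen is stuck on. The sample record, its names, strings and data bytes are constructed here for the example; build_record exists only to produce that offline input.

```python
import re
import struct
# Fixed part of EVENTLOGRECORD, field for field as the typedef quoted in the thread
# (little-endian; DWORD -> I, WORD -> H); it is 56 bytes long.
HEADER_FMT = "<IIIIIIHHHHIIIIII"
HEADER_FIELDS = ("Length Reserved RecordNumber TimeGenerated TimeWritten EventID EventType "
                 "NumStrings EventCategory ReservedFlags ClosingRecordNumber StringOffset "
                 "UserSidLength UserSidOffset DataLength DataOffset").split()
HEADER_SIZE = struct.calcsize(HEADER_FMT)
LFLE = 0x654C664C                    # "LfLe" signature that Reserved carries in every record
PARAM_RE = re.compile(r"%%(\d+)")    # placeholders such as %%7688 inside insertion strings

def _utf16z(buf, pos):  # one NUL-terminated UTF-16LE string at pos -> (text, pos after NUL)
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_record(buf, off=0):
    """Split the record at off into header fields, names, SID, insertion strings and data."""
    rec = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, buf, off)))
    if rec["Reserved"] != LFLE or rec["Length"] < HEADER_SIZE + 4:
        raise ValueError("no EVENTLOGRECORD at offset %d" % off)
    if struct.unpack_from("<I", buf, off + rec["Length"] - 4)[0] != rec["Length"]:
        raise ValueError("trailing Length mismatch: truncated or corrupt record")
    rec["SourceName"], pos = _utf16z(buf, off + HEADER_SIZE)  # names follow the fixed header
    rec["ComputerName"], _ = _utf16z(buf, pos)
    rec["UserSid"] = buf[off + rec["UserSidOffset"]:][:rec["UserSidLength"]]
    rec["Strings"], pos = [], off + rec["StringOffset"]
    for _ in range(rec["NumStrings"]):
        s, pos = _utf16z(buf, pos)
        rec["Strings"].append(s)
    rec["Data"] = buf[off + rec["DataOffset"]:][:rec["DataLength"]]
    rec["EventCode"] = rec["EventID"] & 0xFFFF   # low word is the number Event Viewer shows
    # %%NNNN is not text: NNNN is a message ID to look up in the source's ParameterMessageFile
    rec["ParamIDs"] = sorted({int(n) for s in rec["Strings"] for n in PARAM_RE.findall(s)})
    return rec

def build_record(recno, event_id, source, computer, strings, sid=b"", data=b""):
    # assemble a well-formed record; used here only to construct offline sample input
    names = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in (source, computer))
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    sid_off = HEADER_SIZE + len(names)
    str_off, data_off = sid_off + len(sid), sid_off + len(sid) + len(body)
    length = data_off + len(data) + 4
    hdr = struct.pack(HEADER_FMT, length, LFLE, recno, 0, 0, event_id, 0x8, len(strings),
                      0, 0, 0, str_off, len(sid), sid_off, len(data), data_off)
    return hdr + names + sid + body + data + struct.pack("<I", length)

# Constructed sample: a 565-style audit record whose Accesses string carries two parameter IDs
SAMPLE = build_record(42, 565, "Security", "WS01", ["Steen", "%%7688\r\n\t\t\t%%7689"],
                      sid=b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00", data=b"\x01\x02")
```

The ParamIDs the parser returns are the numbers that have to be resolved through the ParameterMessageFile DLL registered under the source's Eventlog key (the key Paul names for Security), not through the EventMessageFile that holds the event template itself.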