Re: Record Layout of Windows Security Event log records ?.

From: Paul Matear (paul_at_nospam.com)
Date: 02/27/04


Date: Fri, 27 Feb 2004 01:57:16 -0000

just found this reference which may help in finding the text strings

http://groups.google.co.uk/groups?q=eventlog+accesses+565&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=bfop2l%245pa%241%40FreeBSD.csie.NCTU.edu.tw&rnum=2

best of luck!

regards
paul

"Paul Matear" <paul@nospam.com> wrote in message
news:Ubx%b.12185$h44.1275619@stones.force9.net...
> Hi Steen
>
> I noticed 565 was missing, but as you said you'd already found that info
> elsewhere. Info on all the security events you are interested in can be
> found at http://support.microsoft.com/default.aspx?scid=kb;en-us;299475 and
> its linked page
>
> From what I've seen of the Accesses field for event 565 and related 560, you
> may have your work cut out trying to evaluate the values....
>
> normally things like WRITE_OWNER and READ_CONTROL are single bits within the
> access mask (see
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distsys/part2/dsgch12.asp
> and
> http://msdn.microsoft.com/library/en-us/security/security/access_mask_format.asp)
> but that doesn't seem to be the case here - also you need to know what the
> textual values for the object specific bits are, and this will vary from
> object to object. You may be able to determine the standard values by trial
> and error, but I'm guessing that there is an internal lookup table in the
> event provider that gives the object specific values - possibly you might
> hack this detail out....
>
> you seem quite committed to programmatically accessing this info from a low
> level, but you might also consider using a tool such as LOGPARSER to extract
> the events in a more usable fashion. LOGPARSER is a free tool from MS
> designed for IIS logs but will also work against the EventLog. More info on
> this at www.logparser.com - you may find someone there (or at the
> microsoft.public.inetserver.iis newsgroup) that can give you some detail on
> how they implemented reading the event log records.
>
> hth
> regards
> paul
>
> "Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
> news:%234D3E4E$DHA.3220@TK2MSFTNGP10.phx.gbl...
> > Hi Paul,
> > Thank you very much for your reply.
> > I'm only interested in Security event records with the event id of 565, 624,
> > 628 and 632.
> > The http address you gave me was nearly what I wanted. 2 things are missing
> > though
> > 1). The layout of event id 565 is missing (not a big problem, - see the
> > bottom of this note)
> > 2). The translation mapping for the values which can be set for the Accesses
> > field.
> > When I look in the raw record (after being transmitted to the mainframe),
> > everything looks like the descriptions I now have except for the values
> > which are applied to the Accesses field.
> > What I see is something like Accesses %%7688 or there can be more than just
> > one value after the Accesses field. There must be some kind of mapping of
> > these values to a text because I have an example where the event viewer
> > shows the Accesses field as "WRITE_OWNER". Only problem I have is that at
> > the moment I don't have that record at the mainframe, so I don't know which
> > %%xxxx value corresponds to "WRITE_OWNER". I also don't know if the value
> > should be interpreted as a bit mask where one of the bits corresponds to
> > "WRITE_OWNER" or if the complete value tells me that it is WRITE_OWNER. I
> > hope for the latter and also I think this is right because there can be many
> > %%xxxx values present after the Accesses field.
> >
> > The missing 565 record from your http address is not a big problem because I
> > have found it myself. I went to
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/eventlogrecord_str.asp
> > and did a search for : event message 565, - the first
> > entry from the search result (as I remember, - anyway there were only a few)
> > got me to the record descriptions. Only in this case the 632 is missing so
> > your http address gave me the missing info. for that problem.
> >
> > Kind regards from
> > Steen Schjellerup/Denmark.
> >
> >
> > "Paul Matear" <paul@nospam.com> wrote in message
> > news:uBhVAK$#DHA.4012@tk2msftngp13.phx.gbl...
> > > Hi Steen
> > >
> > > not sure I'm following what you are doing, but if you want to display the
> > > 'friendly message' that you see in event viewer you may have a problem. Many
> > > event log messages are dynamically created when you view them in the windows
> > > event viewer - the template text is contained in a supporting DLL specific
> > > for the source, and the eventlogrecord only contains the specific values for
> > > that record which are inserted as appropriate
> > >
> > > a list of registered event providers can be gathered from the registry
> > > (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog)
> > > note that this list is specific for that machine - others may differ
> > > depending on what's installed
> > >
> > > for example security event messages are held in
> > > %systemroot%\system32\msaudite.dll
> > > (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security)
> > > if you have service packs applied there may be additional DLLs specified
> > >
> > > the template text for common providers may also be gleaned from various
> > > sources (as well as by extrapolating from the visible message in event
> > > viewer) such as
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
> > >
> > > so you'd have to roll your own in that respect
> > >
> > > hth
> > > paul
> > >
> > >
> > >
> > > "Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
> > > news:uwT8qS7%23DHA.3184@TK2MSFTNGP09.phx.gbl...
> > > > Hello,
> > > > Thank you so far for spending time on this issue.
> > > > Of course I have also spent further time on this and I have found the
> > > > following:
> > > > I have found something which describes this to some point.
> > > > I went to
> > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/eventlogrecord_str.asp
> > > > and did a search for : event message 565
> > > > This gave me the layout of the 565 record, - similar is available for the
> > > > other events. I have 2 problems though, a small and a bigger one
> > > > 1) - the description is not to be included in any kind of program as a
> > > > structure or typedef. The description is for humans to read. So something
> > > > which program languages like would be nice (C, PL1, or similar). Well I can
> > > > define an array of keywords myself which correspond to the ones described
> > > > and hopefully I can write a program which will be able to find the
> > > > corresponding field values inside the record.
> > > > 2) - The missing thing for me at the moment is the translation of the char
> > > > numeric values which are present after the Accesses keyword (the ones like:
> > > > Accesses%%7688).
> > > >
> > > > Kind regards from
> > > > Steen Schjellerup/Denmark.
> > > >
> > > >
> > > > "Keith W. McCammon" <km@km.com> wrote in message
> > > > news:uHvHbx6#DHA.916@TK2MSFTNGP10.phx.gbl...
> > > > > I can't even find anything close. Let me check with someone on this and
> > > > > get back to you.
> > > > >
> > > > >
> > > > > "Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
> > > > > news:Oun1yB5%23DHA.2804@tk2msftngp13.phx.gbl...
> > > > > > Thanks for your comments, - but unfortunately it was not quite what I
> > > > > > need.
> > > > > > I have found out that all Windows Event log records have the same
> > > > > > format. The format is the following:
> > > > > > typedef struct _EVENTLOGRECORD {
> > > > > >     DWORD Length;              // size of the whole record in bytes
> > > > > >     DWORD Reserved;
> > > > > >     DWORD RecordNumber;
> > > > > >     DWORD TimeGenerated;
> > > > > >     DWORD TimeWritten;
> > > > > >     DWORD EventID;
> > > > > >     WORD  EventType;
> > > > > >     WORD  NumStrings;          // number of strings found at StringOffset
> > > > > >     WORD  EventCategory;
> > > > > >     WORD  ReservedFlags;
> > > > > >     DWORD ClosingRecordNumber;
> > > > > >     DWORD StringOffset;        // byte offset of the description strings
> > > > > >     DWORD UserSidLength;
> > > > > >     DWORD UserSidOffset;       // byte offset of the user SID
> > > > > >     DWORD DataLength;
> > > > > >     DWORD DataOffset;          // byte offset of the event-specific data
> > > > > > } EVENTLOGRECORD, *PEVENTLOGRECORD;
> > > > > >
> > > > > > The data reported from whatever component has been reporting to the Event
> > > > > > log starts at "DataOffset" and has the length of "DataLength".
> > > > > > The records I'm interested in are the ones reported as Security Events
> > > > > > (specifically event type 632, 624, 628 and 565).
> > > > > > Now what I need is the record layout of those Event types. This will be a
> > > > > > separate description of the complete Event log record namely the
> > > > > > structure/layout starting at "DataOffset".
> > > > > > Also there are some equates which I need. For example for event type 565
> > > > > > "Directory Service Access" you can have the accesses=WRITE_OWNER. This is
> > > > > > what is shown when you use the event viewer to look at the records, - but
> > > > > > inside the actual record you only see Char Numeric values (like:
> > > > > > Accesses%%7688), - so I need to know which value represents the WRITE_OWNER
> > > > > > access.
> > > > > > I guess Microsoft must have documented the record layouts for each
> > > > > > event-id, - but I can't find it anywhere. I have been searching around in
> > > > > > the msdn Internet pages (http://msdn.microsoft.com/default.aspx ) that's
> > > > > > where I found the general layout for the Event Log records (the common
> > > > > > prefix which is present in all Event Log records).
> > > > > > *
> > > > > > I'm a mainframe person, so I don't know who to contact for such documentation
> > > > > > (I mean at the PC platform), - so if you can't guide me to the doc. maybe
> > > > > > you can help me get in contact with someone who can help me.
> > > > > > *
> > > > > > Kind regards from
> > > > > > Steen Schjellerup/Denmark.
> > > > > >
> > > > > > "Keith W. McCammon" <km@km.com> wrote in message
> > > > > > news:#iAo$Nv#DHA.2664@TK2MSFTNGP09.phx.gbl...
> > > > > > > Assuming you're talking about a database schema, this one is handy:
> > > > > > >
> > > > > > > http://www.winsyslog.com/common/en/faq/setup-with-mysql.asp
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > "Steen Schjellerup" <steenn@dk.ibm.com> wrote in message
> > > > > > > news:e7Yx%232u%23DHA.2476@TK2MSFTNGP12.phx.gbl...
> > > > > > > > Hi,
> > > > > > > > I have to process the Windows Event Log records and pull out the
> > > > > > > > records containing information related to Security Events for post
> > > > > > > > processing. Now the above is done already, and at the moment I'm trying
> > > > > > > > to figure out the layout of the Security Event records.
> > > > > > > > Does anyone know where the layout of these Event types is documented ?.
> > > > > > > > *
> > > > > > > > Kind regards from
> > > > > > > > Steen Schjellerup/Denmark.
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
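Added example, not code from the thread or from Microsoft: a small Python parser for the EVENTLOGRECORD layout quoted above. It checks the record's Length against the trailing copy, walks the NumStrings null-terminated UTF-16 strings that start at StringOffset, and expands the %%NNNN tokens seen in the Accesses field through a lookup table. Each %%NNNN token is one complete lookup key rather than a bit mask; the sample record and the token-to-text table are constructed placeholders, since the real texts live in the provider's lookup table the thread discusses.

```python
import re
import struct

# Fixed prefix of EVENTLOGRECORD as quoted in the thread (little-endian): 6 DWORDs,
# 4 WORDs, 6 DWORDs. Strings, SID and data follow at the offsets it gives.
HEADER = struct.Struct("<6I4H6I")
FIELDS = ("Length", "Reserved", "RecordNumber", "TimeGenerated", "TimeWritten",
          "EventID", "EventType", "NumStrings", "EventCategory", "ReservedFlags",
          "ClosingRecordNumber", "StringOffset", "UserSidLength", "UserSidOffset",
          "DataLength", "DataOffset")
# Constructed lookup for %%NNNN tokens: each token is one whole lookup key, not a
# bit mask. The texts are placeholders, not Microsoft's real table.
PARAM_TEXT = {7688: "PLACEHOLDER_ACCESS_7688", 7689: "PLACEHOLDER_ACCESS_7689"}

def build_record(record_number, event_id, strings, sid=b"", data=b""):
    """Serialize one record (EventType 8 = audit success); builds the sample below."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    string_off = HEADER.size
    sid_off = string_off + len(body)
    data_off = sid_off + len(sid)
    length = data_off + len(data) + 4            # +4: trailing copy of Length
    length += (-length) % 4                      # records are DWORD aligned
    pad = length - 4 - data_off - len(data)
    hdr = HEADER.pack(length, 0, record_number, 0, 0, event_id, 8, len(strings), 0,
                      0, 0, string_off, len(sid), sid_off, len(data), data_off)
    return hdr + body + sid + data + b"\x00" * pad + struct.pack("<I", length)

def parse_record(buf):
    """Decode the header, the NumStrings UTF-16 strings and the Data blob."""
    rec = dict(zip(FIELDS, HEADER.unpack_from(buf, 0)))
    length = rec["Length"]
    if len(buf) < length or struct.unpack_from("<I", buf, length - 4)[0] != length:
        raise ValueError("truncated record or trailing Length mismatch")
    pos, strings = rec["StringOffset"], []
    for _ in range(rec["NumStrings"]):           # null-terminated, back to back
        end = pos
        while end + 2 <= length and buf[end:end + 2] != b"\x00\x00":
            end += 2
        strings.append(buf[pos:end].decode("utf-16-le"))
        pos = end + 2
    rec["Strings"] = strings
    rec["Data"] = buf[rec["DataOffset"]:rec["DataOffset"] + rec["DataLength"]]
    return rec

def expand_params(text, table=PARAM_TEXT):
    """Replace each %%NNNN token with its looked-up text; unknown tokens stay."""
    return re.sub(r"%%(\d+)", lambda m: table.get(int(m.group(1)), m.group(0)), text)

# Constructed 565-style sample: the Accesses string carries two tokens, as seen above.
SAMPLE = build_record(1, 565, ["Object Access", "DS Object", "%%7688\n\t\t\t%%7689"])
```

Run `expand_params(parse_record(SAMPLE)["Strings"][2])` to see the two placeholder texts substituted for the tokens.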


