Friday, 2 March 2012

Windows 2008 Security Event IDs


Audit account logon events
Event ID      Description
4776 - The domain controller attempted to validate the credentials for an account
4777 - The domain controller failed to validate the credentials for an account
4768 - A Kerberos authentication ticket (TGT) was requested
4769 - A Kerberos service ticket was requested
4770 - A Kerberos service ticket was renewed


Audit account management
Event ID          Description
4741 - A computer account was created.
4742 - A computer account was changed.
4743 - A computer account was deleted.
4739 - Domain Policy was changed. 
4782 - The password hash of an account was accessed.
4727 - A security-enabled global group was created.
4728 - A member was added to a security-enabled global group.
4729 - A member was removed from a security-enabled global group.
4730 - A security-enabled global group was deleted.
4731 - A security-enabled local group was created.
4732 - A member was added to a security-enabled local group.
4733 - A member was removed from a security-enabled local group.
4734 - A security-enabled local group was deleted.
4735 - A security-enabled local group was changed.
4737 - A security-enabled global group was changed.
4754 - A security-enabled universal group was created.
4755 - A security-enabled universal group was changed.
4756 - A member was added to a security-enabled universal group.
4757 - A member was removed from a security-enabled universal group.
4758 - A security-enabled universal group was deleted.
4720 - A user account was created.
4722 - A user account was enabled.
4723 - An attempt was made to change an account's password.
4724 - An attempt was made to reset an account's password.
4725 - A user account was disabled.
4726 - A user account was deleted.
4738 - A user account was changed.
4740 - A user account was locked out.
4765 - SID History was added to an account.
4766 - An attempt to add SID History to an account failed.
4767 - A user account was unlocked.
4780 - The ACL was set on accounts which are members of administrators groups.
4781 - The name of an account was changed.



Audit directory service access
4934 - Attributes of an Active Directory object were replicated. 
4935 - Replication failure begins. 
4936 - Replication failure ends. 
5136 - A directory service object was modified. 
5137 - A directory service object was created. 
5138 - A directory service object was undeleted. 
5139 - A directory service object was moved. 
5141 - A directory service object was deleted.
4932 - Synchronization of a replica of an Active Directory naming context has begun.
4933 - Synchronization of a replica of an Active Directory naming context has ended.


Audit logon events
4634 - An account was logged off.
4647 - User initiated logoff.
4624 - An account was successfully logged on.
4625 - An account failed to log on. 
4648 - A logon was attempted using explicit credentials.
4675 - SIDs were filtered. 
4649 - A replay attack was detected.
4778 - A session was reconnected to a Window Station.
4779 - A session was disconnected from a Window Station.
4800 - The workstation was locked.
4801 - The workstation was unlocked.
4802 - The screen saver was invoked.
4803 - The screen saver was dismissed.
5378 - The requested credentials delegation was disallowed by policy.
5632 - A request was made to authenticate to a wireless network.
5633 - A request was made to authenticate to a wired network.


Audit object access
5140 - A network share object was accessed.
4664 - An attempt was made to create a hard link. 
4985 - The state of a transaction has changed. 
5051 - A file was virtualized. 
5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network. 
4698 - A scheduled task was created. 
4699 - A scheduled task was deleted. 
4700 - A scheduled task was enabled. 
4701 - A scheduled task was disabled. 
4702 - A scheduled task was updated.
4657 - A registry value was modified.
5039 - A registry key was virtualized.
4660 - An object was deleted. 
4663 - An attempt was made to access an object. 


Audit policy change
4715 - The audit policy (SACL) on an object was changed.
4719 - System audit policy was changed.
4902 - The Per-user audit policy table was created.
4906 - The CrashOnAuditFail value has changed.
4907 - Auditing settings on object were changed.
4706 - A new trust was created to a domain.
4707 - A trust to a domain was removed.
4713 - Kerberos policy was changed.
4716 - Trusted domain information was modified.
4717 - System security access was granted to an account.
4718 - System security access was removed from an account.
4864 - A namespace collision was detected.
4865 - A trusted forest information entry was added.
4866 - A trusted forest information entry was removed.
4867 - A trusted forest information entry was modified.
4704 - A user right was assigned.
4705 - A user right was removed.
4714 - Encrypted data recovery policy was changed.
4944 - The following policy was active when the Windows Firewall started.
4945 - A rule was listed when the Windows Firewall started.
4946 - A change has been made to Windows Firewall exception list. A rule was added.
4947 - A change has been made to Windows Firewall exception list. A rule was modified.
4948 - A change has been made to Windows Firewall exception list. A rule was deleted.
4949 - Windows Firewall settings were restored to the default values.
4950 - A Windows Firewall setting has changed.
4951 - A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952 - Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953 - A rule has been ignored by Windows Firewall because it could not parse the rule.
4954 - Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956 - Windows Firewall has changed the active profile.
4957 - Windows Firewall did not apply the following rule:
4958 - Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
6144 - Security policy in the group policy objects has been applied successfully.
6145 - One or more errors occurred while processing security policy in the group policy objects.
4670 - Permissions on an object were changed.


Audit privilege use
4672 - Special privileges assigned to new logon.
4673 - A privileged service was called.
4674 - An operation was attempted on a privileged object.


Audit system events
5024 - The Windows Firewall Service has started successfully. 
5025 - The Windows Firewall Service has been stopped. 
5027 - The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. 
5028 - The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. 
5029 - The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. 
5030 - The Windows Firewall Service failed to start. 
5032 - Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. 
5033 - The Windows Firewall Driver has started successfully. 
5034 - The Windows Firewall Driver has been stopped. 
5035 - The Windows Firewall Driver failed to start. 
5037 - The Windows Firewall Driver detected critical runtime error. Terminating. 
4608 - Windows is starting up. 
4609 - Windows is shutting down. 
4616 - The system time was changed. 
4621 - Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. 
4697 - A service was installed in the system. 
4618 - A monitored security event pattern has occurred.
