Looking for a little help from the Microsoft Windows security experts out there.
I have a requirement to generate a report of only specific security events. Some of the sites may have other auditing enabled and therefore there may be entries in the security event log that are irrelevant to my report.
I ONLY want to extract information regarding failed login or failed object access. However, from what I can see there isn't a one-to-one relationship between what you have enabled auditing for and the possible 3-digit error code that shows up in the event log.
I will be using a tool from Microsoft to dump the event log into a delimited text file so that I can programmatically extract the data I need, but I need to know what codes to pull.
Here is what I have thus far:
560 Triggered when a user attempts to access a file or directory for which they have no access.
529 User violates password.
644 User has exceeded security control in place. Account is locked out due to exceeding the number of password attempts.
578 & 612 Administrator makes an ACL or policy change.
Considering that we are only interested in failed login or object access and not any other potential security audit logging, are you aware of any other codes we should include or can you suggest another approach to the problem?
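One way to do the extraction the post describes, as an added example that is not part of the original thread: it parses a tab-delimited dump (the column layout is an assumption; adjust it to whatever the dump tool actually emits) and keys on the record type column as well as the event ID, since 560 is written for both successful and failed object opens, while 644 is kept regardless of type because a lockout is recorded as a Success Audit.

```python
import csv
import io

# Event IDs named in the post (classic NT/2000/2003 Security log numbering).
# An ID alone does not say whether the audited action succeeded or failed:
# 560 (Object Open) is written for both outcomes, so it is only reported when
# the record type reads "Failure Audit". 644 (User Account Locked Out) is
# written as a Success Audit, so it is kept whatever the type column says.
FAILURE_ONLY_IDS = {529, 560}
ALWAYS_IDS = {644}
FAILURE_TYPE = "Failure Audit"

# Assumed column order of the delimited dump; adjust to the real tool's output.
COLUMNS = ["date", "time", "type", "category", "event_id", "source",
           "user", "computer", "strings"]


def parse_dump(text):
    """Yield one dict per record from a tab-delimited event-log dump."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < len(COLUMNS):
            continue  # skip blank or truncated lines
        rec = dict(zip(COLUMNS, row))
        rec["event_id"] = int(rec["event_id"])
        # Insertion strings may themselves be tab-separated; keep them all.
        rec["strings"] = "\t".join(row[len(COLUMNS) - 1:])
        yield rec


def select_failures(text):
    """Return the records relevant to a failed-logon / failed-access report."""
    return [r for r in parse_dump(text)
            if (r["event_id"] in FAILURE_ONLY_IDS and r["type"] == FAILURE_TYPE)
            or r["event_id"] in ALWAYS_IDS]


# Constructed sample dump (not real log data): a successful 560 and a 612
# policy change should be dropped; the failed 560, the 529 and the 644 kept.
SAMPLE = "\n".join([
    "1/15/2007\t09:12:01\tSuccess Audit\tObject Access\t560\tSecurity\tDOM\\alice\tFS01\tObject Open",
    "1/15/2007\t09:12:07\tFailure Audit\tObject Access\t560\tSecurity\tDOM\\bob\tFS01\tObject Open",
    "1/15/2007\t09:13:40\tFailure Audit\tLogon/Logoff\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tLogon Failure",
    "1/15/2007\t09:14:02\tSuccess Audit\tPolicy Change\t612\tSecurity\tDOM\\admin\tDC01\tAudit Policy Change",
    "1/15/2007\t09:20:11\tSuccess Audit\tAccount Management\t644\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tUser Account Locked Out",
])

if __name__ == "__main__":
    for rec in select_failures(SAMPLE):
        print(rec["date"], rec["time"], rec["event_id"], rec["type"], rec["user"])
```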