
Thread: Event Log Error Codes

  1. #1
    tonybradley (AO Security for Non-Geeks), joined Aug 2002, 830 posts

    Event Log Error Codes

    Looking for a little help from the Microsoft Windows security experts out there.

    I have a requirement to generate a report of only specific security events. Some of the sites may have other auditing enabled and therefore there may be entries in the security event log that are irrelevant to my report.

    I ONLY want to extract information regarding failed login or failed object access. However, from what I can see there isn't a one to one relationship between what you have enabled auditing for and the possible 3-digit error code that shows up in the event log.

    I will be using a tool from Microsoft to dump the event log into a delimited text file so that I can programmatically extract the data I need, but I need to know what codes to pull.

    Here is what I have thus far:

    560 Triggered when a user attempts to access a file or directory for which they have no access.

    529 User violates password.

    644 User has exceeded security control in place. Account is locked out due to exceeding the number of password attempts.

    578 & 612 Administrator makes an ACL or policy change.

    Considering that we are only interested in failed login or object access and not any other potential security audit logging, are you aware of any other codes we should include or can you suggest another approach to the problem?

  2. #2
    Info Tech Geek (Senior Member), joined Jan 2003, Vernon, CT, 828 posts
    Microsoft has compiled a file of 'all' Windows 2000 event ids. Download Windows2000Events.exe and extract the Windows2000Events.csv file.

  3. #3
    steve.milner (rebmeM roineS enilnOitnA), joined Jul 2003, 1,021 posts
    This may be a stupid suggestion, but do you have to search for the error type? Can you not search for the error text?

    Or is the error text linked directly to the error code?

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #4
    phishphreek (AO übergeek), joined Jan 2002, 4,325 posts
    560 Triggered when a user attempts to access a file or directory for which they have no access.

    529 User violates password.

    644 User has exceeded security control in place. Account is locked out due to exceeding the number of password attempts.

    578 & 612 Administrator makes an ACL or policy change.
    Those are the event codes I come up with.

    I use a couple more though...

    529 Failure Audit Unknown user name or bad password
    530 Failure Audit Account logon time restriction violation
    531 Failure Audit Account currently disabled
    532 Failure Audit The specified user account has expired
    533 Failure Audit User not allowed to logon at this computer
    534 Failure Audit The user has not been granted the requested logon type at this machine
    535 Failure Audit The specified account's password has expired
    536 Failure Audit The NetLogon component is not active
    537 Failure Audit An unexpected error occurred during logon
    539 Failure Audit Account locked out
    627 Failure Audit NT AUTHORITY\ANONYMOUS is trying to change a password
    644 Failure Audit User account Locked out

    I use a program from m$ called dumpel.

    C:\Documents and Settings\user>dumpel /?

    DUMPEL Usage:

    dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x]

    -d <days> Filters for event last days (number larger than zero)
    -e nn Filters for event id nn (up to 10 may be specified)
    -f <filename> Output filename (default stdout)
    -l <name> Dumps the specified log (system, application, security)
    -b Dumps a backup file (use -l to specify file name)
    -m <name> Filters for events logged by name
    -r Filters out events logged by name (must use -m too)
    -s <servername> Remote to servername
    -t Use tab to separate strings (default is space)
    -c Use comma to separate fields
    -ns Do not output strings
    -format <fmt> Specify output format. Default format is
    dtTCISucs
    where
    t - time
    d - date
    T - event type
    C - event category
    I - event ID
    S - event source
    u - user
    c - computer
    s - strings
    That way, you can do the extraction/filtering all in one.


    I have a .bat file that I use to do this on all my servers and then archive them.
    Since you can only dump up to 10 events at a time, I have more than one .bat file.
    Then I archive ALL the logs just in case I need to go back for other info.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    tonybradley (AO Security for Non-Geeks), joined Aug 2002, 830 posts
    Hi phishphreek80! Did you get my response to your IM last week?

    I am also using the dumpel utility to extract the information. I just wanted to make sure I was filtering the right set of error codes to get the data I am interested in.

    Thank you everyone for your help and input.

  6. #6
    phishphreek (AO übergeek), joined Jan 2002, 4,325 posts
    Hi phishphreek80! Did you get my response to your IM last week?
    Nah, I rarely get on it anymore. Anywho, I'll get on in the next couple of days and if you are on I'll send a msg. Just have to finish up this last final Wed and I'll be home free for a couple of weeks. Hope all is well. Talk to ya then.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Tony: I also look for these codes (in addition to the others listed by other posters here)...

    517 - Audit log cleared
    621 - Policy Change

    I also monitor for the following although it is not related to object access...
    For groups: Administrators, Operators, Admins (domain admins):
    632 - Add member to global group on domain (seen on domain controllers)
    633 - Remove member of global group
    636 - Add member to local group

    And monitor any changes to ANY of the user accounts who have administrator access (everyone in Administrators or Domain Admins):
    642 - Change to user account

    Monitor for any of these events: (similar to phish)
    529 - Unknown user name or bad password (you had a diff description but same error)
    530 - Logon attempt outside of allowed time of day or day of week
    531 - Disabled account
    532 - Reached account expiration date
    533 - User restricted to workstation
    535 - Password expired
    539 - Account locked
    626 - Enable user account
    644 - Account locked (644)
    Note: I'm on an NT 4.0 domain but the codes seem to be the same in Windows 2000 standalone servers - unsure of DCs.

    I run a Perl script which dumps (using dumpel as well) the security logs every night and parses them, sending me and my administrators "suspicious activity" for review. Yeah, it's reactive and the poor man's way of event management, but ya gotta do what ya gotta do - right?

    The one real nice thing is that I can go back forever (I save all log dumps with YYYYMMDD added to the beginning of the file name) and look for activity when doing forensics and investigative work. It also acts as a basic/rudimentary change management tracking tool: when something changes you can search through these files to see who performed the change.

    Hope this helps.
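    As an added example (not code from this thread, and not ric-o's Perl script or phishphreek's .bat files), the Python below parses a dumpel dump of the security log, keeps only the failure audits for the failed-logon and object-access IDs collected in this thread, and splits the watch list into dumpel command lines of at most 10 IDs each to work around the -e limit mentioned above. Assumptions: dumpel was run with -c and the default dtTCISucs format, the type column holds the numeric EVENTLOG_* value (16 = Failure Audit, 8 = Success Audit), and the sample records are constructed, not real log data.

```python
import csv
import io

# Event IDs collected from this thread: failed logons / lockouts, and
# object access (560 is a failure audit when access is denied).
FAILED_LOGON_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 644}
OBJECT_ACCESS_IDS = {560}
WATCH_IDS = FAILED_LOGON_IDS | OBJECT_ACCESS_IDS

# Assumption: dumpel writes the numeric EVENTLOG_* type (16 = Failure
# Audit, 8 = Success Audit) in the T column of its default dtTCISucs format.
FAILURE_AUDIT = 16
FIELDS = ["date", "time", "type", "category", "event_id",
          "source", "user", "computer", "strings"]

# Constructed sample of a "dumpel -l security -c" dump (not real log data).
SAMPLE = """\
6/15/2004,8:01:12 AM,8,2,528,Security,jsmith,SERVER1,Successful Logon
6/15/2004,8:03:45 AM,16,2,529,Security,NT AUTHORITY\\SYSTEM,SERVER1,Logon Failure: Unknown user name or bad password
6/15/2004,8:04:02 AM,16,3,560,Security,jsmith,SERVER1,Object Open: Object Type: File
6/15/2004,8:05:30 AM,16,2,644,Security,NT AUTHORITY\\SYSTEM,SERVER1,User Account Locked Out
6/15/2004,8:06:00 AM,8,7,612,Security,Administrator,SERVER1,Audit Policy Change
"""

def parse_dumpel_csv(text):
    """Parse a comma-separated dumpel dump into one dict per record."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8:
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, row[:8]))
        rec["strings"] = ",".join(row[8:])  # message text may contain commas
        rec["type"] = int(rec["type"])
        rec["event_id"] = int(rec["event_id"])
        records.append(rec)
    return records

def suspicious(records, ids=WATCH_IDS):
    """Keep only failure audits whose event ID is on the watch list."""
    return [r for r in records if r["type"] == FAILURE_AUDIT and r["event_id"] in ids]

def dumpel_commands(ids, server=None):
    """Split the ID list into dumpel runs of at most 10 -e values (dumpel's limit)."""
    ids = sorted(ids)
    srv = f" -s \\\\{server}" if server else ""
    return [f"dumpel -l security{srv} -c -e {' '.join(map(str, ids[i:i + 10]))}"
            f" -f security_{i // 10 + 1}.txt"
            for i in range(0, len(ids), 10)]
```

    Running `suspicious(parse_dumpel_csv(SAMPLE))` on the constructed sample returns only the 529, 560 and 644 failure audits; the 528 and 612 success audits are dropped.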

  8. #8
    Senior Member, joined Nov 2001, 4,785 posts
    what a great idea. after reading this thread i d/l'ed dumpel and set it to dump the logs from key servers. i just can't figure out what the event names are so i can use the event numbers to filter it. now i dump them all to one file, 'find' "what i want" and append the output into an html file. it's just not very graceful

    if someone can tell me where to find event names I'd appreciate it.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9

    Complete List of Windows 2000 Event IDs

    Tedob1:

    Here ya go... got it from M$'s site at http://www.microsoft.com/windows2000...EventMessages/

    (Note: renamed file to .TXT so I could upload...it's really a CSV file as you can see)

  10. #10
    Senior Member, joined Nov 2001, 4,785 posts
    that i have ric-o. when i try to run dumpel using -n xxx i get the msg: you must use -m option which requires the name... which field is the name? i got ids, source computer, text and types but no field indicates a name. am i just being stupid?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
