Event-Log Fields
A brief description of the fields in the Windows Security log.
April 18, 2004
The field names in the Windows 2000 and later event (.evt) logs are EventLog, RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, EventTypeName, SourceName, EventCategory, Strings, Message, ComputerName, and SID. Let's examine how these fields come into play when you use LogParser to process events from the Security log.
EventLog contains the name of the event log in which the current row in the LogParser output table originated. EventLog is important only in situations in which you specify multiple logs in LogParser's FROM clause. RecordNumber specifies the number of an event record within the log. TimeGenerated and TimeWritten specify the date and time that the event was reported to the Event Logging service and the date and time that the service recorded the event in the log. (These two fields usually share the same value.)
EventID is an important field because it contains the event's Windows event ID. For example, Windows identifies account lockouts as event ID 644 and successful logons as event ID 528. (For a comprehensive discussion of Windows event IDs and their meanings, see "Mining the Win2K Security Log," April 2001, InstantDoc ID 20052; "Audit Account Logon Events," March 2001, InstantDoc ID 19677; and "Tracking Logon and Logoff Activity in Win2K," February 2001, InstantDoc ID 16430.) EventType and EventTypeName specify whether the event was a success or a failure. For example, event ID 529 (logon failure: bad username or password) shows an EventType of 16 and an EventTypeName of Failure Audit event, whereas event ID 528 (successful logon) shows an EventType of 8 and an EventTypeName of Success Audit event. (The Security log's EventType field can have a value of 8 or 16; the System and Application logs use other values to indicate information, warning, and error events.)
SourceName and EventCategory correspond to the Source and Category fields in Event Viewer, which Figure A shows. SourceName isn't particularly useful because almost all events have the same source: Security. But EventCategory can be useful for sorting or filtering events according to Windows' audit policy categories. (Win2K and later contain nine audit policy categories, which you can view by opening the Administrative Tools, Local Security Policy interface and navigating to Security Settings\Local Policies\Audit Policy.) EventCategory is a numeric value; Table A shows the EventCategory values and their corresponding category names (both the audit policy category name and the name that appears in the Event Viewer Category field).
The Strings and Message fields relate to the multiline text entry that appears in an event record's Description section. To support multiple languages, the Windows Event Log service is set up so that developers can write the static and dynamic elements of an event ID's description separately. For example, in the Description section of the event ID 576 record that Figure B shows, the User Name and Domain field names are static elements, whereas the values for these fields—LOCAL SERVICE and NT AUTHORITY—are dynamic elements that change from one occurrence of the event to another. The dynamic elements are called strings. Therefore, the Strings field in LogParser contains all the dynamic elements of the current event. This field is useful when you need to filter events according to a dynamic element within a certain event ID—for example, to see all occurrences of event ID 528 (successful logon) in which the Logon Type is 2 (for Interactive). In an upcoming article, I'll show you how to use LogParser's string-manipulation functions to extract specific elements from text fields such as Strings. The Message field contains the entire description of the event, merging the static and dynamic elements.
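As an added example (not from this article), here is a LogParser 2.2 query that applies the filter just described. It assumes the EVT input format's default '|' separator for the Strings field and the Win2K/Windows 2003 string order for event ID 528 (User Name, Domain, Logon ID, Logon Type, ...), so Logon Type is token 3.

```sql
-- Added example: list interactive logons (event ID 528, Logon Type 2) from the local Security log.
-- Run with:  LogParser.exe file:interactive_logons.sql -i:EVT -o:DATAGRID
-- Assumption: Strings uses the default '|' separator and the Win2K/Win2003 layout for event ID 528.
SELECT TimeGenerated,
       ComputerName,                                 -- which machine logged the event
       EventID,
       EventTypeName,                                -- 'Success Audit event' for ID 528
       EXTRACT_TOKEN(Strings, 0, '|') AS UserName,   -- dynamic element: User Name
       EXTRACT_TOKEN(Strings, 1, '|') AS Domain,     -- dynamic element: Domain
       EXTRACT_TOKEN(Strings, 3, '|') AS LogonType,  -- dynamic element: Logon Type
       SID
FROM Security
WHERE EventID = 528
  AND EventType = 8                                  -- Security log: 8 = success, 16 = failure
  AND EXTRACT_TOKEN(Strings, 3, '|') = '2'           -- 2 = Interactive
ORDER BY TimeGenerated DESC
```

To query several machines at once, list them in the FROM clause (for example, FROM \\SERVER1\Security, \\SERVER2\Security); the EventLog and ComputerName columns then tell you which log and computer each row came from.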
ComputerName specifies the computer on which the event was logged. When you analyze one log, this field is the same for each event. However, when you use one LogParser command to query multiple logs, the ComputerName field is necessary to identify which computer generated which event.
SID contains the SID of the user account associated with the event. For most events, SID corresponds to the account of the person who triggered the event, but some events are generated by system accounts rather than user accounts (Table B lists the SIDs and accounts that generate these events). LogParser supports a function to translate SIDs into usernames, as the main article explains.