Source Security
Type Success Audit
Description Windows NT is shutting down. All logon sessions will be terminated by this shutdown.
Comments Event generated when Windows NT is shutting down.
Event ID: 517
Source Security
Type Success Audit
Description The audit log was cleared
Primary User Name:
Primary Domain:
Primary Logon ID:
Client User Name:
Client Domain:
Client Logon ID:
Comments This event is generated when an administrator clears the event log.
Event ID: 610
Source Security
Type Success Audit
Description New Trusted Domain:
Domain Name: %1 Domain ID: %2
Established By:
User Name: %3 Domain: %4
Logon ID: %5
Comments New Trusted Domain
Event ID: 611
Source Security
Type Success Audit
Description Removing Trusted Domain:
Domain Name: %1 Domain ID: %2
Removed By:
User Name: %3 Domain: %4
Logon ID: %5
Comments Audit message for the removal of a trusted domain.
Event ID: 612
Source Security
Type Success Audit
Description Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
- -System
- -Detailed Tracking
- - Directory Service Access
++ Account Logon
Changed By:
User Name:
Domain Name:
Logon ID:
Comments Indicates that a change was made to the audit policy. The description shows the current policy. A "+" sign indicates that the policy is enable, a "-" that is disabled. For example, the following:
- + Directory Service Access
Indicates that the the successful attempts to use the directory services will not be audited (the "-") but the failures will be (the "+").
See the link to the "Auditing policies - their meaning and recommended settings" article for a description of the auditing policies.
Event ID: 643
Source Security
Type Success Audit
Description Domain Policy Changed:
Password Policy modified
Domain: CORPDOM Domain ID: %{S-1-5-21-1390850448-2335789268-393128203}
Caller User Name: APPSERVER$
Caller Domain: ALTDOMAIN
Caller Logon ID: (0x0,0x3E7)
Privileges:
Comments This event normally indicates a successful change to the Windows AD security policies. However, this also is recorded when the Group Policies are applied (event id 1704 would indicate a successful application of Group Policies). As per a newsgroup posting of a Microsoft intrusion detection engineer, this is "normal behavior" for Windows .
From a newsgroup post: "Group policy is applied every 16 hours by default. If you have set any of the "security options" in a policy from the domain, then expect to see this event when those options are set".
For more information on windows event ID's please refer to http://eventid.net/
No comments:
Post a Comment