[logs] Syslog and Windows
Eric Fitzgerald
Eric.Fitzgerald at microsoft.com
Tue Jun 26 12:05:45 PDT 2007
The viewer will no longer be able to look up an account which has been deleted.
Note that a similar problem occurs if you just embed the name; if the account is renamed you lose track of the account's activities with standard queries.
This was addressed in Windows Vista which now embeds the SID and the textual account name.
Eric
-----Original Message-----
From: loganalysis-bounces at loganalysis.org [mailto:loganalysis-bounces at loganalysis.org] On Behalf Of Vincent Bernat
Sent: Monday, June 25, 2007 12:59 PM
To: loganalysis
Subject: Re: [logs] Syslog and Windows
OoO During the evening TV news on Monday, June 25, 2007, around 20:54, Eric
Fitzgerald <Eric.Fitzgerald at microsoft.com> said:
> In Windows events, it's common to embed invariants rather than strings-
> for instance instead of storing "Account Enabled" we store "%%2048";
> which Event Viewer looks up as "Account Enabled" in the locale of the
> viewer. Likewise we store security IDs and AD object GUIDs rather than
> the actual names of the objects; the names have to be looked up before
> presenting to the user; in SEM this is typically done at the agent prior
> to transmission to the SEM server.
What happens if a user gets deleted from AD?
--
BEWITCHED, DOES NOT PROMOTE SATANISM
BEWITCHED, DOES NOT PROMOTE SATANISM
BEWITCHED, DOES NOT PROMOTE SATANISM
-+- Bart Simpson on chalkboard in episode 2F17
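The exchange above contrasts three ways an audit record can identify an account: by name only, by SID only (resolved at viewing time, as in pre-Vista Windows), or by SID plus the name captured when the event was written (the Vista approach). The following is an added example, not code from the thread or from Microsoft, that models all three against a constructed toy directory and walks through a rename followed by a deletion. The SIDs, account names and event IDs are made up for illustration.

```python
"""Model of how an account's identity in an audit event survives a rename
and a deletion, depending on what the event stores.

Everything here is constructed: the directory, the SIDs and the events are
illustrative stand-ins for AD and the Windows Security log."""

from dataclasses import dataclass
from typing import Optional

SID_ALICE = "S-1-5-21-1-1-1-1001"   # constructed SID, not a real account


@dataclass
class Event:
    event_id: int
    sid: Optional[str]    # security identifier stored in the event (None if name-only)
    name: Optional[str]   # account name as it was when the event was written


def resolve_sid(sid, directory):
    """Viewer-side lookup of a SID's current name; None once the account is gone."""
    return directory.get(sid)


def name_to_sid(name, directory):
    """Reverse lookup used when an analyst queries by the name they know today."""
    for sid, current in directory.items():
        if current == name:
            return sid
    return None


def render_account(event, directory):
    """What a viewer can show for the account field of one event."""
    live = resolve_sid(event.sid, directory) if event.sid else None
    if live is not None:
        return live
    if event.name is not None:
        return f"{event.name} (account no longer resolvable; name captured at event time)"
    return f"{event.sid} (unresolvable SID)"


def query_name_only(events, name):
    """Name-only storage: events written before a rename carry the old name."""
    return [e for e in events if e.name == name]


def query_sid_only(events, name, directory):
    """SID-only storage: the query needs a live directory to map name -> SID."""
    sid = name_to_sid(name, directory)
    if sid is None:
        raise LookupError(f"{name!r} not in directory (deleted?); cannot map to a SID")
    return [e for e in events if e.sid == sid]


def query_by_sid(events, sid):
    """SID stored in the event: no directory needed once the SID is known."""
    return [e for e in events if e.sid == sid]


def query_sid_and_name(events, name, directory):
    """SID + captured name: rename-proof while the account exists, and the
    captured name still matches after deletion."""
    sid = name_to_sid(name, directory)
    if sid is not None:
        return query_by_sid(events, sid)
    return [e for e in events if e.name == name]


def scenario():
    """Logon as 'alice', rename to 'alice.smith', logon again, then delete."""
    directory = {SID_ALICE: "alice"}
    events = [Event(4624, SID_ALICE, "alice")]          # constructed logon event
    directory[SID_ALICE] = "alice.smith"                # account renamed
    events.append(Event(4624, SID_ALICE, "alice.smith"))

    r = {}
    r["name_only_after_rename"] = len(query_name_only(events, "alice.smith"))
    r["sid_only_after_rename"] = len(query_sid_only(events, "alice.smith", directory))
    r["both_after_rename"] = len(query_sid_and_name(events, "alice.smith", directory))

    del directory[SID_ALICE]                            # account deleted
    try:
        query_sid_only(events, "alice.smith", directory)
        r["sid_only_after_delete"] = "resolved"
    except LookupError:
        r["sid_only_after_delete"] = "unresolvable"
    r["both_after_delete"] = len(query_sid_and_name(events, "alice.smith", directory))
    r["raw_sid_after_delete"] = len(query_by_sid(events, SID_ALICE))
    r["viewer_after_delete"] = render_account(events[0], directory)
    return r


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point the numbers make: name-only storage misses the pre-rename event, SID-only storage cannot even start the query once the directory entry is gone, and storing both keeps the captured name readable after deletion while the SID in the record still ties every event of that account together for anyone who knows the SID.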
_______________________________________________
LogAnalysis mailing list
LogAnalysis at loganalysis.org
http://www.loganalysis.org/mailman/listinfo/loganalysis