[logs] "Missing" Microsoft Event Log events

Eric Fitzgerald Eric.Fitzgerald at microsoft.com
Mon Nov 5 10:25:26 PST 2007


Hey Tina,

The Events and Errors message center is not updated regularly (it's interrupt-driven, not polling).  It is also possible that the Certificate Server events were never delivered to EEMC; in the source code they are in a separate file from the other security event log events and might have been overlooked.  I will attempt to get that updated.

A KB article containing a comprehensive list of Vista events by subcategory has already been submitted to technical edit and the WS08 article will be submitted closer to RTM.

The certificate server events are kind of a special case; they appear to have been added after the main event message file was finalized.  They are governed by the "object access" event category (this is improved in WS08 and we have a separate subcategory just for these events).  I believe that you might also need to enable something in the Certificate Server user interface to generate these events.

Best regards,
Eric
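The two prerequisites Eric describes (the "object access" audit policy, which on WS08 has its own "Certification Services" subcategory, and the CA-side auditing switch) can be checked before concluding that the documented events are "missing". The PowerShell below is an added example from the editor, not code from the thread or from Microsoft. It assumes Windows Server 2008 (auditpol.exe and Get-WinEvent), an elevated session on the CA host, and that the CA-side switch Eric alludes to is the Auditing tab of the CA properties, which is stored in the CertSvc AuditFilter registry value; `$CaEventIds` is a placeholder to fill from the "Audit object access" document.

```powershell
# Added example (editor's, not from the thread). Assumes WS08, elevated
# session on the CA host. Output parsing is a heuristic on the text that
# auditpol.exe and certutil.exe print, so treat it as a sanity check.

function Test-CaAuditPrerequisites {
    # 1. Audit policy: on WS08 the CA events sit in the Object Access
    #    subcategory "Certification Services" (on 2003 the whole
    #    "Audit object access" category has to be enabled instead).
    $policyLine = auditpol /get /subcategory:"Certification Services" |
        Where-Object { $_ -match 'Certification Services' } |
        Select-Object -First 1
    $policyOk = [bool]($policyLine -and ($policyLine -notmatch 'No Auditing'))

    # 2. CA-side auditing: the CA only emits these events for the operations
    #    ticked on its Auditing tab, kept in the AuditFilter registry value
    #    (assumption: a value of 0 means nothing is audited).
    $filterLine = certutil -getreg CA\AuditFilter |
        Where-Object { $_ -match 'AuditFilter' } |
        Select-Object -First 1
    $filterOk = [bool]($filterLine -and ($filterLine -notmatch '=\s*0\s*\(0\)'))

    # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0
    New-Object PSObject -Property @{
        AuditPolicy     = $policyLine
        AuditPolicyOk   = $policyOk
        CaAuditFilter   = $filterLine
        CaAuditFilterOk = $filterOk
    }
}

function Get-CaAuditEvents {
    param([int[]]$CaEventIds, [int]$MaxEvents = 50)
    # 3. Only once both switches are on is an empty result meaningful.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $CaEventIds } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Usage. PLACEHOLDER IDs: replace with the list from the audit-policy document.
$CaEventIds = @(0)
$check = Test-CaAuditPrerequisites
$check | Format-List AuditPolicy, AuditPolicyOk, CaAuditFilter, CaAuditFilterOk
if ($check.AuditPolicyOk -and $check.CaAuditFilterOk) {
    Get-CaAuditEvents -CaEventIds $CaEventIds | Format-Table -AutoSize
} else {
    Write-Warning 'Audit prerequisites are not all enabled; an empty Security log proves nothing yet.'
}
```

The point of the check is ordering: if either switch is off, the absence of CA events in the Security log says nothing about whether the documentation is out of date, so the query is only run once both report enabled.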


-----Original Message-----
From: loganalysis-bounces at loganalysis.org [mailto:loganalysis-bounces at loganalysis.org] On Behalf Of Tina Bird
Sent: Tuesday, October 30, 2007 11:06 AM
To: loganalysis at loganalysis.org
Subject: [logs] "Missing" Microsoft Event Log events


Hi all --

In my latest bout of centralizing information about events relevant to
administration and compliance management, I am reviewing my documentation on
Microsoft audit policies and the events they control. This work uses this
document

http://www.splunkbase.com/howtos/Operating_Systems/Windows/howto:HOWTOunderstandMSEventLog

or http://tinyurl.com/39uny7

as its starting point; for the HOWTO doc I went through each of the
Microsoft documents describing areas of local security policy related to
auditing, and summarized the specific event IDs associated with a given
option in the audit configuration.

As I work my way through this list, trying to identify things like what
kinds of information are recorded in each event, I'm discovering numerous
messages that are included in the audit policy documentation, but don't seem
to be included in the Event Log any more. For instance, according to

http://technet2.microsoft.com/windowsserver/en/library/50fdb7bc-7dae-4dcd-8591-382aeff2ea791033.mspx?mfr=true

or http://tinyurl.com/36nxgp, the MS doc entitled "Audit object access,"
there's a host of events with IDs in the 770s related to certificate
authority activity and cert management. Of the 3 I've checked so far, none
of those messages can be found in the Errors and Events Message Center:

http://www.microsoft.com/technet/support/ee/ee_advanced.asp

I vaguely recall that MS CA activity is now all recorded in a text log
somewhere; in fact,

http://technet2.microsoft.com/WindowsServer/en/library/b70185ed-93aa-4346-b869-9913282086af1033.mspx?mfr=true

or http://tinyurl.com/2n48zp, written at around the same time the "Audit
object access" page was last reviewed, states that CA transaction logs are
stored in a file (in an unspecified location, sigh).

So are the audit policy documents just seriously out of date? Or am I
missing something? If these particular events can no longer be generated
because activity is now recorded outside the Event Log, why haven't the
audit policy documents been updated?

And for event IDs that are still active, wouldn't it be great if the audit
policy doc linked those messages to their complete descriptions from the
Errors and Events database?

yours perplexedly -- tbird
_______________________________________________
LogAnalysis mailing list
LogAnalysis at loganalysis.org
http://www.loganalysis.org/mailman/listinfo/loganalysis
