Microsoft Windows event logs provide historical information that can help you track down the operation and security of your Windows-based network. The event-logging service controls whether events are tracked on Windows-based systems. When this service is started, you can track user actions and system resource usage events with the following event logs:
The following two sections provide you with more details on Windows Security log events and user session events:
This data can help you detect suspicious activity and audit major administrative tasks.
Event records contained in the security log can be grouped according to the audit policy categories they are tracked with. Some events are generated by all versions of the Windows operating system; others are version-specific (for example, generated by Windows Server 2008). The common security event categories common to all versions are described below.
Logon events are generated on the computer to which the logon attempt was made, whether the attempt was an interactive or a remote logon. Events related to this category allow you to track user logons to network computers and discover suspicious activity that might lead to security incidents (such as logon failures due to bad passwords or logons during non-business hours).
Account logon events are generated when user tries to logon on the computer or domain:
These events are related to users account management, and to group and group membership management tasks. These tasks should be performed by administrators. If the administrator fails to carry out these tasks, this may lead to account misrule and security violations. The following events are included:
The security log contains records on the important system events, allowing you to monitor for your system operation: system startup/shutdown, system time change, and other events. For example, the “Audit log was cleared” event in this category helps you discover potential intruder activity and attempts to cover the tracks.
These events help you to find out whether an object of a certain type (printer, server, file, registry key, etc.) was accessed by a user, and what operations were performed on the object (for example, an attempt to delete).
Note, that Active Directory objects are not included in this category (for more information see Directory Service Access section below).
Policy change events include security event messages involving trust relationships, IPSec policy, and user rights assignments.
These events help you investigate changes to a user's privileges or attempts to use privileges in an unauthorized manner.
These events help you to find out what software is running on the work stations and on the servers. Information about processed tasks and object access data allow you to stay informed on users’ activity in whole.
|
Note: In Event Viewer terminology the Detailed Tracking events category is the same as Process Tracking events. |
Directory Service Access events allow you to monitor for AD objects access. These events are also recorded in the Windows security log.
|
Note: Since Windows Server 2008, the Audit directory service access policy is divided into the following categories:
To learn more about directory service audit in Windows 2008, search Microsoft TechNet (http://technet.microsoft.com) for “AD DS Auditing Step-by-Step Guide”. |
InTrust lets you extend the auditing of logon activity on any Windows computer where an InTrust agent is installed. In addition to the generic logon and logoff information from the Security log, you get details about the following:
On computers where these events are tracked, you do not have to look at the generic Security log logon and logoff events. InTrust-provided user-session auditing is more complete and (especially in the case of logoff auditing) more dependable.
These events are generated by the Quest InTrust User Session Monitor service, which is installed together with the InTrust agent. This service makes the events available to the agent through the agent cache, and the agent works with them as with any Windows events.
From the agent's perspective, these events come from the “InTrust User Session Tracking” event log, for which the InTrust User Session Tracking data source is provided. Gathering, real-time monitoring, reporting, browsing in Repository Viewer and other operations work for these events without limitations.
This table lists the events logged by the Quest InTrust User Session Monitor service.
Event ID | Description |
Insertion Strings |
---|---|---|
100 | A user session by user %IS1% took place on computer %Where%, starting at %IS13%, ending at %IS15% and lasting %IS16%. The session was started from computer %IS7% (IP address %IS8%). Reason for session start: %IS23%. Reason for session end: %IS24%. |
|
101 | A user session was started on computer %Where% by user %IS1% logging on at %IS13% with the %IS10% logon type. |
|
102 | A user session was ended on computer %Where% by user %IS1% logging off at %IS15%. The user session lasted %IS16%. |
|
103 | A user session was ended on computer %Where% by user %IS1% locking the computer at %IS15%. The user session lasted %IS16%. |
|
104 | A user session was started on computer %Where% by user %IS1% unlocking the computer at %IS13%. |
|
105 | A user session was started on computer %Where% by user %IS1% due to user switch at %IS13%. |
|
106 | A user session was ended on computer %Where% by user %IS1% at %IS15%, because a user switch was performed. The user session lasted %IS16%. |
|
107 | A user session was started on computer %Where% by user %IS1% making a terminal services connection from computer %IS17% (IP address %IS18%) at %IS13. |
|
108 | A user session was ended on computer %Where% by user %IS1% logging off at %IS15% and stopping a terminal services connection from computer %IS17% (IP address %IS18%). The user session lasted %IS16%. |
|
110 | An incorrectly finished user session by user %IS1% was found on computer %Where% while the user session monitoring service was starting. The session started at %IS13%, lasted %IS16% and ended at %IS15%. |
|
111 | A user session was started on computer %Where% by user %IS1% before the start of the user session monitoring service. This session was detected at %IS13%. |
|
120 | The user session monitoring service was started on computer %Where% at %Time%. |
|
121 | The user session monitoring service was stopped on computer %Where% at %Time%. |
|
130 | A user session of user %IS1% was ended on computer %Where% by the screensaver turning on at %IS15%. The user session lasted %IS16%. |
|
131 | A user session was started on computer %Where% by user %IS1% exiting screensaver mode at %IS13%. |
|
For a list of Windows versions from which InTrust can collect audit data, see Microsoft Windows Events.
For more details, see the following topics:
© ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center