Windows 2008 servers have been around for about 10 months now and chances are they have made their way into your IT department. Many among you would be aware of the changes that have been introduced in Vista and Win2k8 servers. There has been a number of changes in the logging infrastructure, the most interesting of the lot is the renumbering of security event ids.
The event ids of Vista and 2008 servers compared to its predecessors generally follow a ‘offset by 4096‘ rule, i.e the good old logon event represented by id 528 is now 4624(4096+528) and so on. However, this offset rule is not a universal change and there are a few gotchas that surface here and there. For example, logon failures in pre-vista systems were represented by a multitude of event ids ranging from 529 to 537(each indicating a specific reason for the failure), this has now been unified to a single event, namely 4625 and a new field ‘Failure Reason’ has been added to the message under the category ‘Failure Information’ highlighting the reason. Another example of this is the ‘Audit Log Cleared’ event. This event is logged with the id 517 in pre-vista machines but is now changed to 1102 with the source being ‘EventLog'(this is another change that skipped mention, the ‘Source’ of the Security log which till now is ‘Security’ has been refined to a more meaningful field, the security audit events take the source ‘Microsoft Windows Security Auditing’, while as mentioned audit logs cleared is logged with source ‘Eventlog’.)
The following KB article is a handy reference describing the various security and audit based events in Vista and 2008 servers.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226
Scrolling down to the “Notes” section at the bottom of the article, you will find information about a useful command line utility ‘wevtutil’, which when used in the form mentioned in the article(wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true) fetches a detailed description of every security based event id.
That just about wraps up this post, oh. . and just one more thing. We have set out a small initiative to get you, the real users of the product, tell us what you want from the product over here. The idea behind this is to listen to what improvements you want and if enough users agree, we will work on it on a priority basis. The whole thing is very much in a nebulous state with no entries yet, we encourage you to use this facility to tell us what you would like.
Until next time, ciao.