Log types

  • Application — Contains events logged by applications. For example, a database application might record a file error. The application developer decides which events to record.
  • Security — Contains events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening, or deleting files or other objects. An administrator can start auditing to record events in the security log.
  • System — Contains events logged by system components, such as the failure of a driver or other system component to load during startup.
  • [CustomLog] — Contains events logged by applications that create a custom log. Using a custom log enables an application to control the size of the log or attach ACLs for security purposes without affecting other applications.

Log fields

  • Type — Warning, error, information, etc.
  • Time — Date/time for the computer sending the log
  • Computer — Computer name
  • Provider Type — The facility that generated the event (generally the Windows Event Log)
  • Provider Name — The name of the log (Application, Security, etc.)
  • Source — The application that logged the event
  • Event ID — Standardized (not unique!) identifier
  • Description — Self-explanatory

Microsoft has more detailed documentation.

Event types

  • Error — An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
  • Warning — An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.
  • Information — An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.
  • Success Audit — An event that records an audited security access attempt that is successful. For example, a user’s successful attempt to log on to the system is logged as a Success Audit event.
  • Failure Audit — An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.

Microsoft has more detailed documentation.

Event IDs

Windows event IDs

  • 104 — Event log was cleared
  • 1102 — Audit log was cleared (517 on Windows 2003 and earlier)
  • 4104 — PowerShell command and script logging
  • 4626 — Successful logon
    • LogonType 3 represents a (generic) network login
    • LogonType 9 represents a logon where the outbound credentials differ from the credentials used to authenticate the account initiating the logon (only logged by the host initiating the connection, however)

It’s hard to find documentation about event IDs, and their meaning seems to shift between versions of Windows.
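
Because an event ID is standardized but not unique (see the field list above), a filter on the number alone can match unrelated events. The following Python code is an added example, not part of the original notes: it parses events exported as XML and flags the log-clearing and PowerShell IDs listed above only when the channel and provider also match. The channel and provider names, the `<Events>` wrapper element, the host name and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# IDs from the list above, keyed with channel and provider because an ID alone
# is not unique. Channel and provider names are assumptions, not from the page.
WATCHLIST = {
    ("System", "Microsoft-Windows-Eventlog", 104): "Event log was cleared",
    ("Security", "Microsoft-Windows-Eventlog", 1102): "Audit log was cleared",
    ("Microsoft-Windows-PowerShell/Operational",
     "Microsoft-Windows-PowerShell", 4104): "PowerShell command and script logging",
}

def make_event(channel, provider, event_id, when, host="WS01.example.test"):
    """Build one constructed event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
            f'<Channel>{channel}</Channel><Computer>{host}</Computer></System></Event>')

# Constructed sample: one ID collision from an unrelated provider, two real hits.
SAMPLE = "<Events>" + "".join([
    make_event("Application", "ExampleBackupAgent", 104, "2024-05-01T09:00:00Z"),
    make_event("System", "Microsoft-Windows-Eventlog", 104, "2024-05-01T09:05:00Z"),
    make_event("Security", "Microsoft-Windows-Eventlog", 1102, "2024-05-01T09:05:02Z"),
]) + "</Events>"

def parse_events(xml_text):
    """Yield the System-section fields of each <Event> as a dict."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        s = ev.find("e:System", NS)
        yield {
            "channel": s.findtext("e:Channel", namespaces=NS),
            "provider": s.find("e:Provider", NS).get("Name"),
            "event_id": int(s.findtext("e:EventID", namespaces=NS)),
            "time": s.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": s.findtext("e:Computer", namespaces=NS),
        }

def flag(xml_text):
    """Return sorted (time, computer, event_id, meaning) for watchlisted events."""
    hits = []
    for ev in parse_events(xml_text):
        key = (ev["channel"], ev["provider"], ev["event_id"])
        if key in WATCHLIST:
            hits.append((ev["time"], ev["computer"], ev["event_id"], WATCHLIST[key]))
    return sorted(hits)

if __name__ == "__main__":
    print(*flag(SAMPLE), sep="\n")
```

The constructed Application-log event with ID 104 is parsed but not flagged, which is the behaviour a bare ID filter would get wrong.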
