Layout of fields in 540 event?
Posted 4/21/2010 6:45:19 AM
Forum Newbie


Group: Forum Members
I use a script to parse 540 events in the Security Log.
In some cases I see an event like this:
"eventtype" => "Audit Normal ",
"eventnumber" => "540",
"category" => "2",
"source" => "Security",
"creationtime" => "Thu, 15 Apr 2010 10:44:41 UTC",
"writetime" => "Thu, 15 Apr 2010 10:44:41 UTC",
"computer" => "TTESTDC4",
"SID" =>"S-1-5-21-0-0-4-0",
"Strings" => {
"0" => 'TestUser1',
"1" => 'TEST_DOM',
"2" => '(0x0,0x7D709A)',
"3" => '3',
"4" => 'Kerberos',
"5" => 'Kerberos',
"6" => '',
"7" => '{7a49e72b-ae5b-9137-633e-a392ed0569f2}',
"8" => '-',
"9" => '-',
"10" => '-',
"11" => '-',
"12" => '-',
"13" => '10.125.58.195',
"14" => '0',
}

Other events appear like this (see the values in the Strings part, the IP address in field 13 or 14 for example):
"eventtype" => "Audit Normal ",
"eventnumber" => "540",
"category" => "2",
"source" => "Security",
"creationtime" => "Thu, 15 Apr 2010 10:43:51 UTC",
"writetime" => "Thu, 15 Apr 2010 10:43:51 UTC",
"computer" => "TESTDC4",
"SID" =>"S-1-5-21-0-0-4-0",
"Strings" => {
"0" => '',
"1" => 'TestUser2',
"2" => 'TEST_DOM',
"3" => '(0x0,0x7DAC7A)',
"4" => '3',
"5" => 'Kerberos',
"6" => 'Kerberos',
"7" => '',
"8" => '{87e77d0a-64ae-432a-89f4-d62ba36b4966}',
"9" => '-',
"10" => '-',
"11" => '-',
"12" => '-',
"13" => '-',
"14" => '10.125.58.131',
}
Any suggestions why the event would be stored differently?

Thanks
Post #363
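One way to parse both layouts without trusting fixed indices, added here as example code and not part of the original post: it anchors on the logon ID field, which always has the form (0x…,0x…), and maps the other strings relative to it, so a one-slot shift is absorbed and a field pushed off the end is reported as missing rather than misread. Assumptions: the field names follow the documented Windows Server 2003 event 540 insertion-string order, and the two sample dictionaries are the Strings blocks from the post.

```python
import re

# Field names of Windows Server 2003 Security event 540 (successful network
# logon) in documented insertion-string order. Assumption: this is the layout
# behind the 15 strings of the first sample in the post.
EVENT_540_FIELDS = [
    "user_name", "domain", "logon_id", "logon_type", "logon_process",
    "auth_package", "workstation", "logon_guid", "caller_user", "caller_domain",
    "caller_logon_id", "caller_pid", "transited_services",
    "source_address", "source_port",
]

# A logon ID always looks like "(0x0,0x7D709A)"; anchoring on it instead of on
# a fixed index absorbs the one-slot shift seen in the second sample.
LOGON_ID_RE = re.compile(r"^\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\)$")


def parse_event_540(strings):
    """Return (shift, record): how far the strings were shifted, and the named fields.

    A field that falls off the end after the shift (the port in the second
    sample) is reported as None instead of silently taking a neighbour's value.
    """
    values = [strings[str(i)] for i in range(len(strings))]
    anchors = [i for i, v in enumerate(values) if LOGON_ID_RE.match(v)]
    if len(anchors) != 1:
        raise ValueError("no unique logon ID field; refusing to guess the layout")
    shift = anchors[0] - EVENT_540_FIELDS.index("logon_id")
    record = {}
    for i, name in enumerate(EVENT_540_FIELDS):
        j = i + shift
        record[name] = values[j] if 0 <= j < len(values) else None
    return shift, record


# Constructed samples: the two "Strings" blocks from the post.
SAMPLE_A = {"0": "TestUser1", "1": "TEST_DOM", "2": "(0x0,0x7D709A)", "3": "3",
            "4": "Kerberos", "5": "Kerberos", "6": "",
            "7": "{7a49e72b-ae5b-9137-633e-a392ed0569f2}", "8": "-", "9": "-",
            "10": "-", "11": "-", "12": "-", "13": "10.125.58.195", "14": "0"}
SAMPLE_B = {"0": "", "1": "TestUser2", "2": "TEST_DOM", "3": "(0x0,0x7DAC7A)",
            "4": "3", "5": "Kerberos", "6": "Kerberos", "7": "",
            "8": "{87e77d0a-64ae-432a-89f4-d62ba36b4966}", "9": "-", "10": "-",
            "11": "-", "12": "-", "13": "-", "14": "10.125.58.131"}

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        shift, rec = parse_event_540(sample)
        print(shift, rec["domain"], rec["user_name"], rec["logon_type"],
              rec["source_address"], rec["source_port"])
```

Recording the computed shift alongside each parsed event makes it easy to count how many events arrive in each layout per logging host, which is the first thing to check before blaming the parser.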
Posted 4/28/2010 9:18:48 AM
Expert


Group: Administrators
That is weird if, as your examples suggest, both events came from the same computer. My first thought was different versions (even service pack) of Windows.
Post #365