Each log entry provides a basic set of information. The following is a log entry obtained from a Windows NT log produced by a Windows NT server at the University of California, Riverside Dept. of Computer Science:
5/7/98,3:58:41 PM,Security,Success Audit,Object Access ,560,gaastra,MULFORD,Object Open: Object Server: Security Object Type: File Object Name: E:\CS202\security.txt New Handle ID: 8060 Operation ID: {0,6250388} Process ID: 2157379616 Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: {0x0,0x3E7} Client User Name: gaastra Client Domain: CSLAB Client Logon ID: {0x0,0x5EE1FF} Accesses READ_CONTROL WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Privileges -
The example entry can be interpreted as follows. The event occurred at 3:58:41 PM on May 7, 1998. The event source was the security audit. The audit was successful. The event category was "Object Access." This means the event involved a file or directory controlled via access control lists. Event type code 560 means that the Security Account Manager database was accessed. The accesses list describes the types of file accesses attempted. The user was gaastra on the computer mulford. The file involved in the event was E:\CS202\security.txt. [Fri98]
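A parser for the exported log format shown above, written as an added example (not code from the cited work): it splits the eight comma-separated header fields from the free-text description, then recovers the description's key/value pairs and the accesses list. The header field names, the description key list and the helper `modifies_object` are assumptions inferred from the single sample entry, which is re-typed here on one line as the constructed input.

```python
import re
from datetime import datetime

# Constructed sample input: the entry quoted in the text, on one line.
SAMPLE = ("5/7/98,3:58:41 PM,Security,Success Audit,Object Access ,560,gaastra,MULFORD,"
          "Object Open: Object Server: Security Object Type: File "
          "Object Name: E:\\CS202\\security.txt New Handle ID: 8060 "
          "Operation ID: {0,6250388} Process ID: 2157379616 "
          "Primary User Name: SYSTEM Primary Domain: NT AUTHORITY "
          "Primary Logon ID: {0x0,0x3E7} Client User Name: gaastra "
          "Client Domain: CSLAB Client Logon ID: {0x0,0x5EE1FF} "
          "Accesses READ_CONTROL WriteData (or AddFile) AppendData (or AddSubdirectory "
          "or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Privileges -")

# Assumed header layout, inferred from the sample entry.
HEADER = ("date", "time", "source", "type", "category", "event_id", "user", "computer")
# Description keys as they appear in the sample (assumed; other event ids differ).
DESC_KEYS = ["Object Server", "Object Type", "Object Name", "New Handle ID",
             "Operation ID", "Process ID", "Primary User Name", "Primary Domain",
             "Primary Logon ID", "Client User Name", "Client Domain", "Client Logon ID"]
_KEY_ALT = "|".join(re.escape(k) for k in DESC_KEYS)
# A value runs from after "Key: " up to the next key, the Accesses list, or the end.
_KV_RE = re.compile(rf"({_KEY_ALT}): (.*?)(?=\s(?:{_KEY_ALT}):|\sAccesses\s|$)")
# One access right, optionally followed by its "(or ...)" alias.
_ACCESS_RE = re.compile(r"\w+(?: \([^)]*\))?")

def parse_entry(line):
    # The description is the ninth field and itself contains commas
    # (e.g. "{0,6250388}"), so split on the first eight commas only.
    parts = line.split(",", 8)
    if len(parts) != 9:
        raise ValueError("expected eight header fields plus a description")
    rec = {k: v.strip() for k, v in zip(HEADER, parts[:8])}
    rec["event_id"] = int(rec["event_id"])
    rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                         "%m/%d/%y %I:%M:%S %p")
    rec["event"], _, rest = parts[8].strip().partition(":")
    rec["fields"] = dict(_KV_RE.findall(rest))
    # "Accesses ... Privileges ..." closes the description.
    m = re.search(r"Accesses (.*?) Privileges (.*)$", rest)
    rec["accesses"] = _ACCESS_RE.findall(m.group(1)) if m else []
    rec["privileges"] = m.group(2).strip() if m else ""
    return rec

def modifies_object(rec):
    # True when any listed access can change the object's data or attributes,
    # which is the case worth flagging for a file such as security.txt.
    return any(a.split()[0].startswith(("Write", "AppendData", "Delete"))
               for a in rec["accesses"])
```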