
Log Entries

Each log entry provides a basic set of information. The following is a log entry obtained from a Windows NT log produced by a Windows NT server at the University of California, Riverside Dept. of Computer Science:

5/7/98,3:58:41 PM,Security,Success Audit,Object Access,560,gaastra,MULFORD,Object Open:
      Object Server:    Security
      Object Type:      File
      Object Name:      E:\CS202\security.txt
      New Handle ID:    8060
      Operation ID:     {0,6250388}
      Process ID: 2157379616
      Primary User Name:       SYSTEM
      Primary Domain:   NT AUTHORITY
      Primary Logon ID: {0x0,0x3E7}
      Client User Name: gaastra
      Client Domain:    CSLAB
      Client Logon ID:  {0x0,0x5EE1FF}
      Accesses          READ_CONTROL
            WriteData (or AddFile)
            AppendData (or AddSubdirectory or CreatePipeInstance)
            WriteEA
            ReadAttributes
            WriteAttributes

      Privileges        -

The example entry can be interpreted as follows. The event occurred at 3:58:41 PM on May 7, 1998. The event source was the security audit, and the audit was successful. The event category was "Object Access", which means the event involved a file or directory controlled through access control lists. Event type code 560 means that the Security Account Manager database was accessed. The accesses list describes the types of file access attempted. The user was gaastra on the computer mulford. The file involved in the event was E:\CS202\security.txt. [Fri98]
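The following parser is an added example, not code from the thesis: it reads one exported entry of the form shown above (a comma-separated header line followed by the indented description rows) and returns the header fields, the key/value rows, and the Accesses and Privileges lists. The entry itself is embedded as constructed sample input, and the function and field names are assumptions of this example. It also picks out the account the access should be attributed to: when the Primary User Name is SYSTEM and a Client User Name is present, the object was opened by a service impersonating that client, so the client is the account of interest.

```python
# Constructed sample: the entry above as exported (CSV header, key/value rows at 6 spaces, list items at 12).
SAMPLE = r"""5/7/98,3:58:41 PM,Security,Success Audit,Object Access,560,gaastra,MULFORD,Object Open:
      Object Server:    Security
      Object Type:      File
      Object Name:      E:\CS202\security.txt
      New Handle ID:    8060
      Operation ID:     {0,6250388}
      Process ID: 2157379616
      Primary User Name:       SYSTEM
      Primary Domain:   NT AUTHORITY
      Primary Logon ID: {0x0,0x3E7}
      Client User Name: gaastra
      Client Domain:    CSLAB
      Client Logon ID:  {0x0,0x5EE1FF}
      Accesses          READ_CONTROL
            WriteData (or AddFile)
            AppendData (or AddSubdirectory or CreatePipeInstance)
            WriteEA
            ReadAttributes
            WriteAttributes

      Privileges        -
"""

HEADER = ("date", "time", "source", "type", "category", "event_id", "user", "computer")

def parse_entry(text):
    """Parse one exported NT audit entry; Accesses/Privileges become lists ("-" is empty)."""
    lines = text.splitlines()
    head = lines[0].split(",", len(HEADER))          # the description may contain commas
    entry = dict(zip(HEADER, head))
    entry["event_id"] = int(entry["event_id"])
    entry["description"] = head[-1].rstrip(":")
    fields, current = entry.setdefault("fields", {}), None
    for line in lines[1:]:
        if not line.strip():                          # a blank line ends a list
            current = None
        elif current is not None and line.startswith(" " * 12):
            current.append(line.strip())              # continuation item of a list
        elif ":" in line:                             # "Key:   value" row
            key, _, value = line.strip().partition(":")
            fields[key], current = value.strip(), None
        else:                                         # list header has no colon
            key, first = line.split(None, 1)
            current = fields[key] = [] if first.strip() == "-" else [first.strip()]
    return entry

def acting_user(entry):
    """Client account if a service (SYSTEM here) acted on its behalf, else the primary."""
    return entry["fields"].get("Client User Name") or entry["fields"]["Primary User Name"]
```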



Barnett Hsu
1998-10-31