Each log entry provides a basic set of information. The following entry was obtained from the Windows NT security log of a Windows NT server at the University of California, Riverside, Dept. of Computer Science:
5/7/98,3:58:41 PM,Security,Success Audit,Object Access,560,gaastra,MULFORD,Object Open:
Object Server: Security
Object Type: File
Object Name: E:\CS202\security.txt
New Handle ID: 8060
Operation ID: {0,6250388}
Process ID: 2157379616
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: {0x0,0x3E7}
Client User Name: gaastra
Client Domain: CSLAB
Client Logon ID: {0x0,0x5EE1FF}
Accesses READ_CONTROL
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Privileges -
The example entry can be interpreted as follows. The event occurred at 3:58:41 PM on May 7, 1998. The event source was the security audit. The audit was successful. The event category was "Object Access." This means the event involved a file or directory controlled via access control lists. Event type code 560 means that the Security Account Manager database was accessed. The accesses list describes the types of file accesses attempted. The user was gaastra on the computer mulford. The file involved in the event was E:\CS202\security.txt. [Fri98]
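The interpretation above is done by hand; the following added example (not from the cited work) parses the same entry mechanically, splitting the comma-separated header from the multi-line description, collecting the Accesses list, and then applying one defender's check on the result: a successful Object Open in which a client other than SYSTEM obtained write-class access to the file. The header field names and the function names are this example's own assumptions about the export format, not labels from the page.

```python
from datetime import datetime
# The page's entry as the Windows NT Event Viewer exports it: a comma-separated header line, then a multi-line description.
SAMPLE = r"""5/7/98,3:58:41 PM,Security,Success Audit,Object Access,560,gaastra,MULFORD,Object Open:
Object Server: Security
Object Type: File
Object Name: E:\CS202\security.txt
New Handle ID: 8060
Operation ID: {0,6250388}
Process ID: 2157379616
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: {0x0,0x3E7}
Client User Name: gaastra
Client Domain: CSLAB
Client Logon ID: {0x0,0x5EE1FF}
Accesses READ_CONTROL
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Privileges -"""
HEADER = ["date", "time", "source", "type", "category", "event_id", "user", "computer"]  # assumed field order

def parse_entry(text):
    lines = text.strip().splitlines()
    head = lines[0].split(",", 8)                 # 9th piece is the first description line
    entry = dict(zip(HEADER, head[:8]))
    entry["event_id"] = int(entry["event_id"])
    entry["timestamp"] = datetime.strptime(f'{entry["date"]} {entry["time"]}', "%m/%d/%y %I:%M:%S %p")
    details, accesses, in_accesses = {}, [], False
    for line in lines[1:]:
        if line.startswith("Accesses"):           # the list continues on the following lines
            in_accesses, rest = True, line[len("Accesses"):].strip()
            accesses += [rest] if rest else []
        elif line.startswith("Privileges"):       # closes the Accesses list
            in_accesses, details["Privileges"] = False, line[len("Privileges"):].strip()
        elif in_accesses:
            accesses.append(line.strip())
        elif ": " in line:                        # ordinary "Key: value" detail line
            key, value = line.split(": ", 1)
            details[key] = value
    entry["details"], entry["accesses"] = details, accesses
    return entry

WRITE_ACCESSES = {"WriteData", "AppendData", "WriteEA", "WriteAttributes"}  # first token of the write-class names in the page's entry
def is_user_write_open(entry):  # a successful Object Open (560) in which a non-SYSTEM client obtained write-class access
    return (entry["event_id"] == 560 and entry["type"] == "Success Audit"
            and entry["details"].get("Client User Name", "").upper() != "SYSTEM"
            and any(a.split()[0] in WRITE_ACCESSES for a in entry["accesses"]))
```

Note that the check keys on the Client User Name, not the Primary User Name (SYSTEM here): the primary identity is the server process acting on the client's behalf, so filtering on it alone would hide every user-initiated access.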