Sun, Jul 26 2009 13:24
bradley
So what do you want to monitor?
One of the tools I use to monitor activity on the blog site is a product called www.eventsentry.com. It costs $85 for one server (less per system as you add more servers and workstations) and has a nice built-in monitoring toolkit.
Some of the events it tracks that I like are listed below (keep in mind these are Windows Server 2003 event IDs, not Vista or Server 2008):
7036 - start of a service. Handy to know when services are starting and stopping.
21 - Server/Workstation restarted due to automatic updates
626 - User account Enabled
629 - User account disabled
642 - User account change
624 - User account creation
630 - User account deleted
644 - User account locked out
627 - User account password change attempt
628 - User account password set
671 - User account unlocked
Audit policy change
612 - Audit policy change
608 - User right assigned
609 - User right removed
Group Management
649,654,664 - distribution group changed
648,653,663 - distribution group created
652,657,667 - distribution group deleted
650,655,665 - distribution group member added
651,656,666 - distribution group member removed
641,639,659 - security group changed
635,631,658 - security group created
638,634,662 - security group deleted
636,632,660 - security group member added
637,633,661 - security group member removed
Logon failures
539 - account locked out
544,545,546,547 - IKE failures
533 - Logon at prohibited computer
530 - Logon outside allowed time
531 - Logon with disabled account
532 - Logon with expired account
535 - Logon with expired password
534 - Logon with invalid type
529 - Logon with unknown username/password
537 - Unknown logon failure
System events
513 - Windows shutting down
512 - Windows starting
General server hardware
11 - Disk error
52 - Disk fail predicted
1076 - unexpected shutdown
Server stuff
26 - Application popup
6009 - Server boot
Download details: Security Audit Events for Windows 7 and Windows Server 2008 R2:
http://www.microsoft.com/downloads/details.aspx?familyid=3A15B562-4650-4298-9745-D9B261F35814&displaylang=en
Remember in Server 2008 and Vista, the security codes are different. Much more granularity was needed so codes were added to the base numbers.
Windows Security Logging and Other Esoterica : Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+:
http://blogs.msdn.com/ericfitz/archive/2009/06/10/mapping-pre-vista-security-event-ids-to-security-event-ids-in-vista.aspx
"In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03.
The exceptions are the logon events. The logon success events (540, 528) were collapsed into a single event 4624 (=528 + 4096). The logon failure events (529-537, 539) were collapsed into a single event 4625 (=529+4096)."
626 - User account Enabled = 4722 in Server 2008/Vista/Win7
629 - User account disabled = 4725 in Server 2008/Vista/Win7
642 - User account change = 4738 in Server 2008/Vista/Win7
624 - User account creation = 4720 in Server 2008/Vista/Win7
630 - User account deleted = 4726 in Server 2008/Vista/Win7
644 - User account locked out = 4740 in Server 2008/Vista/Win7
627 - User account password change attempt = 4723 in Server 2008/Vista/Win7
628 - User account password set = 4724 in Server 2008/Vista/Win7
671 - User account unlocked = 4767 in Server 2008/Vista/Win7
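The event watchlist above and the "+4096" mapping rule quoted from Eric Fitzgerald's post lend themselves to a small script. The following is an added example, not code from the original post or from EventSentry: it converts the Windows Server 2003 IDs listed here into their Vista/2008+ equivalents (applying the logon-event collapse the quote describes), then runs the resulting watchlist over a handful of constructed sample events. The sample events, the dictionary names and the `match_events` function are my own assumptions for illustration.

```python
"""Map legacy (Windows Server 2003) security event IDs to Vista/2008+ IDs
and use the result as a watchlist over sample event records.

Rule quoted in the post: EventID(WS03) + 4096 = EventID(WS08), except that
logon successes (528, 540) collapse into 4624 and logon failures
(529-537, 539) collapse into 4625.
"""

# Account, audit-policy and user-right events from the post (Security log).
LEGACY_WATCHLIST = {
    624: "User account creation",
    626: "User account enabled",
    627: "User account password change attempt",
    628: "User account password set",
    629: "User account disabled",
    630: "User account deleted",
    642: "User account change",
    644: "User account locked out",
    671: "User account unlocked",
    612: "Audit policy change",
    608: "User right assigned",
    609: "User right removed",
}

# Logon failure events from the post; these all collapse into 4625 on 2008+.
LEGACY_LOGON_FAILURES = {
    529: "Logon with unknown username/password",
    530: "Logon outside allowed time",
    531: "Logon with disabled account",
    532: "Logon with expired account",
    533: "Logon at prohibited computer",
    534: "Logon with invalid type",
    535: "Logon with expired password",
    537: "Unknown logon failure",
    539: "Account locked out",
}

# System-log events from the post; these are NOT renumbered on 2008+.
SYSTEM_WATCHLIST = {
    7036: "Service start/stop",
    6009: "Server boot",
    1076: "Unexpected shutdown",
    11: "Disk error",
    52: "Disk fail predicted",
}

LEGACY_LOGON_SUCCESS = {528, 540}
LEGACY_LOGON_FAILURE_IDS = set(range(529, 538)) | {539}


def map_legacy_security_id(legacy_id: int) -> int:
    """Return the Vista/2008+ Security-log event ID for a WS03 event ID."""
    if legacy_id in LEGACY_LOGON_SUCCESS:
        return 4624
    if legacy_id in LEGACY_LOGON_FAILURE_IDS:
        return 4625
    return legacy_id + 4096


def build_modern_watchlist(legacy: dict) -> dict:
    """Translate a {ws03_id: description} table into {ws08_id: description}.

    IDs that collapse into one modern ID get their descriptions joined,
    so the watchlist still explains every legacy case it covers.
    """
    merged = {}
    for old_id in sorted(legacy):
        merged.setdefault(map_legacy_security_id(old_id), []).append(legacy[old_id])
    return {new_id: "; ".join(descs) for new_id, descs in merged.items()}


# Constructed sample records, not real log data (hypothetical values).
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4720, "msg": "A user account was created."},
    {"log": "Security", "id": 4625, "msg": "An account failed to log on."},
    {"log": "Security", "id": 4738, "msg": "A user account was changed."},
    {"log": "System", "id": 7036, "msg": "The Print Spooler service entered the running state."},
    {"log": "Security", "id": 4624, "msg": "An account was successfully logged on."},
]


def match_events(events, security_watchlist: dict, system_watchlist: dict):
    """Return (log, id, description) for every event on a watchlist.

    The 4096 offset only applies to the Security log, so System-log events
    are checked against their own, unchanged, ID table.
    """
    hits = []
    for ev in events:
        table = security_watchlist if ev["log"] == "Security" else system_watchlist
        desc = table.get(ev["id"])
        if desc:
            hits.append((ev["log"], ev["id"], desc))
    return hits


if __name__ == "__main__":
    modern = build_modern_watchlist({**LEGACY_WATCHLIST, **LEGACY_LOGON_FAILURES})
    for hit in match_events(SAMPLE_EVENTS, modern, SYSTEM_WATCHLIST):
        print(hit)
```

Note that 4624 (successful logon) is not flagged in the run above because the post's watchlist only covers logon failures; add 528/540 to the legacy table if you want successes too. On a live 2008+ box the same watchlist can be fed from `Get-WinEvent` output; the mapping function is the part that keeps a 2003-era list usable.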
Other events you might want to track in Server 2008:
4608 - Windows is starting up
4609 - Windows is shutting down
Filed under: Security