List: loganalysis
Subject: [logs] Re: Reviewing Vista/2k3 log files from the same platform
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell ! net>
Date: 2007-01-17 19:07:18
Message-ID: 45AE73E6.7070202 () pacbell ! net
That's still not quite my point....and granted, perhaps I wasn't
supposed to be able to do what I was doing...but nonetheless I did it.
.... pre Vista for basic admin "what's nailing my server" I can/do look
at the 2k3 security log file in an XP event viewer. If Vista is my
desktop of choice (and it's not ....quite yet...) while the events for
"success" from a 2k3 box are readable, the "failures" are not. That
surprised me is all.
Because the event logs (which don't get me wrong I LOVE the new stuff)
have the new XML values I was just surprised that my quick and dirty log
view that shouldn't have worked before....but more often than not did...
now really doesn't.
Eric Fitzgerald wrote:
> Hey Tina!
>
>
>> For years one of my *favorite* parts of Microsoft logging is that
>> event IDs *have* remained consistent across versions of the operating
>> systems...
>> What's the plan for heterogeneous Windows environments?
>
>
> We almost always kept the same event ID's from version to version
> pre-Vista. The problem was that the tools didn't do well correlating
> events or finding a subset of events with a similar characteristic so
> we'd either split an event ID into two, or combine two into one,
> depending on which problem was being complain^h^h^h emphasized more at
> the time.
>
> However we did a whole bunch of event cleanup in Vista and the resulting
> events were different enough from their pre-Vista equivalents to break
> automation. So we had to renumber, to save you. But I knew that folks
> like you on this list would want to leverage your pre-Vista knowledge
> instead of memorizing 300-odd new events.
>
> So here is my New Year's gift to all of you.
>
> For almost all security log events, EventId(Vista) = EventId(PreVista) +
> 4096
>
> You can do it in your head- add 4000, add 100, subtract 4. 528 -->
> 4624, etc.
>
> Best regards,
> Eric
>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
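An added example, not from the thread or from either poster: a small Python helper that applies Eric's "+4096" rule to a pre-Vista watch list and builds a filter that matches both numberings for a mixed 2k3/Vista environment. The exceptions table is an assumption I maintain by hand for events that were merged or moved rather than renumbered; it is not stated in the thread.

```python
"""Translate pre-Vista Security log event IDs to Vista numbering.

Rule from the thread: EventId(Vista) = EventId(PreVista) + 4096
(in your head: add 4000, add 100, subtract 4; 528 -> 4624).
"""
from typing import Iterable

OFFSET = 4096

# Assumed exceptions (NOT from the thread): events that were consolidated
# or moved to another provider instead of simply being renumbered.
EXCEPTIONS: dict[int, int] = {
    517: 1102,  # audit log cleared moved to Microsoft-Windows-Eventlog 1102
    540: 4624,  # network logon success merged into the single 4624 event
}
# The per-cause failed-logon events were consolidated into 4625.
EXCEPTIONS.update({eid: 4625 for eid in (529, 530, 531, 532, 533, 534, 535, 536, 537, 539)})


def vista_event_id(pre_vista_id: int) -> int:
    """Map a pre-Vista (NT/2000/2003/XP) Security event ID to its Vista ID."""
    if pre_vista_id in EXCEPTIONS:
        return EXCEPTIONS[pre_vista_id]
    return pre_vista_id + OFFSET


def pre_vista_event_ids(vista_id: int) -> list[int]:
    """Reverse mapping: every pre-Vista ID that lands on vista_id.

    Needed because the mapping is many-to-one (e.g. 528 and 540 -> 4624).
    """
    candidates = {eid for eid, v in EXCEPTIONS.items() if v == vista_id}
    plain = vista_id - OFFSET
    # The plain rule only applies to IDs that are not handled as exceptions.
    if plain > 0 and plain not in EXCEPTIONS:
        candidates.add(plain)
    return sorted(candidates)


def heterogeneous_filter(pre_vista_ids: Iterable[int]) -> set[int]:
    """Union of old and new IDs, so one collector filter catches both
    2k3-style and Vista-style logs during a mixed-version rollout."""
    ids = set(pre_vista_ids)
    return ids | {vista_event_id(eid) for eid in ids}


if __name__ == "__main__":
    # Constructed watch list: logon success, failed logon, log cleared.
    for eid in (528, 529, 517):
        print(f"{eid} -> {vista_event_id(eid)}")
    print(sorted(heterogeneous_filter([528, 540])))
```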