I think that's a great idea.  Unfortunately I don't actually do sys admin work
full-time anymore, so I don't have anything concrete to contribute, but here are a few
security ones that might be handy:

Event ID 529 : Unknown user name or bad password
Event ID 530 : Logon time restriction violation
Event ID 531 : Account disabled
Event ID 532 : Account expired
Event ID 533 : Workstation restriction - not allowed to logon at this computer
Event ID 534 : Inadequate rights - as in user account attempting console login to server
Event ID 535 : Password expired
Event ID 536 : NetLogon service down
Event ID 537 : unexpected error - the who knows ??? factor
Event ID 538 : is not an unsuccessful event but rather a successful logoff.
Event ID 539 : Logon Failure: Account locked out
Event ID 540 : is not an unsuccessful event but rather a successful network logon, as in mapping a network drive.

Some Windows 2000-only events are:

Event ID 541 : IPSec security association established
Event ID 542 : IPSec security association ended (mode data protection)
Event ID 543 : IPSec security association ended (key exchange)
Event ID 544 : IPSec security association establishment failed because peer could not authenticate
Event ID 545 : IPSec peer authentication failed
Event ID 546 : IPSec security association establishment failed because peer sent invalid proposal
Event ID 547 : IPSec security association negotiation failed
Event ID 560 : Object Open
Event ID 561 : Handle Allocated
Event ID 562 : (Handle Closed) : NT is doing internal checks, such as checking to see if the file exists and checking to see that there is no sharing violation
Event ID 592 : A New Process Has Been Created
Event ID 593 : (Process Has Exited)
Event ID 627 : This event is logged when the password is expired and the user tries to change it during logon. Thus you get no User Name but NT AUTHORITY\ANONYMOUS written in the log. This error generates calls from Security Admins when they don't understand the meaning of the error. On the surface, it sounds ominous.
Event ID 642 : records the PDC's change of secure channel passwords.
Event ID 644 : User account Locked out
Event ID 672 : Authentication Ticket Granted
Event ID 673 : Service Ticket Granted
Event ID 674 : Ticket Granted Renewed
Event ID 675 : Pre-authentication failed
Event ID 676 : Authentication Ticket Request Failed
Event ID 677 : Service Ticket Request failed
Event ID 678 : Account mapped for logon
Event ID 679 : Account could not be mapped for logon
Event ID 680 : Account used for logon
Event ID 681 : Logon failed. The error code was:
Event ID 682 : Session reconnected to winstation
Event ID 683 : Session disconnected from winstation

For general info on an event id try:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;299475
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q301677


Mark Bradshaw
Salem Web Network
[EMAIL PROTECTED]
9401 Courthouse Road, Suite 300
Chesterfield, VA 23832
804.768.9404 x123 
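As an added illustration (not part of either message in this thread) of turning the failure-audit IDs listed above into monitoring logic: the script below parses a constructed, simplified Event Viewer CSV export, flags accounts with a burst of failed logons inside a sliding window, and lists lockouts (539/644). The log rows, host names and account names are hypothetical; 627 is deliberately not counted as a failure, for the reason the list gives.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Failure audits from the list above (NT4/2000 IDs); 538/540 are successes, 627 is the benign expired-password case.
FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 675, 676, 677, 681}
LOCKOUT_IDS = {539, 644}

# Constructed sample shaped like a simplified Event Viewer CSV export (hypothetical hosts/accounts).
SAMPLE_LOG = """\
11/25/2003,10:20:01,Failure Audit,529,DC1,jsmith
11/25/2003,10:20:05,Failure Audit,529,DC1,jsmith
11/25/2003,10:20:09,Failure Audit,529,DC1,jsmith
11/25/2003,10:20:14,Failure Audit,529,DC1,jsmith
11/25/2003,10:20:20,Failure Audit,529,DC1,jsmith
11/25/2003,10:20:25,Failure Audit,539,DC1,jsmith
11/25/2003,10:21:00,Success Audit,540,DC1,bjones
11/25/2003,10:22:10,Failure Audit,675,DC1,bjones
11/25/2003,11:05:00,Failure Audit,529,WS7,bjones
11/25/2003,10:30:00,Failure Audit,627,DC1,NT AUTHORITY\\ANONYMOUS
"""

def parse_events(text):
    """Turn exported CSV rows (Date,Time,Type,EventID,Computer,TargetUser) into dicts with a timestamp and int ID."""
    events = []
    for row in csv.DictReader(StringIO(text), fieldnames=["date", "time", "type", "event_id", "computer", "user"]):
        when = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        events.append({"when": when, "event_id": int(row["event_id"]),
                       "computer": row["computer"], "user": row["user"]})
    return events

def failed_logon_bursts(events, threshold=5, window_minutes=10):
    """Return {user: max failures seen inside one sliding window} for users at or over threshold."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev["event_id"] in FAILURE_IDS:
            by_user[ev["user"]].append(ev["when"])
    hits = {}
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits

def lockouts(events):
    """Accounts that hit 539 (logon failure: locked out) or 644 (account locked out)."""
    return sorted({ev["user"] for ev in events if ev["event_id"] in LOCKOUT_IDS})
```

Run against the sample, jsmith is reported with six failures in the 10-minute window and as locked out, while bjones's two failures 40 minutes apart only show up if the window is widened.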

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Richard Temple
Sent: Tuesday, November 25, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [SA-list] Event Log Monitoring

Would it be worth everyone contributing to a document that details typical event IDs
to monitor, similar to how woodstone.nu hosts a page showing typical pager numbers
available?

This would save each user re-inventing the wheel.

To unsubscribe from a list, send a mail message to [EMAIL PROTECTED]
With the following in the body of the message:
   unsubscribe SAlive
