I've used a very helpful PDF written by Troy Larson in order to examine Windows Server 2003 records; for each record I have retrieved an "Event ID".
Most of the event IDs I discovered were 3-digit. However, a substantial amount of records had much longer event IDs, for example "134217736". I located these in hex in exactly the same place as the other 3-digit ones I retrieved and converted them to decimal in the same way. I don't know whether these could genuinely be event IDs or if those records differed from the rest in some way and for some reason.
Can anyone shed any light?
Thanks
If you're referring to Event Log event records, the event ID is actually not a complete DWORD; it's really only the first half. So go back and look at where you're seeing the "long" event IDs in hex and extract only the first two bytes (as opposed to the entire 4 byte DWORD).
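The point made in the reply above, as an added example that is not from the thread or from Troy Larson's PDF: the EventID field of an .evt record is a 4-byte DWORD, but the number Event Viewer displays is only its low-order 16 bits (the "first two bytes" in little-endian byte order); the upper bits carry Microsoft's severity/customer/facility flags. The code below uses Microsoft's documented EVENTLOGRECORD layout, builds two constructed records (the source and computer names, the record numbers and the 528 / 134217736 values are sample inputs made up for this example), and parses them back out.

```python
"""
Parse Windows 2000/XP/2003-style Event Log (.evt) records and extract the
event ID as the low 16 bits of the 4-byte EventID field.
Added example; the sample records are constructed, not taken from a real log.
"""
import struct

# Fixed-size head of EVENTLOGRECORD (little-endian), 56 bytes in this order:
#   Length, Reserved ("LfLe"), RecordNumber, TimeGenerated, TimeWritten,
#   EventID, EventType, NumStrings, EventCategory, ReservedFlags,
#   ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
#   DataLength, DataOffset
_HDR = struct.Struct("<IIIIIIHHHHIIIIII")
EVT_MAGIC = 0x654C664C  # the "LfLe" marker at offset 4 of every record


def event_code(event_id_dword):
    """The number Event Viewer shows: low-order 16 bits of the DWORD."""
    return event_id_dword & 0xFFFF


def decode_event_id(event_id_dword):
    """Split the DWORD into the fields of Microsoft's event identifier layout."""
    return {
        "code": event_id_dword & 0xFFFF,
        "facility": (event_id_dword >> 16) & 0x0FFF,
        "customer": (event_id_dword >> 29) & 1,
        "severity": (event_id_dword >> 30) & 3,
    }


def _read_utf16z(buf, offset):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past NUL)."""
    end = offset
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le"), end + 2


def build_record(record_number, event_id, event_type=8,
                 source="Security", computer="SRV03"):
    """Construct a minimal record (no SID, no strings, no binary data)."""
    body = (source + "\0").encode("utf-16-le") + (computer + "\0").encode("utf-16-le")
    length = _HDR.size + len(body) + 4      # trailing copy of Length included
    header = _HDR.pack(length, EVT_MAGIC, record_number, 0, 0, event_id,
                       event_type, 0, 0, 0, 0, length - 4, 0, 0, 0, 0)
    return header + body + struct.pack("<I", length)


def parse_record(buf, offset=0):
    """Parse one record starting at offset; validate magic and trailing length."""
    fields = _HDR.unpack_from(buf, offset)
    length, magic, record_number, _t_gen, _t_written, event_id = fields[:6]
    event_type = fields[6]
    if magic != EVT_MAGIC:
        raise ValueError("no EVENTLOGRECORD marker at offset %d" % offset)
    trailing = struct.unpack_from("<I", buf, offset + length - 4)[0]
    if trailing != length:
        raise ValueError("trailing length mismatch at offset %d" % offset)
    source, pos = _read_utf16z(buf, offset + _HDR.size)
    computer, _ = _read_utf16z(buf, pos)
    return {
        "record_number": record_number,
        "length": length,
        "event_id_raw": event_id,        # full DWORD, e.g. 134217736
        "event_id": event_code(event_id),  # what Event Viewer displays, e.g. 8
        "event_type": event_type,
        "source": source,
        "computer": computer,
    }


def parse_records(buf):
    """Walk consecutive records in a buffer using each record's Length field."""
    records, offset = [], 0
    while offset + _HDR.size <= len(buf):
        rec = parse_record(buf, offset)
        records.append(rec)
        offset += rec["length"]
    return records


# Constructed sample: one plain 3-digit ID and one with flag bits set
# (0x08000008 == 134217736, whose low word is 8).
SAMPLE = build_record(1, 528) + build_record(2, 0x08000008)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["record_number"], rec["source"], hex(rec["event_id_raw"]),
              "-> event ID", rec["event_id"], decode_event_id(rec["event_id_raw"]))
```

Running it prints record 2 as `0x8000008 -> event ID 8`, which is the reply's point: the long decimal values come from converting the whole DWORD instead of its low word.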
Oh I see, yes, because for those that I have converted correctly the last two bytes (as I have highlighted 4) have been 0. lol what an idiot I am.
Although the PDF does state that the event IDs are 4 bytes, but then again if someone says jump off a bridge you don't do it.
Thanks a lot Keydet
Can you send me a copy of that PDF?
keydet89 at yahoo dot com
thanks,
H
> Can you send me a copy of that PDF?
Yeah will do.
Does anyone know the difference between secEvent.evt, sysEvent.evt and sat log.evt?
Both secEvent and sysEvent are brought up by Google, but I can't find any detailed information.
Google finds nothing for sat log.evt and from what I've read, in most other cases this file seems to be called appEvent.
I need to know the difference between these three files and what information is logged by each. I have an idea from the data I've been finding in them, but there seem to be some overlaps and I could really do with some clarification.
Cheers
> Does anyone know the difference between secEvent.evt, sysEvent.evt and sat log.evt?
SecEvent.evt = Security Event Log
SysEvent.evt = System Event Log
Never heard of "sat log.evt", but I do know that developers can create their own Event Logs (as opposed to creating application-specific records that get reported to one of the other Event Logs).
> I need to know the difference between these three files and what
> information is logged by each.
There are plenty of explanations available regarding what *can be* logged to the System and Security Event Log... in part, the names are somewhat self-explanatory. If you do some Registry analysis (particularly of the file named "Security") you can determine what the audit configuration of the system is, and have a better idea of what is logged to those files.
With regards to "sat log.evt", you'll need to do some additional Registry analysis to determine information about that event log.
H