<EventLog Name="Logon Failure: User Account Expired" SymbolicName="SE_AUDITID_ACCOUNT_EXPIRED" Id="532" Product="Windows Operating System" Source="Security" Version="5.0" Compenent="" Level="Success audit" Description="Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13" />
<EventLog Name="Logon Failure: Not Allowed" SymbolicName="SE_AUDITID_WORKSTATION_RESTR" Id="533" Product="Windows Operating System" Source="Security" Version="5.0" Compenent="" Level="Success audit" Description="Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13" />
<EventLog Name="Logon Failure: Not Granted Logon Type" SymbolicName="SE_AUDITID_LOGON_TYPE_RESTR" Id="534" Product="Windows Operating System" Source="Security" Version="5.0" Compenent="Security Event Log" Level="Success audit" Description="Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 " />
<EventLog Name="Windows Shutting Down" SymbolicName="SE_AUDITID_SYSTEM_SHUTDOWN" Id="513" Product="Windows Operating System" Source="Security" Version="5.2" Compenent="" Level="Success audit" Description="Windows is shutting down.\r\nAll logon sessions will be terminated by this shutdown." />
<EventLog Name="Authentication Package Loaded" SymbolicName="SE_AUDITID_AUTH_PACKAGE_LOAD" Id="514" Product="Windows Operating System" Source="Security" Version="5.0" Compenent="Security Event Log" Level="Success audit" Description="An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts. Authentication Package Name: %1 " />
<EventLog Name="Resource for Audit Messages Queue Exhausted" SymbolicName="SE_AUDITID_AUDITS_DISCARDED" Id="516" Product="Windows Operating System" Source="Security" Version="5.0" Compenent="Security Event Log" Level="Success audit" Description="Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: %1 " />
<EventLog Name="Trusted Logon Process Registered" SymbolicName="SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER" Id="515" Product="Windows Operating System" Source="Security" Version="5.0" Compenent="Security Event Log" Level="Success audit" Description="A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. Logon Process Name: %1 " />
<EventLog Name="System Time Changed" SymbolicName="SE_AUDITID_SYSTEM_TIME_CHANGE" Id="520" Product="Windows Operating System" Source="Security" Version="5.2" Compenent="" Level="Success audit" Description="The system time was changed. Process ID: %1 Process Name: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon ID: %5 Client User Name: %6 Client Domain: %7 Client Logon ID: %8 Previous Time: %10 %9 New Time: %12 %11" />
<EventLog Name="Global Group Created" Level="Success audit" Description="A security-enabled global group was created. Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 New Group: Security ID: %3 Group Name: %1 Group Domain: %2 Attributes: SAM Account Name: %9 SID History: %10 Additional Information: Privileges: %8" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4727" Task="" Channel="Security"/>
<EventLog Name="Global Group Member Added" Level="Success audit" Description="A member was added to a security-enabled global group. Subject: Security ID: %6 Account Name: %7 Account Domain: %8 Logon ID: %9 Member: Security ID: %2 Account Name: %1 Group: Security ID: %5 Group Name: %3 Group Domain: %4 Additional Information: Privileges: %10" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4728" Task="" Channel="Security"/>
<EventLog Name="Global Group Member Removed" Level="Success audit" Description="A member was removed from a security-enabled global group. Subject: Security ID: %6 Account Name: %7 Account Domain: %8 Logon ID: %9 Member: Security ID: %2 Account Name: %1 Group: Security ID: %5 Group Name: %3 Group Domain: %4 Additional Information: Privileges: %10" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4729" Task="" Channel="Security"/>
<EventLog Name="Global Group Deleted" Level="Success audit" Description="A security-enabled global group was deleted. Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 Deleted Group: Security ID: %3 Group Name: %1 Group Domain: %2 Additional Information: Privileges: %8" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4730" Task="" Channel="Security"/>
<EventLog Name="Local Group Created" Level="Success audit" Description="A security-enabled local group was created. Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 New Group: Security ID: %3 Group Name: %1 Group Domain: %2 Attributes: SAM Account Name: %9 SID History: %10 Additional Information: Privileges: %8" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4731" Task="" Channel="Security"/>
<EventLog Name="Local Group Member Added" Level="Success audit" Description="A member was added to a security-enabled local group. Subject: Security ID: %6 Account Name: %7 Account Domain: %8 Logon ID: %9 Member: Security ID: %2 Account Name: %1 Group: Security ID: %5 Group Name: %3 Group Domain: %4 Additional Information: Privileges: %10" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4732" Task="" Channel="Security"/>
<EventLog Name="Local Group Member Removed" Level="Success audit" Description="A member was removed from a security-enabled local group. Subject: Security ID: %6 Account Name: %7 Account Domain: %8 Logon ID: %9 Member: Security ID: %2 Account Name: %1 Group: Security ID: %5 Group Name: %3 Group Domain: %4 Additional Information: Privileges: %10" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4733" Task="" Channel="Security"/>
<EventLog Name="Local Group Deleted" Level="Success audit" Description="A security-enabled local group was deleted. Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 Group: Security ID: %3 Group Name: %1 Group Domain: %2 Additional Information: Privileges: %8" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4734" Task="" Channel="Security"/>
<EventLog Name="Local Group Changed" Level="Success audit" Description="A security-enabled local group was changed. Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 Group: Security ID: %3 Group Name: %1 Group Domain: %2 Changed Attributes: SAM Account Name: %9 SID History: %10 Additional Information: Privileges: %8" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4735" Task="" Channel="Security"/>
<EventLog Name="Global Group Changed" Level="Success audit" Description="A security-enabled global group was changed. Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 Group: Security ID: %3 Group Name: %1 Group Domain: %2 Changed Attributes: SAM Account Name: %9 SID History: %10 Additional Information: Privileges: %8" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4737" Task="" Channel="Security"/>
</EventSubCategory>
<EventSubCategory Name="User Account Validation">
<EventLog Name="Kerberos Authentication Ticket (TGT) Requested" Level="Success audit" Description="A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: %1 Supplied Realm Name: %2 User ID: %3 Service Information: Service Name: %4 Service ID: %5 Network Information: Client Address: %10 Client Port: %11 Additional Information: Ticket Options: %6 Result Code: %7 Ticket Encryption Type: %8 Pre-Authentication Type: %9 Certificate Information: Certificate Issuer Name: %12 Certificate Serial Number: %13 Certificate Thumbprint: %14 Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4768" Task="" Channel="Security"/>
<EventLog Name="Computer Attempted to Validate Account" Level="Success audit" Description="The computer attempted to validate the credentials for an account. Authentication Package: %1 Logon Account: %2 Source Workstation: %3 Error Code: %4" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4776" Task="" Channel="Security"/>
<EventLog Name="Kerberos Pre-authentication Failed" Level="Failure audit" Description="Kerberos pre-authentication failed. Account Information: Security ID: %2 Account Name: %1 Service Information: Service Name: %3 Network Information: Client Address: %7 Client Port: %8 Additional Information: Ticket Options: %4 Failure Code: %5 Pre-Authentication Type: %6 Certificate Information: Certificate Issuer Name: %9 Certificate Serial Number: %10 Certificate Thumbprint: %11 Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4771" Task="" Channel="Security"/>
<EventLog Name="Domain Controller Failed to Validate Account Credentials" Level="Failure audit" Description="The domain controller failed to validate the credentials for an account. Authentication Package: %1 Logon Account: %2 Source Workstation: %3 Error Code: %4" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4777" Task="" Channel="Security"/>
</EventSubCategory>
<EventSubCategory Name="User Logons">
<EventLog Name="Successfully Logon" Level="Success audit" Description="An account was successfully logged on. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type: %9 New Logon: Security ID: %5 Account Name: %6 Account Domain: %7 Logon ID: %8 Logon GUID: %13 Process Information: Process ID: %17 Process Name: %18 Network Information: Workstation Name: %12 Source Network Address: %19 Source Port: %20 Detailed Authentication Information: Logon Process: %10 Authentication Package: %11 Transited Services: %14 Package Name (NTLM only): %15 Key Length: %16 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4624" Task="" Channel="Security"/>
<EventLog Name="Failed Logon" Level="Failure audit" Description="An account failed to log on. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type: %11 Account For Which Logon Failed: Security ID: %5 Account Name: %6 Account Domain: %7 Failure Information: Failure Reason: %9 Status: %8 Sub Status: %10 Process Information: Caller Process ID: %18 Caller Process Name: %19 Network Information: Workstation Name: %14 Source Network Address: %20 Source Port: %21 Detailed Authentication Information: Logon Process: %12 Authentication Package: %13 Transited Services: %15 Package Name (NTLM only): %16 Key Length: %17 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4625" Task="" Channel="Security"/>
</EventSubCategory>
<EventSubCategory Name="User Logoff">
<EventLog Name="User Logged Off" Level="Success audit" Description="An account was logged off. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type: %5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4634" Task="" Channel="Security"/>
<EventLog Name="Object Handle Requested" Level="Success audit" Description="A handle to an object was requested. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Object Type: %6 Object Name: %7 Handle ID: %8 Process Information: Process ID: %15 Process Name: %16 Access Request Information: Transaction ID: %9 Accesses: %10 Access Reasons: %11 Access Mask: %12 Privileges Used for Access Check: %13 Restricted SID Count: %14" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4656" Task="" Channel="Security"/>
<EventLog Name="Object Handle Closed" Level="Success audit" Description="The handle to an object was closed. Subject : Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Handle ID: %6 Process Information: Process ID: %7 Process Name: %8" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4658" Task="" Channel="Security"/>
<EventLog Name="Object Handle Requested for Delete" Level="Success audit" Description="A handle to an object was requested with intent to delete. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Object Type: %6 Object Name: %7 Handle ID: %8 Process Information: Process ID: %13 Access Request Information: Transaction ID: %9 Accesses: %10 Access Mask: %11 Privileges Used for Access Check: %12" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4659" Task="" Channel="Security"/>
<EventLog Name="Object Deleted" Level="Success audit" Description="An object was deleted. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Handle ID: %6 Process Information: Process ID: %7 Process Name: %8 Transaction ID: %9" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4660" Task="" Channel="Security"/>
<EventLog Name="Object Handle Requested" Level="Success audit" Description="A handle to an object was requested. Subject : Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Object Type: %6 Object Name: %7 Handle ID: %8 Process Information: Process ID: %15 Process Name: %16 Access Request Information: Transaction ID: %9 Accesses: %10 Access Mask: %11 Privileges Used for Access Check: %12 Properties: %13 Restricted SID Count: %14" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4661" Task="" Channel="Security"/>
<EventLog Name="Operation Performed on Object" Level="Success audit" Description="An operation was performed on an object. Subject : Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Object Type: %6 Object Name: %7 Handle ID: %9 Operation: Operation Type: %8 Accesses: %10 Access Mask: %11 Properties: %12 Additional Information: Parameter 1: %13 Parameter 2: %14" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4662" Task="" Channel="Security"/>
<EventLog Name="Attempted to Access Object" Level="Success audit" Description="An attempt was made to access an object. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Object Type: %6 Object Name: %7 Handle ID: %8 Process Information: Process ID: %11 Process Name: %12 Access Request Information: Accesses: %9 Access Mask: %10" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4663" Task="" Channel="Security"/>
<EventLog Name="Attempted to Create Hard Link" Level="Success audit" Description="An attempt was made to create a hard link. Subject: Account Name: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Link Information: File Name: %5 Link Name: %6 Transaction ID: %7" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4664" Task="" Channel="Security"/>
</EventSubCategory>
<EventSubCategory Name="System Events">
<EventLog Name="Windows Starting Up" Level="Success audit" Description="Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4608" Task="" Channel="Security"/>
<EventLog Name="Windows Shutting Down" Level="Success audit" Description="Windows is shutting down. All logon sessions will be terminated by this shutdown." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4609" Task="" Channel="Security"/>
<EventLog Name="Authentication Package Loaded" Level="Success audit" Description="An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts. Authentication Package Name: %1" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4610" Task="" Channel="Security"/>
<EventLog Name="Trusted Logon Process Registered" Level="Success audit" Description="A trusted logon process has been registered with the Local Security Authority. This logon process will be trusted to submit logon requests. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Process Name: %5" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4611" Task="" Channel="Security"/>
<EventLog Name="Resource for Audit Messages Queue Exhausted" Level="Success audit" Description="Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: %1 This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4612" Task="" Channel="Security"/>
<EventLog Name="Notification Package Loaded" Level="Success audit" Description="A notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes. Notification Package Name: %1" Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4614" Task="" Channel="Security"/>
<EventLog Name="Invalid Use of LPC Port" Level="Success audit" Description="Invalid use of LPC port. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Process Information: PID: %7 Name: %8 Invalid Use: %5 LPC Server Port Name: %6 Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA's use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4615" Task="" Channel="Security"/>
<EventLog Name="System Time Changed" Level="Success audit" Description="The system time was changed. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Process Information: Process ID: %7 Name: %8 Previous Time: %5 New Time: %6 This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer." Compenent="" Version="6.0(Windows Vista, Server 2008) - 6.1(Windows 7, Server 2008R2)" Source="Microsoft-Windows-Security-Auditing" Product="Windows Operating System" Id="4616" Task="" Channel="Security"/>
<EventLog Name="Unable to Connect to Remote Server" Id="570" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="Unable to successfully connect to the remote server." />
<EventLog Name="Domain Unreachable: EventID 577" Id="577" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="Routing has reported the domain '%1' as unreachable. The error is '%2'." />
<EventLog Name="Non-delivery Due to Lack of System Resources" Id="714" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="Unable to deliver this message due to lack of system resources." />
<EventLog Name="Unable to Handle Badmail Due to No Badmail Directory Configured" Id="715" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="Unable to handle badmail because no badmail directory is configured." />
<EventLog Name="Unable to Handle Badmail Due to Lack of System Resources." Id="716" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="Unable to handle badmail due to lack of system resources." />
<EventLog Name="Non-delivery Due to Maximum Hop Count Exceeded" Id="717" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="Unable to deliver message because the maximum hop count was exceeded. This is a potential message routing loop." />
<EventLog Name="SMTP Could Not Connect to Any DNS Server" Id="754" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="SMTP could not connect to any DNS server." />
<EventLog Name="Non-delivered Due to Configuration Error" Id="759" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="The message cannot be delivered due to a configuration error. The MTA has been disabled yet the recipient requires the MTA for delivery." />
<EventLog Name="Message Delivery Failed: EventID 4000" Id="4000" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="Message delivery to the remote domain '%1' failed for the following reason: %2" />
<EventLog Name="Message Delivery Failed: EventID 4001" Id="4001" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="Message delivery to the remote domain '%1' failed. The error message is '%2'.The SMTP verb which caused the error is '%3'. The response from the remoteserver is '%4'." />
<EventLog Name="Domain Unreachable: EventID 4003" Id="4003" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="The domain '%1' is currently unreachable." />
<EventLog Name="Message Size too Large or Local Quota Exceeded" Id="3014" Product="Exchange" Source="MSExchangeTransport" Version="6.5.7596.0" Compenent="" Description="A non-delivery report with a status code of %1 was generated for recipient %2 (Message-ID %3). Cause: The message size was large or the local quota exceeded. For example, remote Exchange user might have delivery restrictions set with maximum incoming message size. Solution: Check access permissions as well as the message size." />
<EventLog Name="Generic Protocol Error (SMTP Error)" Id="3022" Product="Exchange" Source="MSExchangeTransport" Version="6.5.7596.0" Compenent="" Description="A non-delivery report with a status code of %1 was generated for recipient %2 (Message-ID %3).Cause: This message indicates a generic protocol error (SMTP error). For example, the remote SMTP responds to an issued EHLO with a 500 level error and the sending system will QUIT the connection and report this with NDR indicating the remote SMTP server canÆt handle the protocol.Solution: View the SMTP log or run a netmon trace to see why the remote SMTP server rejects the protocol request." />
<EventLog Name="Sender Denied Access or General Access Denied" Id="3027" Product="Exchange" Source="MSExchangeTransport" Version="6.5.7596.0" Compenent="" Description="A non-delivery report with a status code of %1 was generated for recipient %2 (Message-ID %3). Causes: This message indicates that the sender was denied access or general access was denied. Solution: Check system privileges and attributes for the contact and retry sending the message." />
<EventLog Name="E-mail Account Not Exist" Id="3028" Product="Exchange" Source="MSExchangeTransport" Version="6.5.7596.0" Compenent="" Description="A non-delivery report with a status code of %1 was generated for recipient %2 (Message-ID %3). Cause: The e-mail account does not exist at the organization where the message was sent. Either the recipient address is incorrectly formatted or the categorizer was not able to properly resolve the recipient.Solution: Checking the recipient address and the recipient policy and re-sending the message are among the first steps in resolving this error." />
<EventLog Name="Exchange MTA Disabled" Id="340" Product="Exchange" Source="MSExchangeTransport" Version="6.5.6940.0" Compenent="Microsoft Exchange Transport" Description="Because the Exchange MTA is disabled, the store driver cannot deliver the message recipient:text to the recipient recipient" />
<EventLog Name="Maximum Hop Count Exceeded" Id="3005" Product="Exchange" Source="MSExchangeTransport" Version="6.5.6940.0" Compenent="Microsoft Exchange Transport" Description="A non-delivery report with a status code of number was generated for recipient %2 (Message-ID id). Cause: The maximum hop count was exceeded for this message. This non-delivery report can also be caused if a looping condition exists between sending and receiving servers that are not in the same Exchange organization. In this situation, the message bounces back and forth until the hop count is exceeded. A configuration error in the e-mail system can also cause the message to bounce between two servers or to be forwarded between two recipients. Solution: The maximum hop count is a property set on each virtual server and you can manually override it. The default maximum hop count is 15. Also, check for any situations that might cause loops between servers." />
<EventLog Name="Permanent Failure" Id="3008" Product="Exchange" Source="MSExchangeTransport" Version="6.5.6940.0" Compenent="Microsoft Exchange Transport" Description="A non-delivery report with a status code of number was generated for recipient recipient (Message-ID id). Cause: This indicates a permanent failure. Possible causes : 1)No route is defined for a given address space. For example, an SMTP connector is configured, but this recipient address does not match the address spaces for which it routes mail. 2)Domain Name Server (DNS) returned an authoritative host not found for the domain. 3)The routing group does not have a connector defined ???? mail from one server in the routing group has no way to get to another routing group. Solution: Verify that this error is not caused by a DNS lookup problem, and then check the address spaces configured on your STMP connectors. If you are delivering Internet mail through an SMTP connector, consider adding an address space of type SMTP with value ????*???? (an asterisk) to one of the SMTP connectors to make routing possible. Verify all routing groups are connected to each other through a routing group connector or another connector." />
<EventLog Name="Attempted Mail Delivery to Incorrect MTA Route" Id="3015" Product="Exchange" Source="MSExchangeTransport" Version="6.5.6940.0" Compenent="Microsoft Exchange Transport" Description="A non-delivery report with a status code of number was generated for recipient recipient (Message-ID id). Causes: Exchange mistakenly attempted mail delivery to an incorrect MTA route. Solution: Check your route and topology; use the winroute tool to ensure the routes are properly replicated between servers and routing groups." />
<EventLog Name="Looping Condition Detected" Id="3017" Product="Exchange" Source="MSExchangeTransport" Version="6.5.6940.0" Compenent="Microsoft Exchange Transport" Description="A non-delivery report with a status code of number was generated for recipient address (Message-ID message id). Causes: A looping condition was detected. (The server is configured to route mail back to itself). If you have multiple SMTP Virtual Servers configured on your Exchange server, make sure they are defined by a unique incoming port and that the outgoing SMTP port configuration is valid to avoid looping between local virtual servers. Solution: Check the configuration of the virtual server??s connectors for loops and ensure each virtual server is defined by a unique incoming port." />
<EventLog Name="DNS or IP Address configuration Problem " Id="3018" Product="Exchange" Source="MSExchangeTransport" Version="6.5.6940.0" Compenent="Microsoft Exchange Transport" Description="A non-delivery report with a status code of number was generated for recipient proxy address (Message-ID id). Causes: This message indicates a DNS problem or an IP address configuration problem Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format. " />
<EventLog Name="Forward Loop Detected" Id="3020" Product="Exchange" Source="MSExchangeTransport" Version="6.5.6940.0" Compenent="Microsoft Exchange Transport" Description="A non-delivery report with a status code of number was generated for recipient recipient (Message-ID message id). Cause: A forward loop was detected by the categorizer. This is a common hosting configuration problem caused when someone uses the provisioning tool to create a contact in one organization unit and creates a user in a different organization user that share the same e-mail address. Solution: Verify that you do not have a user in organizational unit and a contact in a different organizational unit that have the same e-mail address." />
</EventSubCategory>
<EventSubCategory Name="Virus Related Logs">
<EventLog Name="Virus Infected Message Successfully Cleaned" Id="345" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="A virus infected message was successfully cleaned. Internet Message ID %1." />
<EventLog Name="Virus Infected Message Placed in BadMail Directory" Id="346" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="A virus infected message was placed in the BadMail directory. Internet Message ID %1." />
<EventLog Name="Virus Infected Message Deleted" Id="347" Product="Exchange" Source=" MSExchangeTransport" Version="6.5.0000.0" Compenent="" Description="A virus infected message was deleted. Internet Message ID %1." />
<EventLog Name="Message Could not be Virus Scanned" Id="348" Product="Exchange" Source="MSExchangeTransport" Version="6.5.6940.0" Compenent="Microsoft Exchange Transport" Description="A message could not be virus scanned - this operation will be retried later. Internet Message ID proxy address, Error Code error code." />
</EventSubCategory>
</EventSubCategory>
<EventSubCategory Name="Microsoft SQL Server">
<EventSubCategory Name="DDL Events">
<EventLog Name="CREATE INDEX Aborted" Id="1530" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="CREATE INDEX with DROP_EXISTING was aborted because a row was out of order. Most significant offending primary key is '%S_KEY'. Explicitly drop and create the index instead." />
<EventLog Name="CREATE TABLE Failed: Reached Maxium Number of Columns" Id="1702" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="CREATE TABLE failed because column '%.*ls' in table '%.*ls' exceeds the maximum of %d columns." />
<EventLog Name="System Table Not Created" Id="1706" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="System table '%.*ls' was not created, because ad hoc updates to system catalogs are not enabled." />
<EventLog Name="Could not Obtain Exclusive Lock on Database" Id="1807" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Could not obtain exclusive lock on database '%.*ls'. Retry the operation later." />
<EventLog Name="CREATE DATABASE Failed: COLLATE Clause" Id="1812" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="CREATE DATABASE failed. COLLATE clause cannot be used with the FOR ATTACH option." />
<EventLog Name="CREATE DATABASE Aborted: Could not Open New Database" Id="1813" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Could not open new database '%.*ls'. CREATE DATABASE is aborted." />
<EventLog Name="Cannot Drop Dabase with DBCC: Database Not Marked Suspect" Id="2573" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Database '%.*ls' is not marked suspect. You cannot drop it with DBCC." />
</EventSubCategory>
<EventSubCategory Name="DML Events">
<EventLog Name="INSERT: More Columns in INSERT than in VALUES Clause" Id="109" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="There are more columns in the INSERT statement than values specified in the VALUES clause. The number of values in the VALUES clause must match the number of columns specified in the INSERT statement." />
<EventLog Name="Incorrect Syntax" Id="156" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Incorrect syntax near the keyword '%.*ls'." />
<EventLog Name="Permission Denied on Column" Id="230" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="%ls permission denied on column '%.*ls' of object '%.*ls', database '%.*ls', owner '%.*ls'." />
<EventLog Name="Could not Resolve Referenced Column Name" Id="437" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Could not resolve the referenced column name in table ID %d." />
<EventLog Name="Could not Find FOREIGN KEY Constraints for Table" Id="439" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Could not find FOREIGN KEY constraints for table '%.*ls' in database ID %d although the table is flagged as having them." />
<EventLog Name="Maximum Number of Databases Used for Each Query Exceeded" Id="925" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Maximum number of databases used for each query has been exceeded. The maximum allowed is %d." />
</EventSubCategory>
<EventSubCategory Name="Backup/Restore">
<EventLog Name="Backup Device Failed: Operating System Error" Id="18204" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="%1: Backup device '%2' failed to %3. Operating system error = %4." />
<EventLog Name="Failure on Backup Device Operating System Error" Id="18210" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="%1: %2 failure on backup device '%3'. Operating system error %4." />
<EventLog Name="Device or Media not Supported" Id="18257" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="%1: Device or media does not support %2." />
<EventLog Name="Database Backed up" Id="18264" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Database backed up: Database: %1, creation date(time): %2(%3), pages dumped: %4!d!, first LSN: %5, last LSN: %6, number of dump devices: %9!d!, device information: (%10)." />
<EventLog Name="Log Backed Up" Id="18265" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Log backed up: Database: %1, creation date(time): %2(%3), first LSN: %4, last LSN: %5, number of dump devices: %7!d!, device information: (%8)." />
<EventLog Name="Database Differential Changes Backed up" Id="18270" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Database differential changes backed up: Database: %1, creation date(time): %2(%3), pages dumped: %4!d!, first LSN: %5, last LSN: %6, full backup LSN: %7, number of dump devices: %10!d!, device information: (%11)." />
<EventLog Name="Database Changes Restored" Id="18271" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Database changes restored: Database: %1, creation date(time): %2(%3), first LSN: %4, last LSN: %5, number of dump devices: %7!d!, device information: (%8)." />
<EventLog Name="I/O Error on Backup or Restore Restart-checkpoint File" Id="18272" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="I/O error on backup or restore restart-checkpoint file '%1'. Operating system error %2. The statement is proceeding but is non-restartable." />
<EventLog Name="Cannot Drop Role" Id="15142" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Cannot drop the role '%s'." />
<EventLog Name="Could not Grant Login Access" Id="15480" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Could not grant login access to '%s'." />
<EventLog Name="User Dropped From Current Database" Id="15491" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="User has been dropped from current database." />
<EventLog Name="Could not Add Login Using sp_addlogin" Id="15497" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Could not add login using sp_addlogin (user = %s). Terminating this procedure." />
</EventSubCategory>
<EventSubCategory Name="Connection/Login/Logoff">
<EventLog Name="Login Failed: Only Administrators May Connect" Id="18451" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Login failed for user '%ls'. Only administrators may connect at this time." />
<EventLog Name="Login Failed: Server in Single User Mode" Id="18461" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Login failed for user '%ls'. Reason: Server is in single user mode. Only one administrator can connect at this time." />
<EventLog Name="Could not Connect to Server: Account not Defined as Remote Login" Id="18483" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Could not connect to server '%ls' because '%ls' is not defined as a remote login at the server." />
<EventLog Name="Reached Maximum Limit for Connections" Id="17302" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="The maximum limit for connections has been reached." />
<EventLog Name="Full-text Catalog Lost" Id="7605" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Full-text catalog '%ls' has been lost. Use sp_fulltext_catalog to rebuild and to repopulate this full-text catalog." />
<EventLog Name="Could not Find Full-text Index for Database" Id="7606" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Could not find full-text index for database ID %d, table ID %d. Use sp_fulltext_table to deactivate then activate this index." />
<EventLog Name="Search on Full-text Catalog Failed" Id="7607" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Search on full-text catalog '%ls' for database ID %d, table ID %d with search condition '%ls' failed with unknown result (%x)." />
<EventLog Name="Unknown Full-text Failure" Id="7608" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="An unknown full-text failure (%x) occurred in function %hs on full-text catalog '%ls'." />
<EventLog Name="Full-text Query Failed Because Full-text Catalog Not Ready" Id="7623" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Full-text query failed because full-text catalog '%ls' is not yet ready for queries." />
<EventLog Name="Full-Text Search Not Enabled for Current Database" Id="15601" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="Full-Text Search is not enabled for the current database. Use sp_fulltext_database to enable Full-Text Search." />
</EventSubCategory>
<EventSubCategory Name="Server Status">
<EventLog Name="Server Startup Failed Insufficient Memory" Id="17132" Hide="True" Product="SQL Server" Source="MSSQLServer" Version="10.0" Compenent="SQLEngine" Description="Server startup failed due to insufficient memory for descriptor. Reduce non-essential memory load or increase system memory." />
<EventLog Name="SQL Server Service Paused" Id="17142" Product="SQL Server" Source="MSSQLServer" Version="10.0" Compenent="SQLEngine" Description="SQL Server service has been paused. No new connections will be allowed. To resume the service, use SQL Computer Manager or the Services application in Control Panel." />
<EventLog Name="SQL Server Terminating: System Shutdown" Id="17147" Product="SQL Server" Source="MSSQLServer" Version="10.0" Compenent="SQLEngine" Description="SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required." />
<EventLog Name="SQL Server Terminating" Id="17148" Product="SQL Server" Source="MSSQLServer" Version="10.0" Compenent="SQLEngine" Description="SQL Server is terminating in response to a 'stop' request from Service Control Manager. This is an informational message only. No user action is required." />
<EventLog Name="SQL Server Service Terminated Unexpectedly" Id="14265" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="The MSSQLServer service terminated unexpectedly." />
<EventLog Name="SQL Server Started in Single User Mode" Id="17658" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="SQL Server started in single user mode. Updates allowed to system catalogs." />
<EventLog Name="SQL Server Shutdown Due to Ctrl-C or Ctrl-Break Signal" Id="17676" Product="SQL Server" Source="MSSQLServer" Version="8.0" Compenent="SQL Engine" Description="SQL Server shutdown due to Ctrl-C or Ctrl-Break signal." />
