From OSSEC Wiki

Question: What does this Windows event ID mean?

General docs about Windows logging


Event id 534

Logon Failure - The user has not been granted the requested logon type at this machine.

  • Means that a user tried to map a drive (or view the registry) from a system that he/she doesn't have access to. OR
  • User tried to log on at the console, but he/she doesn't have the right to log on locally. OR
  • Service/batch process attempted to start using an account that doesn't have the rights.

Refs:

-http://www.ultimatewindowssecurity.com/events/com195.html
-http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx#EQH


Event id 536

Logon Failure - The NetLogon component is not active.

  • Means that the network logon service cannot be contacted. AND
  • Doesn't mean that the user got the password wrong or did anything wrong.

Refs:

-http://www.ultimatewindowssecurity.com/events/com197.html


Event id 560

Access codes (ref1, ref2):

%%1536 = Unused message ID
%%1537 = DELETE
%%1538 = READ_CONTROL
%%1539 = WRITE_DAC
%%1540 = WRITE_OWNER
%%1541 = SYNCHRONIZE
%%1542 = ACCESS_SYS_SEC
%%1543 = MAX_ALLOWED
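
The following is an added example, not code from the OSSEC wiki or from OSSEC itself: it expands the `%%` codes in the text of a 560 event using the table above and leaves codes the table does not list untouched. The function names, the `SENSITIVE` set and the sample line are assumptions made for illustration.

```python
import re

# Table from the page above (event id 560 access codes).
ACCESS_CODES = {
    1536: "Unused message ID",
    1537: "DELETE",
    1538: "READ_CONTROL",
    1539: "WRITE_DAC",
    1540: "WRITE_OWNER",
    1541: "SYNCHRONIZE",
    1542: "ACCESS_SYS_SEC",
    1543: "MAX_ALLOWED",
}

# Assumption (not from the page): accesses worth a closer look in review,
# because they delete the object or change its DACL or owner.
SENSITIVE = {"DELETE", "WRITE_DAC", "WRITE_OWNER"}

_CODE = re.compile(r"%%(\d+)")


def expand_access_codes(message):
    """Replace each %%NNNN the table knows; leave other codes untouched."""
    def repl(m):
        return ACCESS_CODES.get(int(m.group(1)), m.group(0))
    return _CODE.sub(repl, message)


def sensitive_accesses(message):
    """Return the sensitive access names requested in the message, in order."""
    names = (ACCESS_CODES.get(int(c)) for c in _CODE.findall(message))
    return [n for n in names if n in SENSITIVE]


# Constructed sample, shaped like the text of a 560 event; not a real log.
# %%4416 stands in for a code the table above does not list.
SAMPLE = ("Security: AUDIT_SUCCESS(560): Object Open: Object Name: C:\\payroll.xls "
          "Accesses: %%1538 %%1539 %%4416 %%1541")

if __name__ == "__main__":
    print(expand_access_codes(SAMPLE))
    print(sensitive_accesses(SAMPLE))
```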


Event id 624

User Account Created.

  • Means that a user account was created. This will be followed by event 626.

Refs:

-http://www.ultimatewindowssecurity.com/events/com243.html

Event id 626

User Account Enabled.

  • Means that a user account was enabled (W3K only).

Refs:

-http://www.ultimatewindowssecurity.com/events/com246.html
