archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/authz/test/wmiaudit/auditevt.mof

2461 lines
51 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2000
  6. //
  7. // File: A U D I T E V T . M O F
  8. //
  9. // Contents: Audit event schema definitions
  10. //
  11. //
  12. // History:
  13. // 06-January-2000 kumarp created
  14. //
  15. //------------------------------------------------------------------------
  17. /*
  18. issues:
  19. - best way to represent cred info?
  21. - some events were separately defined the success and failure cases.
  22. I merged them into one.
  23. For example:
  24. SE_AUDITID_ADD_SID_HISTORY_SUCCESS/SE_AUDITID_ADD_SID_HISTORY_FAILURE
  25. SE_AUDITID_ACCOUNT_MAPPED/SE_AUDITID_ACCOUNT_NOT_MAPPED
  26. SE_AUDITID_ACCOUNT_LOGON_SUCCESS/SE_AUDITID_ACCOUNT_LOGON_FAILURE
  28. - category: logon and account logon
  30. - need to define how the audit-format string is to be specified
  31. for new (non-legacy) auditevents
  33. - need to have a link between SE_AUDITID_PROCESS_CREATED/EXIT
  35. - why is that some events have both primary/client user info while
  36. some others have only primary (e.g. AuditEvent_ProcessExit)
  38. - should PID be 32 or 64 bit?
  40. - type of UserRight ?
  42. - tdo ops: DomainId type?
  44. - confirm that account-id (rid) is uint32
  46. - ask shaohua about SE_AUDITID_DOMAIN_POLICY_CHANGE
  48. - for events that are specifically success or failure type.
  49. need to set Success to TRUE/FALSE
  51. - how to handle delegated client contexts in n-tier apps
  53. - when a process opens an object on a remote machine, which
  54. pid gets logged?
  56. - make sure that all corresponding properties have identical name
  57. across different classes
  58. */
  60. //
  61. // base class for all audit events
  62. //
  63. [abstractevent]
  64. class AuditEvent : __ExtrinsicEvent
  65. {
  66. uint16 CategoryId;
  67. uint32 AuditId;
  69. uint64 CreationTime;
  70. Boolean Success = TRUE;
  71. };
  74. /////////////////////////////////////////////////////////////////////////////
  75. // //
  76. // //
  77. // Messages for Category: SE_CATEGID_SYSTEM //
  78. // //
  79. /////////////////////////////////////////////////////////////////////////////
  82. //
  83. // represents SE_CATEGID_SYSTEM category
  84. //
  85. [abstractevent]
  86. class AuditEvent_System : AuditEvent
  87. {
  89. };
  92. //
  93. //
  94. // SE_AUDITID_SYSTEM_RESTART
  95. //
  96. // Category: SE_CATEGID_SYSTEM
  97. //
  99. class AuditEvent_SystemRestart : AuditEvent_System
  100. {
  101. uint32 AuditId = 0x0200;
  102. };
  106. //
  107. //
  108. // SE_AUDITID_SYSTEM_SHUTDOWN
  109. //
  110. // Category: SE_CATEGID_SYSTEM
  111. //
  113. class AuditEvent_SystemShutdown
  114. {
  115. uint32 AuditId = 0x0201;
  116. };
  119. //
  120. //
  121. // SE_AUDITID_SYSTEM_AUTH_PACKAGE_LOAD
  122. //
  123. // Category: SE_CATEGID_SYSTEM
  124. //
  126. class AuditEvent_AuthPackageLoad : AuditEvent_System
  127. {
  128. uint32 AuditId = 0x0202;
  129. string AuthenticationPackageName;
  130. };
  133. //
  134. //
  135. // SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER
  136. //
  137. // Category: SE_CATEGID_SYSTEM
  138. //
  140. class AuditEvent_SystemLogonProcRegister : AuditEvent_System
  141. {
  142. uint32 AuditId = 0x0203;
  143. string LogonProcessName;
  144. };
  147. //
  148. //
  149. // SE_AUDITID_AUDITS_DISCARDED
  150. //
  151. // Category: SE_CATEGID_SYSTEM
  152. //
  154. class AuditEvent_AuditsDiscarded
  155. {
  156. uint32 AuditId = 0x0204;
  157. uint32 NumberOfAuditMessagesDiscarded;
  158. };
  161. //
  162. //
  163. // SE_AUDITID_AUDIT_LOG_CLEARED
  164. //
  165. // Category: SE_CATEGID_SYSTEM
  166. //
  167. //
  169. class AuditEvent_AuditLogCleared
  170. {
  171. uint32 AuditId = 0x0205;
  173. string PrimaryUserName;
  174. string PrimaryDomain;
  175. uint64 PrimaryLogonId;
  177. string ClientUserName;
  178. string ClientDomain;
  179. uint64 ClientLogonId;
  180. };
  183. //
  184. //
  185. // SE_AUDITID_SYSTEM_NOTIFY_PACKAGE_LOAD
  186. //
  187. // Category: SE_CATEGID_SYSTEM
  188. //
  190. class AuditEvent_NotifyPackageLoad
  191. {
  192. uint32 AuditId = 0x0206;
  194. string NotificationPackageName;
  195. };
  199. /////////////////////////////////////////////////////////////////////////////
  200. // //
  201. // //
  202. // Messages for Category: SE_CATEGID_LOGON //
  203. // //
  204. // //
  205. /////////////////////////////////////////////////////////////////////////////
  207. //
  208. // represents SE_CATEGID_LOGON
  209. //
  211. [abstractevent]
  212. class AuditEvent_Logon : AuditEvent
  213. {
  214. };
  216. //
  217. // abstract class that stores fields common to all user-logon events
  218. //
  219. [abstractevent]
  220. class AuditEvent_UserLogon : AuditEvent_Logon
  221. {
  222. string UserName;
  223. string Domain;
  224. uint16 LogonType;
  225. string LogonProcess;
  226. string AuthenticationPackage;
  227. string WorkstationName;
  228. };
  231. //
  232. //
  233. // SE_AUDITID_SUCCESSFUL_LOGON
  234. //
  235. // Category: SE_CATEGID_LOGON
  236. //
  237. //
  239. class AuditEvent_SuccessfulLogon : AuditEvent_UserLogon
  240. {
  241. uint32 AuditId = 0x0210;
  243. uint64 LogonId;
  244. };
  247. //
  248. //
  249. // SE_AUDITID_UNKNOWN_USER_OR_PWD
  250. //
  251. // Category: SE_CATEGID_LOGON
  252. //
  254. class AuditEvent_UnknownUserOrPwd : AuditEvent_UserLogon
  255. {
  256. uint32 AuditId = 0x0211;
  257. };
  260. //
  261. //
  262. // SE_AUDITID_ACCOUNT_TIME_RESTR
  263. //
  264. // Category: SE_CATEGID_LOGON
  265. //
  267. class AuditEvent_AccountTimeRestr : AuditEvent_UserLogon
  268. {
  269. uint32 AuditId = 0x0212;
  270. };
  273. //
  274. //
  275. // SE_AUDITID_ACCOUNT_DISABLED
  276. //
  277. // Category: SE_CATEGID_LOGON
  278. //
  280. class AuditEvent_AccountDisabled : AuditEvent_UserLogon
  281. {
  282. uint32 AuditId = 0x0213;
  283. };
  286. //
  287. //
  288. // SE_AUDITID_ACCOUNT_EXPIRED
  289. //
  290. // Category: SE_CATEGID_LOGON
  291. //
  293. class AuditEvent_AccountExpired : AuditEvent_UserLogon
  294. {
  295. uint32 AuditId = 0x0214;
  296. };
  298. // Logon Failure:%n
  299. // %tReason:%t%tThe specified user account has expired%n
  303. //
  304. //
  305. // SE_AUDITID_WORKSTATION_RESTR
  306. //
  307. // Category: SE_CATEGID_LOGON
  308. //
  310. class AuditEvent_WorkstationRestr : AuditEvent_UserLogon
  311. {
  312. uint32 AuditId = 0x0215;
  313. };
  315. // Logon Failure:%n
  316. // %tReason:%t%tUser not allowed to logon at this computer%n
  320. //
  321. //
  322. // SE_AUDITID_LOGON_TYPE_RESTR
  323. //
  324. // Category: SE_CATEGID_LOGON
  325. //
  327. class AuditEvent_LogonTypeRestr : AuditEvent_UserLogon
  328. {
  329. uint32 AuditId = 0x0216;
  330. };
  332. // Logon Failure:%n
  333. // %tReason:%tThe user has not been granted the requested%n
  334. // %t%tlogon type at this machine%n
  338. //
  339. //
  340. // SE_AUDITID_PASSWORD_EXPIRED
  341. //
  342. // Category: SE_CATEGID_LOGON
  343. //
  345. class AuditEvent_PasswordExpired : AuditEvent_UserLogon
  346. {
  347. uint32 AuditId = 0x0217;
  348. };
  350. // Logon Failure:%n
  351. // %tReason:%t%tThe specified accounts password has expired%n
  355. //
  356. //
  357. // SE_AUDITID_NETLOGON_NOT_STARTED
  358. //
  359. // Category: SE_CATEGID_LOGON
  360. //
  362. class AuditEvent_NetlogonNotStarted : AuditEvent_UserLogon
  363. {
  364. uint32 AuditId = 0x0218;
  365. };
  367. // Logon Failure:%n
  368. // %tReason:%t%tThe NetLogon component is not active%n
  372. //
  373. //
  374. // SE_AUDITID_UNSUCCESSFUL_LOGON
  375. //
  376. // Category: SE_CATEGID_LOGON
  377. //
  379. class AuditEvent_UnsuccessfulLogon : AuditEvent_UserLogon
  380. {
  381. uint32 AuditId = 0x0219;
  382. };
  384. // Logon Failure:%n
  385. // %tReason:%t%tAn unexpected error occurred during logon%n
  389. //
  390. //
  391. // SE_AUDITID_LOGOFF
  392. //
  393. // Category: SE_CATEGID_LOGON
  394. //
  396. class AuditEvent_Logoff : AuditEvent_Logon
  397. {
  398. uint32 AuditId = 0x021A;
  400. string UserName;
  401. string Domain;
  402. uint64 LogonId;
  403. uint16 LogonType;
  404. };
  406. // User Logoff:%n
  409. //
  410. //
  411. // SE_AUDITID_ACCOUNT_LOCKED
  412. //
  413. // Category: SE_CATEGID_LOGON
  414. //
  416. class AuditEvent_Accountlocked : AuditEvent_UserLogon
  417. {
  418. uint32 AuditId = 0x021B;
  419. };
  421. // Logon Failure:%n
  422. // %tReason:%t%tAccount locked out%n
  425. //
  426. //
  427. // SE_AUDITID_SUCCESSFUL_LOGON
  428. //
  429. // Category: SE_CATEGID_LOGON
  430. //
  432. class AuditEvent_NetworkLogon : AuditEvent_UserLogon
  433. {
  434. uint32 AuditId = 0x021c;
  435. uint64 LogonId;
  436. };
  438. // Successful Network Logon:%n
  441. //
  442. // abstract base class to represent IPSEC logon events
  443. //
  444. class AuditEvent_IpsecLogon : AuditEvent_Logon
  445. {
  446. };
  449. //
  450. //
  451. // SE_AUDITID_IPSEC_LOGON_SUCCESS
  452. //
  453. // Category: SE_CATEGID_LOGON
  454. //
  456. class AuditEvent_IpsecLogonSuccess : AuditEvent_IpsecLogon
  457. {
  458. uint32 AuditId = 0x021d;
  460. string Mode;
  461. string PeerIdentity;
  462. string Filter;
  463. string Parameters;
  464. };
  466. //IKE security association established.%n
  469. //
  470. //
  471. // SE_AUDITID_IPSEC_LOGOFF_QM
  472. //
  473. // Category: SE_CATEGID_LOGON
  474. //
  476. class AuditEvent_IpsecLogoffQm : AuditEvent_IpsecLogon
  477. {
  478. uint32 AuditId = 0x021e;
  480. string Filter;
  481. string InboundSpi;
  482. string OutboundSpi;
  483. };
  485. // IKE security association ended.%n
  486. // Mode: Data Protection (Quick mode)
  490. //
  491. //
  492. // SE_AUDITID_IPSEC_LOGOFF_MM
  493. //
  494. // Category: SE_CATEGID_LOGON
  495. //
  497. class AuditEvent_IpsecLogoffMm : AuditEvent_IpsecLogon
  498. {
  499. uint32 AuditId = 0x021f;
  501. string Filter;
  502. };
  504. // IKE security association ended.%n
  505. // Mode: Key Exchange (Main mode)%n
  509. //
  510. //
  511. // SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
  512. //
  513. // Category: SE_CATEGID_LOGON
  514. //
  516. class AuditEvent_IpsecAuthFailCertTrust : AuditEvent_IpsecLogon
  517. {
  518. uint32 AuditId = 0x0220;
  519. string PeerIdentity;
  520. string Filter;
  521. };
  523. // IKE security association establishment failed because peer could not authenticate.
  524. // The certificate trust could not be established.%n
  528. //
  529. //
  530. // SE_AUDITID_IPSEC_AUTH_FAIL
  531. //
  532. // Category: SE_CATEGID_LOGON
  533. //
  535. class AuditEvent_IpsecAuthFail : AuditEvent_IpsecLogon
  536. {
  537. uint32 AuditId = 0x0221;
  538. string PeerIdentity;
  539. string Filter;
  540. };
  542. // IKE peer authentication failed.%n
  546. //
  547. //
  548. // SE_AUDITID_IPSEC_ATTRIB_FAIL
  549. //
  550. // Category: SE_CATEGID_LOGON
  551. //
  553. class AuditEvent_IpsecAttribFail : AuditEvent_IpsecLogon
  554. {
  555. uint32 AuditId = 0x0222;
  557. string Mode;
  558. string Filter;
  559. string Attribute;
  560. string ExpectedValue;
  561. string ReceivedValue;
  562. };
  564. // IKE security association establishment failed because peer
  565. // sent invalid proposal.%n
  569. //
  570. //
  571. // SE_AUDITID_IPSEC_NEGOTIATION_FAIL
  572. //
  573. // Category: SE_CATEGID_LOGON
  574. //
  576. class AuditEvent_IpsecNegotiationFail : AuditEvent_IpsecLogon
  577. {
  578. uint32 AuditId = 0x0223;
  580. string Mode;
  581. string Filter;
  582. string FailurePoint;
  583. string FailureReason;
  584. };
  586. // IKE security association negotiation failed.%n
  591. /////////////////////////////////////////////////////////////////////////////
  592. // //
  593. // //
  594. // Messages for Category: SE_CATEGID_OBJECT_ACCESS //
  595. // //
  596. // //
  597. /////////////////////////////////////////////////////////////////////////////
  599. //
  600. // abstract class that represents SE_CATEGID_OBJECT_ACCESS
  601. //
  602. [abstractevent]
  603. class AuditEvent_ObjectAccess : AuditEvent
  604. {
  605. string ObjectServer;
  606. uint32 ProcessId;
  607. };
  609. class AuditEvent_AuthzAccess : AuditEvent
  610. {
  611. string ObjectServer;
  612. uint32 ProcessId;
  614. string OperationType;
  615. string Objecttype;
  616. string ObjectName;
  617. // uint64 HandleId;
  618. // uint64 OperationId;
  620. uint8 PrimaryUserSid[];
  621. string PrimaryUserName;
  622. string PrimaryDomain;
  623. uint64 PrimaryLogonId;
  625. uint8 ClientUserSid[];
  626. string ClientUserName;
  627. string ClientDomain;
  628. uint64 ClientLogonId;
  630. uint32 AccessMask;
  632. string AdditionalInfo;
  633. };
  635. //
  636. //
  637. // SE_AUDITID_OPEN_HANDLE
  638. //
  639. // Category: SE_CATEGID_OBJECT_ACCESS
  640. //
  642. class AuditEvent_OpenHandle : AuditEvent_ObjectAccess
  643. {
  644. uint32 AuditId = 0x0230;
  646. string ObjectType;
  647. string ObjectName;
  648. uint64 NewHandleId;
  649. uint64 OperationId;
  651. string PrimaryUserName;
  652. string PrimaryDomain;
  653. uint64 PrimaryLogonId;
  655. string ClientUserName;
  656. string ClientDomain;
  657. uint64 ClientLogonId;
  659. string Privileges[];
  660. };
  662. // Object Open:%n
  665. //
  666. //
  667. // SE_AUDITID_CREATE_HANDLE
  668. //
  669. // Category: SE_CATEGID_OBJECT_ACCESS
  670. //
  672. class AuditEvent_CreateHandle : AuditEvent_ObjectAccess
  673. {
  674. uint32 AuditId = 0x0231;
  675. uint64 HandleId;
  676. uint64 OperationId;
  677. };
  679. //Handle Allocated:%n
  682. //
  683. //
  684. // SE_AUDITID_CLOSE_HANDLE
  685. //
  686. // Category: SE_CATEGID_OBJECT_ACCESS
  687. //
  689. class AuditEvent_CloseHandle : AuditEvent_ObjectAccess
  690. {
  691. uint32 AuditId = 0x0232;
  692. uint64 HandleId;
  693. };
  695. //Handle Closed:%n
  697. //
  698. //
  699. // SE_AUDITID_OPEN_OBJECT_FOR_DELETE
  700. //
  701. // Category: SE_CATEGID_OBJECT_ACCESS
  702. //
  704. class AuditEvent_OpenObjectForDelete : AuditEvent_ObjectAccess
  705. {
  706. uint32 AuditId = 0x0233;
  708. string ObjectType;
  709. string ObjectName;
  710. uint64 NewHandleId;
  711. uint64 OperationId;
  713. string PrimaryUserName;
  714. string PrimaryDomain;
  715. uint64 PrimaryLogonId;
  717. string ClientUserName;
  718. string ClientDomain;
  719. uint64 ClientLogonId;
  721. string Privileges[];
  722. };
  724. //Object Open for Delete:%n
  728. //
  729. //
  730. // SE_AUDITID_DELETE_OBJECT
  731. //
  732. // Category: SE_CATEGID_OBJECT_ACCESS
  733. //
  735. class AuditEvent_DeleteObject : AuditEvent_ObjectAccess
  736. {
  737. uint32 AuditId = 0x0234;
  738. uint64 HandleId;
  739. };
  741. //Object Deleted:%n
  744. //
  745. //
  746. // SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE
  747. //
  748. // Category: SE_CATEGID_OBJECT_ACCESS
  749. //
  751. class AuditEvent_OpenHandleObjectType : AuditEvent_ObjectAccess
  752. {
  753. uint32 AuditId = 0x0235;
  755. string ObjectType;
  756. string ObjectName;
  757. uint64 NewHandleId;
  758. uint64 OperationId;
  760. string PrimaryUserName;
  761. string PrimaryDomain;
  762. uint64 PrimaryLogonId;
  764. string ClientUserName;
  765. string ClientDomain;
  766. uint64 ClientLogonId;
  768. string Properties;
  770. string Privileges[];
  771. };
  773. //Object Open:%n
  776. // SE_AUDITID_OBJECT_OPERATION
  777. //
  778. // Category: SE_CATEGID_OBJECT_ACCESS
  779. //
  781. class AuditEvent_ObjectOperation : AuditEvent_ObjectAccess
  782. {
  783. uint32 AuditId = 0x0236;
  785. string OperationType;
  786. string Objecttype;
  787. string ObjectName;
  788. uint64 HandleId;
  789. uint64 OperationId;
  791. string PrimaryUserName;
  792. string PrimaryDomain;
  793. uint64 PrimaryLogonId;
  795. string ClientUserName;
  796. string ClientDomain;
  797. uint64 ClientLogonId;
  799. uint32 RequestedAccesses;
  800. };
  802. //Object Operation:%n
  805. /////////////////////////////////////////////////////////////////////////////
  806. // //
  807. // //
  808. // Messages for Category: SE_CATEGID_PRIVILEGE_USE //
  809. // //
  810. // //
  811. /////////////////////////////////////////////////////////////////////////////
  813. //
  814. // represents SE_CATEGID_PRIVILEGE_USE
  815. //
  816. [abstractevent]
  817. class AuditEvent_PrivilegeUse : AuditEvent
  818. {
  819. string Privileges[];
  820. };
  822. //
  823. //
  824. // SE_AUDITID_ASSIGN_SPECIAL_PRIV
  825. //
  826. // Category: SE_CATEGID_PRIVILEGE_USE
  827. //
  829. class AuditEvent_AssignSpecialPriv : AuditEvent_PrivilegeUse
  830. {
  831. uint32 AuditId = 0x0240;
  833. string UserName;
  834. string Domain;
  835. uint64 LogonId;
  836. };
  838. //Special privileges assigned to new logon:%n
  841. //
  842. //
  843. // SE_AUDITID_PRIVILEGED_SERVICE
  844. //
  845. // Category: SE_CATEGID_PRIVILEGE_USE
  846. //
  848. class AuditEvent_PrivilegedService : AuditEvent_PrivilegeUse
  849. {
  850. uint32 AuditId = 0x0241;
  852. string Server;
  853. string Service;
  855. string PrimaryUserName;
  856. string PrimaryDomain;
  857. uint64 PrimaryLogonId;
  859. string ClientUserName;
  860. string ClientDomain;
  861. uint64 ClientLogonId;
  862. };
  864. //Privileged Service Called:%n
  865. //.
  867. //
  868. //
  869. // SE_AUDITID_PRIVILEGED_OBJECT
  870. //
  871. // Category: SE_CATEGID_PRIVILEGE_USE
  872. //
  874. class AuditEvent_PrivilegedObject : AuditEvent_PrivilegeUse
  875. {
  876. uint32 AuditId = 0x0242;
  878. string ObjectHandle;
  880. string PrimaryUserName;
  881. string PrimaryDomain;
  882. uint64 PrimaryLogonId;
  884. string ClientUserName;
  885. string ClientDomain;
  886. uint64 ClientLogonId;
  887. };
  889. //Privileged object operation:%n
  890. //.
  893. /////////////////////////////////////////////////////////////////////////////
  894. // //
  895. // //
  896. // Messages for Category: SE_CATEGID_DETAILED_TRACKING //
  897. // //
  898. // Event IDs: //
  899. // SE_AUDITID_PROCESS_CREATED //
  900. // SE_AUDITID_PROCESS_EXIT //
  901. // SE_AUDITID_DUPLICATE_HANDLE //
  902. // SE_AUDITID_INDIRECT_REFERENCE //
  903. // //
  904. /////////////////////////////////////////////////////////////////////////////
  906. //
  907. // abstract class that represents SE_CATEGID_DETAILED_TRACKING
  908. //
  909. [abstractevent]
  910. class AuditEvent_DetailedTracking : AuditEvent
  911. {
  913. };
  915. //
  916. //
  917. // SE_AUDITID_PROCESS_CREATED
  918. //
  919. // Category: SE_CATEGID_DETAILED_TRACKING
  920. //
  922. class AuditEvent_ProcessCreated : AuditEvent_DetailedTracking
  923. {
  924. uint32 AuditId = 0x0250;
  926. uint32 ProcessId;
  927. string ImageFileName;
  928. uint32 CreatorProcessId;
  930. string UserName;
  931. string Domain;
  932. uint64 LogonId;
  933. };
  935. //A new process has been created:%n
  936. //.
  938. //
  939. //
  940. // SE_AUDITID_PROCESS_EXIT
  941. //
  942. // Category: SE_CATEGID_DETAILED_TRACKING
  943. //
  945. class AuditEvent_ProcessExit : AuditEvent_DetailedTracking
  946. {
  947. uint32 AuditId = 0x0251;
  949. uint32 ProcessId;
  951. string UserName;
  952. string Domain;
  953. uint64 LogonId;
  954. };
  956. //A process has exited:%n
  957. //.
  959. //
  960. //
  961. // SE_AUDITID_DUPLICATE_HANDLE
  962. //
  963. // Category: SE_CATEGID_DETAILED_TRACKING
  964. //
  966. class AuditEvent_DuplicateHandle : AuditEvent_DetailedTracking
  967. {
  968. uint32 AuditId = 0x0252;
  970. uint64 SourceHandleId;
  971. uint32 SourceProcessId;
  973. uint64 TargetHandleId;
  974. uint32 TargetProcessId;
  975. };
  977. //A handle to an object has been duplicated:%n
  978. //.
  980. //
  981. //
  982. // SE_AUDITID_INDIRECT_REFERENCE
  983. //
  984. // Category: SE_CATEGID_DETAILED_TRACKING
  985. //
  987. class AuditEvent_IndirectReference : AuditEvent_DetailedTracking
  988. {
  989. uint32 AuditId = 0x0253;
  991. string ObjectType;
  992. string ObjectName;
  993. uint32 ProcessId;
  995. string PrimaryUserName;
  996. string PrimaryDomain;
  997. uint64 PrimaryLogonId;
  999. string ClientUserName;
  1000. string ClientDomain;
  1001. uint64 ClientLogonId;
  1003. uint32 GrantedAccess;
  1004. };
  1006. //Indirect access to an object has been obtained:%n
  1007. //.
  1010. /////////////////////////////////////////////////////////////////////////////
  1011. // //
  1012. // //
  1013. // Messages for Category: SE_CATEGID_POLICY_CHANGE //
  1014. // //
  1015. // Event IDs: //
  1016. // SE_AUDITID_USER_RIGHT_ASSIGNED //
  1017. // SE_AUDITID_USER_RIGHT_REMOVED //
  1018. // SE_AUDITID_TRUSTED_DOMAIN_ADD //
  1019. // SE_AUDITID_TRUSTED_DOMAIN_REM //
  1020. // SE_AUDITID_POLICY_CHANGE //
  1021. // SE_AUDITID_IPSEC_POLICY_START //
  1022. // SE_AUDITID_IPSEC_POLICY_DISABLED //
  1023. // SE_AUDITID_IPSEC_POLICY_CHANGED //
  1024. // SE_AUDITID_IPSEC_POLICY_FAILURE //
  1025. // //
  1026. /////////////////////////////////////////////////////////////////////////////
  1030. //
  1031. // abstract class that represents SE_CATEGID_POLICY_CHANGE
  1032. //
  1033. [abstractevent]
  1034. class AuditEvent_PolicyChange : AuditEvent
  1035. {
  1037. };
  1039. //
  1040. // abstract class that represents user-rights operations
  1041. //
  1042. [abstractevent]
  1043. class AuditEvent_UserRightsOperation : AuditEvent_PolicyChange
  1044. {
  1045. string UserRight;
  1047. uint8 TargetUser[];
  1049. // caller
  1050. string UserName;
  1051. string Domain;
  1052. uint64 LogonId;
  1053. };
  1056. //
  1057. //
  1058. // SE_AUDITID_USER_RIGHT_ASSIGNED
  1059. //
  1060. // Category: SE_CATEGID_POLICY_CHANGE
  1061. //
  1063. class AuditEvent_UserRightAssigned : AuditEvent_UserRightsOperation
  1064. {
  1065. uint32 AuditId = 0x0260;
  1066. };
  1068. //User Right Assigned:%n
  1069. //.
  1071. //
  1072. //
  1073. // SE_AUDITID_USER_RIGHT_REMOVED
  1074. //
  1075. // Category: SE_CATEGID_POLICY_CHANGE
  1076. //
  1078. class AuditEvent_UserRightRemoved : AuditEvent_UserRightsOperation
  1079. {
  1080. uint32 AuditId = 0x0261;
  1081. };
  1083. //User Right Removed:%n
  1084. //.
  1086. //
  1087. // abstract class that represents TDO operations
  1088. //
  1089. [abstractevent]
  1090. class AuditEvent_TrustedDomainOperation : AuditEvent_PolicyChange
  1091. {
  1092. string DomainName;
  1093. string DomainId;
  1095. string UserName;
  1096. string Domain;
  1097. uint64 LogonId;
  1098. };
  1101. //
  1102. //
  1103. // SE_AUDITID_TRUSTED_DOMAIN_ADD
  1104. //
  1105. // Category: SE_CATEGID_POLICY_CHANGE
  1106. //
  1108. class AuditEvent_TrustedDomainAdd : AuditEvent_TrustedDomainOperation
  1109. {
  1110. uint32 AuditId = 0x0262;
  1112. };
  1114. //New Trusted Domain:%n
  1115. //.
  1117. //
  1118. //
  1119. // SE_AUDITID_TRUSTED_DOMAIN_REM
  1120. //
  1121. // Category: SE_CATEGID_POLICY_CHANGE
  1122. //
  1124. class AuditEvent_TrustedDomainRem : AuditEvent_TrustedDomainOperation
  1125. {
  1126. uint32 AuditId = 0x0263;
  1127. };
  1129. //Removing Trusted Domain:%n
  1130. //.
  1133. //
  1134. //
  1135. // SE_AUDITID_TRUSTED_DOMAIN_MOD
  1136. //
  1137. // Category: SE_CATEGID_POLICY_CHANGE
  1138. //
  1140. class AuditEvent_TrustedDomainMod : AuditEvent_TrustedDomainOperation
  1141. {
  1142. uint32 AuditId = 0x026C;
  1143. };
  1145. //Trusted Domain Information Modified:%n
  1146. //.
  1150. //
  1151. //
  1152. // SE_AUDITID_POLICY_CHANGE
  1153. //
  1154. // Category: SE_CATEGID_POLICY_CHANGE
  1155. //
  1157. class AuditEvent_PolicyChange : AuditEvent_PolicyChange
  1158. {
  1159. uint32 AuditId = 0x0264;
  1161. // ... new policy here...
  1163. string UserName;
  1164. string DomainName;
  1165. uint64 LogonId;
  1166. };
  1168. //Audit Policy Change:%n
  1169. //New Policy:%n
  1170. //...
  1171. //Changed By:%n
  1172. //.
  1175. //
  1176. // abstract class that represents Ipsec policy operations
  1177. //
  1178. [abstractevent]
  1179. class AuditEvent_IpsecPolicy : AuditEvent_PolicyChange
  1180. {
  1181. };
  1184. //
  1185. //
  1186. // SE_AUDITID_IPSEC_POLICY_START
  1187. //
  1188. // Category: SE_CATEGID_POLICY_CHANGE
  1189. //
  1191. class AuditEvent_IpsecPolicyStart : AuditEvent_IpsecPolicy
  1192. {
  1193. uint32 AuditId = 0x0265;
  1194. };
  1196. //IPSec policy agent started: %t%1%n
  1197. //Policy Source: %t%2%n
  1198. //.
  1200. //
  1201. //
  1202. // SE_AUDITID_IPSEC_POLICY_DISABLED
  1203. //
  1204. // Category: SE_CATEGID_POLICY_CHANGE
  1205. //
  1207. class AuditEvent_IpsecPolicyDisabled : AuditEvent_IpsecPolicy
  1208. {
  1209. uint32 AuditId = 0x0266;
  1210. };
  1212. //IPSec policy agent disabled: %t%1%n
  1213. //.
  1215. //
  1216. //
  1217. // SE_AUDITID_IPSEC_POLICY_CHANGED
  1218. //
  1219. // Category: SE_CATEGID_POLICY_CHANGE
  1220. //
  1222. class AuditEvent_IpsecPolicyChanged : AuditEvent_IpsecPolicy
  1223. {
  1224. uint32 AuditId = 0x0267;
  1225. };
  1227. //IPSEC PolicyAgent Service: %t%1%n
  1228. //.
  1230. //
  1231. //
  1232. // SE_AUDITID_IPSEC_POLICY_FAILURE
  1233. //
  1234. // Category: SE_CATEGID_POLICY_CHANGE
  1235. //
  1237. class AuditEvent_IpsecPolicyFailure : AuditEvent_IpsecPolicy
  1238. {
  1239. uint32 AuditId = 0x0268;
  1240. };
  1242. //IPSec policy agent encountered a potentially serious failure.%n
  1243. //.
  1245. //
  1246. // abstract class that represents kerberos policy operations
  1247. //
  1248. [abstractevent]
  1249. class AuditEvent_KerberosPolicy : AuditEvent_PolicyChange
  1250. {
  1251. };
  1255. //
  1256. //
  1257. // SE_AUDITID_KERBEROS_POLICY_CHANGE
  1258. //
  1259. // Category: SE_CATEGID_POLICY_CHANGE
  1260. //
  1262. class AuditEvent_KerberosPolicyChange : AuditEvent_KerberosPolicy
  1263. {
  1264. uint32 AuditId = 0x0269;
  1266. // changed by
  1267. string UserName;
  1268. string DomainName;
  1269. uint64 LogonId;
  1271. // changes made
  1272. };
  1274. //Kerberos Policy Changed:%n
  1275. //Changed By:%n
  1276. //Changes made:%n
  1277. //.
  1280. //
  1281. // abstract class that represents EFS policy operations
  1282. //
  1283. [abstractevent]
  1284. class AuditEvent_EfsPolicy : AuditEvent_PolicyChange
  1285. {
  1286. };
  1290. //
  1291. //
  1292. // SE_AUDITID_EFS_POLICY_CHANGE
  1293. //
  1294. // Category: SE_CATEGID_POLICY_CHANGE
  1295. //
  1297. class AuditEvent_EfsPolicyChange : AuditEvent_EfsPolicy
  1298. {
  1299. uint32 AuditId = 0x026a;
  1301. // changed by
  1302. string UserName;
  1303. string DomainName;
  1304. uint64 LogonId;
  1306. // changes made
  1307. };
  1309. //Encrypted Data Recovery Policy Changed:%n
  1310. //Changed By:%n
  1311. //Changes made:%n
  1312. //.
  1314. //
  1315. // abstract class that represents QoS policy operations
  1316. //
  1317. [abstractevent]
  1318. class AuditEvent_QosPolicy : AuditEvent_PolicyChange
  1319. {
  1320. };
  1323. //
  1324. //
  1325. // SE_AUDITID_QOS_POLICY_CHANGE
  1326. //
  1327. // Category: SE_CATEGID_POLICY_CHANGE
  1328. //
  1330. class AuditEvent_QosPolicyChange : AuditEvent_QosPolicy
  1331. {
  1332. uint32 AuditId = 0x026b;
  1334. // changed by
  1335. string UserName;
  1336. string DomainName;
  1337. uint64 LogonId;
  1339. // changes made
  1340. };
  1342. //Quality of Service Policy Changed:%n
  1343. //Changes made:%n
  1344. //Changed By:%n
  1345. //.
  1347. /////////////////////////////////////////////////////////////////////////////
  1348. // //
  1349. // //
  1350. // Messages for Category: SE_CATEGID_ACCOUNT_MANAGEMENT //
  1351. // //
  1352. // Event IDs: //
  1353. // SE_AUDITID_USER_CREATED //
  1354. // SE_AUDITID_USER_CHANGE //
  1355. // SE_AUDITID_ACCOUNT_TYPE_CHANGE //
  1356. // SE_AUDITID_USER_ENABLED //
  1357. // SE_AUDITID_USER_PWD_CHANGED //
  1358. // SE_AUDITID_USER_PWD_SET //
  1359. // SE_AUDITID_USER_DISABLED //
  1360. // SE_AUDITID_USER_DELETED //
  1361. // //
  1362. // SE_AUDITID_COMPUTER_CREATED //
  1363. // SE_AUDITID_COMPUTER_CHANGE //
  1364. // SE_AUDITID_COMPUTER_DELETED //
  1365. // //
  1366. // SE_AUDITID_GLOBAL_GROUP_CREATED //
  1367. // SE_AUDITID_GLOBAL_GROUP_ADD //
  1368. // SE_AUDITID_GLOBAL_GROUP_REM //
  1369. // SE_AUDITID_GLOBAL_GROUP_DELETED //
  1370. // SE_AUDITID_LOCAL_GROUP_CREATED //
  1371. // SE_AUDITID_LOCAL_GROUP_ADD //
  1372. // SE_AUDITID_LOCAL_GROUP_REM //
  1373. // SE_AUDITID_LOCAL_GROUP_DELETED //
  1374. // //
  1375. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED //
  1376. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE //
  1377. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD //
  1378. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM //
  1379. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED //
  1380. // //
  1381. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED //
  1382. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE //
  1383. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD //
  1384. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM //
  1385. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED //
  1386. // //
  1387. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED //
  1388. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE //
  1389. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD //
  1390. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM //
  1391. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED //
  1392. // //
  1393. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED //
  1394. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE //
  1395. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD //
  1396. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM //
  1397. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED //
  1398. // //
  1399. // SE_AUDITID_GROUP_TYPE_CHANGE //
  1400. // //
  1401. // SE_AUDITID_ADD_SID_HISTORY_SUCCESS //
  1402. // SE_AUDITID_ADD_SID_HISTORY_FAILURE //
  1403. // //
  1404. // SE_AUDITID_OTHER_ACCT_CHANGE //
  1405. // SE_AUDITID_DOMAIN_POLICY_CHANGE //
  1406. // SE_AUDITID_ACCOUNT_AUTO_LOCKED //
  1407. // //
  1408. // //
  1409. /////////////////////////////////////////////////////////////////////////////
  1412. //
  1413. // abstract class that represents SE_CATEGID_ACCOUNT_MANAGEMENT
  1414. //
  1415. [abstractevent]
  1416. class AuditEvent_AccountManagement : AuditEvent
  1417. {
  1419. };
  1422. //
  1423. // abstract class that groups common fields for account change opns
  1424. //
  1425. [abstractevent]
  1426. class AuditEvent_AccountChange : AuditEvent_AccountManagement
  1427. {
  1428. string TargetAccountName;
  1429. string TargetDomain;
  1430. uint32 TargetAccountId;
  1432. string CallerUserName;
  1433. string CallerDomain;
  1434. uint64 CallerLogonId;
  1435. };
  1438. //
  1439. //
  1440. // SE_AUDITID_USER_CREATED
  1441. //
  1442. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1443. //
  1445. class AuditEvent_UserCreated : AuditEvent_AccountChange
  1446. {
  1447. uint32 AuditId = 0x0270;
  1449. string Privileges[];
  1450. };
  1452. //User Account Created:%n
  1453. //.
  1455. //
  1456. //
  1457. // SE_AUDITID_ACCOUNT_TYPE_CHANGE
  1458. //
  1459. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1460. //
  1462. class AuditEvent_AccountTypeChange : AuditEvent_AccountChange
  1463. {
  1464. uint32 AuditId = 0x0271;
  1466. string NewType;
  1467. };
  1469. //User Account Type Change:%n
  1470. //.
  1472. //
  1473. //
  1474. // SE_AUDITID_USER_ENABLED
  1475. //
  1476. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1477. //
  1479. class AuditEvent_UserEnabled : AuditEvent_AccountChange
  1480. {
  1481. uint32 AuditId = 0x0272;
  1482. };
  1484. //User Account Enabled:%n
  1485. //.
  1487. //
  1488. //
  1489. // SE_AUDITID_USER_PWD_CHANGED
  1490. //
  1491. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1492. //
  1494. class AuditEvent_UserPwdChanged : AuditEvent_AccountChange
  1495. {
  1496. uint32 AuditId = 0x0273;
  1498. string Privileges[];
  1499. };
  1501. //Change Password Attempt:%n
  1502. //.
  1504. //
  1505. //
  1506. // SE_AUDITID_USER_PWD_SET
  1507. //
  1508. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1509. //
  1511. class AuditEvent_UserPwdSet : AuditEvent_AccountChange
  1512. {
  1513. uint32 AuditId = 0x0274;
  1514. };
  1516. //User Account password set:%n
  1517. //.
  1519. //
  1520. //
  1521. // SE_AUDITID_USER_DISABLED
  1522. //
  1523. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1524. //
  1526. class AuditEvent_UserDisabled : AuditEvent_AccountChange
  1527. {
  1528. uint32 AuditId = 0x0275;
  1529. };
  1531. //User Account Disabled:%n
  1532. //.
  1534. //
  1535. //
  1536. // SE_AUDITID_USER_DELETED
  1537. //
  1538. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1539. //
  1541. class AuditEvent_UserDeleted : AuditEvent_AccountChange
  1542. {
  1543. uint32 AuditId = 0x0276;
  1545. string Privileges[];
  1546. };
  1548. //User Account Deleted:%n
  1549. //.
  1551. //
  1552. //
  1553. // SE_AUDITID_USER_CHANGE
  1554. //
  1555. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1556. //
  1558. class AuditEvent_UserChange : AuditEvent_AccountChange
  1559. {
  1560. uint32 AuditId = 0x0282;
  1562. string TypeOfChange;
  1564. string Privileges[];
  1565. };
  1567. //User Account Changed:%n
  1568. //.
  1571. // ======================================================================
  1573. //
  1574. // abstract class that groups common fields for group change opns
  1575. //
  1576. [abstractevent]
  1577. class AuditEvent_GroupChange : AuditEvent_AccountManagement
  1578. {
  1579. string TargetAccountName;
  1580. string TargetDomain;
  1581. uint32 TargetAccountId;
  1583. string CallerUserName;
  1584. string CallerDomain;
  1585. uint64 CallerLogonId;
  1587. string Privileges[];
  1588. };
  1591. //
  1592. // abstract class that groups common fields for group membership opns
  1593. //
  1594. [abstractevent]
  1595. class AuditEvent_GroupMembershipChange : AuditEvent_GroupChange
  1596. {
  1597. string MemberName;
  1598. uint32 MemberId;
  1599. };
  1603. //
  1604. //
  1605. // SE_AUDITID_GLOBAL_GROUP_CREATED
  1606. //
  1607. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1608. //
  1610. class AuditEvent_GlobalGroupCreated : AuditEvent_GroupChange
  1611. {
  1612. uint32 AuditId = 0x0277;
  1613. };
  1615. //Security Enabled Global Group Created:%n
  1616. //.
  1618. //
  1619. //
  1620. // SE_AUDITID_GLOBAL_GROUP_DELETED
  1621. //
  1622. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1623. //
  1625. class AuditEvent_GlobalGroupDeleted : AuditEvent_GroupChange
  1626. {
  1627. uint32 AuditId = 0x027A;
  1628. };
  1630. //Security Enabled Global Group Deleted:%n
  1631. //.
  1633. //
  1634. //
  1635. // SE_AUDITID_GLOBAL_GROUP_CHANGE
  1636. //
  1637. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1638. //
  1640. class AuditEvent_GlobalGroupChange : AuditEvent_GroupChange
  1641. {
  1642. uint32 AuditId = 0x0281;
  1643. };
  1645. //Security Enabled Global Group Changed:%n
  1646. //.
  1649. //
  1650. //
  1651. // SE_AUDITID_GLOBAL_GROUP_ADD
  1652. //
  1653. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1654. //
  1656. class AuditEvent_GlobalGroupAdd : AuditEvent_GroupMembershipChange
  1657. {
  1658. uint32 AuditId = 0x0278;
  1659. };
  1661. //Security Enabled Global Group Member Added:%n
  1662. //.
  1664. //
  1665. //
  1666. // SE_AUDITID_GLOBAL_GROUP_REM
  1667. //
  1668. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1669. //
  1671. class AuditEvent_GlobalGroupRem : AuditEvent_GroupMembershipChange
  1672. {
  1673. uint32 AuditId = 0x0279;
  1674. };
  1676. //Security Enabled Global Group Member Removed:%n
  1677. //.
  1679. //
  1680. //
  1681. // SE_AUDITID_LOCAL_GROUP_CREATED
  1682. //
  1683. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1684. //
  1686. class AuditEvent_LocalGroupCreated : AuditEvent_GroupChange
  1687. {
  1688. uint32 AuditId = 0x027B;
  1689. };
  1691. //Security Enabled Local Group Created:%n
  1692. //.
  1694. //
  1695. //
  1696. // SE_AUDITID_LOCAL_GROUP_DELETED
  1697. //
  1698. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1699. //
  1701. class AuditEvent_LocalGroupDeleted : AuditEvent_GroupChange
  1702. {
  1703. uint32 AuditId = 0x027E;
  1704. };
  1706. //Security Enabled Local Group Deleted:%n
  1707. //.
  1709. //
  1710. //
  1711. // SE_AUDITID_LOCAL_GROUP_CHANGE
  1712. //
  1713. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1714. //
  1716. class AuditEvent_LocalGroupChange : AuditEvent_GroupChange
  1717. {
  1718. uint32 AuditId = 0x027F;
  1719. };
  1721. //Security Enabled Local Group Changed:%n
  1722. //.
  1724. //
  1725. //
  1726. // SE_AUDITID_LOCAL_GROUP_ADD
  1727. //
  1728. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1729. //
  1731. class AuditEvent_LocalGroupAdd : AuditEvent_GroupMembershipChange
  1732. {
  1733. uint32 AuditId = 0x027C;
  1734. };
  1736. //Security Enabled Local Group Member Added:%n
  1737. //.
  1739. //
  1740. //
  1741. // SE_AUDITID_LOCAL_GROUP_REM
  1742. //
  1743. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1744. //
  1746. class AuditEvent_LocalGroupRem : AuditEvent_GroupMembershipChange
  1747. {
  1748. uint32 AuditId = 0x027D;
  1749. };
  1751. //Security Enabled Local Group Member Removed:%n
  1752. //.
  1754. //
  1755. //
  1756. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED
  1757. //
  1758. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1759. //
  1761. class AuditEvent_SecurityDisabledLocalGroupCreated : AuditEvent_GroupChange
  1762. {
  1763. uint32 AuditId = 0x0288;
  1764. };
  1766. //Security Disabled Local Group Created:%n
  1767. //.
  1769. //
  1770. //
  1771. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE
  1772. //
  1773. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1774. //
  1776. class AuditEvent_SecurityDisabledLocalGroupChange : AuditEvent_GroupChange
  1777. {
  1778. uint32 AuditId = 0x0289;
  1779. };
  1781. //Security Disabled Local Group Changed:%n
  1782. //.
  1784. //
  1785. //
  1786. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD
  1787. //
  1788. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1789. //
  1791. class AuditEvent_SecurityDisabledLocalGroupAdd : AuditEvent_GroupMembershipChange
  1792. {
  1793. uint32 AuditId = 0x028A;
  1794. };
  1796. //Security Disabled Local Group Member Added:%n
  1797. //.
  1799. //
  1800. //
  1801. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM
  1802. //
  1803. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1804. //
  1806. class AuditEvent_SecurityDisabledLocalGroupRem : AuditEvent_GroupMembershipChange
  1807. {
  1808. uint32 AuditId = 0x028B;
  1809. };
  1811. //Security Disabled Local Group Member Removed:%n
  1812. //.
  1814. //
  1815. //
  1816. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED
  1817. //
  1818. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1819. //
  1821. class AuditEvent_SecurityDisabledLocalGroupDeleted : AuditEvent_GroupChange
  1822. {
  1823. uint32 AuditId = 0x028C;
  1824. };
  1826. //Security Disabled Local Group Deleted:%n
  1827. //.
  1829. //
  1830. //
  1831. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED
  1832. //
  1833. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1834. //
  1836. class AuditEvent_SecurityDisabledGlobalGroupCreated : AuditEvent_GroupChange
  1837. {
  1838. uint32 AuditId = 0x028D;
  1839. };
  1841. //Security Disabled Global Group Created:%n
  1842. //.
  1844. //
  1845. //
  1846. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE
  1847. //
  1848. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1849. //
  1851. class AuditEvent_SecurityDisabledGlobalGroupChange : AuditEvent_GroupChange
  1852. {
  1853. uint32 AuditId = 0x028E;
  1854. };
  1856. //Security Disabled Global Group Changed:%n
  1857. //.
  1859. //
  1860. //
  1861. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD
  1862. //
  1863. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1864. //
  1866. class AuditEvent_SecurityDisabledGlobalGroupAdd : AuditEvent_GroupMembershipChange
  1867. {
  1868. uint32 AuditId = 0x028F;
  1869. };
  1871. //Security Disabled Global Group Member Added:%n
  1872. //.
  1874. //
  1875. //
  1876. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM
  1877. //
  1878. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1879. //
  1881. class AuditEvent_SecurityDisabledGlobalGroupRem : AuditEvent_GroupMembershipChange
  1882. {
  1883. uint32 AuditId = 0x0290;
  1884. };
  1886. //Security Disabled Global Group Member Removed:%n
  1887. //.
  1889. //
  1890. //
  1891. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED
  1892. //
  1893. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1894. //
  1896. class AuditEvent_SecurityDisabledGlobalGroupDeleted : AuditEvent_GroupChange
  1897. {
  1898. uint32 AuditId = 0x0291;
  1899. };
  1901. //Security Disabled Global Group Deleted:%n
  1902. //.
  1904. //
  1905. //
  1906. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED
  1907. //
  1908. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1909. //
  1911. class AuditEvent_SecurityEnabledUniversalGroupCreated : AuditEvent_GroupChange
  1912. {
  1913. uint32 AuditId = 0x0292;
  1914. };
  1916. //Security Enabled Universal Group Created:%n
  1917. //.
  1919. //
  1920. //
  1921. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE
  1922. //
  1923. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1924. //
  1926. class AuditEvent_SecurityEnabledUniversalGroupChange : AuditEvent_GroupChange
  1927. {
  1928. uint32 AuditId = 0x0293;
  1929. };
  1931. //Security Enabled Universal Group Changed:%n
  1932. //.
  1934. //
  1935. //
  1936. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD
  1937. //
  1938. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1939. //
  1941. class AuditEvent_SecurityEnabledUniversalGroupAdd : AuditEvent_GroupMembershipChange
  1942. {
  1943. uint32 AuditId = 0x0294;
  1944. };
  1946. //Security Enabled Universal Group Member Added:%n
  1947. //.
  1949. //
  1950. //
  1951. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM
  1952. //
  1953. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1954. //
  1956. class AuditEvent_SecurityEnabledUniversalGroupRem : AuditEvent_GroupMembershipChange
  1957. {
  1958. uint32 AuditId = 0x0295;
  1959. };
  1961. //Security Enabled Universal Group Member Removed:%n
  1962. //.
  1964. //
  1965. //
  1966. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED
  1967. //
  1968. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1969. //
  1971. class AuditEvent_SecurityEnabledUniversalGroupDeleted : AuditEvent_GroupChange
  1972. {
  1973. uint32 AuditId = 0x0296;
  1974. };
  1976. //Security Enabled Universal Group Deleted:%n
  1977. //.
  1979. //
  1980. //
  1981. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED
  1982. //
  1983. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1984. //
  1986. class AuditEvent_SecurityDisabledUniversalGroupCreated : AuditEvent_GroupChange
  1987. {
  1988. uint32 AuditId = 0x0297;
  1989. };
  1991. //Security Disabled Universal Group Created:%n
  1992. //.
  1994. //
  1995. //
  1996. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE
  1997. //
  1998. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1999. //
  2001. class AuditEvent_SecurityDisabledUniversalGroupChange : AuditEvent_GroupChange
  2002. {
  2003. uint32 AuditId = 0x0298;
  2004. };
  2006. //Security Disabled Universal Group Changed:%n
  2007. //.
  2009. //
  2010. //
  2011. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD
  2012. //
  2013. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2014. //
  2016. class AuditEvent_SecurityDisabledUniversalGroupAdd : AuditEvent_GroupMembershipChange
  2017. {
  2018. uint32 AuditId = 0x0299;
  2019. };
  2021. //Security Disabled Universal Group Member Added:%n
  2022. //.
  2024. //
  2025. //
  2026. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM
  2027. //
  2028. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2029. //
  2031. class AuditEvent_SecurityDisabledUniversalGroupRem : AuditEvent_GroupMembershipChange
  2032. {
  2033. uint32 AuditId = 0x029A;
  2034. };
  2036. //Security Disabled Universal Group Member Removed:%n
  2037. //.
  2039. //
  2040. //
  2041. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED
  2042. //
  2043. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2044. //
  2046. class AuditEvent_SecurityDisabledUniversalGroupDeleted
  2047. {
  2048. uint32 AuditId = 0x029B;
  2049. };
  2051. //Security Disabled Universal Group Deleted:%n
  2052. //.
  2054. //
  2055. //
  2056. // SE_AUDITID_OTHER_ACCOUNT_CHANGE
  2057. //
  2058. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2059. //
  2060. // Note: not used
  2061. //
  2063. class AuditEvent_OtherAccountChange : AuditEvent_AccountManagement
  2064. {
  2065. uint32 AuditId = 0x0280;
  2067. string TypeOfChange;
  2069. string ObjectType;
  2070. string ObjectName;
  2071. string ObjectId; // type?
  2073. string CallerUserName;
  2074. string CallerDomain;
  2075. uint64 CallerLogonId;
  2076. };
  2078. //General Account Database Change:%n
  2079. //.
  2081. //
  2082. //
  2083. // SE_AUDITID_GROUP_TYPE_CHANGE
  2084. //
  2085. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2086. //
  2088. class AuditEvent_GroupTypeChange : AuditEvent_GroupChange
  2089. {
  2090. uint32 AuditId = 0x029C;
  2092. uint8 NewType;
  2093. };
  2095. //Group Type Changed:%n
  2096. //.
  2099. //
  2100. //
  2101. // SE_AUDITID_DOMAIN_POLICY_CHANGE
  2102. //
  2103. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2104. //
  2106. //$ BUGBUG kumarp 23-February-2000
  2107. // which class to derive from?
  2108. //
  2109. class AuditEvent_DomainPolicyChange
  2110. {
  2111. uint32 AuditId = 0x0283;
  2113. string TypeOfChange;
  2115. string Domain;
  2116. string DomainId;
  2118. string CallerUserName;
  2119. string CallerDomain;
  2120. string CallerLogonId;
  2122. string Privileges[];
  2123. };
  2125. //Domain Policy Changed: %1 modified%n
  2126. //.
  2128. //
  2129. //
  2130. // SE_AUDITID_ACCOUNT_AUTO_LOCKED
  2131. //
  2132. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2133. //
  2135. class AuditEvent_AccountAutoLocked : AuditEvent_AccountChange
  2136. {
  2137. uint32 AuditId = 0x0284;
  2139. string CallerMachineName;
  2140. };
  2142. //User Account Locked Out:%n
  2143. //.
  2146. //
  2147. // abstract class that groups common fields for computer account change opns
  2148. //
  2149. [abstractevent]
  2150. class AuditEvent_ComputerAccountChange : AuditEvent_AccountChange
  2151. {
  2152. };
  2155. //
  2156. //
  2157. // SE_AUDITID_COMPUTER_CREATED
  2158. //
  2159. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2160. //
  2162. class AuditEvent_ComputerCreated : AuditEvent_ComputerAccountChange
  2163. {
  2164. uint32 AuditId = 0x0285;
  2166. string Privileges[];
  2167. };
  2169. //Computer Account Created:%n
  2170. //.
  2172. //
  2173. //
  2174. // SE_AUDITID_COMPUTER_CHANGE
  2175. //
  2176. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2177. //
  2179. class AuditEvent_ComputerChange : AuditEvent_ComputerAccountChange
  2180. {
  2181. uint32 AuditId = 0x0286;
  2183. string TypeOfChange;
  2185. string Privileges[];
  2186. };
  2188. //Computer Account Changed:%n
  2189. //.
  2191. //
  2192. //
  2193. // SE_AUDITID_COMPUTER_DELETED
  2194. //
  2195. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2196. //
  2198. class AuditEvent_ComputerDeleted : AuditEvent_ComputerAccountChange
  2199. {
  2200. uint32 AuditId = 0x0287;
  2202. string Privileges[];
  2203. };
  2205. //Computer Account Deleted:%n
  2206. //.
  2208. //
  2209. //
  2210. // SE_AUDITID_ADD_SID_HISTORY_SUCCESS+SE_AUDITID_ADD_SID_HISTORY_FAILURE
  2211. //
  2212. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  2213. //
  2215. class AuditEvent_AddSidHistory : AuditEvent_AccountChange
  2216. {
  2217. uint32 AuditId = 0x029D;
  2218. string SourceAccountName;
  2219. string SourceAccountId;
  2220. string Privileges[];
  2221. };
  2223. //Add SID History:%n
  2224. //.
  2228. /////////////////////////////////////////////////////////////////////////////
  2229. // //
  2230. // //
  2231. // Messages for Category: SE_CATEGID_ACCOUNT_LOGON //
  2232. // //
  2233. // Event IDs: //
  2234. // SE_AUDITID_AS_TICKET_SUCCESS //
  2235. // SE_AUDITID_TGS_TICKET_SUCCESS //
  2236. // SE_AUDITID_TICKET_RENEW_SUCCESS //
  2237. // SE_AUDITID_PREAUTH_FAILURE //
  2238. // SE_AUDITID_AS_TICKET_FAILURE //
  2239. // SE_AUDITID_TGS_TICKET_FAILURE //
  2240. // SE_AUDITID_ACCOUNT_MAPPED //
  2241. // SE_AUDITID_ACCOUNT_NOT_MAPPED //
  2242. // SE_AUDITID_ACCOUNT_LOGON_SUCCESS //
  2243. // SE_AUDITID_ACCOUNT_LOGON_FAILURE //
  2244. // //
  2245. /////////////////////////////////////////////////////////////////////////////
  2247. //
  2248. // abstract class that represents SE_CATEGID_ACCOUNT_LOGON
  2249. //
  2250. [abstractevent]
  2251. class AuditEvent_AccountLogon : AuditEvent
  2252. {
  2254. };
  2256. //
  2257. // abstract class that groups common fields for kerberos logon
  2258. //
  2259. [abstractevent]
  2260. class AuditEvent_KerberosLogon : AuditEvent_AccountLogon
  2261. {
  2263. };
  2265. //
  2266. //
  2267. // SE_AUDITID_AS_TICKET_SUCCESS+SE_AUDITID_AS_TICKET_FAILURE
  2268. //
  2269. // Category: SE_CATEGID_ACCOUNT_LOGON
  2270. //
  2272. class AuditEvent_AsTicket : AuditEvent_KerberosLogon
  2273. {
  2274. uint32 AuditId = 0x02a0;
  2276. string UserName;
  2277. string SuppliedRealmName;
  2278. string UserId;
  2280. string ServiceName;
  2281. string ServiceId;
  2283. string TicketOptions;
  2284. string TicketEncryptionType;
  2285. string PreAuthenticationType;
  2287. string ClientAddress;
  2289. uint32 StatusCode = 0;
  2290. };
  2292. //Authentication Ticket Granted:%n
  2293. //.
  2295. //
  2296. //
  2297. // SE_AUDITID_TGS_TICKET_SUCCESS+SE_AUDITID_TGS_TICKET_FAILURE
  2298. //
  2299. // Category: SE_CATEGID_ACCOUNT_LOGON
  2300. //
  2302. class AuditEvent_TgsTicket : AuditEvent_KerberosLogon
  2303. {
  2304. uint32 AuditId = 0x02a1;
  2306. string UserName;
  2307. string UserDomain;
  2309. string ServiceName;
  2310. string ServiceId;
  2312. string TicketOptions;
  2313. string TicketEncryptionType;
  2315. string ClientAddress;
  2317. uint32 StatusCode = 0;
  2318. };
  2320. //Service Ticket Granted:%n
  2321. //.
  2323. //
  2324. //
  2325. // SE_AUDITID_TICKET_RENEW_SUCCESS
  2326. //
  2327. // Category: SE_CATEGID_ACCOUNT_LOGON
  2328. //
  2330. class AuditEvent_TicketRenewSuccess : AuditEvent_KerberosLogon
  2331. {
  2332. uint32 AuditId = 0x02a2;
  2334. string UserName;
  2335. string UserDomain;
  2337. string ServiceName;
  2338. string ServiceId;
  2340. string TicketOptions;
  2341. string TicketEncryptionType;
  2343. string ClientAddress;
  2344. };
  2346. //Ticket Granted Renewed:%n
  2347. //.
  2349. //
  2350. //
  2351. // SE_AUDITID_PREAUTH_FAILURE
  2352. //
  2353. // Category: SE_CATEGID_ACCOUNT_LOGON
  2354. //
  2356. class AuditEvent_PreauthFailure : AuditEvent_KerberosLogon
  2357. {
  2358. uint32 AuditId = 0x02a3;
  2360. string UserName;
  2361. string UserId;
  2363. string ServiceName;
  2365. string PreAuthenticationType;
  2366. string FailureCode;
  2368. string ClientAddress;
  2369. };
  2371. //Pre-authentication failed:%n
  2372. //.
  2374. //
  2375. //
  2376. // SE_AUDITID_ACCOUNT_MAPPED+SE_AUDITID_ACCOUNT_NOT_MAPPED
  2377. //
  2378. // Category: SE_CATEGID_ACCOUNT_LOGON
  2379. //
  2381. class AuditEvent_AccountMapping : AuditEvent_KerberosLogon
  2382. {
  2383. uint32 AuditId = 0x02a6;
  2385. string SourceName;
  2386. string ClientName;
  2387. string MappedName;
  2388. };
  2390. //Account Mapped for Logon by: %1%n
  2391. //.
  2393. //
  2394. //
  2395. // SE_AUDITID_ACCOUNT_LOGON_SUCCESS+SE_AUDITID_ACCOUNT_LOGON_FAILURE
  2396. //
  2397. // Category: SE_CATEGID_ACCOUNT_LOGON
  2398. //
  2400. class AuditEvent_AccountLogonAttempt
  2401. {
  2402. uint32 AuditId = 0x02a8;
  2404. string ClientName;
  2405. string AccountName;
  2406. string Workstation;
  2408. uint32 StatusCode = 0;
  2409. };
  2411. //Account Used for Logon by: %1%n
  2412. //.
  2415. //
  2416. // abstract class that groups common fields for session connection
  2417. //
  2418. [abstractevent]
  2419. class AuditEvent_SessionConnection : AuditEvent_AccountLogon
  2420. {
  2421. string UserName;
  2422. string Domain;
  2423. uint64 LogonId;
  2425. string SessionName;
  2427. string ClientName;
  2428. string ClientAddress;
  2429. string Winstation;
  2430. };
  2433. //
  2434. //
  2435. // SE_AUDITID_SESSION_RECONNECTED
  2436. //
  2437. // Category: SE_CATEGID_LOGON
  2438. //
  2440. class AuditEvent_SessionReconnected : AuditEvent_SessionConnection
  2441. {
  2442. uint32 AuditId = 0x02aa;
  2443. };
  2445. //Session reconnected to winstation:%n
  2446. //.
  2448. //
  2449. //
  2450. // SE_AUDITID_SESSION_DISCONNECTED
  2451. //
  2452. // Category: SE_CATEGID_LOGON
  2453. //
  2455. class AuditEvent_SessionDisconnected : AuditEvent_SessionConnection
  2456. {
  2457. uint32 AuditId = 0x02ab;
  2458. };
  2460. //Session disconnected from winstation:%n
  2461. //.