archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
 
 
 
 
 
 
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/authz/test/wmiaudit/auditevt.mof

2461 lines
51 KiB
Raw Blame History

//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 2000
//
// File: A U D I T E V T . M O F
//
// Contents: Audit event schema definitions
//
//
// History:
// 06-January-2000 kumarp created
//
//------------------------------------------------------------------------
/*
issues:
- best way to represent cred info?
- some events were separately defined the success and failure cases.
I merged them into one.
For example:
SE_AUDITID_ADD_SID_HISTORY_SUCCESS/SE_AUDITID_ADD_SID_HISTORY_FAILURE
SE_AUDITID_ACCOUNT_MAPPED/SE_AUDITID_ACCOUNT_NOT_MAPPED
SE_AUDITID_ACCOUNT_LOGON_SUCCESS/SE_AUDITID_ACCOUNT_LOGON_FAILURE
- category: logon and account logon
- need to define how the audit-format string is to be specified
for new (non-legacy) auditevents
- need to have a link between SE_AUDITID_PROCESS_CREATED/EXIT
- why is that some events have both primary/client user info while
some others have only primary (e.g. AuditEvent_ProcessExit)
- should PID be 32 or 64 bit?
- type of UserRight ?
- tdo ops: DomainId type?
- confirm that account-id (rid) is uint32
- ask shaohua about SE_AUDITID_DOMAIN_POLICY_CHANGE
- for events that are specifically success or failure type.
need to set Success to TRUE/FALSE
- how to handle delegated client contexts in n-tier apps
- when a process opens an object on a remote machine, which
pid gets logged?
- make sure that all corresponding properties have identical name
across different classes
*/
//
// base class for all audit events
//
[abstractevent]
class AuditEvent : __ExtrinsicEvent
{
uint16 CategoryId;
uint32 AuditId;
uint64 CreationTime;
Boolean Success = TRUE;
};
/////////////////////////////////////////////////////////////////////////////
// //
// //
// Messages for Category: SE_CATEGID_SYSTEM //
// //
/////////////////////////////////////////////////////////////////////////////
//
// represents SE_CATEGID_SYSTEM category
//
[abstractevent]
class AuditEvent_System : AuditEvent
{
};
//
//
// SE_AUDITID_SYSTEM_RESTART
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_SystemRestart : AuditEvent_System
{
uint32 AuditId = 0x0200;
};
//
//
// SE_AUDITID_SYSTEM_SHUTDOWN
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_SystemShutdown
{
uint32 AuditId = 0x0201;
};
//
//
// SE_AUDITID_SYSTEM_AUTH_PACKAGE_LOAD
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_AuthPackageLoad : AuditEvent_System
{
uint32 AuditId = 0x0202;
string AuthenticationPackageName;
};
//
//
// SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_SystemLogonProcRegister : AuditEvent_System
{
uint32 AuditId = 0x0203;
string LogonProcessName;
};
//
//
// SE_AUDITID_AUDITS_DISCARDED
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_AuditsDiscarded
{
uint32 AuditId = 0x0204;
uint32 NumberOfAuditMessagesDiscarded;
};
//
//
// SE_AUDITID_AUDIT_LOG_CLEARED
//
// Category: SE_CATEGID_SYSTEM
//
//
class AuditEvent_AuditLogCleared
{
uint32 AuditId = 0x0205;
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
};
//
//
// SE_AUDITID_SYSTEM_NOTIFY_PACKAGE_LOAD
//
// Category: SE_CATEGID_SYSTEM
//
class AuditEvent_NotifyPackageLoad
{
uint32 AuditId = 0x0206;
string NotificationPackageName;
};
/////////////////////////////////////////////////////////////////////////////
// //
// //
// Messages for Category: SE_CATEGID_LOGON //
// //
// //
/////////////////////////////////////////////////////////////////////////////
//
// represents SE_CATEGID_LOGON
//
[abstractevent]
class AuditEvent_Logon : AuditEvent
{
};
//
// abstract class that stores fields common to all user-logon events
//
[abstractevent]
class AuditEvent_UserLogon : AuditEvent_Logon
{
string UserName;
string Domain;
uint16 LogonType;
string LogonProcess;
string AuthenticationPackage;
string WorkstationName;
};
//
//
// SE_AUDITID_SUCCESSFUL_LOGON
//
// Category: SE_CATEGID_LOGON
//
//
class AuditEvent_SuccessfulLogon : AuditEvent_UserLogon
{
uint32 AuditId = 0x0210;
uint64 LogonId;
};
//
//
// SE_AUDITID_UNKNOWN_USER_OR_PWD
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_UnknownUserOrPwd : AuditEvent_UserLogon
{
uint32 AuditId = 0x0211;
};
//
//
// SE_AUDITID_ACCOUNT_TIME_RESTR
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_AccountTimeRestr : AuditEvent_UserLogon
{
uint32 AuditId = 0x0212;
};
//
//
// SE_AUDITID_ACCOUNT_DISABLED
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_AccountDisabled : AuditEvent_UserLogon
{
uint32 AuditId = 0x0213;
};
//
//
// SE_AUDITID_ACCOUNT_EXPIRED
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_AccountExpired : AuditEvent_UserLogon
{
uint32 AuditId = 0x0214;
};
// Logon Failure:%n
// %tReason:%t%tThe specified user account has expired%n
//
//
// SE_AUDITID_WORKSTATION_RESTR
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_WorkstationRestr : AuditEvent_UserLogon
{
uint32 AuditId = 0x0215;
};
// Logon Failure:%n
// %tReason:%t%tUser not allowed to logon at this computer%n
//
//
// SE_AUDITID_LOGON_TYPE_RESTR
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_LogonTypeRestr : AuditEvent_UserLogon
{
uint32 AuditId = 0x0216;
};
// Logon Failure:%n
// %tReason:%tThe user has not been granted the requested%n
// %t%tlogon type at this machine%n
//
//
// SE_AUDITID_PASSWORD_EXPIRED
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_PasswordExpired : AuditEvent_UserLogon
{
uint32 AuditId = 0x0217;
};
// Logon Failure:%n
// %tReason:%t%tThe specified accounts password has expired%n
//
//
// SE_AUDITID_NETLOGON_NOT_STARTED
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_NetlogonNotStarted : AuditEvent_UserLogon
{
uint32 AuditId = 0x0218;
};
// Logon Failure:%n
// %tReason:%t%tThe NetLogon component is not active%n
//
//
// SE_AUDITID_UNSUCCESSFUL_LOGON
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_UnsuccessfulLogon : AuditEvent_UserLogon
{
uint32 AuditId = 0x0219;
};
// Logon Failure:%n
// %tReason:%t%tAn unexpected error occurred during logon%n
//
//
// SE_AUDITID_LOGOFF
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_Logoff : AuditEvent_Logon
{
uint32 AuditId = 0x021A;
string UserName;
string Domain;
uint64 LogonId;
uint16 LogonType;
};
// User Logoff:%n
//
//
// SE_AUDITID_ACCOUNT_LOCKED
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_Accountlocked : AuditEvent_UserLogon
{
uint32 AuditId = 0x021B;
};
// Logon Failure:%n
// %tReason:%t%tAccount locked out%n
//
//
// SE_AUDITID_SUCCESSFUL_LOGON
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_NetworkLogon : AuditEvent_UserLogon
{
uint32 AuditId = 0x021c;
uint64 LogonId;
};
// Successful Network Logon:%n
//
// abstract base class to represent IPSEC logon events
//
class AuditEvent_IpsecLogon : AuditEvent_Logon
{
};
//
//
// SE_AUDITID_IPSEC_LOGON_SUCCESS
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecLogonSuccess : AuditEvent_IpsecLogon
{
uint32 AuditId = 0x021d;
string Mode;
string PeerIdentity;
string Filter;
string Parameters;
};
//IKE security association established.%n
//
//
// SE_AUDITID_IPSEC_LOGOFF_QM
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecLogoffQm : AuditEvent_IpsecLogon
{
uint32 AuditId = 0x021e;
string Filter;
string InboundSpi;
string OutboundSpi;
};
// IKE security association ended.%n
// Mode: Data Protection (Quick mode)
//
//
// SE_AUDITID_IPSEC_LOGOFF_MM
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecLogoffMm : AuditEvent_IpsecLogon
{
uint32 AuditId = 0x021f;
string Filter;
};
// IKE security association ended.%n
// Mode: Key Exchange (Main mode)%n
//
//
// SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecAuthFailCertTrust : AuditEvent_IpsecLogon
{
uint32 AuditId = 0x0220;
string PeerIdentity;
string Filter;
};
// IKE security association establishment failed because peer could not authenticate.
// The certificate trust could not be established.%n
//
//
// SE_AUDITID_IPSEC_AUTH_FAIL
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecAuthFail : AuditEvent_IpsecLogon
{
uint32 AuditId = 0x0221;
string PeerIdentity;
string Filter;
};
// IKE peer authentication failed.%n
//
//
// SE_AUDITID_IPSEC_ATTRIB_FAIL
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecAttribFail : AuditEvent_IpsecLogon
{
uint32 AuditId = 0x0222;
string Mode;
string Filter;
string Attribute;
string ExpectedValue;
string ReceivedValue;
};
// IKE security association establishment failed because peer
// sent invalid proposal.%n
//
//
// SE_AUDITID_IPSEC_NEGOTIATION_FAIL
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_IpsecNegotiationFail : AuditEvent_IpsecLogon
{
uint32 AuditId = 0x0223;
string Mode;
string Filter;
string FailurePoint;
string FailureReason;
};
// IKE security association negotiation failed.%n
/////////////////////////////////////////////////////////////////////////////
// //
// //
// Messages for Category: SE_CATEGID_OBJECT_ACCESS //
// //
// //
/////////////////////////////////////////////////////////////////////////////
//
// abstract class that represents SE_CATEGID_OBJECT_ACCESS
//
[abstractevent]
class AuditEvent_ObjectAccess : AuditEvent
{
string ObjectServer;
uint32 ProcessId;
};
class AuditEvent_AuthzAccess : AuditEvent
{
string ObjectServer;
uint32 ProcessId;
string OperationType;
string Objecttype;
string ObjectName;
// uint64 HandleId;
// uint64 OperationId;
uint8 PrimaryUserSid[];
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
uint8 ClientUserSid[];
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
uint32 AccessMask;
string AdditionalInfo;
};
//
//
// SE_AUDITID_OPEN_HANDLE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_OpenHandle : AuditEvent_ObjectAccess
{
uint32 AuditId = 0x0230;
string ObjectType;
string ObjectName;
uint64 NewHandleId;
uint64 OperationId;
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
string Privileges[];
};
// Object Open:%n
//
//
// SE_AUDITID_CREATE_HANDLE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_CreateHandle : AuditEvent_ObjectAccess
{
uint32 AuditId = 0x0231;
uint64 HandleId;
uint64 OperationId;
};
//Handle Allocated:%n
//
//
// SE_AUDITID_CLOSE_HANDLE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_CloseHandle : AuditEvent_ObjectAccess
{
uint32 AuditId = 0x0232;
uint64 HandleId;
};
//Handle Closed:%n
//
//
// SE_AUDITID_OPEN_OBJECT_FOR_DELETE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_OpenObjectForDelete : AuditEvent_ObjectAccess
{
uint32 AuditId = 0x0233;
string ObjectType;
string ObjectName;
uint64 NewHandleId;
uint64 OperationId;
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
string Privileges[];
};
//Object Open for Delete:%n
//
//
// SE_AUDITID_DELETE_OBJECT
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_DeleteObject : AuditEvent_ObjectAccess
{
uint32 AuditId = 0x0234;
uint64 HandleId;
};
//Object Deleted:%n
//
//
// SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_OpenHandleObjectType : AuditEvent_ObjectAccess
{
uint32 AuditId = 0x0235;
string ObjectType;
string ObjectName;
uint64 NewHandleId;
uint64 OperationId;
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
string Properties;
string Privileges[];
};
//Object Open:%n
// SE_AUDITID_OBJECT_OPERATION
//
// Category: SE_CATEGID_OBJECT_ACCESS
//
class AuditEvent_ObjectOperation : AuditEvent_ObjectAccess
{
uint32 AuditId = 0x0236;
string OperationType;
string Objecttype;
string ObjectName;
uint64 HandleId;
uint64 OperationId;
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
uint32 RequestedAccesses;
};
//Object Operation:%n
/////////////////////////////////////////////////////////////////////////////
// //
// //
// Messages for Category: SE_CATEGID_PRIVILEGE_USE //
// //
// //
/////////////////////////////////////////////////////////////////////////////
//
// represents SE_CATEGID_PRIVILEGE_USE
//
[abstractevent]
class AuditEvent_PrivilegeUse : AuditEvent
{
string Privileges[];
};
//
//
// SE_AUDITID_ASSIGN_SPECIAL_PRIV
//
// Category: SE_CATEGID_PRIVILEGE_USE
//
class AuditEvent_AssignSpecialPriv : AuditEvent_PrivilegeUse
{
uint32 AuditId = 0x0240;
string UserName;
string Domain;
uint64 LogonId;
};
//Special privileges assigned to new logon:%n
//
//
// SE_AUDITID_PRIVILEGED_SERVICE
//
// Category: SE_CATEGID_PRIVILEGE_USE
//
class AuditEvent_PrivilegedService : AuditEvent_PrivilegeUse
{
uint32 AuditId = 0x0241;
string Server;
string Service;
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
};
//Privileged Service Called:%n
//.
//
//
// SE_AUDITID_PRIVILEGED_OBJECT
//
// Category: SE_CATEGID_PRIVILEGE_USE
//
class AuditEvent_PrivilegedObject : AuditEvent_PrivilegeUse
{
uint32 AuditId = 0x0242;
string ObjectHandle;
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
};
//Privileged object operation:%n
//.
/////////////////////////////////////////////////////////////////////////////
// //
// //
// Messages for Category: SE_CATEGID_DETAILED_TRACKING //
// //
// Event IDs: //
// SE_AUDITID_PROCESS_CREATED //
// SE_AUDITID_PROCESS_EXIT //
// SE_AUDITID_DUPLICATE_HANDLE //
// SE_AUDITID_INDIRECT_REFERENCE //
// //
/////////////////////////////////////////////////////////////////////////////
//
// abstract class that represents SE_CATEGID_DETAILED_TRACKING
//
[abstractevent]
class AuditEvent_DetailedTracking : AuditEvent
{
};
//
//
// SE_AUDITID_PROCESS_CREATED
//
// Category: SE_CATEGID_DETAILED_TRACKING
//
class AuditEvent_ProcessCreated : AuditEvent_DetailedTracking
{
uint32 AuditId = 0x0250;
uint32 ProcessId;
string ImageFileName;
uint32 CreatorProcessId;
string UserName;
string Domain;
uint64 LogonId;
};
//A new process has been created:%n
//.
//
//
// SE_AUDITID_PROCESS_EXIT
//
// Category: SE_CATEGID_DETAILED_TRACKING
//
class AuditEvent_ProcessExit : AuditEvent_DetailedTracking
{
uint32 AuditId = 0x0251;
uint32 ProcessId;
string UserName;
string Domain;
uint64 LogonId;
};
//A process has exited:%n
//.
//
//
// SE_AUDITID_DUPLICATE_HANDLE
//
// Category: SE_CATEGID_DETAILED_TRACKING
//
class AuditEvent_DuplicateHandle : AuditEvent_DetailedTracking
{
uint32 AuditId = 0x0252;
uint64 SourceHandleId;
uint32 SourceProcessId;
uint64 TargetHandleId;
uint32 TargetProcessId;
};
//A handle to an object has been duplicated:%n
//.
//
//
// SE_AUDITID_INDIRECT_REFERENCE
//
// Category: SE_CATEGID_DETAILED_TRACKING
//
class AuditEvent_IndirectReference : AuditEvent_DetailedTracking
{
uint32 AuditId = 0x0253;
string ObjectType;
string ObjectName;
uint32 ProcessId;
string PrimaryUserName;
string PrimaryDomain;
uint64 PrimaryLogonId;
string ClientUserName;
string ClientDomain;
uint64 ClientLogonId;
uint32 GrantedAccess;
};
//Indirect access to an object has been obtained:%n
//.
/////////////////////////////////////////////////////////////////////////////
// //
// //
// Messages for Category: SE_CATEGID_POLICY_CHANGE //
// //
// Event IDs: //
// SE_AUDITID_USER_RIGHT_ASSIGNED //
// SE_AUDITID_USER_RIGHT_REMOVED //
// SE_AUDITID_TRUSTED_DOMAIN_ADD //
// SE_AUDITID_TRUSTED_DOMAIN_REM //
// SE_AUDITID_POLICY_CHANGE //
// SE_AUDITID_IPSEC_POLICY_START //
// SE_AUDITID_IPSEC_POLICY_DISABLED //
// SE_AUDITID_IPSEC_POLICY_CHANGED //
// SE_AUDITID_IPSEC_POLICY_FAILURE //
// //
/////////////////////////////////////////////////////////////////////////////
//
// abstract class that represents SE_CATEGID_POLICY_CHANGE
//
[abstractevent]
class AuditEvent_PolicyChange : AuditEvent
{
};
//
// abstract class that represents user-rights operations
//
[abstractevent]
class AuditEvent_UserRightsOperation : AuditEvent_PolicyChange
{
string UserRight;
uint8 TargetUser[];
// caller
string UserName;
string Domain;
uint64 LogonId;
};
//
//
// SE_AUDITID_USER_RIGHT_ASSIGNED
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_UserRightAssigned : AuditEvent_UserRightsOperation
{
uint32 AuditId = 0x0260;
};
//User Right Assigned:%n
//.
//
//
// SE_AUDITID_USER_RIGHT_REMOVED
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_UserRightRemoved : AuditEvent_UserRightsOperation
{
uint32 AuditId = 0x0261;
};
//User Right Removed:%n
//.
//
// abstract class that represents TDO operations
//
[abstractevent]
class AuditEvent_TrustedDomainOperation : AuditEvent_PolicyChange
{
string DomainName;
string DomainId;
string UserName;
string Domain;
uint64 LogonId;
};
//
//
// SE_AUDITID_TRUSTED_DOMAIN_ADD
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_TrustedDomainAdd : AuditEvent_TrustedDomainOperation
{
uint32 AuditId = 0x0262;
};
//New Trusted Domain:%n
//.
//
//
// SE_AUDITID_TRUSTED_DOMAIN_REM
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_TrustedDomainRem : AuditEvent_TrustedDomainOperation
{
uint32 AuditId = 0x0263;
};
//Removing Trusted Domain:%n
//.
//
//
// SE_AUDITID_TRUSTED_DOMAIN_MOD
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_TrustedDomainMod : AuditEvent_TrustedDomainOperation
{
uint32 AuditId = 0x026C;
};
//Trusted Domain Information Modified:%n
//.
//
//
// SE_AUDITID_POLICY_CHANGE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_PolicyChange : AuditEvent_PolicyChange
{
uint32 AuditId = 0x0264;
// ... new policy here...
string UserName;
string DomainName;
uint64 LogonId;
};
//Audit Policy Change:%n
//New Policy:%n
//...
//Changed By:%n
//.
//
// abstract class that represents Ipsec policy operations
//
[abstractevent]
class AuditEvent_IpsecPolicy : AuditEvent_PolicyChange
{
};
//
//
// SE_AUDITID_IPSEC_POLICY_START
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_IpsecPolicyStart : AuditEvent_IpsecPolicy
{
uint32 AuditId = 0x0265;
};
//IPSec policy agent started: %t%1%n
//Policy Source: %t%2%n
//.
//
//
// SE_AUDITID_IPSEC_POLICY_DISABLED
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_IpsecPolicyDisabled : AuditEvent_IpsecPolicy
{
uint32 AuditId = 0x0266;
};
//IPSec policy agent disabled: %t%1%n
//.
//
//
// SE_AUDITID_IPSEC_POLICY_CHANGED
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_IpsecPolicyChanged : AuditEvent_IpsecPolicy
{
uint32 AuditId = 0x0267;
};
//IPSEC PolicyAgent Service: %t%1%n
//.
//
//
// SE_AUDITID_IPSEC_POLICY_FAILURE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_IpsecPolicyFailure : AuditEvent_IpsecPolicy
{
uint32 AuditId = 0x0268;
};
//IPSec policy agent encountered a potentially serious failure.%n
//.
//
// abstract class that represents kerberos policy operations
//
[abstractevent]
class AuditEvent_KerberosPolicy : AuditEvent_PolicyChange
{
};
//
//
// SE_AUDITID_KERBEROS_POLICY_CHANGE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_KerberosPolicyChange : AuditEvent_KerberosPolicy
{
uint32 AuditId = 0x0269;
// changed by
string UserName;
string DomainName;
uint64 LogonId;
// changes made
};
//Kerberos Policy Changed:%n
//Changed By:%n
//Changes made:%n
//.
//
// abstract class that represents EFS policy operations
//
[abstractevent]
class AuditEvent_EfsPolicy : AuditEvent_PolicyChange
{
};
//
//
// SE_AUDITID_EFS_POLICY_CHANGE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_EfsPolicyChange : AuditEvent_EfsPolicy
{
uint32 AuditId = 0x026a;
// changed by
string UserName;
string DomainName;
uint64 LogonId;
// changes made
};
//Encrypted Data Recovery Policy Changed:%n
//Changed By:%n
//Changes made:%n
//.
//
// abstract class that represents QoS policy operations
//
[abstractevent]
class AuditEvent_QosPolicy : AuditEvent_PolicyChange
{
};
//
//
// SE_AUDITID_QOS_POLICY_CHANGE
//
// Category: SE_CATEGID_POLICY_CHANGE
//
class AuditEvent_QosPolicyChange : AuditEvent_QosPolicy
{
uint32 AuditId = 0x026b;
// changed by
string UserName;
string DomainName;
uint64 LogonId;
// changes made
};
//Quality of Service Policy Changed:%n
//Changes made:%n
//Changed By:%n
//.
/////////////////////////////////////////////////////////////////////////////
// //
// //
// Messages for Category: SE_CATEGID_ACCOUNT_MANAGEMENT //
// //
// Event IDs: //
// SE_AUDITID_USER_CREATED //
// SE_AUDITID_USER_CHANGE //
// SE_AUDITID_ACCOUNT_TYPE_CHANGE //
// SE_AUDITID_USER_ENABLED //
// SE_AUDITID_USER_PWD_CHANGED //
// SE_AUDITID_USER_PWD_SET //
// SE_AUDITID_USER_DISABLED //
// SE_AUDITID_USER_DELETED //
// //
// SE_AUDITID_COMPUTER_CREATED //
// SE_AUDITID_COMPUTER_CHANGE //
// SE_AUDITID_COMPUTER_DELETED //
// //
// SE_AUDITID_GLOBAL_GROUP_CREATED //
// SE_AUDITID_GLOBAL_GROUP_ADD //
// SE_AUDITID_GLOBAL_GROUP_REM //
// SE_AUDITID_GLOBAL_GROUP_DELETED //
// SE_AUDITID_LOCAL_GROUP_CREATED //
// SE_AUDITID_LOCAL_GROUP_ADD //
// SE_AUDITID_LOCAL_GROUP_REM //
// SE_AUDITID_LOCAL_GROUP_DELETED //
// //
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED //
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE //
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD //
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM //
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED //
// //
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED //
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE //
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD //
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM //
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED //
// //
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED //
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE //
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD //
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM //
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED //
// //
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED //
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE //
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD //
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM //
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED //
// //
// SE_AUDITID_GROUP_TYPE_CHANGE //
// //
// SE_AUDITID_ADD_SID_HISTORY_SUCCESS //
// SE_AUDITID_ADD_SID_HISTORY_FAILURE //
// //
// SE_AUDITID_OTHER_ACCT_CHANGE //
// SE_AUDITID_DOMAIN_POLICY_CHANGE //
// SE_AUDITID_ACCOUNT_AUTO_LOCKED //
// //
// //
/////////////////////////////////////////////////////////////////////////////
//
// abstract class that represents SE_CATEGID_ACCOUNT_MANAGEMENT
//
[abstractevent]
class AuditEvent_AccountManagement : AuditEvent
{
};
//
// abstract class that groups common fields for account change opns
//
[abstractevent]
class AuditEvent_AccountChange : AuditEvent_AccountManagement
{
string TargetAccountName;
string TargetDomain;
uint32 TargetAccountId;
string CallerUserName;
string CallerDomain;
uint64 CallerLogonId;
};
//
//
// SE_AUDITID_USER_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserCreated : AuditEvent_AccountChange
{
uint32 AuditId = 0x0270;
string Privileges[];
};
//User Account Created:%n
//.
//
//
// SE_AUDITID_ACCOUNT_TYPE_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_AccountTypeChange : AuditEvent_AccountChange
{
uint32 AuditId = 0x0271;
string NewType;
};
//User Account Type Change:%n
//.
//
//
// SE_AUDITID_USER_ENABLED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserEnabled : AuditEvent_AccountChange
{
uint32 AuditId = 0x0272;
};
//User Account Enabled:%n
//.
//
//
// SE_AUDITID_USER_PWD_CHANGED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserPwdChanged : AuditEvent_AccountChange
{
uint32 AuditId = 0x0273;
string Privileges[];
};
//Change Password Attempt:%n
//.
//
//
// SE_AUDITID_USER_PWD_SET
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserPwdSet : AuditEvent_AccountChange
{
uint32 AuditId = 0x0274;
};
//User Account password set:%n
//.
//
//
// SE_AUDITID_USER_DISABLED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserDisabled : AuditEvent_AccountChange
{
uint32 AuditId = 0x0275;
};
//User Account Disabled:%n
//.
//
//
// SE_AUDITID_USER_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserDeleted : AuditEvent_AccountChange
{
uint32 AuditId = 0x0276;
string Privileges[];
};
//User Account Deleted:%n
//.
//
//
// SE_AUDITID_USER_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_UserChange : AuditEvent_AccountChange
{
uint32 AuditId = 0x0282;
string TypeOfChange;
string Privileges[];
};
//User Account Changed:%n
//.
// ======================================================================
//
// abstract class that groups common fields for group change opns
//
[abstractevent]
class AuditEvent_GroupChange : AuditEvent_AccountManagement
{
string TargetAccountName;
string TargetDomain;
uint32 TargetAccountId;
string CallerUserName;
string CallerDomain;
uint64 CallerLogonId;
string Privileges[];
};
//
// abstract class that groups common fields for group membership opns
//
[abstractevent]
class AuditEvent_GroupMembershipChange : AuditEvent_GroupChange
{
string MemberName;
uint32 MemberId;
};
//
//
// SE_AUDITID_GLOBAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupCreated : AuditEvent_GroupChange
{
uint32 AuditId = 0x0277;
};
//Security Enabled Global Group Created:%n
//.
//
//
// SE_AUDITID_GLOBAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupDeleted : AuditEvent_GroupChange
{
uint32 AuditId = 0x027A;
};
//Security Enabled Global Group Deleted:%n
//.
//
//
// SE_AUDITID_GLOBAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupChange : AuditEvent_GroupChange
{
uint32 AuditId = 0x0281;
};
//Security Enabled Global Group Changed:%n
//.
//
//
// SE_AUDITID_GLOBAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupAdd : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x0278;
};
//Security Enabled Global Group Member Added:%n
//.
//
//
// SE_AUDITID_GLOBAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GlobalGroupRem : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x0279;
};
//Security Enabled Global Group Member Removed:%n
//.
//
//
// SE_AUDITID_LOCAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupCreated : AuditEvent_GroupChange
{
uint32 AuditId = 0x027B;
};
//Security Enabled Local Group Created:%n
//.
//
//
// SE_AUDITID_LOCAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupDeleted : AuditEvent_GroupChange
{
uint32 AuditId = 0x027E;
};
//Security Enabled Local Group Deleted:%n
//.
//
//
// SE_AUDITID_LOCAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupChange : AuditEvent_GroupChange
{
uint32 AuditId = 0x027F;
};
//Security Enabled Local Group Changed:%n
//.
//
//
// SE_AUDITID_LOCAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupAdd : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x027C;
};
//Security Enabled Local Group Member Added:%n
//.
//
//
// SE_AUDITID_LOCAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_LocalGroupRem : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x027D;
};
//Security Enabled Local Group Member Removed:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupCreated : AuditEvent_GroupChange
{
uint32 AuditId = 0x0288;
};
//Security Disabled Local Group Created:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupChange : AuditEvent_GroupChange
{
uint32 AuditId = 0x0289;
};
//Security Disabled Local Group Changed:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupAdd : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x028A;
};
//Security Disabled Local Group Member Added:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupRem : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x028B;
};
//Security Disabled Local Group Member Removed:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledLocalGroupDeleted : AuditEvent_GroupChange
{
uint32 AuditId = 0x028C;
};
//Security Disabled Local Group Deleted:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupCreated : AuditEvent_GroupChange
{
uint32 AuditId = 0x028D;
};
//Security Disabled Global Group Created:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupChange : AuditEvent_GroupChange
{
uint32 AuditId = 0x028E;
};
//Security Disabled Global Group Changed:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupAdd : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x028F;
};
//Security Disabled Global Group Member Added:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupRem : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x0290;
};
//Security Disabled Global Group Member Removed:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledGlobalGroupDeleted : AuditEvent_GroupChange
{
uint32 AuditId = 0x0291;
};
//Security Disabled Global Group Deleted:%n
//.
//
//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupCreated : AuditEvent_GroupChange
{
uint32 AuditId = 0x0292;
};
//Security Enabled Universal Group Created:%n
//.
//
//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupChange : AuditEvent_GroupChange
{
uint32 AuditId = 0x0293;
};
//Security Enabled Universal Group Changed:%n
//.
//
//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupAdd : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x0294;
};
//Security Enabled Universal Group Member Added:%n
//.
//
//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupRem : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x0295;
};
//Security Enabled Universal Group Member Removed:%n
//.
//
//
// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityEnabledUniversalGroupDeleted : AuditEvent_GroupChange
{
uint32 AuditId = 0x0296;
};
//Security Enabled Universal Group Deleted:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupCreated : AuditEvent_GroupChange
{
uint32 AuditId = 0x0297;
};
//Security Disabled Universal Group Created:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupChange : AuditEvent_GroupChange
{
uint32 AuditId = 0x0298;
};
//Security Disabled Universal Group Changed:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupAdd : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x0299;
};
//Security Disabled Universal Group Member Added:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupRem : AuditEvent_GroupMembershipChange
{
uint32 AuditId = 0x029A;
};
//Security Disabled Universal Group Member Removed:%n
//.
//
//
// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_SecurityDisabledUniversalGroupDeleted
{
uint32 AuditId = 0x029B;
};
//Security Disabled Universal Group Deleted:%n
//.
//
//
// SE_AUDITID_OTHER_ACCOUNT_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
// Note: not used
//
class AuditEvent_OtherAccountChange : AuditEvent_AccountManagement
{
uint32 AuditId = 0x0280;
string TypeOfChange;
string ObjectType;
string ObjectName;
string ObjectId; // type?
string CallerUserName;
string CallerDomain;
uint64 CallerLogonId;
};
//General Account Database Change:%n
//.
//
//
// SE_AUDITID_GROUP_TYPE_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_GroupTypeChange : AuditEvent_GroupChange
{
uint32 AuditId = 0x029C;
uint8 NewType;
};
//Group Type Changed:%n
//.
//
//
// SE_AUDITID_DOMAIN_POLICY_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
//$ BUGBUG kumarp 23-February-2000
// which class to derive from?
//
class AuditEvent_DomainPolicyChange
{
uint32 AuditId = 0x0283;
string TypeOfChange;
string Domain;
string DomainId;
string CallerUserName;
string CallerDomain;
string CallerLogonId;
string Privileges[];
};
//Domain Policy Changed: %1 modified%n
//.
//
//
// SE_AUDITID_ACCOUNT_AUTO_LOCKED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_AccountAutoLocked : AuditEvent_AccountChange
{
uint32 AuditId = 0x0284;
string CallerMachineName;
};
//User Account Locked Out:%n
//.
//
// abstract class that groups common fields for computer account change opns
//
[abstractevent]
class AuditEvent_ComputerAccountChange : AuditEvent_AccountChange
{
};
//
//
// SE_AUDITID_COMPUTER_CREATED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_ComputerCreated : AuditEvent_ComputerAccountChange
{
uint32 AuditId = 0x0285;
string Privileges[];
};
//Computer Account Created:%n
//.
//
//
// SE_AUDITID_COMPUTER_CHANGE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_ComputerChange : AuditEvent_ComputerAccountChange
{
uint32 AuditId = 0x0286;
string TypeOfChange;
string Privileges[];
};
//Computer Account Changed:%n
//.
//
//
// SE_AUDITID_COMPUTER_DELETED
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_ComputerDeleted : AuditEvent_ComputerAccountChange
{
uint32 AuditId = 0x0287;
string Privileges[];
};
//Computer Account Deleted:%n
//.
//
//
// SE_AUDITID_ADD_SID_HISTORY_SUCCESS+SE_AUDITID_ADD_SID_HISTORY_FAILURE
//
// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
//
class AuditEvent_AddSidHistory : AuditEvent_AccountChange
{
uint32 AuditId = 0x029D;
string SourceAccountName;
string SourceAccountId;
string Privileges[];
};
//Add SID History:%n
//.
/////////////////////////////////////////////////////////////////////////////
// //
// //
// Messages for Category: SE_CATEGID_ACCOUNT_LOGON //
// //
// Event IDs: //
// SE_AUDITID_AS_TICKET_SUCCESS //
// SE_AUDITID_TGS_TICKET_SUCCESS //
// SE_AUDITID_TICKET_RENEW_SUCCESS //
// SE_AUDITID_PREAUTH_FAILURE //
// SE_AUDITID_AS_TICKET_FAILURE //
// SE_AUDITID_TGS_TICKET_FAILURE //
// SE_AUDITID_ACCOUNT_MAPPED //
// SE_AUDITID_ACCOUNT_NOT_MAPPED //
// SE_AUDITID_ACCOUNT_LOGON_SUCCESS //
// SE_AUDITID_ACCOUNT_LOGON_FAILURE //
// //
/////////////////////////////////////////////////////////////////////////////
//
// abstract class that represents SE_CATEGID_ACCOUNT_LOGON
//
[abstractevent]
class AuditEvent_AccountLogon : AuditEvent
{
};
//
// abstract class that groups common fields for kerberos logon
//
[abstractevent]
class AuditEvent_KerberosLogon : AuditEvent_AccountLogon
{
};
//
//
// SE_AUDITID_AS_TICKET_SUCCESS+SE_AUDITID_AS_TICKET_FAILURE
//
// Category: SE_CATEGID_ACCOUNT_LOGON
//
class AuditEvent_AsTicket : AuditEvent_KerberosLogon
{
uint32 AuditId = 0x02a0;
string UserName;
string SuppliedRealmName;
string UserId;
string ServiceName;
string ServiceId;
string TicketOptions;
string TicketEncryptionType;
string PreAuthenticationType;
string ClientAddress;
uint32 StatusCode = 0;
};
//Authentication Ticket Granted:%n
//.
//
//
// SE_AUDITID_TGS_TICKET_SUCCESS+SE_AUDITID_TGS_TICKET_FAILURE
//
// Category: SE_CATEGID_ACCOUNT_LOGON
//
class AuditEvent_TgsTicket : AuditEvent_KerberosLogon
{
uint32 AuditId = 0x02a1;
string UserName;
string UserDomain;
string ServiceName;
string ServiceId;
string TicketOptions;
string TicketEncryptionType;
string ClientAddress;
uint32 StatusCode = 0;
};
//Service Ticket Granted:%n
//.
//
//
// SE_AUDITID_TICKET_RENEW_SUCCESS
//
// Category: SE_CATEGID_ACCOUNT_LOGON
//
class AuditEvent_TicketRenewSuccess : AuditEvent_KerberosLogon
{
uint32 AuditId = 0x02a2;
string UserName;
string UserDomain;
string ServiceName;
string ServiceId;
string TicketOptions;
string TicketEncryptionType;
string ClientAddress;
};
//Ticket Granted Renewed:%n
//.
//
//
// SE_AUDITID_PREAUTH_FAILURE
//
// Category: SE_CATEGID_ACCOUNT_LOGON
//
class AuditEvent_PreauthFailure : AuditEvent_KerberosLogon
{
uint32 AuditId = 0x02a3;
string UserName;
string UserId;
string ServiceName;
string PreAuthenticationType;
string FailureCode;
string ClientAddress;
};
//Pre-authentication failed:%n
//.
//
//
// SE_AUDITID_ACCOUNT_MAPPED+SE_AUDITID_ACCOUNT_NOT_MAPPED
//
// Category: SE_CATEGID_ACCOUNT_LOGON
//
class AuditEvent_AccountMapping : AuditEvent_KerberosLogon
{
uint32 AuditId = 0x02a6;
string SourceName;
string ClientName;
string MappedName;
};
//Account Mapped for Logon by: %1%n
//.
//
//
// SE_AUDITID_ACCOUNT_LOGON_SUCCESS+SE_AUDITID_ACCOUNT_LOGON_FAILURE
//
// Category: SE_CATEGID_ACCOUNT_LOGON
//
class AuditEvent_AccountLogonAttempt
{
uint32 AuditId = 0x02a8;
string ClientName;
string AccountName;
string Workstation;
uint32 StatusCode = 0;
};
//Account Used for Logon by: %1%n
//.
//
// abstract class that groups common fields for session connection
//
[abstractevent]
class AuditEvent_SessionConnection : AuditEvent_AccountLogon
{
string UserName;
string Domain;
uint64 LogonId;
string SessionName;
string ClientName;
string ClientAddress;
string Winstation;
};
//
//
// SE_AUDITID_SESSION_RECONNECTED
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_SessionReconnected : AuditEvent_SessionConnection
{
uint32 AuditId = 0x02aa;
};
//Session reconnected to winstation:%n
//.
//
//
// SE_AUDITID_SESSION_DISCONNECTED
//
// Category: SE_CATEGID_LOGON
//
class AuditEvent_SessionDisconnected : AuditEvent_SessionConnection
{
uint32 AuditId = 0x02ab;
};
//Session disconnected from winstation:%n
//.