Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

2461 lines
48 KiB

  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 2000
  6. //
  7. // File: A U D I T E V T . M O F
  8. //
  9. // Contents: Audit event schema definitions
  10. //
  11. //
  12. // History:
  13. // 06-January-2000 kumarp created
  14. //
  15. //------------------------------------------------------------------------
  16. /*
  17. issues:
  18. - best way to represent cred info?
  19. - some events were separately defined the success and failure cases.
  20. I merged them into one.
  21. For example:
  22. SE_AUDITID_ADD_SID_HISTORY_SUCCESS/SE_AUDITID_ADD_SID_HISTORY_FAILURE
  23. SE_AUDITID_ACCOUNT_MAPPED/SE_AUDITID_ACCOUNT_NOT_MAPPED
  24. SE_AUDITID_ACCOUNT_LOGON_SUCCESS/SE_AUDITID_ACCOUNT_LOGON_FAILURE
  25. - category: logon and account logon
  26. - need to define how the audit-format string is to be specified
  27. for new (non-legacy) auditevents
  28. - need to have a link between SE_AUDITID_PROCESS_CREATED/EXIT
  29. - why is that some events have both primary/client user info while
  30. some others have only primary (e.g. AuditEvent_ProcessExit)
  31. - should PID be 32 or 64 bit?
  32. - type of UserRight ?
  33. - tdo ops: DomainId type?
  34. - confirm that account-id (rid) is uint32
  35. - ask shaohua about SE_AUDITID_DOMAIN_POLICY_CHANGE
  36. - for events that are specifically success or failure type.
  37. need to set Success to TRUE/FALSE
  38. - how to handle delegated client contexts in n-tier apps
  39. - when a process opens an object on a remote machine, which
  40. pid gets logged?
  41. - make sure that all corresponding properties have identical name
  42. across different classes
  43. */
  44. //
  45. // base class for all audit events
  46. //
  47. [abstractevent]
  48. class AuditEvent : __ExtrinsicEvent
  49. {
  50. uint16 CategoryId;
  51. uint32 AuditId;
  52. uint64 CreationTime;
  53. Boolean Success = TRUE;
  54. };
  55. /////////////////////////////////////////////////////////////////////////////
  56. // //
  57. // //
  58. // Messages for Category: SE_CATEGID_SYSTEM //
  59. // //
  60. /////////////////////////////////////////////////////////////////////////////
  61. //
  62. // represents SE_CATEGID_SYSTEM category
  63. //
  64. [abstractevent]
  65. class AuditEvent_System : AuditEvent
  66. {
  67. };
  68. //
  69. //
  70. // SE_AUDITID_SYSTEM_RESTART
  71. //
  72. // Category: SE_CATEGID_SYSTEM
  73. //
  74. class AuditEvent_SystemRestart : AuditEvent_System
  75. {
  76. uint32 AuditId = 0x0200;
  77. };
  78. //
  79. //
  80. // SE_AUDITID_SYSTEM_SHUTDOWN
  81. //
  82. // Category: SE_CATEGID_SYSTEM
  83. //
  84. class AuditEvent_SystemShutdown
  85. {
  86. uint32 AuditId = 0x0201;
  87. };
  88. //
  89. //
  90. // SE_AUDITID_SYSTEM_AUTH_PACKAGE_LOAD
  91. //
  92. // Category: SE_CATEGID_SYSTEM
  93. //
  94. class AuditEvent_AuthPackageLoad : AuditEvent_System
  95. {
  96. uint32 AuditId = 0x0202;
  97. string AuthenticationPackageName;
  98. };
  99. //
  100. //
  101. // SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER
  102. //
  103. // Category: SE_CATEGID_SYSTEM
  104. //
  105. class AuditEvent_SystemLogonProcRegister : AuditEvent_System
  106. {
  107. uint32 AuditId = 0x0203;
  108. string LogonProcessName;
  109. };
  110. //
  111. //
  112. // SE_AUDITID_AUDITS_DISCARDED
  113. //
  114. // Category: SE_CATEGID_SYSTEM
  115. //
  116. class AuditEvent_AuditsDiscarded
  117. {
  118. uint32 AuditId = 0x0204;
  119. uint32 NumberOfAuditMessagesDiscarded;
  120. };
  121. //
  122. //
  123. // SE_AUDITID_AUDIT_LOG_CLEARED
  124. //
  125. // Category: SE_CATEGID_SYSTEM
  126. //
  127. //
  128. class AuditEvent_AuditLogCleared
  129. {
  130. uint32 AuditId = 0x0205;
  131. string PrimaryUserName;
  132. string PrimaryDomain;
  133. uint64 PrimaryLogonId;
  134. string ClientUserName;
  135. string ClientDomain;
  136. uint64 ClientLogonId;
  137. };
  138. //
  139. //
  140. // SE_AUDITID_SYSTEM_NOTIFY_PACKAGE_LOAD
  141. //
  142. // Category: SE_CATEGID_SYSTEM
  143. //
  144. class AuditEvent_NotifyPackageLoad
  145. {
  146. uint32 AuditId = 0x0206;
  147. string NotificationPackageName;
  148. };
  149. /////////////////////////////////////////////////////////////////////////////
  150. // //
  151. // //
  152. // Messages for Category: SE_CATEGID_LOGON //
  153. // //
  154. // //
  155. /////////////////////////////////////////////////////////////////////////////
  156. //
  157. // represents SE_CATEGID_LOGON
  158. //
  159. [abstractevent]
  160. class AuditEvent_Logon : AuditEvent
  161. {
  162. };
  163. //
  164. // abstract class that stores fields common to all user-logon events
  165. //
  166. [abstractevent]
  167. class AuditEvent_UserLogon : AuditEvent_Logon
  168. {
  169. string UserName;
  170. string Domain;
  171. uint16 LogonType;
  172. string LogonProcess;
  173. string AuthenticationPackage;
  174. string WorkstationName;
  175. };
  176. //
  177. //
  178. // SE_AUDITID_SUCCESSFUL_LOGON
  179. //
  180. // Category: SE_CATEGID_LOGON
  181. //
  182. //
  183. class AuditEvent_SuccessfulLogon : AuditEvent_UserLogon
  184. {
  185. uint32 AuditId = 0x0210;
  186. uint64 LogonId;
  187. };
  188. //
  189. //
  190. // SE_AUDITID_UNKNOWN_USER_OR_PWD
  191. //
  192. // Category: SE_CATEGID_LOGON
  193. //
  194. class AuditEvent_UnknownUserOrPwd : AuditEvent_UserLogon
  195. {
  196. uint32 AuditId = 0x0211;
  197. };
  198. //
  199. //
  200. // SE_AUDITID_ACCOUNT_TIME_RESTR
  201. //
  202. // Category: SE_CATEGID_LOGON
  203. //
  204. class AuditEvent_AccountTimeRestr : AuditEvent_UserLogon
  205. {
  206. uint32 AuditId = 0x0212;
  207. };
  208. //
  209. //
  210. // SE_AUDITID_ACCOUNT_DISABLED
  211. //
  212. // Category: SE_CATEGID_LOGON
  213. //
  214. class AuditEvent_AccountDisabled : AuditEvent_UserLogon
  215. {
  216. uint32 AuditId = 0x0213;
  217. };
  218. //
  219. //
  220. // SE_AUDITID_ACCOUNT_EXPIRED
  221. //
  222. // Category: SE_CATEGID_LOGON
  223. //
  224. class AuditEvent_AccountExpired : AuditEvent_UserLogon
  225. {
  226. uint32 AuditId = 0x0214;
  227. };
  228. // Logon Failure:%n
  229. // %tReason:%t%tThe specified user account has expired%n
  230. //
  231. //
  232. // SE_AUDITID_WORKSTATION_RESTR
  233. //
  234. // Category: SE_CATEGID_LOGON
  235. //
  236. class AuditEvent_WorkstationRestr : AuditEvent_UserLogon
  237. {
  238. uint32 AuditId = 0x0215;
  239. };
  240. // Logon Failure:%n
  241. // %tReason:%t%tUser not allowed to logon at this computer%n
  242. //
  243. //
  244. // SE_AUDITID_LOGON_TYPE_RESTR
  245. //
  246. // Category: SE_CATEGID_LOGON
  247. //
  248. class AuditEvent_LogonTypeRestr : AuditEvent_UserLogon
  249. {
  250. uint32 AuditId = 0x0216;
  251. };
  252. // Logon Failure:%n
  253. // %tReason:%tThe user has not been granted the requested%n
  254. // %t%tlogon type at this machine%n
  255. //
  256. //
  257. // SE_AUDITID_PASSWORD_EXPIRED
  258. //
  259. // Category: SE_CATEGID_LOGON
  260. //
  261. class AuditEvent_PasswordExpired : AuditEvent_UserLogon
  262. {
  263. uint32 AuditId = 0x0217;
  264. };
  265. // Logon Failure:%n
  266. // %tReason:%t%tThe specified accounts password has expired%n
  267. //
  268. //
  269. // SE_AUDITID_NETLOGON_NOT_STARTED
  270. //
  271. // Category: SE_CATEGID_LOGON
  272. //
  273. class AuditEvent_NetlogonNotStarted : AuditEvent_UserLogon
  274. {
  275. uint32 AuditId = 0x0218;
  276. };
  277. // Logon Failure:%n
  278. // %tReason:%t%tThe NetLogon component is not active%n
  279. //
  280. //
  281. // SE_AUDITID_UNSUCCESSFUL_LOGON
  282. //
  283. // Category: SE_CATEGID_LOGON
  284. //
  285. class AuditEvent_UnsuccessfulLogon : AuditEvent_UserLogon
  286. {
  287. uint32 AuditId = 0x0219;
  288. };
  289. // Logon Failure:%n
  290. // %tReason:%t%tAn unexpected error occurred during logon%n
  291. //
  292. //
  293. // SE_AUDITID_LOGOFF
  294. //
  295. // Category: SE_CATEGID_LOGON
  296. //
  297. class AuditEvent_Logoff : AuditEvent_Logon
  298. {
  299. uint32 AuditId = 0x021A;
  300. string UserName;
  301. string Domain;
  302. uint64 LogonId;
  303. uint16 LogonType;
  304. };
  305. // User Logoff:%n
  306. //
  307. //
  308. // SE_AUDITID_ACCOUNT_LOCKED
  309. //
  310. // Category: SE_CATEGID_LOGON
  311. //
  312. class AuditEvent_Accountlocked : AuditEvent_UserLogon
  313. {
  314. uint32 AuditId = 0x021B;
  315. };
  316. // Logon Failure:%n
  317. // %tReason:%t%tAccount locked out%n
  318. //
  319. //
  320. // SE_AUDITID_SUCCESSFUL_LOGON
  321. //
  322. // Category: SE_CATEGID_LOGON
  323. //
  324. class AuditEvent_NetworkLogon : AuditEvent_UserLogon
  325. {
  326. uint32 AuditId = 0x021c;
  327. uint64 LogonId;
  328. };
  329. // Successful Network Logon:%n
  330. //
  331. // abstract base class to represent IPSEC logon events
  332. //
  333. class AuditEvent_IpsecLogon : AuditEvent_Logon
  334. {
  335. };
  336. //
  337. //
  338. // SE_AUDITID_IPSEC_LOGON_SUCCESS
  339. //
  340. // Category: SE_CATEGID_LOGON
  341. //
  342. class AuditEvent_IpsecLogonSuccess : AuditEvent_IpsecLogon
  343. {
  344. uint32 AuditId = 0x021d;
  345. string Mode;
  346. string PeerIdentity;
  347. string Filter;
  348. string Parameters;
  349. };
  350. //IKE security association established.%n
  351. //
  352. //
  353. // SE_AUDITID_IPSEC_LOGOFF_QM
  354. //
  355. // Category: SE_CATEGID_LOGON
  356. //
  357. class AuditEvent_IpsecLogoffQm : AuditEvent_IpsecLogon
  358. {
  359. uint32 AuditId = 0x021e;
  360. string Filter;
  361. string InboundSpi;
  362. string OutboundSpi;
  363. };
  364. // IKE security association ended.%n
  365. // Mode: Data Protection (Quick mode)
  366. //
  367. //
  368. // SE_AUDITID_IPSEC_LOGOFF_MM
  369. //
  370. // Category: SE_CATEGID_LOGON
  371. //
  372. class AuditEvent_IpsecLogoffMm : AuditEvent_IpsecLogon
  373. {
  374. uint32 AuditId = 0x021f;
  375. string Filter;
  376. };
  377. // IKE security association ended.%n
  378. // Mode: Key Exchange (Main mode)%n
  379. //
  380. //
  381. // SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
  382. //
  383. // Category: SE_CATEGID_LOGON
  384. //
  385. class AuditEvent_IpsecAuthFailCertTrust : AuditEvent_IpsecLogon
  386. {
  387. uint32 AuditId = 0x0220;
  388. string PeerIdentity;
  389. string Filter;
  390. };
  391. // IKE security association establishment failed because peer could not authenticate.
  392. // The certificate trust could not be established.%n
  393. //
  394. //
  395. // SE_AUDITID_IPSEC_AUTH_FAIL
  396. //
  397. // Category: SE_CATEGID_LOGON
  398. //
  399. class AuditEvent_IpsecAuthFail : AuditEvent_IpsecLogon
  400. {
  401. uint32 AuditId = 0x0221;
  402. string PeerIdentity;
  403. string Filter;
  404. };
  405. // IKE peer authentication failed.%n
  406. //
  407. //
  408. // SE_AUDITID_IPSEC_ATTRIB_FAIL
  409. //
  410. // Category: SE_CATEGID_LOGON
  411. //
  412. class AuditEvent_IpsecAttribFail : AuditEvent_IpsecLogon
  413. {
  414. uint32 AuditId = 0x0222;
  415. string Mode;
  416. string Filter;
  417. string Attribute;
  418. string ExpectedValue;
  419. string ReceivedValue;
  420. };
  421. // IKE security association establishment failed because peer
  422. // sent invalid proposal.%n
  423. //
  424. //
  425. // SE_AUDITID_IPSEC_NEGOTIATION_FAIL
  426. //
  427. // Category: SE_CATEGID_LOGON
  428. //
  429. class AuditEvent_IpsecNegotiationFail : AuditEvent_IpsecLogon
  430. {
  431. uint32 AuditId = 0x0223;
  432. string Mode;
  433. string Filter;
  434. string FailurePoint;
  435. string FailureReason;
  436. };
  437. // IKE security association negotiation failed.%n
  438. /////////////////////////////////////////////////////////////////////////////
  439. // //
  440. // //
  441. // Messages for Category: SE_CATEGID_OBJECT_ACCESS //
  442. // //
  443. // //
  444. /////////////////////////////////////////////////////////////////////////////
  445. //
  446. // abstract class that represents SE_CATEGID_OBJECT_ACCESS
  447. //
  448. [abstractevent]
  449. class AuditEvent_ObjectAccess : AuditEvent
  450. {
  451. string ObjectServer;
  452. uint32 ProcessId;
  453. };
  454. class AuditEvent_AuthzAccess : AuditEvent
  455. {
  456. string ObjectServer;
  457. uint32 ProcessId;
  458. string OperationType;
  459. string Objecttype;
  460. string ObjectName;
  461. // uint64 HandleId;
  462. // uint64 OperationId;
  463. uint8 PrimaryUserSid[];
  464. string PrimaryUserName;
  465. string PrimaryDomain;
  466. uint64 PrimaryLogonId;
  467. uint8 ClientUserSid[];
  468. string ClientUserName;
  469. string ClientDomain;
  470. uint64 ClientLogonId;
  471. uint32 AccessMask;
  472. string AdditionalInfo;
  473. };
  474. //
  475. //
  476. // SE_AUDITID_OPEN_HANDLE
  477. //
  478. // Category: SE_CATEGID_OBJECT_ACCESS
  479. //
  480. class AuditEvent_OpenHandle : AuditEvent_ObjectAccess
  481. {
  482. uint32 AuditId = 0x0230;
  483. string ObjectType;
  484. string ObjectName;
  485. uint64 NewHandleId;
  486. uint64 OperationId;
  487. string PrimaryUserName;
  488. string PrimaryDomain;
  489. uint64 PrimaryLogonId;
  490. string ClientUserName;
  491. string ClientDomain;
  492. uint64 ClientLogonId;
  493. string Privileges[];
  494. };
  495. // Object Open:%n
  496. //
  497. //
  498. // SE_AUDITID_CREATE_HANDLE
  499. //
  500. // Category: SE_CATEGID_OBJECT_ACCESS
  501. //
  502. class AuditEvent_CreateHandle : AuditEvent_ObjectAccess
  503. {
  504. uint32 AuditId = 0x0231;
  505. uint64 HandleId;
  506. uint64 OperationId;
  507. };
  508. //Handle Allocated:%n
  509. //
  510. //
  511. // SE_AUDITID_CLOSE_HANDLE
  512. //
  513. // Category: SE_CATEGID_OBJECT_ACCESS
  514. //
  515. class AuditEvent_CloseHandle : AuditEvent_ObjectAccess
  516. {
  517. uint32 AuditId = 0x0232;
  518. uint64 HandleId;
  519. };
  520. //Handle Closed:%n
  521. //
  522. //
  523. // SE_AUDITID_OPEN_OBJECT_FOR_DELETE
  524. //
  525. // Category: SE_CATEGID_OBJECT_ACCESS
  526. //
  527. class AuditEvent_OpenObjectForDelete : AuditEvent_ObjectAccess
  528. {
  529. uint32 AuditId = 0x0233;
  530. string ObjectType;
  531. string ObjectName;
  532. uint64 NewHandleId;
  533. uint64 OperationId;
  534. string PrimaryUserName;
  535. string PrimaryDomain;
  536. uint64 PrimaryLogonId;
  537. string ClientUserName;
  538. string ClientDomain;
  539. uint64 ClientLogonId;
  540. string Privileges[];
  541. };
  542. //Object Open for Delete:%n
  543. //
  544. //
  545. // SE_AUDITID_DELETE_OBJECT
  546. //
  547. // Category: SE_CATEGID_OBJECT_ACCESS
  548. //
  549. class AuditEvent_DeleteObject : AuditEvent_ObjectAccess
  550. {
  551. uint32 AuditId = 0x0234;
  552. uint64 HandleId;
  553. };
  554. //Object Deleted:%n
  555. //
  556. //
  557. // SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE
  558. //
  559. // Category: SE_CATEGID_OBJECT_ACCESS
  560. //
  561. class AuditEvent_OpenHandleObjectType : AuditEvent_ObjectAccess
  562. {
  563. uint32 AuditId = 0x0235;
  564. string ObjectType;
  565. string ObjectName;
  566. uint64 NewHandleId;
  567. uint64 OperationId;
  568. string PrimaryUserName;
  569. string PrimaryDomain;
  570. uint64 PrimaryLogonId;
  571. string ClientUserName;
  572. string ClientDomain;
  573. uint64 ClientLogonId;
  574. string Properties;
  575. string Privileges[];
  576. };
  577. //Object Open:%n
  578. // SE_AUDITID_OBJECT_OPERATION
  579. //
  580. // Category: SE_CATEGID_OBJECT_ACCESS
  581. //
  582. class AuditEvent_ObjectOperation : AuditEvent_ObjectAccess
  583. {
  584. uint32 AuditId = 0x0236;
  585. string OperationType;
  586. string Objecttype;
  587. string ObjectName;
  588. uint64 HandleId;
  589. uint64 OperationId;
  590. string PrimaryUserName;
  591. string PrimaryDomain;
  592. uint64 PrimaryLogonId;
  593. string ClientUserName;
  594. string ClientDomain;
  595. uint64 ClientLogonId;
  596. uint32 RequestedAccesses;
  597. };
  598. //Object Operation:%n
  599. /////////////////////////////////////////////////////////////////////////////
  600. // //
  601. // //
  602. // Messages for Category: SE_CATEGID_PRIVILEGE_USE //
  603. // //
  604. // //
  605. /////////////////////////////////////////////////////////////////////////////
  606. //
  607. // represents SE_CATEGID_PRIVILEGE_USE
  608. //
  609. [abstractevent]
  610. class AuditEvent_PrivilegeUse : AuditEvent
  611. {
  612. string Privileges[];
  613. };
  614. //
  615. //
  616. // SE_AUDITID_ASSIGN_SPECIAL_PRIV
  617. //
  618. // Category: SE_CATEGID_PRIVILEGE_USE
  619. //
  620. class AuditEvent_AssignSpecialPriv : AuditEvent_PrivilegeUse
  621. {
  622. uint32 AuditId = 0x0240;
  623. string UserName;
  624. string Domain;
  625. uint64 LogonId;
  626. };
  627. //Special privileges assigned to new logon:%n
  628. //
  629. //
  630. // SE_AUDITID_PRIVILEGED_SERVICE
  631. //
  632. // Category: SE_CATEGID_PRIVILEGE_USE
  633. //
  634. class AuditEvent_PrivilegedService : AuditEvent_PrivilegeUse
  635. {
  636. uint32 AuditId = 0x0241;
  637. string Server;
  638. string Service;
  639. string PrimaryUserName;
  640. string PrimaryDomain;
  641. uint64 PrimaryLogonId;
  642. string ClientUserName;
  643. string ClientDomain;
  644. uint64 ClientLogonId;
  645. };
  646. //Privileged Service Called:%n
  647. //.
  648. //
  649. //
  650. // SE_AUDITID_PRIVILEGED_OBJECT
  651. //
  652. // Category: SE_CATEGID_PRIVILEGE_USE
  653. //
  654. class AuditEvent_PrivilegedObject : AuditEvent_PrivilegeUse
  655. {
  656. uint32 AuditId = 0x0242;
  657. string ObjectHandle;
  658. string PrimaryUserName;
  659. string PrimaryDomain;
  660. uint64 PrimaryLogonId;
  661. string ClientUserName;
  662. string ClientDomain;
  663. uint64 ClientLogonId;
  664. };
  665. //Privileged object operation:%n
  666. //.
  667. /////////////////////////////////////////////////////////////////////////////
  668. // //
  669. // //
  670. // Messages for Category: SE_CATEGID_DETAILED_TRACKING //
  671. // //
  672. // Event IDs: //
  673. // SE_AUDITID_PROCESS_CREATED //
  674. // SE_AUDITID_PROCESS_EXIT //
  675. // SE_AUDITID_DUPLICATE_HANDLE //
  676. // SE_AUDITID_INDIRECT_REFERENCE //
  677. // //
  678. /////////////////////////////////////////////////////////////////////////////
  679. //
  680. // abstract class that represents SE_CATEGID_DETAILED_TRACKING
  681. //
  682. [abstractevent]
  683. class AuditEvent_DetailedTracking : AuditEvent
  684. {
  685. };
  686. //
  687. //
  688. // SE_AUDITID_PROCESS_CREATED
  689. //
  690. // Category: SE_CATEGID_DETAILED_TRACKING
  691. //
  692. class AuditEvent_ProcessCreated : AuditEvent_DetailedTracking
  693. {
  694. uint32 AuditId = 0x0250;
  695. uint32 ProcessId;
  696. string ImageFileName;
  697. uint32 CreatorProcessId;
  698. string UserName;
  699. string Domain;
  700. uint64 LogonId;
  701. };
  702. //A new process has been created:%n
  703. //.
  704. //
  705. //
  706. // SE_AUDITID_PROCESS_EXIT
  707. //
  708. // Category: SE_CATEGID_DETAILED_TRACKING
  709. //
  710. class AuditEvent_ProcessExit : AuditEvent_DetailedTracking
  711. {
  712. uint32 AuditId = 0x0251;
  713. uint32 ProcessId;
  714. string UserName;
  715. string Domain;
  716. uint64 LogonId;
  717. };
  718. //A process has exited:%n
  719. //.
  720. //
  721. //
  722. // SE_AUDITID_DUPLICATE_HANDLE
  723. //
  724. // Category: SE_CATEGID_DETAILED_TRACKING
  725. //
  726. class AuditEvent_DuplicateHandle : AuditEvent_DetailedTracking
  727. {
  728. uint32 AuditId = 0x0252;
  729. uint64 SourceHandleId;
  730. uint32 SourceProcessId;
  731. uint64 TargetHandleId;
  732. uint32 TargetProcessId;
  733. };
  734. //A handle to an object has been duplicated:%n
  735. //.
  736. //
  737. //
  738. // SE_AUDITID_INDIRECT_REFERENCE
  739. //
  740. // Category: SE_CATEGID_DETAILED_TRACKING
  741. //
  742. class AuditEvent_IndirectReference : AuditEvent_DetailedTracking
  743. {
  744. uint32 AuditId = 0x0253;
  745. string ObjectType;
  746. string ObjectName;
  747. uint32 ProcessId;
  748. string PrimaryUserName;
  749. string PrimaryDomain;
  750. uint64 PrimaryLogonId;
  751. string ClientUserName;
  752. string ClientDomain;
  753. uint64 ClientLogonId;
  754. uint32 GrantedAccess;
  755. };
  756. //Indirect access to an object has been obtained:%n
  757. //.
  758. /////////////////////////////////////////////////////////////////////////////
  759. // //
  760. // //
  761. // Messages for Category: SE_CATEGID_POLICY_CHANGE //
  762. // //
  763. // Event IDs: //
  764. // SE_AUDITID_USER_RIGHT_ASSIGNED //
  765. // SE_AUDITID_USER_RIGHT_REMOVED //
  766. // SE_AUDITID_TRUSTED_DOMAIN_ADD //
  767. // SE_AUDITID_TRUSTED_DOMAIN_REM //
  768. // SE_AUDITID_POLICY_CHANGE //
  769. // SE_AUDITID_IPSEC_POLICY_START //
  770. // SE_AUDITID_IPSEC_POLICY_DISABLED //
  771. // SE_AUDITID_IPSEC_POLICY_CHANGED //
  772. // SE_AUDITID_IPSEC_POLICY_FAILURE //
  773. // //
  774. /////////////////////////////////////////////////////////////////////////////
  775. //
  776. // abstract class that represents SE_CATEGID_POLICY_CHANGE
  777. //
  778. [abstractevent]
  779. class AuditEvent_PolicyChange : AuditEvent
  780. {
  781. };
  782. //
  783. // abstract class that represents user-rights operations
  784. //
  785. [abstractevent]
  786. class AuditEvent_UserRightsOperation : AuditEvent_PolicyChange
  787. {
  788. string UserRight;
  789. uint8 TargetUser[];
  790. // caller
  791. string UserName;
  792. string Domain;
  793. uint64 LogonId;
  794. };
  795. //
  796. //
  797. // SE_AUDITID_USER_RIGHT_ASSIGNED
  798. //
  799. // Category: SE_CATEGID_POLICY_CHANGE
  800. //
  801. class AuditEvent_UserRightAssigned : AuditEvent_UserRightsOperation
  802. {
  803. uint32 AuditId = 0x0260;
  804. };
  805. //User Right Assigned:%n
  806. //.
  807. //
  808. //
  809. // SE_AUDITID_USER_RIGHT_REMOVED
  810. //
  811. // Category: SE_CATEGID_POLICY_CHANGE
  812. //
  813. class AuditEvent_UserRightRemoved : AuditEvent_UserRightsOperation
  814. {
  815. uint32 AuditId = 0x0261;
  816. };
  817. //User Right Removed:%n
  818. //.
  819. //
  820. // abstract class that represents TDO operations
  821. //
  822. [abstractevent]
  823. class AuditEvent_TrustedDomainOperation : AuditEvent_PolicyChange
  824. {
  825. string DomainName;
  826. string DomainId;
  827. string UserName;
  828. string Domain;
  829. uint64 LogonId;
  830. };
  831. //
  832. //
  833. // SE_AUDITID_TRUSTED_DOMAIN_ADD
  834. //
  835. // Category: SE_CATEGID_POLICY_CHANGE
  836. //
  837. class AuditEvent_TrustedDomainAdd : AuditEvent_TrustedDomainOperation
  838. {
  839. uint32 AuditId = 0x0262;
  840. };
  841. //New Trusted Domain:%n
  842. //.
  843. //
  844. //
  845. // SE_AUDITID_TRUSTED_DOMAIN_REM
  846. //
  847. // Category: SE_CATEGID_POLICY_CHANGE
  848. //
  849. class AuditEvent_TrustedDomainRem : AuditEvent_TrustedDomainOperation
  850. {
  851. uint32 AuditId = 0x0263;
  852. };
  853. //Removing Trusted Domain:%n
  854. //.
  855. //
  856. //
  857. // SE_AUDITID_TRUSTED_DOMAIN_MOD
  858. //
  859. // Category: SE_CATEGID_POLICY_CHANGE
  860. //
  861. class AuditEvent_TrustedDomainMod : AuditEvent_TrustedDomainOperation
  862. {
  863. uint32 AuditId = 0x026C;
  864. };
  865. //Trusted Domain Information Modified:%n
  866. //.
  867. //
  868. //
  869. // SE_AUDITID_POLICY_CHANGE
  870. //
  871. // Category: SE_CATEGID_POLICY_CHANGE
  872. //
  873. class AuditEvent_PolicyChange : AuditEvent_PolicyChange
  874. {
  875. uint32 AuditId = 0x0264;
  876. // ... new policy here...
  877. string UserName;
  878. string DomainName;
  879. uint64 LogonId;
  880. };
  881. //Audit Policy Change:%n
  882. //New Policy:%n
  883. //...
  884. //Changed By:%n
  885. //.
  886. //
  887. // abstract class that represents Ipsec policy operations
  888. //
  889. [abstractevent]
  890. class AuditEvent_IpsecPolicy : AuditEvent_PolicyChange
  891. {
  892. };
  893. //
  894. //
  895. // SE_AUDITID_IPSEC_POLICY_START
  896. //
  897. // Category: SE_CATEGID_POLICY_CHANGE
  898. //
  899. class AuditEvent_IpsecPolicyStart : AuditEvent_IpsecPolicy
  900. {
  901. uint32 AuditId = 0x0265;
  902. };
  903. //IPSec policy agent started: %t%1%n
  904. //Policy Source: %t%2%n
  905. //.
  906. //
  907. //
  908. // SE_AUDITID_IPSEC_POLICY_DISABLED
  909. //
  910. // Category: SE_CATEGID_POLICY_CHANGE
  911. //
  912. class AuditEvent_IpsecPolicyDisabled : AuditEvent_IpsecPolicy
  913. {
  914. uint32 AuditId = 0x0266;
  915. };
  916. //IPSec policy agent disabled: %t%1%n
  917. //.
  918. //
  919. //
  920. // SE_AUDITID_IPSEC_POLICY_CHANGED
  921. //
  922. // Category: SE_CATEGID_POLICY_CHANGE
  923. //
  924. class AuditEvent_IpsecPolicyChanged : AuditEvent_IpsecPolicy
  925. {
  926. uint32 AuditId = 0x0267;
  927. };
  928. //IPSEC PolicyAgent Service: %t%1%n
  929. //.
  930. //
  931. //
  932. // SE_AUDITID_IPSEC_POLICY_FAILURE
  933. //
  934. // Category: SE_CATEGID_POLICY_CHANGE
  935. //
  936. class AuditEvent_IpsecPolicyFailure : AuditEvent_IpsecPolicy
  937. {
  938. uint32 AuditId = 0x0268;
  939. };
  940. //IPSec policy agent encountered a potentially serious failure.%n
  941. //.
  942. //
  943. // abstract class that represents kerberos policy operations
  944. //
  945. [abstractevent]
  946. class AuditEvent_KerberosPolicy : AuditEvent_PolicyChange
  947. {
  948. };
  949. //
  950. //
  951. // SE_AUDITID_KERBEROS_POLICY_CHANGE
  952. //
  953. // Category: SE_CATEGID_POLICY_CHANGE
  954. //
  955. class AuditEvent_KerberosPolicyChange : AuditEvent_KerberosPolicy
  956. {
  957. uint32 AuditId = 0x0269;
  958. // changed by
  959. string UserName;
  960. string DomainName;
  961. uint64 LogonId;
  962. // changes made
  963. };
  964. //Kerberos Policy Changed:%n
  965. //Changed By:%n
  966. //Changes made:%n
  967. //.
  968. //
  969. // abstract class that represents EFS policy operations
  970. //
  971. [abstractevent]
  972. class AuditEvent_EfsPolicy : AuditEvent_PolicyChange
  973. {
  974. };
  975. //
  976. //
  977. // SE_AUDITID_EFS_POLICY_CHANGE
  978. //
  979. // Category: SE_CATEGID_POLICY_CHANGE
  980. //
  981. class AuditEvent_EfsPolicyChange : AuditEvent_EfsPolicy
  982. {
  983. uint32 AuditId = 0x026a;
  984. // changed by
  985. string UserName;
  986. string DomainName;
  987. uint64 LogonId;
  988. // changes made
  989. };
  990. //Encrypted Data Recovery Policy Changed:%n
  991. //Changed By:%n
  992. //Changes made:%n
  993. //.
  994. //
  995. // abstract class that represents QoS policy operations
  996. //
  997. [abstractevent]
  998. class AuditEvent_QosPolicy : AuditEvent_PolicyChange
  999. {
  1000. };
  1001. //
  1002. //
  1003. // SE_AUDITID_QOS_POLICY_CHANGE
  1004. //
  1005. // Category: SE_CATEGID_POLICY_CHANGE
  1006. //
  1007. class AuditEvent_QosPolicyChange : AuditEvent_QosPolicy
  1008. {
  1009. uint32 AuditId = 0x026b;
  1010. // changed by
  1011. string UserName;
  1012. string DomainName;
  1013. uint64 LogonId;
  1014. // changes made
  1015. };
  1016. //Quality of Service Policy Changed:%n
  1017. //Changes made:%n
  1018. //Changed By:%n
  1019. //.
  1020. /////////////////////////////////////////////////////////////////////////////
  1021. // //
  1022. // //
  1023. // Messages for Category: SE_CATEGID_ACCOUNT_MANAGEMENT //
  1024. // //
  1025. // Event IDs: //
  1026. // SE_AUDITID_USER_CREATED //
  1027. // SE_AUDITID_USER_CHANGE //
  1028. // SE_AUDITID_ACCOUNT_TYPE_CHANGE //
  1029. // SE_AUDITID_USER_ENABLED //
  1030. // SE_AUDITID_USER_PWD_CHANGED //
  1031. // SE_AUDITID_USER_PWD_SET //
  1032. // SE_AUDITID_USER_DISABLED //
  1033. // SE_AUDITID_USER_DELETED //
  1034. // //
  1035. // SE_AUDITID_COMPUTER_CREATED //
  1036. // SE_AUDITID_COMPUTER_CHANGE //
  1037. // SE_AUDITID_COMPUTER_DELETED //
  1038. // //
  1039. // SE_AUDITID_GLOBAL_GROUP_CREATED //
  1040. // SE_AUDITID_GLOBAL_GROUP_ADD //
  1041. // SE_AUDITID_GLOBAL_GROUP_REM //
  1042. // SE_AUDITID_GLOBAL_GROUP_DELETED //
  1043. // SE_AUDITID_LOCAL_GROUP_CREATED //
  1044. // SE_AUDITID_LOCAL_GROUP_ADD //
  1045. // SE_AUDITID_LOCAL_GROUP_REM //
  1046. // SE_AUDITID_LOCAL_GROUP_DELETED //
  1047. // //
  1048. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED //
  1049. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE //
  1050. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD //
  1051. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM //
  1052. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED //
  1053. // //
  1054. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED //
  1055. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE //
  1056. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD //
  1057. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM //
  1058. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED //
  1059. // //
  1060. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED //
  1061. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE //
  1062. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD //
  1063. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM //
  1064. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED //
  1065. // //
  1066. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED //
  1067. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE //
  1068. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD //
  1069. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM //
  1070. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED //
  1071. // //
  1072. // SE_AUDITID_GROUP_TYPE_CHANGE //
  1073. // //
  1074. // SE_AUDITID_ADD_SID_HISTORY_SUCCESS //
  1075. // SE_AUDITID_ADD_SID_HISTORY_FAILURE //
  1076. // //
  1077. // SE_AUDITID_OTHER_ACCT_CHANGE //
  1078. // SE_AUDITID_DOMAIN_POLICY_CHANGE //
  1079. // SE_AUDITID_ACCOUNT_AUTO_LOCKED //
  1080. // //
  1081. // //
  1082. /////////////////////////////////////////////////////////////////////////////
  1083. //
  1084. // abstract class that represents SE_CATEGID_ACCOUNT_MANAGEMENT
  1085. //
  1086. [abstractevent]
  1087. class AuditEvent_AccountManagement : AuditEvent
  1088. {
  1089. };
  1090. //
  1091. // abstract class that groups common fields for account change opns
  1092. //
  1093. [abstractevent]
  1094. class AuditEvent_AccountChange : AuditEvent_AccountManagement
  1095. {
  1096. string TargetAccountName;
  1097. string TargetDomain;
  1098. uint32 TargetAccountId;
  1099. string CallerUserName;
  1100. string CallerDomain;
  1101. uint64 CallerLogonId;
  1102. };
  1103. //
  1104. //
  1105. // SE_AUDITID_USER_CREATED
  1106. //
  1107. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1108. //
  1109. class AuditEvent_UserCreated : AuditEvent_AccountChange
  1110. {
  1111. uint32 AuditId = 0x0270;
  1112. string Privileges[];
  1113. };
  1114. //User Account Created:%n
  1115. //.
  1116. //
  1117. //
  1118. // SE_AUDITID_ACCOUNT_TYPE_CHANGE
  1119. //
  1120. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1121. //
  1122. class AuditEvent_AccountTypeChange : AuditEvent_AccountChange
  1123. {
  1124. uint32 AuditId = 0x0271;
  1125. string NewType;
  1126. };
  1127. //User Account Type Change:%n
  1128. //.
  1129. //
  1130. //
  1131. // SE_AUDITID_USER_ENABLED
  1132. //
  1133. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1134. //
  1135. class AuditEvent_UserEnabled : AuditEvent_AccountChange
  1136. {
  1137. uint32 AuditId = 0x0272;
  1138. };
  1139. //User Account Enabled:%n
  1140. //.
  1141. //
  1142. //
  1143. // SE_AUDITID_USER_PWD_CHANGED
  1144. //
  1145. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1146. //
  1147. class AuditEvent_UserPwdChanged : AuditEvent_AccountChange
  1148. {
  1149. uint32 AuditId = 0x0273;
  1150. string Privileges[];
  1151. };
  1152. //Change Password Attempt:%n
  1153. //.
  1154. //
  1155. //
  1156. // SE_AUDITID_USER_PWD_SET
  1157. //
  1158. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1159. //
  1160. class AuditEvent_UserPwdSet : AuditEvent_AccountChange
  1161. {
  1162. uint32 AuditId = 0x0274;
  1163. };
  1164. //User Account password set:%n
  1165. //.
  1166. //
  1167. //
  1168. // SE_AUDITID_USER_DISABLED
  1169. //
  1170. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1171. //
  1172. class AuditEvent_UserDisabled : AuditEvent_AccountChange
  1173. {
  1174. uint32 AuditId = 0x0275;
  1175. };
  1176. //User Account Disabled:%n
  1177. //.
  1178. //
  1179. //
  1180. // SE_AUDITID_USER_DELETED
  1181. //
  1182. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1183. //
  1184. class AuditEvent_UserDeleted : AuditEvent_AccountChange
  1185. {
  1186. uint32 AuditId = 0x0276;
  1187. string Privileges[];
  1188. };
  1189. //User Account Deleted:%n
  1190. //.
  1191. //
  1192. //
  1193. // SE_AUDITID_USER_CHANGE
  1194. //
  1195. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1196. //
  1197. class AuditEvent_UserChange : AuditEvent_AccountChange
  1198. {
  1199. uint32 AuditId = 0x0282;
  1200. string TypeOfChange;
  1201. string Privileges[];
  1202. };
  1203. //User Account Changed:%n
  1204. //.
  1205. // ======================================================================
  1206. //
  1207. // abstract class that groups common fields for group change opns
  1208. //
  1209. [abstractevent]
  1210. class AuditEvent_GroupChange : AuditEvent_AccountManagement
  1211. {
  1212. string TargetAccountName;
  1213. string TargetDomain;
  1214. uint32 TargetAccountId;
  1215. string CallerUserName;
  1216. string CallerDomain;
  1217. uint64 CallerLogonId;
  1218. string Privileges[];
  1219. };
  1220. //
  1221. // abstract class that groups common fields for group membership opns
  1222. //
  1223. [abstractevent]
  1224. class AuditEvent_GroupMembershipChange : AuditEvent_GroupChange
  1225. {
  1226. string MemberName;
  1227. uint32 MemberId;
  1228. };
  1229. //
  1230. //
  1231. // SE_AUDITID_GLOBAL_GROUP_CREATED
  1232. //
  1233. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1234. //
  1235. class AuditEvent_GlobalGroupCreated : AuditEvent_GroupChange
  1236. {
  1237. uint32 AuditId = 0x0277;
  1238. };
  1239. //Security Enabled Global Group Created:%n
  1240. //.
  1241. //
  1242. //
  1243. // SE_AUDITID_GLOBAL_GROUP_DELETED
  1244. //
  1245. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1246. //
  1247. class AuditEvent_GlobalGroupDeleted : AuditEvent_GroupChange
  1248. {
  1249. uint32 AuditId = 0x027A;
  1250. };
  1251. //Security Enabled Global Group Deleted:%n
  1252. //.
  1253. //
  1254. //
  1255. // SE_AUDITID_GLOBAL_GROUP_CHANGE
  1256. //
  1257. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1258. //
  1259. class AuditEvent_GlobalGroupChange : AuditEvent_GroupChange
  1260. {
  1261. uint32 AuditId = 0x0281;
  1262. };
  1263. //Security Enabled Global Group Changed:%n
  1264. //.
  1265. //
  1266. //
  1267. // SE_AUDITID_GLOBAL_GROUP_ADD
  1268. //
  1269. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1270. //
  1271. class AuditEvent_GlobalGroupAdd : AuditEvent_GroupMembershipChange
  1272. {
  1273. uint32 AuditId = 0x0278;
  1274. };
  1275. //Security Enabled Global Group Member Added:%n
  1276. //.
  1277. //
  1278. //
  1279. // SE_AUDITID_GLOBAL_GROUP_REM
  1280. //
  1281. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1282. //
  1283. class AuditEvent_GlobalGroupRem : AuditEvent_GroupMembershipChange
  1284. {
  1285. uint32 AuditId = 0x0279;
  1286. };
  1287. //Security Enabled Global Group Member Removed:%n
  1288. //.
  1289. //
  1290. //
  1291. // SE_AUDITID_LOCAL_GROUP_CREATED
  1292. //
  1293. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1294. //
  1295. class AuditEvent_LocalGroupCreated : AuditEvent_GroupChange
  1296. {
  1297. uint32 AuditId = 0x027B;
  1298. };
  1299. //Security Enabled Local Group Created:%n
  1300. //.
  1301. //
  1302. //
  1303. // SE_AUDITID_LOCAL_GROUP_DELETED
  1304. //
  1305. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1306. //
  1307. class AuditEvent_LocalGroupDeleted : AuditEvent_GroupChange
  1308. {
  1309. uint32 AuditId = 0x027E;
  1310. };
  1311. //Security Enabled Local Group Deleted:%n
  1312. //.
  1313. //
  1314. //
  1315. // SE_AUDITID_LOCAL_GROUP_CHANGE
  1316. //
  1317. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1318. //
  1319. class AuditEvent_LocalGroupChange : AuditEvent_GroupChange
  1320. {
  1321. uint32 AuditId = 0x027F;
  1322. };
  1323. //Security Enabled Local Group Changed:%n
  1324. //.
  1325. //
  1326. //
  1327. // SE_AUDITID_LOCAL_GROUP_ADD
  1328. //
  1329. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1330. //
  1331. class AuditEvent_LocalGroupAdd : AuditEvent_GroupMembershipChange
  1332. {
  1333. uint32 AuditId = 0x027C;
  1334. };
  1335. //Security Enabled Local Group Member Added:%n
  1336. //.
  1337. //
  1338. //
  1339. // SE_AUDITID_LOCAL_GROUP_REM
  1340. //
  1341. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1342. //
  1343. class AuditEvent_LocalGroupRem : AuditEvent_GroupMembershipChange
  1344. {
  1345. uint32 AuditId = 0x027D;
  1346. };
  1347. //Security Enabled Local Group Member Removed:%n
  1348. //.
  1349. //
  1350. //
  1351. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED
  1352. //
  1353. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1354. //
  1355. class AuditEvent_SecurityDisabledLocalGroupCreated : AuditEvent_GroupChange
  1356. {
  1357. uint32 AuditId = 0x0288;
  1358. };
  1359. //Security Disabled Local Group Created:%n
  1360. //.
  1361. //
  1362. //
  1363. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE
  1364. //
  1365. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1366. //
  1367. class AuditEvent_SecurityDisabledLocalGroupChange : AuditEvent_GroupChange
  1368. {
  1369. uint32 AuditId = 0x0289;
  1370. };
  1371. //Security Disabled Local Group Changed:%n
  1372. //.
  1373. //
  1374. //
  1375. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD
  1376. //
  1377. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1378. //
  1379. class AuditEvent_SecurityDisabledLocalGroupAdd : AuditEvent_GroupMembershipChange
  1380. {
  1381. uint32 AuditId = 0x028A;
  1382. };
  1383. //Security Disabled Local Group Member Added:%n
  1384. //.
  1385. //
  1386. //
  1387. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM
  1388. //
  1389. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1390. //
  1391. class AuditEvent_SecurityDisabledLocalGroupRem : AuditEvent_GroupMembershipChange
  1392. {
  1393. uint32 AuditId = 0x028B;
  1394. };
  1395. //Security Disabled Local Group Member Removed:%n
  1396. //.
  1397. //
  1398. //
  1399. // SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED
  1400. //
  1401. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1402. //
  1403. class AuditEvent_SecurityDisabledLocalGroupDeleted : AuditEvent_GroupChange
  1404. {
  1405. uint32 AuditId = 0x028C;
  1406. };
  1407. //Security Disabled Local Group Deleted:%n
  1408. //.
  1409. //
  1410. //
  1411. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED
  1412. //
  1413. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1414. //
  1415. class AuditEvent_SecurityDisabledGlobalGroupCreated : AuditEvent_GroupChange
  1416. {
  1417. uint32 AuditId = 0x028D;
  1418. };
  1419. //Security Disabled Global Group Created:%n
  1420. //.
  1421. //
  1422. //
  1423. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE
  1424. //
  1425. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1426. //
  1427. class AuditEvent_SecurityDisabledGlobalGroupChange : AuditEvent_GroupChange
  1428. {
  1429. uint32 AuditId = 0x028E;
  1430. };
  1431. //Security Disabled Global Group Changed:%n
  1432. //.
  1433. //
  1434. //
  1435. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD
  1436. //
  1437. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1438. //
  1439. class AuditEvent_SecurityDisabledGlobalGroupAdd : AuditEvent_GroupMembershipChange
  1440. {
  1441. uint32 AuditId = 0x028F;
  1442. };
  1443. //Security Disabled Global Group Member Added:%n
  1444. //.
  1445. //
  1446. //
  1447. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM
  1448. //
  1449. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1450. //
  1451. class AuditEvent_SecurityDisabledGlobalGroupRem : AuditEvent_GroupMembershipChange
  1452. {
  1453. uint32 AuditId = 0x0290;
  1454. };
  1455. //Security Disabled Global Group Member Removed:%n
  1456. //.
  1457. //
  1458. //
  1459. // SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED
  1460. //
  1461. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1462. //
  1463. class AuditEvent_SecurityDisabledGlobalGroupDeleted : AuditEvent_GroupChange
  1464. {
  1465. uint32 AuditId = 0x0291;
  1466. };
  1467. //Security Disabled Global Group Deleted:%n
  1468. //.
  1469. //
  1470. //
  1471. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED
  1472. //
  1473. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1474. //
  1475. class AuditEvent_SecurityEnabledUniversalGroupCreated : AuditEvent_GroupChange
  1476. {
  1477. uint32 AuditId = 0x0292;
  1478. };
  1479. //Security Enabled Universal Group Created:%n
  1480. //.
  1481. //
  1482. //
  1483. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE
  1484. //
  1485. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1486. //
  1487. class AuditEvent_SecurityEnabledUniversalGroupChange : AuditEvent_GroupChange
  1488. {
  1489. uint32 AuditId = 0x0293;
  1490. };
  1491. //Security Enabled Universal Group Changed:%n
  1492. //.
  1493. //
  1494. //
  1495. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD
  1496. //
  1497. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1498. //
  1499. class AuditEvent_SecurityEnabledUniversalGroupAdd : AuditEvent_GroupMembershipChange
  1500. {
  1501. uint32 AuditId = 0x0294;
  1502. };
  1503. //Security Enabled Universal Group Member Added:%n
  1504. //.
  1505. //
  1506. //
  1507. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM
  1508. //
  1509. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1510. //
  1511. class AuditEvent_SecurityEnabledUniversalGroupRem : AuditEvent_GroupMembershipChange
  1512. {
  1513. uint32 AuditId = 0x0295;
  1514. };
  1515. //Security Enabled Universal Group Member Removed:%n
  1516. //.
  1517. //
  1518. //
  1519. // SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED
  1520. //
  1521. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1522. //
  1523. class AuditEvent_SecurityEnabledUniversalGroupDeleted : AuditEvent_GroupChange
  1524. {
  1525. uint32 AuditId = 0x0296;
  1526. };
  1527. //Security Enabled Universal Group Deleted:%n
  1528. //.
  1529. //
  1530. //
  1531. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED
  1532. //
  1533. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1534. //
  1535. class AuditEvent_SecurityDisabledUniversalGroupCreated : AuditEvent_GroupChange
  1536. {
  1537. uint32 AuditId = 0x0297;
  1538. };
  1539. //Security Disabled Universal Group Created:%n
  1540. //.
  1541. //
  1542. //
  1543. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE
  1544. //
  1545. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1546. //
  1547. class AuditEvent_SecurityDisabledUniversalGroupChange : AuditEvent_GroupChange
  1548. {
  1549. uint32 AuditId = 0x0298;
  1550. };
  1551. //Security Disabled Universal Group Changed:%n
  1552. //.
  1553. //
  1554. //
  1555. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD
  1556. //
  1557. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1558. //
  1559. class AuditEvent_SecurityDisabledUniversalGroupAdd : AuditEvent_GroupMembershipChange
  1560. {
  1561. uint32 AuditId = 0x0299;
  1562. };
  1563. //Security Disabled Universal Group Member Added:%n
  1564. //.
  1565. //
  1566. //
  1567. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM
  1568. //
  1569. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1570. //
  1571. class AuditEvent_SecurityDisabledUniversalGroupRem : AuditEvent_GroupMembershipChange
  1572. {
  1573. uint32 AuditId = 0x029A;
  1574. };
  1575. //Security Disabled Universal Group Member Removed:%n
  1576. //.
  1577. //
  1578. //
  1579. // SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED
  1580. //
  1581. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1582. //
  1583. class AuditEvent_SecurityDisabledUniversalGroupDeleted
  1584. {
  1585. uint32 AuditId = 0x029B;
  1586. };
  1587. //Security Disabled Universal Group Deleted:%n
  1588. //.
  1589. //
  1590. //
  1591. // SE_AUDITID_OTHER_ACCOUNT_CHANGE
  1592. //
  1593. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1594. //
  1595. // Note: not used
  1596. //
  1597. class AuditEvent_OtherAccountChange : AuditEvent_AccountManagement
  1598. {
  1599. uint32 AuditId = 0x0280;
  1600. string TypeOfChange;
  1601. string ObjectType;
  1602. string ObjectName;
  1603. string ObjectId; // type?
  1604. string CallerUserName;
  1605. string CallerDomain;
  1606. uint64 CallerLogonId;
  1607. };
  1608. //General Account Database Change:%n
  1609. //.
  1610. //
  1611. //
  1612. // SE_AUDITID_GROUP_TYPE_CHANGE
  1613. //
  1614. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1615. //
  1616. class AuditEvent_GroupTypeChange : AuditEvent_GroupChange
  1617. {
  1618. uint32 AuditId = 0x029C;
  1619. uint8 NewType;
  1620. };
  1621. //Group Type Changed:%n
  1622. //.
  1623. //
  1624. //
  1625. // SE_AUDITID_DOMAIN_POLICY_CHANGE
  1626. //
  1627. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1628. //
  1629. //$ BUGBUG kumarp 23-February-2000
  1630. // which class to derive from?
  1631. //
  1632. class AuditEvent_DomainPolicyChange
  1633. {
  1634. uint32 AuditId = 0x0283;
  1635. string TypeOfChange;
  1636. string Domain;
  1637. string DomainId;
  1638. string CallerUserName;
  1639. string CallerDomain;
  1640. string CallerLogonId;
  1641. string Privileges[];
  1642. };
  1643. //Domain Policy Changed: %1 modified%n
  1644. //.
  1645. //
  1646. //
  1647. // SE_AUDITID_ACCOUNT_AUTO_LOCKED
  1648. //
  1649. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1650. //
  1651. class AuditEvent_AccountAutoLocked : AuditEvent_AccountChange
  1652. {
  1653. uint32 AuditId = 0x0284;
  1654. string CallerMachineName;
  1655. };
  1656. //User Account Locked Out:%n
  1657. //.
  1658. //
  1659. // abstract class that groups common fields for computer account change opns
  1660. //
  1661. [abstractevent]
  1662. class AuditEvent_ComputerAccountChange : AuditEvent_AccountChange
  1663. {
  1664. };
  1665. //
  1666. //
  1667. // SE_AUDITID_COMPUTER_CREATED
  1668. //
  1669. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1670. //
  1671. class AuditEvent_ComputerCreated : AuditEvent_ComputerAccountChange
  1672. {
  1673. uint32 AuditId = 0x0285;
  1674. string Privileges[];
  1675. };
  1676. //Computer Account Created:%n
  1677. //.
  1678. //
  1679. //
  1680. // SE_AUDITID_COMPUTER_CHANGE
  1681. //
  1682. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1683. //
  1684. class AuditEvent_ComputerChange : AuditEvent_ComputerAccountChange
  1685. {
  1686. uint32 AuditId = 0x0286;
  1687. string TypeOfChange;
  1688. string Privileges[];
  1689. };
  1690. //Computer Account Changed:%n
  1691. //.
  1692. //
  1693. //
  1694. // SE_AUDITID_COMPUTER_DELETED
  1695. //
  1696. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1697. //
  1698. class AuditEvent_ComputerDeleted : AuditEvent_ComputerAccountChange
  1699. {
  1700. uint32 AuditId = 0x0287;
  1701. string Privileges[];
  1702. };
  1703. //Computer Account Deleted:%n
  1704. //.
  1705. //
  1706. //
  1707. // SE_AUDITID_ADD_SID_HISTORY_SUCCESS+SE_AUDITID_ADD_SID_HISTORY_FAILURE
  1708. //
  1709. // Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  1710. //
  1711. class AuditEvent_AddSidHistory : AuditEvent_AccountChange
  1712. {
  1713. uint32 AuditId = 0x029D;
  1714. string SourceAccountName;
  1715. string SourceAccountId;
  1716. string Privileges[];
  1717. };
  1718. //Add SID History:%n
  1719. //.
  1720. /////////////////////////////////////////////////////////////////////////////
  1721. // //
  1722. // //
  1723. // Messages for Category: SE_CATEGID_ACCOUNT_LOGON //
  1724. // //
  1725. // Event IDs: //
  1726. // SE_AUDITID_AS_TICKET_SUCCESS //
  1727. // SE_AUDITID_TGS_TICKET_SUCCESS //
  1728. // SE_AUDITID_TICKET_RENEW_SUCCESS //
  1729. // SE_AUDITID_PREAUTH_FAILURE //
  1730. // SE_AUDITID_AS_TICKET_FAILURE //
  1731. // SE_AUDITID_TGS_TICKET_FAILURE //
  1732. // SE_AUDITID_ACCOUNT_MAPPED //
  1733. // SE_AUDITID_ACCOUNT_NOT_MAPPED //
  1734. // SE_AUDITID_ACCOUNT_LOGON_SUCCESS //
  1735. // SE_AUDITID_ACCOUNT_LOGON_FAILURE //
  1736. // //
  1737. /////////////////////////////////////////////////////////////////////////////
  1738. //
  1739. // abstract class that represents SE_CATEGID_ACCOUNT_LOGON
  1740. //
  1741. [abstractevent]
  1742. class AuditEvent_AccountLogon : AuditEvent
  1743. {
  1744. };
  1745. //
  1746. // abstract class that groups common fields for kerberos logon
  1747. //
  1748. [abstractevent]
  1749. class AuditEvent_KerberosLogon : AuditEvent_AccountLogon
  1750. {
  1751. };
  1752. //
  1753. //
  1754. // SE_AUDITID_AS_TICKET_SUCCESS+SE_AUDITID_AS_TICKET_FAILURE
  1755. //
  1756. // Category: SE_CATEGID_ACCOUNT_LOGON
  1757. //
  1758. class AuditEvent_AsTicket : AuditEvent_KerberosLogon
  1759. {
  1760. uint32 AuditId = 0x02a0;
  1761. string UserName;
  1762. string SuppliedRealmName;
  1763. string UserId;
  1764. string ServiceName;
  1765. string ServiceId;
  1766. string TicketOptions;
  1767. string TicketEncryptionType;
  1768. string PreAuthenticationType;
  1769. string ClientAddress;
  1770. uint32 StatusCode = 0;
  1771. };
  1772. //Authentication Ticket Granted:%n
  1773. //.
  1774. //
  1775. //
  1776. // SE_AUDITID_TGS_TICKET_SUCCESS+SE_AUDITID_TGS_TICKET_FAILURE
  1777. //
  1778. // Category: SE_CATEGID_ACCOUNT_LOGON
  1779. //
  1780. class AuditEvent_TgsTicket : AuditEvent_KerberosLogon
  1781. {
  1782. uint32 AuditId = 0x02a1;
  1783. string UserName;
  1784. string UserDomain;
  1785. string ServiceName;
  1786. string ServiceId;
  1787. string TicketOptions;
  1788. string TicketEncryptionType;
  1789. string ClientAddress;
  1790. uint32 StatusCode = 0;
  1791. };
  1792. //Service Ticket Granted:%n
  1793. //.
  1794. //
  1795. //
  1796. // SE_AUDITID_TICKET_RENEW_SUCCESS
  1797. //
  1798. // Category: SE_CATEGID_ACCOUNT_LOGON
  1799. //
  1800. class AuditEvent_TicketRenewSuccess : AuditEvent_KerberosLogon
  1801. {
  1802. uint32 AuditId = 0x02a2;
  1803. string UserName;
  1804. string UserDomain;
  1805. string ServiceName;
  1806. string ServiceId;
  1807. string TicketOptions;
  1808. string TicketEncryptionType;
  1809. string ClientAddress;
  1810. };
  1811. //Ticket Granted Renewed:%n
  1812. //.
  1813. //
  1814. //
  1815. // SE_AUDITID_PREAUTH_FAILURE
  1816. //
  1817. // Category: SE_CATEGID_ACCOUNT_LOGON
  1818. //
  1819. class AuditEvent_PreauthFailure : AuditEvent_KerberosLogon
  1820. {
  1821. uint32 AuditId = 0x02a3;
  1822. string UserName;
  1823. string UserId;
  1824. string ServiceName;
  1825. string PreAuthenticationType;
  1826. string FailureCode;
  1827. string ClientAddress;
  1828. };
  1829. //Pre-authentication failed:%n
  1830. //.
  1831. //
  1832. //
  1833. // SE_AUDITID_ACCOUNT_MAPPED+SE_AUDITID_ACCOUNT_NOT_MAPPED
  1834. //
  1835. // Category: SE_CATEGID_ACCOUNT_LOGON
  1836. //
  1837. class AuditEvent_AccountMapping : AuditEvent_KerberosLogon
  1838. {
  1839. uint32 AuditId = 0x02a6;
  1840. string SourceName;
  1841. string ClientName;
  1842. string MappedName;
  1843. };
  1844. //Account Mapped for Logon by: %1%n
  1845. //.
  1846. //
  1847. //
  1848. // SE_AUDITID_ACCOUNT_LOGON_SUCCESS+SE_AUDITID_ACCOUNT_LOGON_FAILURE
  1849. //
  1850. // Category: SE_CATEGID_ACCOUNT_LOGON
  1851. //
  1852. class AuditEvent_AccountLogonAttempt
  1853. {
  1854. uint32 AuditId = 0x02a8;
  1855. string ClientName;
  1856. string AccountName;
  1857. string Workstation;
  1858. uint32 StatusCode = 0;
  1859. };
  1860. //Account Used for Logon by: %1%n
  1861. //.
  1862. //
  1863. // abstract class that groups common fields for session connection
  1864. //
  1865. [abstractevent]
  1866. class AuditEvent_SessionConnection : AuditEvent_AccountLogon
  1867. {
  1868. string UserName;
  1869. string Domain;
  1870. uint64 LogonId;
  1871. string SessionName;
  1872. string ClientName;
  1873. string ClientAddress;
  1874. string Winstation;
  1875. };
  1876. //
  1877. //
  1878. // SE_AUDITID_SESSION_RECONNECTED
  1879. //
  1880. // Category: SE_CATEGID_LOGON
  1881. //
  1882. class AuditEvent_SessionReconnected : AuditEvent_SessionConnection
  1883. {
  1884. uint32 AuditId = 0x02aa;
  1885. };
  1886. //Session reconnected to winstation:%n
  1887. //.
  1888. //
  1889. //
  1890. // SE_AUDITID_SESSION_DISCONNECTED
  1891. //
  1892. // Category: SE_CATEGID_LOGON
  1893. //
  1894. class AuditEvent_SessionDisconnected : AuditEvent_SessionConnection
  1895. {
  1896. uint32 AuditId = 0x02ab;
  1897. };
  1898. //Session disconnected from winstation:%n
  1899. //.