Audit Event Record Contents and Meaning

This section describes the contents and meaning of each audit event record.

Common Event Record Data

Audit event records include header information that is present in all event records. The following list describes this common information.

When an event is displayed in detail, this information is displayed at the top of that window. The following is an example of how this information is displayed:


Date:      8/12/96          Event ID:  172
Time:      10:32:11 AM      Source:    Security
User:      Administrator    Type:      Failure Audit
Computer:  ACCTG            Category:  Logon/Logoff

Audit Categories

Audit event records are divided into auditing categories. These categories are displayed by Event Viewer and allow a user to visually distinguish or automatically filter audit events of interest. These audit categories are listed in the following table, and discussed in detail in the Audit Categories Help file (Auditcat.hlp).

| Category | Description |
|---|---|
| System Event | Events in this category indicate that something affecting the security of the entire system or of the audit log has occurred. |
| Logon/Logoff | Events in this category describe a single successful or unsuccessful logon or logoff. Included in each logon description is an indication of what type of logon was requested or performed (for example, interactive, network, or service). |
| Object Access | Events in this category describe both successful and unsuccessful accesses to protected objects. |
| Privilege Use | Events in this category describe both successful and unsuccessful attempts to use privileges. The Privilege Use category also covers a special case: reporting when some special privileges are assigned. These special privileges are only audited when they are assigned, not when they are used. |
| Account Management | Events in this category describe high-level changes to the security account database, such as the creation of a user account or a change in group membership. There can also be a finer granularity of auditing performed at the object level under the Object Access category. |
| Policy Change | Events in this category describe high-level changes in security policy, such as the assignment of privileges or changes in the audit policy. There can also be a finer granularity of auditing performed at the object level under the Object Access category. |
| Detailed Tracking | Events in this category provide detailed subject tracking information, such as program activation, some forms of handle duplication and indirect object accesses, and process exit. |
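The following Python code is an added example, not part of the original documentation: it parses the common header layout shown earlier into records, sets aside blocks that are incomplete or carry a category outside the seven listed, and filters on the Category and Type fields the way the text describes. It assumes the records are available as text blocks separated by blank lines; the function names and all sample records other than the page's own are constructed for illustration.

```python
import re
from collections import Counter

# The seven audit categories from the table above.
CATEGORIES = {"System Event", "Logon/Logoff", "Object Access", "Privilege Use",
              "Account Management", "Policy Change", "Detailed Tracking"}
# Header labels as they appear in the detail-view example above.
FIELDS = ("Date", "Time", "User", "Computer", "Event ID", "Source", "Type", "Category")
_LABELS = "|".join(FIELDS)
# A value runs to the next known label on the line, so "10:32:11 AM" stays whole.
_FIELD_RE = re.compile(r"\b(%s):\s*(.*?)\s*(?=\b(?:%s):|$)" % (_LABELS, _LABELS))

def parse_records(text):
    """Return (records, rejected) from blank-line-separated header blocks."""
    records, rejected = [], []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            rec.update(_FIELD_RE.findall(line))
        complete = all(f in rec for f in FIELDS)
        # Keep malformed or unknown-category blocks for review instead of dropping them.
        (records if complete and rec["Category"] in CATEGORIES else rejected).append(rec)
    return records, rejected

def select(records, category=None, type_=None):
    """Filter on the Category and Type header fields; None matches anything."""
    return [r for r in records if category in (None, r["Category"]) and type_ in (None, r["Type"])]

def failures_by_computer(records, category):
    """Count Failure Audit records in one category per Computer header value."""
    return Counter(r["Computer"] for r in select(records, category, "Failure Audit"))

# Constructed sample input. The first block is the example from the page; the
# others are made up, and Event ID 0 is a placeholder, not a real event number.
SAMPLE = """\
Date:      8/12/96        Event ID:  172
Time:      10:32:11 AM    Source:    Security
User:      Administrator  Type:      Failure Audit
Computer:  ACCTG          Category:  Logon/Logoff

Date:      8/12/96        Event ID:  0
Time:      10:35:02 AM    Source:    Security
User:      Administrator  Type:      Success Audit
Computer:  ACCTG          Category:  Policy Change

Date:      8/12/96        Event ID:  0
Time:      10:36:00 AM    Source:    Security
User:      Administrator  Type:      Failure Audit
"""
```

Calling `parse_records(SAMPLE)` yields two parsed records and one rejected block (the last one lacks the Computer and Category fields), and `failures_by_computer(records, "Logon/Logoff")` counts the single failure on ACCTG.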