This section describes the contents and meaning of each audit event record.
Audit event records include header information that is present in all event records. The following list describes this common information.
When an event is displayed in detail, this information is displayed at the top of that window. The following is an example of how this information is displayed:
Date: 9/8/92 Event ID: 172 Time: 10:32:11 AM Source: Security User: Administrator Type: Failure Audit Computer: ACCTG Category: Logon/Logoff
Audit event records are divided into auditing categories. These categories are displayed by Event Viewer and allow a user to visually distinguish or automatically filter audit events of interest. These audit categories are listed in the following table, and discussed in detail in the Audit Categories Help file (AUDITCAT.HLP).
Category | Description |
System Event | Events in this category indicate that something affecting the security of the entire system or of the audit log has occurred. |
Logon/Logoff | Events in this category describe a single successful or unsuccessful logon or logoff. Included in each logon description is an indication of what type of logon was requested/performed (for example, interactive, network, or service). |
Object Access | Events in this category describe both successful and unsuccessful accesses to protected objects. |
Privilege Use | Events in this category describe both successful and unsuccessful attempts to use privileges. The Privilege Use category also covers a special case of informing when some special privileges are assigned. These special privileges are only audited when they are assigned, not when they are used. |
Account Management | Events in this category describe high-level changes to the security account database, such as the creation of a user account or a change in group membership. There can also be a finer granularity of auditing performed at the object level under the Object Access category. |
Policy Change | Events in this category describe high-level changes in security policy, such as the assignment of privileges or changes in the audit policy. There can also be a finer granularity of auditing performed at the object level under the Object Access category. |
Detailed Tracking | Events in this category provide detailed subject tracking information, such as program activation, some forms of handle duplication and indirect object accesses, and process exit. |