Elements of an Event Record

All event-log records, regardless of type, consist of a header containing standard information, a description that varies depending on the event type, and (optionally) additional data. Most security log entries consist of the header and a description.

The event-record header contains the following information:

Date

The date the event occurred.

Time

The (local) time the event occurred.

User

The username of the user on whose behalf the event occurred. This is the client ID if the event was actually caused by a server process, or the primary ID if impersonation is not taking place. Where applicable, a security log entry contains both the primary and impersonation IDs.

Computer

The name of the computer where the event occurred. (Event Viewer can be used to view event logs on other Windows NT computers on a network.)

Event ID

A unique number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 562 is the ID of the event that occurs when a new object handle is created, and so the first line of the description of such an event is "Handle Allocated."

Source

The name of the system component that actually recorded the event in the security log. Usually, this is Security, indicating that it is the result of Windows NT security auditing. Applications can also define their own auditable events that can be recorded in the security log.

Type

Either Success Audit or Failure Audit, indicating whether the audit is a record of a successful or failed attempt. In Event Viewer's normal list view, these are represented by a key or a lock, respectively.

Category

A classification of the event by the event source. For security audits, this corresponds to one of the event types for which success or failure auditing can be enabled in the User Manager Audit Policy dialog.


The format and contents of the description that appears with these items vary with the event category. The various event categories are discussed later, under "Audit Categories."