
EVID 4675...4933 : Microsoft Windows Security Auditing (XML - Security)

Event Details

Event Type: Audit Directory Service Replication, Audit Detailed Directory Service Replication, Audit Logon
Event Description:
  • 4675(S) : SIDs were filtered.
  • 4928(S, F) : An Active Directory replica source naming context was established.
  • 4931(S, F) : An Active Directory replica destination naming context was modified.
  • 4932(S) : Synchronization of a replica of an Active Directory naming context has begun.
  • 4933(S, F) : Synchronization of a replica of an Active Directory naming context has ended.
Event IDs: 4675, 4928, 4931, 4932, 4933

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | <vendorinfo> | N/A |
| EventID | <vmid> | <vmid> |
| Version | <version> | N/A |
| Level | <severity> | <severity> |
| Task | <process> | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <result>, <tag1> | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| DestinationDRA | N/A | N/A |
| SourceDRA | <sname> | N/A |
| NamingContext | N/A | N/A |
| Options | N/A | N/A |
| SessionID | <session> | <session> |
| StartUSN | N/A | N/A |
| StatusCode | <status> | <responsecode>, <tag1> |
| ProcessId | <processid> | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010539 | Microsoft Windows Security Auditing | Base Rule | Group Membership Information | Information |
| | Security Audit : Success | Sub Rule | Windows Audit Success Event | Other Audit Success |
| | Security Audit : Failure | Sub Rule | Windows Audit Failure Event | Other Audit Failure |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011140 | V 2.0 : Active Directory Replica Context Events | Base Rule | General Replication Information | Information |
| | V 2.0 : EVID 4928 : AD Replica Source Naming Conte | Sub Rule | Configuration Loaded : Directory Services | Configuration |
| | V 2.0 : EVID 4928 : Failed AD Replica Context Cr | Sub Rule | Failed Configuration | Other Audit Failure |
| | V 2.0 : EVID 4929 : AD Replica Source Naming CntRe | Sub Rule | Configuration Deleted : Directory Services | Configuration |
| | V 2.0 : EVID 4929 : Failed AD Replica Context Dlt | Sub Rule | Failed Configuration | Other Audit Failure |
| | V 2.0 : EVID 4930 : AD Replica Source Naming Conte | Sub Rule | Configuration Modified : Directory Services | Configuration |
| | V 2.0 : EVID 4930 : Failed AD Replica Context Modi | Sub Rule | Failed Configuration | Other Audit Failure |
| | V 2.0 : EVID 4931 : AD Replica Destination Naming | Sub Rule | Configuration Modified : Directory Services | Configuration |
| | V 2.0 : EVID 4931 : Failed AD Replica Context Modi | Sub Rule | Failed Configuration | Other Audit Failure |
| | V 2.0 : EVID 4932 : AD Naming Context SynchroBegun | Sub Rule | General Active Directory Replication | Information |
| | V 2.0 : EVID 4933 : AD Naming Context Sync Complete | Sub Rule | Replication Successful | Information |
| | V 2.0 : EVID 4933 : AD Naming Context Sync Failed | Sub Rule | Replication Failure | Error |