Group Policy Messages (Part 9)
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with the values parsed for each field under the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that no value is parsed for that log field under that policy.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
Provider | N/A | <tag2> |
EventID Qualifiers | <vmid> | <vmid> |
Version | N/A | N/A |
Level | <severity> | <severity> |
Task | N/A | <vendorinfo> |
Opcode | N/A | N/A |
Keywords | N/A | <result> |
TimeCreated | N/A | N/A |
EventRecordID | N/A | N/A |
Correlation | N/A | N/A |
Execution | <processid> | N/A |
Threadid | <session> | N/A |
Channel | N/A | N/A |
Computer | <dname> | <dname> |
Security | N/A | N/A |
userid | <domain>, <login> | N/A |
SupportInfo1 | N/A | N/A |
SupportInfo2 | N/A | N/A |
ProcessingMode | N/A | <status> |
ProcessingTimeInMilliseconds | <milliseconds> | <milliseconds> |
DCName | <sname> | <dname> |
NumberOfGroupPolicyObjects | <quantity> | <quantity> |
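As an added example, not LogRhythm's own parser, the mapping in the table above applied to a constructed Group Policy EVID 1503 event. The Windows event XML layout, the sample values and the DOMAIN\login form of the UserID are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample (not from the page): Group Policy EVID 1503 in Windows event XML;
# UserID is written as DOMAIN\login (a real event carries a SID) so the <domain>/<login> split shows.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-GroupPolicy"/><EventID Qualifiers="0">1503</EventID>
<Level>4</Level><Task>0</Task><Keywords>0x8000000000000000</Keywords><Computer>ws01.example.test</Computer>
<Execution ProcessID="1234" ThreadID="5678"/><Security UserID="EXAMPLE\alice"/></System><EventData>
<Data Name="ProcessingMode">0</Data><Data Name="ProcessingTimeInMilliseconds">640</Data>
<Data Name="DCName">\\dc01.example.test</Data><Data Name="NumberOfGroupPolicyObjects">3</Data>
</EventData></Event>"""
# Log field -> metadata name per policy, as in the table above; N/A fields are
# simply absent, and a tuple means the value feeds two metadata fields.
POLICY_DEFAULT = {"EventID Qualifiers": "vmid", "Level": "severity", "Execution": "processid",
                  "Threadid": "session", "Computer": "dname", "userid": ("domain", "login"),
                  "ProcessingTimeInMilliseconds": "milliseconds", "DCName": "sname",
                  "NumberOfGroupPolicyObjects": "quantity"}
POLICY_V2 = {"Provider": "tag2", "EventID Qualifiers": "vmid", "Level": "severity",
             "Task": "vendorinfo", "Keywords": "result", "Computer": "dname",
             "ProcessingMode": "status", "ProcessingTimeInMilliseconds": "milliseconds",
             "DCName": "dname", "NumberOfGroupPolicyObjects": "quantity"}

def extract_fields(xml_text):
    """Raw event values keyed by the table's log field names (<vmid> is the event ID number)."""
    root = ET.fromstring(xml_text)
    sysn = root.find("e:System", NS)
    attr = lambda tag, name: sysn.find(f"e:{tag}", NS).get(name)
    text = lambda tag: sysn.find(f"e:{tag}", NS).text
    fields = {"Provider": attr("Provider", "Name"), "EventID Qualifiers": text("EventID"),
              "Level": text("Level"), "Task": text("Task"), "Keywords": text("Keywords"),
              "Execution": attr("Execution", "ProcessID"), "Threadid": attr("Execution", "ThreadID"),
              "Computer": text("Computer"), "userid": attr("Security", "UserID")}
    for d in root.iterfind("e:EventData/e:Data", NS):  # ProcessingMode, DCName, ...
        fields[d.get("Name")] = d.text
    return fields

def apply_policy(fields, policy):
    """Map raw fields onto LogRhythm metadata names. Values are lists because v2.0
    feeds both Computer and DCName into <dname> and the table sets no precedence."""
    meta = {}
    for field, target in policy.items():
        if field not in fields:
            continue
        if isinstance(target, tuple):  # userid -> <domain>, <login>, split on the backslash
            pairs = zip(target, fields[field].partition("\\")[::2])
        else:
            pairs = [(target, fields[field])]
        for name, value in pairs:
            meta.setdefault(name, []).append(value)
    return meta
```

Running `apply_policy(extract_fields(SAMPLE_EVENT_XML), POLICY_V2)` shows which metadata the v2.0 policy populates for this event and which fields (such as the user) it no longer parses.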
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1008235 | Group Policy Messages | Base Rule | Policy Notification | Information |
| | EVID 1006: GP Error - Access Denied | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1006: GP Error - Invalid Credentials | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1006: GP Error - Timeout | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1055: GP Error - Insufficient Space | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1055: GP Error - User Does Not Exist | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1055: GP Error - Unable To Find Domain | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1055: GP Error - RPC Failed | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1058: GP Error - Cannot Find Path | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1058: GP Error - Access Denied | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1058: GP Error - Network Path Not Found | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1085: GP Warning - Cannot Complete Function | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1112: GP Preprocessing Warning | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1129: GP Error - Cannot Contact DC | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1500: GP Processed Successfully For Computer | Sub Rule | Policy Enabled : System | Policy |
| | EVID 1501: GP Processed Successfully For User | Sub Rule | Policy Enabled : User/Password | Policy |
| | EVID 1502: GP Processed Successfully For Computer | Sub Rule | Policy Enabled : System | Policy |
| | EVID 1503: GP Processed Successfully For User | Sub Rule | Policy Enabled : User/Password | Policy |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012760 | V 2.0 : EVID 1503: GP Settings Processed For User | Base Rule | Successful Activity | Other Audit Success |