This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the MS Windows Event Logging XML - System log source type.
Prerequisites
-
Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
-
Enable the new MPE rules in the LogRhythm System Monitor.Select log source type MS Windows Event Logging XML - System.Enable log processing policy LogRhythm Default v2.0.For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each page contains detailed information on parsing changes and new log processing settings.
|
Log Message Type |
Event Type |
|---|---|
|
Catch All : Level 2 |
General Information |
|
Connection Status Events |
Connection Information |
|
DHCP Scope Full/Nearly Full |
DHCP Potentially Serious Problem |
|
Disk Messages |
General Disk Information |
|
EVID 1 & 6 : Filter Driver Load/Unload |
Process/Service Startup Or Shutdown Activity |
|
EVID 1 : System Time Changed |
System Time Updated |
|
EVID 11 : KDC Duplicate Name |
General Kerberos Error |
|
EVID 28 : Kerberos Unsuitable Key Verification |
General Kerberos Warning |
|
EVID 35 & 37 : Time Sychronization |
General NTP Information |
|
EVID 56 : Client Disconnected - Protocol Error |
Disconnect Session |
|
EVID 98 : Offline Chkdsk Needed For Volume |
General Information |
|
EVID 104 : Log Cleared |
Log Cleared |
|
EVID 109 : Kernel Power Initiated Shutdown |
System Shutting Down |
|
EVID 137 : Transact. Resource Mgr Error On Volume |
General Disk Error |
|
EVID 156 : ExtMirr Unable To Get File System Info |
General Disk Warning |
|
EVID 219 : Driver Failed To Load |
Driver Failed To Load |
|
EVID 220 : Resync Of Volume |
Synchronization Started |
|
EVID 1001 : Bugcheck Reboot |
Unclean Shutdown |
|
EVID 1014 : Name Resolution Timed Out |
Timeout |
|
EVID 1030 : Failed Processing Of Group Policy |
Windows Group Policy Problem |
|
EVID 1044 : DHCP/BINL Service Authorized To Start |
Process/Service Started |
|
EVID 1063 : No IPs Available For Lease In Scope |
DHCP Lease Cannot Be Obtained |
|
EVID 1067 : Cannot Register SPN |
Registration Failure |
|
EVID 1074 & 1076 : Restart/Shutdown Events |
Process/Service Startup Or Shutdown Activity |
|
EVID 1085 : Group Policy Extension Failure |
Windows Group Policy Problem |
|
EVID 1111 : Term Services : Unknown Printer Driver |
Printer Not Ready |
|
EVID 1151 & 1152 : Dell Server Voltage Sensor Info |
Power Info Msg |
|
EVID 1340 : DNS Registration Failed For Client |
General DNS Warning |
|
EVID 1342 : Scope Out Of IPs |
DHCP Address Pool Exhausted |
|
EVID 1376 : DHCP Scope Nearly Exhausted |
General DHCPServer Warning |
|
EVID 4105 : Cannot Update License Attributes |
License Warning |
|
EVID 5719 : Logon Domain Controller |
MS Windows Domain Controller Allow Serve |
|
EVID 5722 & 5723 : NETLOGON Authentication Failure |
Computer Logon Failure |
|
EVID 5805 : Session Setup Failed To Authenticate |
Authentication Failure Activity |
|
EVID 5807 : Connections From Unmapped IP Addresses |
Unable To Verify Connections |
|
EVID 5823 : System Password Changed On DC |
Authentication Activity |
|
EVID 5840: NETLOGON: Netlogon Service |
Channel Status |
|
EVID 7000 : Service Failed To Start |
Failed Service Start |
|
EVID 7001-7002 : CEIP Notification |
Authentication Activity |
|
EVID 7001-7003 : Service Start Errors |
Failed Service Start |
|
EVID 7009 & 7011 : Service Timeout |
General Service Control Manager Information |
|
EVID 7032 : Service Recovery Failed |
Process/Service Stopped |
|
EVID 7034 : Service Terminated Unexpectedly |
Process/Service Stopped |
|
EVID 7036 : Service Status |
Process/Service Startup Or Shutdown Activity |
|
EVID 7038 : Service Unable To Logon |
Service Start Failure |
|
EVID 7040 : Service Start Type Changed |
Process/Service Startup Or Shutdown Activity |
|
EVID 7042 : Service Stopped Successfully |
Process/Service Stopped |
|
EVID 7045: Service Installed |
Software Installed |
|
EVID 8018 : Failed To Register Host Records |
General DNS Warning |
|
EVID 10009 : DCOM Unable To Communicate With Comp |
Communication Failure |
|
EVID 10016 : DCOM Access Denied |
Access Denied |
|
EVID 10028 : DCOM Unable To Communicate With Comp |
Communication Failure |
|
EVID 10154 : WinRM - SPN Creation Failure |
Failed Configuration |
|
EVID 12294 : SAM Lockout Failed : Resources |
Lock User Request Failed |
|
EVID 14554 :Shared Folder Initialization By DfsSvc |
General DfsSvc Information |
|
EVID 20250: User Connected |
Session Connected |
|
EVID 20271 And 20255 : Connection Prevented |
Authentication Method Not Supported |
|
EVID 20272: User Disconnected |
Session Disconnected |
|
EVID 20274: IP Address Assigned To User |
IP Address Assigned |
|
EVID 20275: User Disconnected |
Session Disconnected |
|
EVID 36867 : Creating SSL Credential |
Object Created |
|
EVID 36880 : Handshake Completed Successfully |
SSL Connection Created |
|
EVID 45058 : Oldest Cached Logon Info Removed |
General Maintenance Information |
|
EVID : 6013 System Uptime |
Uptime |
|
Group Policy Messages |
Policy Notification |
|
Kerberos Key Integrity Error |
General Kerberos Error |
|
Kernel EVID 16 : Hive Access History Cleared |
Object Deleted/Removed |
|
Machine Account Vulnerable NetLogon Connections |
General Threat Message |
|
Microsoft Windows Bits Client Messages |
General BITS Information |
|
Mirror State Change |
Object Modified |
|
MPIO Messages |
General Disk Information |
|
NTP Local And Manual |
General NTP Message |
|
NTP Messages |
NTPD Information |
|
NTP Time Synchronization Offset |
NTPD Warning |
|
Pattern 2 : General Error Messages |
General Operations |
|
Pattern 3 : General Warning Messages |
General Operations |
|
Pattern 4 : General Informational Messages |
General Operations |
|
Pattern Catch All : Level 3 |
General Information |
|
RPM Session Events |
Session Information |
|
RPM Session Events |
Session Information |
|
Service Error |
Process/Service Stopped |
|
Service Terminated Unexpectedly |
Process/Service Stopped |
|
Shadow Copy Messages |
General Volume Shadow Copy Svc Task Information |
|
Storage Adapter Messages |
ISCSI Information |
|
TCP/IP Network Interface Configuration |
Network Interface Changed State |
|
Trust Account Vulnerable NetLogon Connections |
General Threat Message |
|
Windows Update Client |
Update Event |
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports, system investigations, system report templates, and system tails as part of LSO.
Updates to AIE Rules
-
No changes
Updates to System Reports
-
No changes
Updates to System Investigations
-
No changes
Updates to System Report Templates
-
No changes
Updates to System Tails
-
No changes