V 2.0 : Event Logging Service Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Event Logging Service Messages | Base Rule | Information | General Logging Information |
| V 2.0 : EVID 1100 : Event Logging Service Shutdown | Sub Rule | Startup and Shutdown | Process/Service Stopped |
| V 2.0 : EVID 1102 : Audit Log Cleared | Sub Rule | Access Success | Log Cleared |
| V 2.0 : EVID 1104 : Security Log Full | Sub Rule | Error | Log Full |
| V 2.0 : EVID 1105 : EventLog AutomaticallyBackedUp | Sub Rule | Information | Backup Completed |
| V 2.0 : EVID 1108 : Error Encountered Process Event | Sub Rule | Error | General Event Log Error |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Provider | N/A | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
| Version | N/A | N/A | The version number of the event's definition. |
| Level | <severity> | Text/String | The severity level defined in the event. |
| Task | <vendorinfo> | Text/String | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | <result> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
| Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
| Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
| Channel | N/A | N/A | The channel to which the event was logged. |
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| Channel | N/A | Text/String | The name of the log which was archived (new event log file was created and previous event log was archived). Always Security for Security Event Logs. |
| BackupPath | <object> | Text/String | The full path and filename of archived log file. The format of archived log file name is: Archive-LOG_FILE_NAME-YYYY-MM-DD-hh-mm-ss-nnn.evtx. Where:
The time in this event is always in GMT+0/UTC+0 time zone. |
| SubjectUserName | <login> | Text/String | The name of the account that cleared the system security audit log. |
| SubjectDomainName | <domainorigin> | Text/String | Subject’s domain or computer name. Formats vary, and include the following:
For local user accounts, this field will contain the name of the computer or device to which this account belongs. |
| SubjectLogonId | <session> | Text/String/Number | A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID |
| Error Code | <responsecode> | Number | A unique error code. |
| PublisherID | <subject> | Text/String/Number | The name of the security event source from which the event was received for processing. |