Type: Success Audit
Special privileges assigned to new logon:
User Name: <user name>
Domain: <domain name>
Logon ID: <logon id>
Assigned: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
As per Microsoft: "This event record indicates that a privilege that is not auditable on an individual-use basis has been assigned to a user's security context at logon". See MSW2KDB for additional information about this event.
If your system performance decreases after you configure an audit policy in Windows Server 2003, see ME822774 to fix this problem.
As per Microsoft: "This behavior can occur when the audit policy includes auditing for the successful use of user rights". See ME264769 for more details.
Some posts in the microsoft.public.win2000.security newsgroup state that the user and domain (1st and 2nd) entries in a 576 audit event may be left blank if the associated logon session has gone away before the audit event is generated (because audit event generation is asynchronous), but that you can always use the logon-id field (3rd entry) to find the user and domain from an earlier logon audit.
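The logon-ID correlation described in the comment above, as an added example (not code from EventID.Net or Microsoft). It assumes events are available oldest first as (computer, event ID, description) tuples, that the earlier logon audits are events 528 and 540, and that descriptions follow the field layout shown above; every sample record is constructed.

```python
import re

# Constructed sample records (oldest first): (computer, event_id, description).
# Assumption: 528/540 (Windows 2000/2003 successful logon / network logon) are
# the "earlier logon audit" events that carry the same Logon ID.
SAMPLE = [
    ("SRV01", 528, "Successful Logon: User Name: alice Domain: CORP "
                   "Logon ID: (0x0,0x1A2B3) Logon Type: 2"),
    ("SRV01", 576, "Special privileges assigned to new logon: User Name: alice "
                   "Domain: CORP Logon ID: (0x0,0x1A2B3) "
                   "Assigned: SeChangeNotifyPrivilege SeDebugPrivilege"),
    ("SRV01", 540, "Successful Network Logon: User Name: backupsvc Domain: CORP "
                   "Logon ID: (0x0,0x2C4D5) Logon Type: 3"),
    ("SRV01", 576, "Special privileges assigned to new logon: User Name: "
                   "Domain: Logon ID: (0x0,0x2C4D5) "
                   "Assigned: SeBackupPrivilege SeRestorePrivilege"),
    ("SRV02", 576, "Special privileges assigned to new logon: User Name: "
                   "Domain: Logon ID: (0x0,0x2C4D5) Assigned: SeDebugPrivilege"),
]

FIELDS = re.compile(
    r"User Name:\s*(?P<user>.*?)\s*Domain:\s*(?P<domain>.*?)\s*"
    r"Logon ID:\s*\((?P<logon_id>0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+)\)"
    r"(?:.*?Assigned:\s*(?P<privs>.*))?", re.S)

def resolve_576(records):
    """Return 576 events with blank user/domain filled in via the Logon ID."""
    sessions = {}  # (computer, logon_id) -> (user, domain); IDs are per-machine
    out = []
    for computer, event_id, text in records:
        m = FIELDS.search(text)
        if not m:
            continue
        key = (computer, m["logon_id"].lower())
        if event_id in (528, 540):
            sessions[key] = (m["user"], m["domain"])
        elif event_id == 576:
            user, domain, source = m["user"], m["domain"], "event"
            if not user:  # blank fields: fall back to the earlier logon audit
                user, domain = sessions.get(key, ("", ""))
                source = "logon-id" if user else "unresolved"
            out.append({"computer": computer, "user": user, "domain": domain,
                        "logon_id": key[1], "source": source,
                        "privileges": (m["privs"] or "").split()})
    return out

if __name__ == "__main__":
    for row in resolve_576(SAMPLE):
        print(row)
```

Records that come back as "unresolved" have no matching logon on the same computer in the data searched, so the search window needs to reach back to the start of that logon session.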
Links: ME174074, ME264769, ME822774, Online Analysis of Security Event Log, MSW2KDB