Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 576 Source: Security

Special privileges assigned to new logon:
User Name: <user name>
Domain: <domain name>
Logon ID: <logon id>
Assigned: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
As per Microsoft: "This event record indicates that a privilege that is not auditable on an individual-use basis has been assigned to a user's security context at logon". See MSW2KDB for additional information about this event.
If your system performance decreases after you configure an audit policy in Windows Server 2003, see ME822774 to fix this problem.

As per Microsoft: "This behavior can occur when the audit policy includes auditing for the successful use of user rights". See ME264769 for more details.
Special privileges assigned to new logon.
Some posts in the newsgroup state that the user and domain (1st and 2nd) entries in a 576 audit event may be left blank if the associated logon session has gone away before the audit event is generated (because audit event generation is asynchronous), but that you can always use the logon-id field (3rd entry) to find the user and domain from an earlier logon audit.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.