Windows Event Logs

Owned by Engineering (Unlicensed)
Last updated: Nov 18, 2015 by Haim Koschitzky
2 min read

Synopsis

The page contains patterns examples of Windows Events Logs such as Application, Security and System.
Windows event log is a record of a computer's alerts and notifications. The Windows operating system classifies events by type. For example, an information event describes the successful completion of a task, such as installing an application.  A warning event notifies the administrator of a potential problem, such as low disk space.  An error message describes a significant problem that may result in a loss of functionality.  A success audit event indicates the completion of an audited security event, such as an end user successfully logging on.  A failure audit event describes an audited security event that did not complete successfully, such as an end user locking himself out by entering incorrect passwords.

Examples

Example 1 - Application Log Sample: 

Information*;*1397756882000*;*Microsoft-Windows-User Profiles Service*;*None*;*1531*;*SYSTEM*;*37L4247F27-26*;*The User Profile Service has started successfully.

Success*;*1397756885000*;*WinMgmt*;*None*;*5615*;**;*37L4247F27-26*;*Message was not found: 5615

Success*;*1397756885000*;*WinMgmt*;*None*;*5617*;**;*37L4247F27-26*;*Message was not found: 5617

Example 1 - Application Log Pattern: 

{priority:Type,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}*;*{text:Source}*;*{text:Category}*;*{number:Event}*;*{text:User}*;*{text:Computer}*;*{string:Description}

Example 2 - Security Log Sample:  

Audit Success*;*1409379094000*;*Microsoft-Windows-Security-Auditing*;*12544*;*4624*;**;*WINXPOLOG45QA6.xpolog.local*;*An account was successfully logged on.

Subject:

    Security ID:        S-1-0-0

    Account Name:        -

    Account Domain:        -

    Logon ID:        0x0

Logon Type:            3

Example 2 - Security Log Pattern: 

{priority:Type,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}*;*{text:Source}*;*{text:Category}*;*{number:Event}*;*{text:User}*;*{text:Computer}*;*{string:Description}

Example 3 - System Log Sample: 

Information*;*1290311759000*;*Service Control Manager*;*None*;*7036*;**;*37L4247F27-26*;*The Windows Event Log service entered the stopped state.

Information*;*1397756882000*;*EventLog*;*None*;*6011*;**;*37L4247F27-26*;*The NetBIOS name and DNS host name of this machine have been changed from 37L4247F27-26 to WIN-D2JU8NFHCP2.

Information*;*1397756882000*;*EventLog*;*None*;*6009*;**;*37L4247F27-26*;*Microsoft (R) Windows (R) 6.01. 7601 Service Pack 1 Multiprocessor Free.

Example 3 - System Log Pattern:

{priority:Type,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}*;*{text:Source}*;*{text:Category}*;*{number:Event}*;*{text:User}*;*{text:Computer}*;*{string:Description}

Links

Template applying instructions:

  1. Download the templates - Windows Event - Templates

  2. Import the templates (see Importing a Template)

  3. Apply the templates on multiple logs (see Applying a Template on Multiple Logs)


 



 

Â