I’m hearing lots of complaints that we don’t have KB articles on these yet. Doriansoft has a blog post complaining that the “add 4096” rule doesn’t work because we collapsed the logon events into a single success event and failure event (from 2 success events [528, 540] and 10 failure events [529-537, 539]).
Well, in Vista and beyond the event log is self-documenting. From an elevated command prompt (one with admin privileges), type the following:
wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true
This example dumps only the 360 or so unique security event messages (publisher=Microsoft-Windows-Security-Auditing); other publishers can be enumerated with the ep switch of wevtutil.
Event messages can be formatted as XML using the /f switch; see the command-line help.
As a side note, this is, in slightly different format, the same information we publish in the KB, and a KB article is in the works.
Why did we renumber the events? As explained in my earlier post, we changed the internal detail of each event so much (to improve understandability, readability, consistency, etc.) that we would have broken essentially all existing automation anyway. By renumbering the events we made the automation break in as obvious a way as possible, and also made it as clear as possible that THESE ARE DIFFERENT EVENTS.
The “add 4096” rule is not meant to imply that the events are the same, but rather allows you to find the new equivalent event, if you have knowledge of the old event. Simply renumbering your automation will not make it work. It’s a mental aid for you, the Windows security professional.
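As an added illustration (my example here, not code from the original post or from Windows itself), here is a small Python helper that applies the "add 4096" rule but overrides it for the collapsed logon events described above: 528 and 540 both become the single success event, and 529-537 plus 539 become the single failure event. It also reports which legacy IDs in an existing rule now share one new ID, which is exactly the granularity that blindly renumbering automation loses.

```python
# Added example: translate pre-Vista security event IDs to Vista IDs.
# The plain "+4096" offset and the collapsed logon sets come from the post;
# everything else here (function names, rule format) is an assumption.

LEGACY_TO_VISTA_OFFSET = 4096

# Many-to-one cases the "+4096" rule gets wrong. The post states that the two
# success logon events (528, 540) became one event and the ten failure logon
# events (529-537, 539) became one event. Their new IDs are the offset applied
# to the first member of each set: 528 + 4096 and 529 + 4096.
COLLAPSED = {}
for _old in (528, 540):
    COLLAPSED[_old] = 528 + LEGACY_TO_VISTA_OFFSET          # logon success
for _old in (*range(529, 538), 539):
    COLLAPSED[_old] = 529 + LEGACY_TO_VISTA_OFFSET          # logon failure


def translate(old_id):
    """Return the Vista event ID for a legacy ID, honouring the collapse exceptions."""
    return COLLAPSED.get(old_id, old_id + LEGACY_TO_VISTA_OFFSET)


def translate_rule(old_ids):
    """Translate the ID set of a legacy monitoring rule.

    Returns (new_ids, merged): new_ids is the sorted set of Vista IDs the rule
    should now watch, and merged maps each Vista ID that absorbed more than one
    legacy ID back to those legacy IDs, so the analyst can see where the old
    rule's distinctions (e.g. interactive vs. network logon) no longer exist.
    """
    by_new = {}
    for old in old_ids:
        by_new.setdefault(translate(old), []).append(old)
    new_ids = sorted(by_new)
    merged = {new: olds for new, olds in by_new.items() if len(olds) > 1}
    return new_ids, merged


if __name__ == "__main__":
    # Constructed sample: a legacy rule watching interactive and network logon
    # successes plus logoff (538).
    ids, lost = translate_rule([528, 540, 538])
    print("watch:", ids)
    print("collapsed:", lost)
```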
[2007-10-12 Update: changed tags]