So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published “Security Event Descriptions”. This article was the “schema”, so to speak, for the Windows NT 4.0 security event log events.
Technically, Windows events are not schematized until Windows Vista; or, put another way, before Vista the schema is implicit in the instrumentation in the code: since the event is raised by some function in the code, the “schema” can be interpreted as the parameter order in the call to that function.
Anyway, security monitoring types love that article, but I hate it. It’s just better than nothing. It doesn’t state which events map to which audit policy categories. It does tell you whether the event is a success or failure event, but it doesn’t alert you to the cases where the same event ID is used for both success and failure (e.g. event 560).
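To make the two points above concrete (the implicit, positional “schema” of a pre-Vista event, and an event ID such as 560 that is raised for both success and failure), here is a small normalizer I added for this post; it is not code from the original article or from Microsoft. It assumes the Win32 audit record type flags (EVENTLOG_AUDIT_SUCCESS and EVENTLOG_AUDIT_FAILURE), a deliberately partial ID-to-category map, and a constructed field order for the insertion strings.

```python
from dataclasses import dataclass

# Win32 event-record type flags that mark a record as an audit success or failure.
EVENTLOG_AUDIT_SUCCESS = 0x0008
EVENTLOG_AUDIT_FAILURE = 0x0010

# Assumed partial map of legacy event IDs to audit policy category; only the IDs
# this example needs (the full list is in the Security Guide chapter cited below).
CATEGORY_BY_ID = {
    560: "Object Access",   # Object Open: one ID for both success and failure
    528: "Logon/Logoff",    # Successful Logon
}

# The implicit "schema": insertion strings in the order the raising code passes
# them. Constructed for this example; only the leading parameters are modelled.
FIELD_ORDER_BY_ID = {
    560: ("object_server", "object_type", "object_name", "handle_id"),
    528: ("user_name", "domain", "logon_id", "logon_type"),
}

@dataclass
class NormalizedEvent:
    event_id: int
    category: str
    outcome: str
    fields: dict

def normalize(event_id: int, event_type: int, insertion_strings: list) -> NormalizedEvent:
    """Normalize one pre-Vista security event record.

    The outcome comes from the record's type flag, never from the event ID,
    because an ID like 560 is raised for both successful and failed opens.
    """
    if event_type == EVENTLOG_AUDIT_SUCCESS:
        outcome = "success"
    elif event_type == EVENTLOG_AUDIT_FAILURE:
        outcome = "failure"
    else:
        raise ValueError(f"not an audit record: type 0x{event_type:04x}")
    names = FIELD_ORDER_BY_ID.get(event_id, ())
    # Bind strings by position; a short record yields None instead of shifting fields.
    fields = {name: (insertion_strings[i] if i < len(insertion_strings) else None)
              for i, name in enumerate(names)}
    return NormalizedEvent(event_id, CATEGORY_BY_ID.get(event_id, "unknown"), outcome, fields)

# Constructed sample records: the same event ID 560 once as success, once as failure.
SAMPLE_RECORDS = [
    (560, EVENTLOG_AUDIT_SUCCESS, ["Security", "File", "C:\\payroll.xls", "0x1a4"]),
    (560, EVENTLOG_AUDIT_FAILURE, ["Security", "File", "C:\\payroll.xls", "-"]),
]
```

A SIEM that keys only on the event ID would file both sample records as the same thing; keying on the record type flag separates the denied open from the granted one.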
When Windows 2000 came around and we added two new audit policy categories (DS Access and Account Logon [which was a huge naming blunder]), I wrote an article for the Windows 2000 security events. However, it was so large that I broke it into two articles.
I didn’t write an article for Windows Server 2003. At first I didn’t think it was necessary, because we propagated all the WS03 events to the Technet Events & Errors Message Center web site. I wrote custom content for the top 30 or so events by volume of searches.
(On a side note, did you ever wonder what happens when you click the “More Information” link at the bottom of the Event Viewer event description? We send the event source, event ID, OS version and so forth to the Technet E&E site and display the content that is returned. We count the number of hits for each OS Version/Source/Event ID combination and then our writing teams pester the component owners to populate that content.)
Anyway, I was making excu^h^h er, explaining why I didn’t write the KB articles for Windows Server 2003 security events. So I thought the E&E message center would be all that anyone needed. It didn’t strike me as that important that you had to have seen the event (or at least know it exists) before you could use the site. Since then, however, I have received a large number of requests for the event definitions, mainly from people who were creating security event management solutions.
So here’s what I have for you, courtesy of Ned, one of the audit log posse here at Microsoft. If you want a complete list of WS03 security events, then I suggest you look at chapter 4 of the Windows Server 2003 Security Guide. This documents the event IDs of all the security events on Windows Server 2003. Plus, it groups them by policy category, in case you ever wanted to know what you are in for if you enable one of the categories for audit. If you want the layout of the event (what data is in the description field, and in what order) then just look for that specific event on the Technet E&E site or click the link in the bottom of the event description in Event Viewer.
I’ve already described how the Vista and Windows Server 2008 (and subsequent releases) event systems are self-documenting, so I won’t go into that further here.
One last tip: If you own Microsoft System Center Operations Manager 2007, then you can search for a file called EventSchema.xml on the media. It is an XML document that describes one possible normalization of all the security events from Windows 2000 forward, and the semantic content of the normalized events.
2007-10-31 UPDATE: There is also an event-id-to-audit-policy-category map here.