Major Event ID for System Admin & Network Admin

By -

 

Here are 100 major Event IDs that may be useful for external auditors to check:

Security Event IDs:

  1. Event ID 4624 (Logon Success): Successful user logon events.

  2. Event ID 4625 (Logon Failure): Failed user logon attempts.

  3. Event ID 4648 (Explicit Credential Logon): Logon using explicit credentials.

  4. Event ID 4740 (Account Lockout): Indicates when an account is locked out due to failed logon attempts.

  5. Event ID 4768 (Kerberos Authentication): Records Kerberos authentication events.

  6. Event ID 4771 (Kerberos Pre-Authentication Failure): Failed Kerberos pre-authentication attempts.

  7. Event ID 4776 (NTLM Authentication): Logs NTLM authentication events.

  8. Event ID 4793 (The Password Policy Checking API was called): Records password policy-related events.

  9. Event ID 4946 (A change has been made to Windows Firewall exception list): Indicates changes to the Windows Firewall exception list.

  10. Event ID 5024 (The Windows Firewall Service has started successfully): Firewall service start event.

  11. Event ID 5140 (File System Authorization): File system authorization events.

  12. Event ID 5152 (Windows Filtering Platform Blocked an Application): Indicates when an application is blocked by the Windows Filtering Platform.

  13. Event ID 5156 (Filtering Platform Connection): Records network connection events.

  14. Event ID 517 (Audit Policy Change): Logs changes to audit policy settings.

  15. Event ID 538 (User Logoff): User logoff events.

  16. Event ID 560 (Object Open): Records when an object (e.g., file) is opened.

  17. Event ID 563 (Object Open Extended): Provides additional information about object access.

  18. Event ID 5719 (NETLOGON): Indicates NETLOGON events, important for domain authentication.

  19. Event ID 627 (User Account Locked Out): Records user account lockout events.

  20. Event ID 628 (User Account Unlocked): Indicates when a locked user account is unlocked.

System Event IDs:

  1. Event ID 6005 (The Event Log Service has started): Event Log Service start event.

  2. Event ID 6006 (The Event Log Service has stopped): Event Log Service stop event.

  3. Event ID 6008 (Unexpected Shutdown): Records unexpected server shutdowns.

  4. Event ID 6013 (System Uptime): Provides information about system uptime.

  5. Event ID 7024 (Service Control Manager): Logs service start and stop events.

  6. Event ID 7030 (Service Control Manager): Records network service start and stop events.

  7. Event ID 7035 (Service Control Manager): Indicates service status changes.

  8. Event ID 8003 (Browser Service Elections): Records browser election events.

  9. Event ID 8021 (Browser Service): Logs events related to the Computer Browser service.

  10. Event ID 8022 (Browser Service): Indicates network master browser election events.

  11. Event ID 1040 (Perfmon): Perfmon start/stop events for performance monitoring.

  12. Event ID 1102 (Audit Log was cleared): Records when the security event log is cleared.

  13. Event ID 1105 (Event log automatic backup): Indicates automatic backup of event logs.

  14. Event ID 1202 (Security policies were propagated with...): Logs application of group policy settings.

  15. Event ID 12288 (Software Protection Platform): Records Software Protection Platform service events.

Active Directory Event IDs:

  1. Event ID 1100 (Event log startup): Event log startup events.

  2. Event ID 1101 (Audit events have been dropped): Indicates dropped audit events.

  3. Event ID 12294 (SAM Account Name Conflict): Records SAM account name conflicts.

  4. Event ID 16969 (A security-disabled local group was changed): Logs changes to security-disabled local groups.

  5. Event ID 16970 (A security-disabled global group was changed): Records changes to security-disabled global groups.

  6. Event ID 5136 (Directory Service Changes): Logs Active Directory object changes.

  7. Event ID 5312 (Filtering Platform Packet Drop): Records packet drop events by the Filtering Platform.

  8. Event ID 5632 (Windows Firewall was unable to notify the user that it blocked an application): Indicates blocked applications by Windows Firewall.

  9. Event ID 5805 (Session Setup): Logs session setup events, important for security.

  10. Event ID 680 (Account Logon): Account logon events.

  11. Event ID 681 (Account Logon): Account logon events.

  12. Event ID 682 (Account Logon): Account logon events.

  13. Event ID 683 (Account Logon): Account logon events.

  14. Event ID 1207 (Account logon): Account logon events.

  15. Event ID 1221 (The database engine attached a database...): Records database engine attachment events.

DNS Event IDs:

  1. Event ID 4000 (DNS Server): Indicates DNS server issues related to Active Directory integration.

  2. Event ID 4010 (DNS Server): Logs critical DNS events, including server startup and configuration changes.

  3. Event ID 5015 (DNS Server): Records DNS server service startup and shutdown.

  4. Event ID 5501 (DNS Server): Indicates DNS server forwarder configuration changes.

  5. Event ID 7062 (DNS Server): Logs DNS server zone transfer events.

  6. Event ID 762 (DNS Client): Records DNS client cache events.

  7. Event ID 11001 (DNS Client Events): Provides information about DNS client events.

  8. Event ID 11164 (DNS Client Events): Indicates DNS client cache registration events.

  9. Event ID 4007 (DNS Server): Logs DNS server critical errors.

  10. Event ID 4521 (DNS Server): Records DNS server service events, including successful startups.

Group Policy Event IDs:

  1. Event ID 1500 (User Profile Service): User Profile Service events.

  2. Event ID 1502 (User Profile Service): Logs user profile load and unload events.

  3. Event ID 5016 (Group Policy Settings): Records changes to Group Policy settings.

  4. Event ID 5116 (Group Policy Settings): Indicates Group Policy processing events.

  5. Event ID 5320 (Group Policy Initialization): Logs Group Policy initialization events.

  6. Event ID 8001 (Group Policy Service): Records Group Policy service startup and shutdown.

  7. Event ID 8004 (Group Policy Service): Indicates Group Policy client-side extension events.

  8. Event ID 8005 (Group Policy Service): Records Group Policy client-side extension events.

  9. Event ID 8016 (Group Policy Service): Logs Group Policy processing start events.

  10. Event ID 8017 (Group Policy Service): Indicates Group Policy processing end events.

File System Event IDs:

  1. Event ID 4663 (File System Access - Object Access): Detailed information about file and folder access.

  2. Event ID 5145 (File System Object Change): Records changes to file system objects, including file copying and moving operations.

  3. Event ID 5140 (File System Authorization): File system authorization events.

  4. Event ID 4660 (File System Object Deleted): Indicates when a file system object is deleted.

  5. Event ID 5142 (File System Access - Object Closed): Records when an object (e.g., file) is closed.

  6. Event ID 4656 (File System Access - Object Open): Indicates when an object (e.g., file) is opened.

  7. Event ID 4662 (File System Access - Object Handle): Logs when an object handle is requested.

  8. Event ID 560 (Object Open): Records when an object (e.g., file) is opened.

  9. Event ID 562 (File System Object Deleted): Logs when a file system object is deleted.

  10. Event ID 567 (File System Object Access): Provides information about file system object access.

Print Server Event IDs:

  1. Event ID 307 (Print Queue Job): Records print job events on a print server.

  2. Event ID 805 (Print Services): Indicates print spooler events on a print server.

  3. Event ID 10 (Print Queue Properties): Logs changes to print queue properties.

  4. Event ID 12 (Print Job Management): Records print job management events.

  5. Event ID 30 (Printer Driver Management): Indicates printer driver management events.

  6. Event ID 40 (Printer Driver Installation): Logs printer driver installation events.

  7. Event ID 70 (Print Queue Document): Records print queue document events.

  8. Event ID 221 (Print Service): Indicates general print service events.

  9. Event ID 322 (Printer Driver): Logs printer driver events on a print server.

  10. Event ID 370 (Print Queue Properties): Records changes to print queue properties.

Remote Desktop Services (RDS) Event IDs:

  1. Event ID 1149 (Remote Desktop Services Authentication): Logs RDS authentication events.

  2. Event ID 1152 (Remote Desktop Services Session Disconnected): Indicates RDS session disconnection events.

  3. Event ID 1154 (Remote Desktop Services Session Reconnected): Records RDS session reconnection events.

  4. Event ID 1155 (Remote Desktop Services Session Ended): Logs RDS session end events.

  5. Event ID 131 (Remote Desktop Services Listener): Indicates RDS listener events.

  6. Event ID 101 (Remote Desktop Services Manager): Records RDS manager events.

  7. Event ID 103 (Remote Desktop Services Manager): Logs RDS manager events.

  8. Event ID 102 (Remote Desktop Services Manager): Records RDS manager events.

  9. Event ID 105 (Remote Desktop Services Manager): Logs RDS manager events.

  10. Event ID 123 (Remote Desktop Services Manager): Indicates RDS manager events.

     

    Web Server Event ID

     

    1. Event ID 1007 (IIS Application Pool Recycling): Records when an Internet Information Services (IIS) application pool is recycled, which can affect web application availability.

    2. Event ID 1009 (IIS Application Pool Restarted): Indicates when an IIS application pool is manually restarted, often done for troubleshooting purposes.

    3. Event ID 1010 (IIS Application Pool Stopped): Logs when an IIS application pool is manually stopped, impacting web application availability.

    4. Event ID 1020 (IIS Application Pool Availability): Provides information about the availability of an IIS application pool.

    5. Event ID 1001 (IIS Web Site Started): Records when an IIS web site is started, indicating its availability.

    6. Event ID 1002 (IIS Web Site Stopped): Logs when an IIS web site is manually stopped, affecting its availability.

    7. Event ID 1074 (IIS Worker Process Crash): Indicates when an IIS worker process (w3wp.exe) crashes, potentially causing web application failures.

    8. Event ID 1316 (ASP.NET Runtime Error): Logs ASP.NET runtime errors, including issues affecting web applications.

    9. Event ID 5002 (DFS Namespace): Records Distributed File System (DFS) namespace events, which can impact web application file paths.

    10. Event ID 5050 (DFS Replication): Indicates DFS Replication service events, which can affect web application file replication.

       

      Network administrator Useful Event ID 

       

      1. Event ID 27 (Network Link is Up): Indicates that a network interface card (NIC) detected that its link to the network is up.

      2. Event ID 51 (An error was detected on device): Logs disk I/O errors that can affect network performance.

      3. Event ID 1001 (Name resolution for the name...): Records DNS name resolution events.

      4. Event ID 2001 (PerfOS): Provides performance monitoring information, including network-related metrics.

      5. Event ID 2011 (Network Errors): Records network-related errors.

      6. Event ID 2012 (Server Message Block (SMB) Redirector): Logs events related to the SMB protocol, which is used for file sharing.

      7. Event ID 2017 (The server was unable to allocate from the system nonpaged pool...): Indicates memory allocation issues that can impact network services.

      8. Event ID 2020 (The server was unable to find a free connection...): Logs issues related to network connection limits.

      9. Event ID 2021 (Server was unable to allocate from the system paged pool...): Records issues related to paged pool memory allocation.

      10. Event ID 2022 (The server was unable to register the Administration Tool discovery information...): Logs issues with registering network services.

      11. Event ID 4000 (DNS Server): Indicates DNS server issues related to Active Directory integration.

      12. Event ID 4010 (DNS Server): Logs critical DNS events, including server startup and configuration changes.

      13. Event ID 4625 (Logon Failure): Logs failed logon attempts, including those related to network authentication.

      14. Event ID 4662 (An operation was performed on an object): Provides information about object access and changes, which can include network resource access.

      15. Event ID 4771 (Kerberos pre-authentication failed): Records failed Kerberos pre-authentication attempts.

      16. Event ID 5002 (DFS Namespace): Logs Distributed File System (DFS) namespace events, which are critical for network file sharing.

      17. Event ID 5027 (Firewall): Indicates Windows Firewall service events, including rule changes and firewall state.

      18. Event ID 5061 (Security Policy Changes): Logs changes to security policies that can impact network security.

      19. Event ID 5152 (Windows Filtering Platform Blocked an Application): Records events related to network traffic blocked by the Windows Filtering Platform.

      20. Event ID 6011 (Performance Monitoring): Provides performance-related data, including network-related metrics.

      21. Event ID 6013 (System Uptime): Gives information about system uptime, which can be relevant for network stability assessments.

      22. Event ID 7030 (Service Control Manager): Logs network service start and stop events.

      23. Event ID 7040 (Service Control Manager): Records changes to network services' startup types.

      24. Event ID 8003 (Browser Service Elections): Logs browser election events in network environments.

      25. Event ID 8021 (Browser Service): Indicates events related to the Computer Browser service, which helps in network browsing.

      26. Event ID 8022 (Browser Service): Logs events related to network master browser elections.

      27. Event ID 9003 (DNS Server): Records DNS server events and issues.

      28. Event ID 9010 (DNS Server): Logs DNS server startup and configuration changes.

      29. Event ID 903 (Remote Desktop Services): Provides information about Remote Desktop Services (RDS) connections and sessions.

      30. Event ID 10000 (DCOM): Logs Distributed Component Object Model (DCOM) issues, which can affect network communication.

      31. Event ID 1001 (Windows Error Reporting): Records application or system errors that may affect network services.

      32. Event ID 1002 (Application Hang): Logs application hangs that can impact network applications.

      33. Event ID 1010 (Perfmon): Indicates when Performance Monitor starts or stops collecting data, which can include network metrics.

      34. Event ID 1014 (Name resolution for the name...): Logs DNS name resolution events.

      35. Event ID 1074 (Shutdown initiated by...): Indicates when a server is intentionally shut down or restarted, which can affect network services.

      36. Event ID 2013 (NTDS Replication): Provides information about Active Directory replication events, critical for network infrastructure.

      37. Event ID 3000 (PerfOS): Logs performance monitoring data, which includes network-related metrics.

      38. Event ID 4199 (TCP/IP): Records TCP/IP network stack events, which can be critical for network troubleshooting.

      39. Event ID 4226 (TCP/IP Network Stack Limit Reached): Indicates when the TCP/IP network stack's maximum connection limit is reached, impacting network performance.

      40. Event ID 5009 (Winlogon): Logs Windows logon-related events, including network logon events.

      41. Event ID 5027 (Firewall): Records Windows Firewall events, including rule changes that affect network traffic.

      42. Event ID 5061 (Security Policy Changes): Logs changes to security policies that impact network security.

      43. Event ID 5156 (Windows Filtering Platform): Provides information about network traffic allowed or blocked by the Windows Filtering Platform.

      44. Event ID 6010 (Performance Monitoring): Indicates when Performance Monitor starts or stops collecting data, including network-related metrics.

      45. Event ID 7030 (Service Control Manager): Records network service start and stop events.

      46. Event ID 7034 (Service Control Manager): Indicates service termination events, including network services.

      47. Event ID 8003 (Browser Service Elections): Logs browser election events in network environments.

      48. Event ID 8021 (Browser Service): Indicates events related to the Computer Browser service, which helps in network browsing.

      49. Event ID 8022 (Browser Service): Logs events related to network master browser elections.

      50. Event ID 9003 (DNS Server): Records DNS server events and issues.

       

Comments

Post a Comment

Popular posts from this blog

CCNA Router and Catalyst Switch IOS Command Reference

By -
CCNA Router and Catalyst Switch IOS Command Reference By Jamison Schmidt This reference guide provides router and switch commands to help you prepare for Cisco's CCNA certification exam. This guide covers IOS version 11 and higher. We will try to get VLSM and Supernetting commands added for the new 640-801 CCNA exam. Reference Quick Links Router Commands Show Commands Catalyst Commands Router Commands Terminal Controls: ·   Config# terminal editing - allows for enhanced editing commands ·   Config# terminal monitor - shows output on telnet session ·   Config# terminal ip netmask-format hexadecimal|bit-count|decimal - changes the format of subnet masks Host Name: ·   Config# hostname ROUTER_NAME Banner: ·   Config# banner motd # TYPE MESSAGE HERE # - # can be substituted for any character, must start and finish the message Descriptions: ·   Config# description THIS IS THE SOUTH ROUTER - can be entered ...
Read more

Network Technologies

By -
Image
Common Networking Protocols TCP - TCP breaks data into manageable packets and tracks information such as source and destination of packets. It is able to reroute packets and is responsible for guaranteed delivery of the data. IP - This is a connectionless protocol, which means that a session is not created before sending data. IP is responsible for addressing and routing of packets between computers. It does not guarantee delivery and does not give acknowledgement of packets that are lost or sent out of order as this is the responsibility of higher layer protocols such as TCP. UDP - A connectionless, datagram service that provides an unreliable, best-effort delivery. ICMP - Internet Control Message Protocol enables systems on a TCP/IP network to share status and error information such as with the use of PING and TRACERT utilities. SMTP - Used to reliably send and receive mail over the Internet. FTP - ...
Read more

About myself

By -
With a track record of delivering innovative IT solutions and optimizing technology infrastructure, Prashant Shrivastava is the driving force behind the organization's digital transformation journey from 2007. Expertise in ERP Implementation: Prashant Shrivastava brings a wealth of experience in Enterprise Resource Planning (ERP) implementation, having successfully overseen multiple projects. ERP systems are vital for streamlining business processes, enhancing data visibility, and improving decision-making. He possesses a deep understanding of ERP modules, such as finance, human resources, supply chain, and customer relationship management, ensuring seamless integration across all departments. Infrastructure Administration and System Administration: As a Head of IT, Prashant Shrivastava has a strong foundation in both Infrastructure and System Administration. This expertise includes managing servers, networks, databases, and ensuring the overall stability and security of the IT env...
Read more