Status or Sub-status code for Windows Event ID 4625

Hi everyone,

I have an existing rules for Windows Servers 2008 that filter up event ID 4625, is it possible to filter down to the status or substatus code number?

For example, the status code below:-

0xc000015bThe user has not been granted the requested logon type (aka logon right) at this machine

Is it possible to filter Event ID 4625 AND Status Code 0xc000015b? If yes, what fields should i put for the filter?

I looked at the MicrosoftWindows2008EventLogMappingsConfig.pdf and MicrosoftWindows2008EventLogMappingsNativeConfig.pdf but found nothing related to Status Code.

Thanks,

Keo

Parents Reply Children
No Data