This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
keo.fua@amd.com
Absent Member.
Absent Member.
‎2015-04-23 08:47
1527 views

Status or Sub-status code for Windows Event ID 4625

Jump to solution

Hi everyone,

I have an existing rules for Windows Servers 2008 that filter up event ID 4625, is it possible to filter down to the status or substatus code number?

For example, the status code below:-

0xc000015bThe user has not been granted the requested logon type (aka logon right) at this machine

Is it possible to filter Event ID 4625 AND Status Code 0xc000015b? If yes, what fields should i put for the filter?

I looked at the MicrosoftWindows2008EventLogMappingsConfig.pdf and MicrosoftWindows2008EventLogMappingsNativeConfig.pdf but found nothing related to Status Code.

Thanks,

Keo

Labels (2)
Labels
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
rkent1
Fleet Admiral
Fleet Admiral
‎2015-04-28 15:40

Jump to solution

You're right, I don't see it in the mapping documentation, but I checked events from a 2008 R2 system and I *DO* see the value you are looking for stored in FlexString1:

P724_Win4625_Status_code.png

View solution in original post

0 Likes
Reply
Report Inappropriate Content
2 Replies
rkent1
Fleet Admiral
Fleet Admiral
‎2015-04-28 15:40

Jump to solution

You're right, I don't see it in the mapping documentation, but I checked events from a 2008 R2 system and I *DO* see the value you are looking for stored in FlexString1:

P724_Win4625_Status_code.png

View solution in original post

0 Likes
Reply
Report Inappropriate Content
alomotan
Absent Member.
Absent Member.
‎2015-06-03 17:25

Jump to solution

Hi Keo,

If the reply provided was sufficient in solving your query, please mark the question as answered.

Thanks!

Alexandra

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.