This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Hitman
Absent Member.
Absent Member.
‎2009-11-24 20:39
1635 views

Windows Event log code

Hi everybody,

We do auditing on specific folders on windows 2003 servers.

I need to make alert on a file creation or modification on these folders.

It is hard to know when a file is create or modify. It is the same windows event number 560

I notice that, in arcsight, the  device custom sting 1 refer to Accesses in the windows event log and  have numbers like %%1538%%1541%%etc.......

Does somebody know what means theses numbers ?

Does a table conversion exist to tell   example %%1538 = READ CONTROL

                                                                    %%1537 = DELETE

Or somebody has a working solution to track a modification and a creation of a file

Thanks in advance

0 Likes
Reply
Report Inappropriate Content
29 Replies
gportnoy1
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2010-06-15 17:13

The latest Smart Connector version is 5.0.0.5560.0. I am running it on Windows, but that shouldn't make any difference.
0 Likes
Reply
Report Inappropriate Content
mmroitman1
Absent Member.
Absent Member.
‎2010-06-17 17:54

Hi Gary.

Installed version 5560 and it worked, just in time.

Thanks for the help.

Regards,

0 Likes
Reply
Report Inappropriate Content
DBurr1
Absent Member.
Absent Member.
‎2011-01-12 20:36

Gents, Am I missing something? I'm running WUC 5.0.3.5680.0 and Device Custom String 1 for both a file create event and file write event looks like

READ_CONTROL|ReadData (or ListDirectory)|WriteData (or AddFile)|AppendData (or AddSubdirectory or CreatePipeInstance)|ReadEA|WriteEA|ReadAttributes|WriteAttributes

The only difference is the write event has an associated (via File ID) open event and the file create has no associated 560 event. Actually when testing I did another file write and the open/write events had different File ID's, but I don't want to go there for now. One fubar at a time...

Thanks in advance for your assistance.

0 Likes
Reply
Report Inappropriate Content
PTse1
Absent Member.
Absent Member.
‎2011-02-08 17:08

Hi Gary,

Can you let me know if you are using one WUC to collect all your windows logs for windows 2003, windows 2008 and windows Domain Active Directory logs or do you actually separate them into different connectors?  Like you said in once of your earlier post, I am also using the Domain connector to collect file/folder audit logs on windows 2003 servers and a WUC to collect windows 2008 servers logs.  Did you consolidate your domain collector hosts into the WUC connector?  Thanks.

0 Likes
Reply
Report Inappropriate Content
gportnoy1
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2011-02-08 19:45

I am currently using separate WUCs to collect from Win2003 vs Win2008, but that was just to distribute the load equally. As far as I know you can have any combination of Win2003/2008/Local/DC logs on a single WUC.

0 Likes
Reply
Report Inappropriate Content
Hitman
Absent Member.
Absent Member.
‎2013-07-10 19:07

Hi,

The problem appear again, install version  6.0.2.6627 of WUC and %%code appear again in the Device Custom String 1  for Windows server  2003, 2008  and 2012  ?????????

Do you have the same problem too ?

Thanks in advance

Will open a ticket to Arcsigh

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.