    Solved Windows Server Event ID Lookup

    IT Discussion
    windows graylog auditing
    • DustinB3403
      DustinB3403 last edited by

      I'm attempting to find a specific Event ID from a Windows 2019 File server, specifically one that relates to share permissions and if someone unsuccessfully attempts to access a network share resource that they don't have access to.

      Does anyone have any idea of what this EventID number is off hand?

      • DustinB3403
        DustinB3403 last edited by

        Found it, 5145 has both success and deny events. So now just to figure out the filtering for just the denied 5145 events.

          • wirestyle22
            wirestyle22 @DustinB3403 last edited by

            @DustinB3403 Isn't this included in file auditing? Event ID 4663 or something similar

            • wirestyle22
              wirestyle22 @DustinB3403 last edited by

              @DustinB3403 said in Windows Server Event ID Lookup:

              5145

              Ah, cool.

              • DustinB3403
                DustinB3403 @wirestyle22 last edited by

                @wirestyle22 said in Windows Server Event ID Lookup:

                @DustinB3403 Isn't this included in file auditing? Event ID 4663 or something similar

                That might work as well, the bigger issue is Windows doesn't have this log turned on by default... so now I have to turn that on and see if it works.

                Not a huge ordeal, just a nice to know so I can deal with it.

                • wirestyle22
                  wirestyle22 @DustinB3403 last edited by

                  @DustinB3403 said in Windows Server Event ID Lookup:

                  @wirestyle22 said in Windows Server Event ID Lookup:

                  @DustinB3403 Isn't this included in file auditing? Event ID 4663 or something similar

                  That might work as well, the bigger issue is Windows doesn't have this log turned on by default... so now I have to turn that on and see if it works.

                  Not a huge ordeal, just a nice to know so I can deal with it.

                  Yeah I actually wasn't sure. It's a good question

                  • black3dynamite
                    black3dynamite @DustinB3403 last edited by

                    @DustinB3403 said in Windows Server Event ID Lookup:

                    Found it, 5145 has both success and deny events. So now just to figure out the filtering for just the denied 5145 events.

                    Is 5145 an application, security, or system log?

                    • DustinB3403
                      DustinB3403 @black3dynamite last edited by

                      @black3dynamite said in Windows Server Event ID Lookup:

                      @DustinB3403 said in Windows Server Event ID Lookup:

                      Found it, 5145 has both success and deny events. So now just to figure out the filtering for just the denied 5145 events.

                      Is 5145 an application, security, or system log?

                      A log, which indicates if something was accessed, successfully or not. (Still need to enable the logging for this to show up) but I'm thinking that is what I would use.

                      • IRJ
                        IRJ last edited by

                        You should just use wazuh and elk

                        • IRJ
                          IRJ last edited by

                          It will make sense of all the alerts and centralize everything

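Added example (not part of any post in this thread): one way to turn on the auditing that produces Event ID 5145 and pull only the denied events, which Windows records in the Security log with the Audit Failure keyword. The function name `Get-DeniedShareAccess` and the 24-hour look-back window are assumptions made for illustration.

```powershell
# Run in an elevated PowerShell session on the file server.

# Event ID 5145 comes from the "Detailed File Share" audit subcategory, which is
# not enabled by default. Enabling only failure auditing keeps the volume down,
# since 5145 is written on every share access check.
auditpol /set /subcategory:"Detailed File Share" /failure:enable

# Keyword bit for "Audit Failure" in the Security log (0x10000000000000).
$AuditFailure = 4503599627370496

# Hypothetical helper: returns one object per denied share access check.
function Get-DeniedShareAccess {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24)   # assumed look-back window
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 5145
        Keywords  = $AuditFailure
        StartTime = $Since
    }

    # SilentlyContinue suppresses the "no events were found" error on a quiet server.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the event data by field name rather than by position.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                SourceIp    = $data.IpAddress
                Share       = $data.ShareName
                Target      = $data.RelativeTargetName
                AccessMask  = $data.AccessMask
            }
        }
}

# Summarize which accounts are being denied on which shares.
Get-DeniedShareAccess |
    Group-Object User, Share |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

When the events are forwarded to a central log platform instead, the same two conditions (Event ID 5145 and the Audit Failure keyword) are the ones to filter on.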