Solved

Programming NT security log

Posted on 1997-06-23
Last Modified: 2013-12-28
HI,

Does anyone know how to retrieve events logged in the security log file in Windows NT?

I'm programming using the Windows SDK.  Are there APIs that I can use to retrieve the information I want from the security log file?

Thanks!
kianbeng

Question by:YamSeng
2 Comments
 
LVL 1

Accepted Solution

by: moosach (earned 20 total points)
ID: 1779125
Hi,

that shouldn't be a major problem.  There are a couple of APIs in the Win32 SDK like OpenEventLog, ReadEventLog and so on.

Check also the MS knowledgebase article below. It is still valid for NT 4.0.

Regards

Toni

.......................................................................................................

Accessing the Event Logs

PSS ID Number: Q108230
Article last modified on 11-02-1995
PSS database name: WIN32SDK

3.10 3.50

WINDOWS NT

-------------------------------------------------------------------------
The information in this article applies to:
 
 - Microsoft Win32 Application Programming Interface (API) included with:
 
    - Microsoft Windows NT versions 3.1 and 3.5
-------------------------------------------------------------------------
 
SUMMARY
=======
 
Event logs are used to store significant events, such as warnings, errors,
or information. There are five operations that can be performed on event
logs through the event logging application programming interface (API):
backup, clear, query, read, and write.
 
The default event logs are the Application event log, the Security event
log, and the System event log. Access to these event logs is determined by
which account the application is running under.
 
MORE INFORMATION
================
 
The following table shows which accounts are granted access to which logs
and what type of access is granted under Windows NT 3.1:
 
   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write
 
   Security      LocalSys    read write clear
                 Admins      read       clear
 
   System        LocalSys    read write clear
                 Admins      read       clear
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 1 - access granted in Windows NT 3.1
 
The Local System account (LocalSys) is a special account that may be used
by Windows NT services. The Administrator account (Admins) consists of the
administrators for the system. The Server Operator account (ServerOp)
consists of the administrators of the domain server. The World account
includes all users on all systems.
 
Changes made were for Windows NT 3.5:
 
   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write
 
   Security      LocalSys    read write clear
                 Admins      read       clear
                 World       read       clear *
 
   System        LocalSys    read write clear
                 Admins      read write clear **
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 2 - access granted under Windows NT 3.5
 
    * Users that have been granted manage auditing and security log rights
      can read and clear the Security log.
 
   ** Admins can write to the System log.
 
The following table shows which types of access are required for the
corresponding event logging API:
 
   Event Logging API         Access Required
   -------------------------------------------
   OpenEventLog()            read
   OpenBackupEventLog()      read
   RegisterEventSource()     write
   ClearEventLog()           clear
   -------------------------------------------
   Table 3 - access required for event logging APIs
 
As an example, OpenEventLog() requires read access (see Table 2). A member
of the ServerOp account can call OpenEventLog() for the Application event
log and the System event log, because ServerOp has read access for both of
these logs (see Table 1). However, a member of the ServerOp account cannot
call OpenEventLog() for the Security log, because it does not have read
access for this log (see Table 1).
 
Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseMisc
=============================================================================
Copyright Microsoft Corporation 1995.
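The API the answer names (OpenEventLog, then ReadEventLog) hands back a buffer packed with raw EVENTLOGRECORD structures, and the caller has to walk that buffer itself. The following is an added example, not code from this thread or from the Microsoft article: it mirrors the record header layout in its own typedef (evlog_hdr_t), validates every length and offset before dereferencing it, and counts audit-failure records and records from one source. build_record, walk_records and sample_summary are assumed names; the three records are constructed test data (IDs 529/528 stand in for NT's failed/successful logon audits), and the OpenEventLog/ReadEventLog calls themselves are omitted so the parser compiles outside Windows.

```c
#include <stdint.h>
#include <string.h>

/* Fixed head of the Win32 EVENTLOGRECORD as ReadEventLogA() fills it (strings follow). */
typedef struct {
    uint32_t length, reserved, record_number, time_generated, time_written, event_id;
    uint16_t event_type, num_strings, event_category, reserved_flags;
    uint32_t closing_record_number, string_offset, user_sid_length, user_sid_offset, data_length, data_offset;
} evlog_hdr_t;                                      /* our name; layout matches winnt.h */
/* Emit one constructed record (not real log data) into out; returns its byte length. */
size_t build_record(uint8_t *out, uint32_t rec_no, uint32_t event_id, uint16_t type,
                    const char *source, const char *msg) {
    size_t src = strlen(source) + 1, m = strlen(msg) + 1;
    size_t len = (sizeof(evlog_hdr_t) + src + m + 4 + 3) & ~(size_t)3;   /* DWORD-aligned */
    evlog_hdr_t h = {0};
    h.length = (uint32_t)len;  h.reserved = 0x654c664c;                  /* "LfLe" marker */
    h.record_number = rec_no;  h.event_id = event_id;  h.event_type = type;
    h.num_strings = 1;  h.string_offset = (uint32_t)(sizeof h + src);
    memset(out, 0, len);  memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, source, src);  memcpy(out + h.string_offset, msg, m);
    memcpy(out + len - 4, &h.length, 4);                                 /* trailing Length copy */
    return len;
}

/* Walk a ReadEventLog() buffer, validating each offset before use; -1 on a malformed record. */
int walk_records(const uint8_t *buf, size_t buf_len, const char *want_src, int *failures, int *from_src) {
    size_t pos = 0;  int n = 0;  *failures = *from_src = 0;
    while (pos + sizeof(evlog_hdr_t) <= buf_len) {
        evlog_hdr_t h;  uint32_t tail;
        memcpy(&h, buf + pos, sizeof h);                                 /* no unaligned reads */
        if (h.length < sizeof h + 4 || h.length > buf_len - pos) return -1;
        memcpy(&tail, buf + pos + h.length - 4, 4);
        if (tail != h.length || h.string_offset >= h.length) return -1;
        const char *source = (const char *)(buf + pos + sizeof h);
        const char *first = (const char *)(buf + pos + h.string_offset); /* e.g. account name */
        if (!memchr(source, 0, h.length - sizeof h) ||
            (h.num_strings && !memchr(first, 0, h.length - h.string_offset))) return -1;
        if (h.event_type == 0x0010) (*failures)++;                       /* EVENTLOG_AUDIT_FAILURE */
        if (strcmp(source, want_src) == 0) (*from_src)++;
        pos += h.length;  n++;
    }
    return n;
}
/* Three constructed records; returns count*100 + failures*10 + from_src, or -1. */
int sample_summary(size_t truncate_by) {
    uint8_t buf[512];  int f, s;
    size_t n = build_record(buf, 1, 529, 0x0010, "Security", "alice");   /* failed logon */
    n += build_record(buf + n, 2, 528, 0x0008, "Security", "bob");       /* successful logon */
    n += build_record(buf + n, 3, 1000, 0x0001, "MyApp", "started");
    int r = walk_records(buf, n - truncate_by, "Security", &f, &s);
    return r < 0 ? -1 : r * 100 + f * 10 + s;
}
```

A truncated buffer (the last record cut short) is rejected rather than read past its end, which matters because the Security log is the one place where a malformed record must not take the reader down with it.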
Author Comment

by:YamSeng
ID: 1779126
I've got the answer....thanks!