0

In my Windows Server 2008 R2 Enterprise Security Event Log all entries have 'N/A' for the "User:" field.

Is there something I can do to have this field filled in?

I noticed that this information is recorded in the message of the log entry; I'd just like to see this information in the User: field to make the log a bit easier to parse.

EDIT:
I'd like to see the "User:" field filled in for events associated with user logons and logoffs (so Event IDs 4624 and 4634, 4647).

Jay Riggs
  • 243
  • 4
  • 14

1 Answers1

1

Not every event in the Security event log is associated with a user. For instance, the system time changing due to DST will generate an event in the Security event log, but the event is not associated with a user. What Event ID's are you looking at specifically?

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • Thanks for prompting me to clarify - I edited my question. – Jay Riggs Oct 27 '10 at 21:55
  • What's the logon type in the events that you're looking at? Can you post the text of a few of the representative events that you're referring to? – joeqwerty Oct 27 '10 at 22:13
  • @joeqwerty - I haven't been able to get a copy and paste of a typical event log messsage I'm interested in (ids 4624, 4634) to format properly in an edited message, but eyeballing a number of these events makes me think they all have a 'Logon Type:' of '3'. – Jay Riggs Oct 27 '10 at 22:37
  • OK, depending on what generated the event, it may not be associated with a user. Logon type 3 is a network logon, but may be associated with a service, or IIS, etc. Have a look here for the various logon types explained: http://www.windowsecurity.com/articles/Logon-Types.html – joeqwerty Oct 27 '10 at 22:48
  • @joeqwerty - It's logons to IIS in my case. I found if a user logs on and does nothing but log off 20 seconds later the Security Event Log records several logon & logoff events for that user. I'm concluding that this particular approach for solving my problem is a dead end; I might return to it if left with no alternatives In the meantime I have at least learned quite a bit about the Security log. Thanks for your help (and that link). – Jay Riggs Oct 28 '10 at 05:04
  • Glad to help... – joeqwerty Oct 28 '10 at 11:36