Here's another event missing field names: Event ID 4627, which lists the
group membership of a user when he logs on, is missing field names.
2017 Feb 21 13:33:23 WinEvtLog: Security: AUDIT_SUCCESS(4627):
Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname:
S-1-5-18 HOSTNAME$ DOMAN 0x3e7
S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Username HOSTNAME 0x22d8dd8
7 1 1 <LF><CR>
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX}
<TAB><TAB>%{S-1-1-0}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-32-562}
<TAB><TAB>%{S-1-5-32-578}
<TAB><TAB>%{S-1-5-32-556}
<TAB><TAB>%{S-1-5-32-555}
<TAB><TAB>%{S-1-5-32-545}
<TAB><TAB>%{S-1-5-4}
<TAB><TAB>%{S-1-2-1}
<TAB><TAB>%{S-1-5-11}
<TAB><TAB>%{S-1-5-15}
<TAB><TAB>%{S-1-5-113}
<TAB><TAB>%{S-1-2-0}
<TAB><TAB>%{S-1-5-64-10}
<TAB><TAB>%{S-1-16-8448}<SPACE>