From OSSEC Wiki
Log samples for the Windows event log in the NTSyslog format
Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
Oct 31 18:02:37 192.168.1.100 security[success] 680 NT AUTHORITY\SYSTEM Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Jeremy Lee Source Workstation: IBM17M Error Code: 0x0
Oct 31 18:02:37 192.168.1.100 security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}
Oct 31 18:02:37 192.168.1.100 security[success] 576 IBM17M\Jeremy Lee Special privileges assigned to new logon: User Name: Domain: Logon ID:(0x0,0x3A2E471) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
Oct 31 18:02:39 192.168.1.100 security[success] 682 NT AUTHORITY\SYSTEM Session reconnected to winstation: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x1F5A9C) Session Name:Console Client Name:Unknown Client Address:Unknown
Oct 31 18:02:39 192.168.1.100 security[success] 538 IBM17M\Jeremy Lee User Logoff: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2
Nov 2 17:23:16 192.168.1.100 security[failure] 680 NT AUTHORITY\SYSTEM Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Jeremy Lee Source Workstation: IBM17M Error Code: 0xC000006A
Nov 2 17:23:16 192.168.1.100 security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Reason:Unknown user name or bad password User Name:Jeremy Lee Domain:IBM17M Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M