Microsoft Windows Security Event Log sample event messages

Use these sample event messages to verify a successful integration with IBM® QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Microsoft Windows Security Event Log sample messages when you use WinCollect

The following sample has an event ID of 4624 that shows a successful login for the <account_name> user that has a source IP address of and a destination IP of

<13>May 08 10:45:44 AgentDevice=WindowsLog   AgentLogFile=Security   PluginVersion= Source=Microsoft-Windows-Security-Auditing OriginatingComputer=    User=   Domain= EventID=4624    EventIDCode=4624    EventType=8 EventCategory=12544 RecordNumber=649155826  TimeGenerated=1588945541    TimeWritten=1588945541  Level=Log Always    Keywords=Audit Success  Task=SE_ADT_LOGON_LOGON Opcode=Info Message=An account was successfully logged on.  Subject:  Security ID:  NT AUTHORITY\SYSTEM  Account Name:  account_name$  Account Domain:  account_domain  Logon ID:  0x3E7  Logon Information:  Logon Type:  10  Restricted Admin Mode: No  Virtual Account:  No  Elevated Token:  Yes  Impersonation Level:  Impersonation  New Logon:  Security ID:  account_domain\account_name  Account Name:  account_name  Account Domain:  domain_name  Logon ID:  0x9A4D3C17  Linked Logon ID:  0x9A4D3CD6  Network Account Name: -  Network Account Domain: -  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x3e4  Process Name:  C:\Windows\System32\svchost.exe  Network Information:  Workstation Name: workstation_name  Source Network Address:  Source Port:  0  Detailed Authentication Information:  Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The impersonation level field indicates the extent to which a process in the logon session can impersonate.  The authentication information fields provide detailed information about this specific logon request.  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

The following sample has an event ID of 4624 that shows a successful login for the <target_user_name> user that has a source IP address of

<13>May 08 14:54:03 AgentDevice=NetApp AgentLogFile=Security PluginVersion= Source=NetApp-Security-Auditing Computer=00000000-0000-000000005-000000000000/11111111-1111-1111-1111-111111111111 OriginatingComputer=00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111 User= Domain= EventID=4624 EventIDCode=4624 EventType=8 EventCategory=0 RecordNumber=6706 TimeGenerated=1588960308 TimeWritten=1588960308 Level=LogAlways Keywords=AuditSuccess Task=None Opcode=Info Message=IpAddress= IpPort=49155 TargetUserSID=S-0-0-00-00000000-0000000000-0000000000-0000 TargetUserName=target_user_name TargetUserIsLocal=false TargetDomainName=target_domain_name AuthenticationPackageName=NTLM_V2 LogonType=3 ObjectType=(null) HandleID=(null) ObjectName=(null) AccessList=(null) AccessMask=(null) DesiredAccess=(null) Attributes=(null)

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in Snare format

The following sample has an event ID of 4724 that shows that an attempt was made to reset an account's password, and that the attempt was made by the account name Administrator.

Important: The logs that you send to QRadar must be tab-delimited. If you cut and paste the code from this sample, make sure that you press the tab key where indicated by the <tab> variables, then remove the variables.
<133>Aug 15 23:12:08 MSWinEventLog<tab>1<tab>Security<tab>839<tab>Wed Aug 15 23:12:08 2012<tab>4724<tab>Microsoft-Windows-Security-Auditing<tab>user<tab>N/A<tab>Success Audit<tab>w2k8<tab>User Account Management<tab>An attempt was made to reset an account's password.    Subject:   Security ID:  subject_security_id   Account Name:  Administrator   Account Domain:  DOMAIN   Logon ID:  0x5cbdf    Target Account:   Security ID:  target_security_id   Account Name:  target_account_name   Account Domain:  DOMAIN  355

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in LEEF format

The following sample has an event ID of 8194 that shows that the event generated a Volume Shadow Copy Service error that was initiated by the <user_name> user.

<131>Apr 04 10:03:18 LEEF:1.0|Microsoft|Windows|2k8r2|8194|devTime=2019-04-04T10:03:18GMT+02:00  devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz    cat=Error   sev=2 usrName=domain_name\user_name   application=Group Policy Registry   message=domain_name\user_name: Application Group Policy Registry: [Error] The client-side extension could not apply computer policy settings for '00 - C - Domain - Baseline (Enforced) {00000000-0000-0000-0000-000000000000}' because it failed with error code '0x80070002 The system cannot find the file specified.' See trace file for more details. (EventID 8194)

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs in CEF format

The following sample has an event ID of 7036 Service Stopped that shows that a service entered the stopped state.

CEF:0|Microsoft|Microsoft Windows||Service Control Manager:7036|Service entered the stopped state|Low| eventId=132 externalId=7036 categorySignificance=/Normal categoryBehavior=/Execute/Response categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Application/Service art=1358378879917 cat=System deviceSeverity=Information act=stopped rt=1358379018000 destinationServiceName=Portable Device Enumerator Service cs2=0 cs3=Service Control Manager cs2Label=EventlogCategory cs3Label=EventSource cs4Label=Reason or Error Code ahost= agt= agentZoneURI=/All Zones/example System/Private Address Space Zones/RFC1918: av= atz=Country/City_Name aid=00000000000000000000000\\=\\= at=windowsfg dvchost=host.domain.test dtz=Country/City_Name _cefVer=0.1 ad.Key[0]=Portable Device Enumerator Service ad.Key[1]=stopped ad.User= ad.ComputerName=host.domain.test ad.DetectTime=2013-1-16 15:30:18 ad.EventS

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs by using Winlogbeats

The following sample has an event ID of System that shows that NtpClient was unable to set a manual peer to use as a time source.

{"@timestamp":"2017-02-13T01:54:07.745Z","beat":{"hostname":"","name":"","version":"5.6.3"},"computer_name":"","event_data":{"DomainPeer":",0x9","ErrorMessage":"No such host is known. (0x80072AF9)","RetryMinutes":"15"},"event_id":134,"level":"Warning","log_name":"System","message":"NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ',0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)","opcode":"Info","process_id":996,"provider_guid":"{00000000-0000-0000-0000-000000000000}","record_number":"40292","source_name":"Microsoft-Windows-Time-Service","thread_id":3312,"type":"wineventlog","user":{"domain":"NT AUTHORITY","identifier":"user_identifier","name":"LOCAL SERVICE","type":"Well Known Group"}}

Microsoft Windows Security Event Log sample message when you use Syslog to collect logs by using Azure Event Hubs

The following sample has an event ID of 5061 that shows that there was a cryptographic operation that is completed by the <subject_user_name> user.

{"time":"2019-05-07T17:53:30.0648172Z","category":"WindowsEventLogsTable","level":"Informational","properties":{"DeploymentId":"00000000-0000-0000-0000-000000000000","Role":"IaaS","RoleInstance":"_role_instance","ProviderGuid":"{00000000-0000-0000-0000-000000000000}","ProviderName":"Microsoft-Windows-Security-Auditing","EventId":5061,"Level":0,"Pid":700,"Tid":1176,"Opcode":0,"Task":12290,"Channel":"Security","Description":"Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tsecurity_id\r\n\tAccount Name:\t\taccount_name\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\t{11111111-1111-1111-1111-111111111111}\r\n\tKey Type:\tMachine key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0","RawXml":"<Event xmlns=''><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{22222222-2222-2222-2222-222222222222}'/><EventID>5061</EventID><Version>0</Version><Level>0</Level><Task>12290</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-05-07T17:53:30.064817200Z'/><EventRecordID>291478</EventRecordID><Correlation ActivityID='{33333333-3333-3333-3333-333333333333}'/><Execution ProcessID='700' ThreadID='1176'/><Channel>Security</Channel><Computer>computer_name</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>subject_user_sid</Data><Data Name='SubjectUserName'>subject_user_name</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>RSA</Data><Data Name='KeyName'>{44444444-4444-4444-4444-444444444444}</Data><Data Name='KeyType'>%%2499</Data><Data Name='Operation'>%%2480</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>"}}