I'm new to Splunk and could use some help with Windows Event Codes. Where can I find an explanation of the Windows Event codes? I have several reports that show audit failure based on an event code, but I have no explanation of what the event is for. Thanks in advance.
Google is your best friend in cases like this. Searching for "windows eventCode 5152" brings up many useful-looking resources. I found this site quite helpful https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Big help. Thank you so much.
@efranklin - Did the answer provided by richgalloway help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". Thank you.
I believe this is what I have been looking for. I have searched Google, but didn't stumble onto this. Thank you so much, you have saved me hours of further searching!!
Hi,
Thanks for responding. I am attaching a screenshot of the results I got for a search I have for Audit Failure. I created the report to search on the keyword Audit Failure. The results I get have a list of Event Codes where the word Audit Failure appears; however, I don't have an explanation of what each Event Code represents.
I use this website for Windows event codes:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5152
I find it pretty good.
Hope it helps.
Do you have an example of the failure text?
I found this about event codes, but I can't find much else. I want to make sure we're talking about the same thing.
http://docs.splunk.com/Documentation/Splunk/6.3.10/Data/MonitorfilesystemchangesonWindows
Not sure if you received my response. I am attaching a screenshot of the results of my search I created for the keyword Audit Failure. My search has a series of codes, i.e., 5152, 5157, 4656, 4625, 4653, etc. Each one of these Event codes appears as a link within the search; when I click on the link, I am not getting an explanation as to what the event code represents.