What’s in that Event Log? Discovering possible Event ID’s

Introduction

Hello world!  My name is Scott Brondel, and I’m a Senior Premier Field Engineer with Microsoft specializing in Active Directory, Security topics, and scripting. I’m also a member of the endangered species known as “Microsoft Certified Master – Directory Services“. In this post I’d like to share some tips on discovering what events are possible inside many event logs.

Applications and Services Logs

Windows Server 2008 / Windows Vista introduced a new section into Event Viewer, where applications could create their own event logs and register whatever events they wanted.  This was very handy compared to the classic model of dumping everything into the generic Application event log that’s been in Windows since the NT days.  Unfortunately, that flexibility came at a cost – very few of these logs come with any documentation that show what Event ID’s are registered, so you can learn which events might be of interest and useful for monitoring / alerting / forwarding into a SIEM, etc.

I ran into this personally with a customer that I’m helping deploy our own IPAM role that’s free with Windows Server (haven’t checked it out?  You should!  But that’ll be the subject of a different post).  The customer was curious what they could natively use for monitoring IPAM’s activities, vs what they should think about writing their own PowerShell scripts for using IPAM’s cmdlets.  Here’s the process I walked through, which you can utilize for many of these new Applications and Services Logs sitting in the Microsoft folder.

First, off to the documentation! That page shows that there are three logs in Applications and Services Logs > Microsoft > Windows > IPAM by default, and if you turn on “Show Analytic and Debug Logs” an additional two more can appear.  I decided to focus on the Admin log as it “captures events that are related to IPAM user actions and IPAM periodic tasks”, as most of what IPAM does behind-the-scenes is driven by several actions registered in Task Scheduler.  That’s the most I could find via public documentation though – no breakout of what Event ID’s are in there or what they’re useful for.

I purposely turned some things off in my IPAM test lab to ensure there would be some fun activity, and sure enough I found warnings and errors:

A sample of an IPAM log where a managed DHCP server is offline

Looks like some good candidates for monitoring appeared, but what else is there?  To tackle this question, I first right-clicked on the Admin event log and clicked Properties to verify what Windows has registered as the full name of this log:

Properties of the Admin IPAM log in Event Viewer

With this info, I went to one of those rarely used built-in commands, wevtutil. The “gl” command of wevtutil can tell you a lot about an event log, including a wonderful piece of info called the owningPublisher:

wevtutil gl "Microsoft-Windows-IPAM/Admin"

name: Microsoft-Windows-IPAM/Admin
enabled: true
type: Admin
owningPublisher: Microsoft-Windows-IPAM
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-IPAM%4Admin.evtx
  retention: false
  autoBackup: false
  maxSize: 1052672
publishing:
  fileMax: 1

The owningPublisher attribute is the full internal name of the Provider that has been registered with Windows for that event log – you can find more details about Providers here. Once we know the name of a provider, we can use the Get-WinEvent cmdlet in PowerShell to see if there are any Events that are registered:

(Get-WinEvent -ListProvider Microsoft-Windows-IPAM).Events.Count

946

Wow, 946 events!  Let’s unpack that cmdlet a bit.  The part inside the parentheses will return some information about that provider:

Get-WinEvent -ListProvider Microsoft-Windows-IPAM

Name     : Microsoft-Windows-IPAM
LogLinks : {Microsoft-Windows-IPAM/Operational, Microsoft-Windows-IPAM/Admin,
           Microsoft-Windows-IPAM/ConfigurationChange, Microsoft-Windows-IPAM/Debug...}
Opcodes  : {Modify, Import, Export, Delete...}
Tasks    : {AddressSpaceManagement, Discovery, Audit, MultiServerManagement...}

Piping that command to Format-List, or fl as an alias, allows us to use the -Property parameter to get a full list of information…

Get-WinEvent -ListProvider Microsoft-Windows-IPAM | fl -Property *

ProviderName      : Microsoft-Windows-IPAM
Name              : Microsoft-Windows-IPAM
Id                : ab636baa-dff3-4cb0-abf0-56e192dac2b3
MessageFilePath   : C:\Windows\system32\ipamres.dll
ResourceFilePath  : C:\Windows\system32\ipamres.dll
ParameterFilePath :
HelpLink          : https://go.microsoft.com/fwlink/events.asp?CoName=Microsoft Corporation&ProdName=Microsoft®
                    Windows® Operating System&ProdVer=10.0.17763.1&FileName=ipamres.dll&FileVer=10.0.17763.1
DisplayName       : Microsoft-Windows-IPAM
LogLinks          : {Microsoft-Windows-IPAM/Operational, Microsoft-Windows-IPAM/Admin,
                    Microsoft-Windows-IPAM/ConfigurationChange, Microsoft-Windows-IPAM/Debug...}
Levels            : {win:Critical, win:Error, win:Warning, win:Informational}
Opcodes           : {Modify, Import, Export, Delete...}
Keywords          : {IPBlock, IPRange, IPAddress, IPAMField...}
Tasks             : {AddressSpaceManagement, Discovery, Audit, MultiServerManagement...}
Events            : {10001, 10002, 10003, 10004...}

… and from there, I can see that there are some events!  One more bit of PowerShell pipelining will give me a nice list that I can send to a file if I choose for later reference:

(Get-WinEvent -ListProvider Microsoft-Windows-IPAM).Events | select -Property Id, Description | ft -AutoSize -Wrap

   Id Description
   -- -----------
10001 The IPv4 address block %1 has been added with the value %2 for the configuration setting %3.IPv4 address block:
      %1Configuration setting: %3Value: %2
10002 The IPv4 address block %1 has been added.IPv4 address block: %1
10003 The IPv4 address block %1 has been updated with the value %2 for the configuration setting %3. The previous
      value was %4.IPv4 address block: %1Configuration setting: %3Previous value: %4Value: %2
10004 The IPv4 address block %1 has been deleted.IPv4 address block: %1
10005 The IPv6 address block %1 has been added with the value %2 for the configuration setting %3.IPv6 address block:
      %1Configuration setting: %3Value: %2
10006 The IPv6 address block %1 has been updated with the value %2 for the configuration setting %3. The previous
      value was %4.IPv6 address block: %1Configuration setting: %3Previous value: %4Value: %2
10007 The IPv6 address block %1 has been deleted.IPv6 address block: %1
10008 IPv4 address range %1 of type %2 having start IP address %3, end IP address %4, managed by %5, service instance
      %6 and address space %7 has been added.IPv4 address range: %1
10009 IPv4 address range %1 of type %2 having start IP address %3, end IP address %4, managed by %5, service instance
      %6 and address space %7 has been updated with the value %8 for the configuration setting %9. The previous value
      was %10.IPv4 address range: %1Configuration setting: %9Previous value: %10Value: %8
...
60061 Var1: %1 ,Var2: %2
60062 Var1: %1 ,Var2: %2
60063 Var1: %1 ,Var2: %2
60064 Var1: %1 ,Var2: %2
60065 Var1: %1 ,Var2: %2

Note that it’s quite possible that you’ll find some Event ID’s like those last ones, which appear to be registered but not fully defined / utilized currently.
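The steps above (find the log’s owning provider, list that provider’s registered events, keep the useful ones) fit naturally into one reusable function. The block below is an added example, not code from the original post: the function name Get-LogEventCatalog, the stub-detection regex and the CSV path are my own choices, while the cmdlets and properties it relies on (Get-WinEvent -ListLog and -ListProvider, OwningProviderName, and the Id, Version, Level, Task, LogLink and Description members of each event definition) are the built-in ones shown in the output earlier. It finishes by pulling Warning/Error events with the catalogued IDs from the live log, which is the monitoring use case the post is after.

```powershell
# Added example, not from the original post. Wraps the discovery steps above into one
# function: log -> OwningProviderName -> registered event definitions, minus stubs.
function Get-LogEventCatalog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$LogName,        # e.g. 'Microsoft-Windows-IPAM/Admin'
        [switch]$IncludeStubs    # keep placeholder definitions such as 'Var1: %1 ,Var2: %2'
    )

    # Step 1: the log's metadata names the owning provider (wevtutil's owningPublisher).
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    if ([string]::IsNullOrEmpty($log.OwningProviderName)) {
        Write-Warning "'$LogName' has no single owning provider (compare 'Windows PowerShell'); inspect its ProviderNames instead."
        return
    }

    # Step 2: the provider's metadata carries every event definition it can emit.
    $provider = Get-WinEvent -ListProvider $log.OwningProviderName -ErrorAction Stop

    # Step 3: one provider can feed several channels (IPAM has Admin, Operational,
    # ConfigurationChange, ...), so keep only definitions linked to the requested log.
    foreach ($evt in $provider.Events) {
        if ($evt.LogLink -and $evt.LogLink.LogName -and $evt.LogLink.LogName -ne $LogName) { continue }

        $desc   = ($evt.Description -replace '\s+', ' ').Trim()
        $isStub = $desc -match '^Var\d+: %\d+'      # registered but not really defined yet
        if ($isStub -and -not $IncludeStubs) { continue }

        [pscustomobject]@{
            Provider    = $provider.Name
            LogName     = $LogName
            Id          = $evt.Id
            Version     = $evt.Version
            LevelValue  = if ($evt.Level) { $evt.Level.Value } else { $null }   # 1=Critical 2=Error 3=Warning 4=Informational
            Level       = if ($evt.Level) { $evt.Level.DisplayName } else { $null }
            Task        = if ($evt.Task)  { $evt.Task.DisplayName }  else { $null }
            IsStub      = $isStub
            Description = $desc
        }
    }
}

# Usage: catalogue the IPAM Admin log and keep a copy for later reference.
$catalog = Get-LogEventCatalog -LogName 'Microsoft-Windows-IPAM/Admin'
$catalog | Format-Table Id, Level, Task, Description -AutoSize -Wrap
$catalog | Export-Csv -Path "$env:TEMP\IPAM-Admin-events.csv" -NoTypeInformation

# Monitoring payoff: Error/Warning definitions are the natural alerting candidates. Query the
# live log by level (2 = Error, 3 = Warning) and keep only IDs from the catalogue; filtering
# the IDs client-side avoids the query-length limit you hit when passing hundreds of IDs.
$alertIds = @($catalog | Where-Object { $_.LevelValue -in 2, 3 } | ForEach-Object Id) | Sort-Object -Unique
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-IPAM/Admin'; Level = 2, 3 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in $alertIds } |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

The LogLink check matters because a provider such as Microsoft-Windows-IPAM registers events for several channels at once; without it you would catalogue Operational and Debug definitions under the Admin log. The Level.DisplayName strings are localized, which is why the alert filter uses the numeric Level.Value instead.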

What if you want to find a full list of providers and query that to see what’s available?  We can do that – let’s suppose we’re looking for anything related to PowerShell.  Let’s first get a list of all providers and store them in a variable:

$providers = Get-WinEvent -ListProvider *

Note: Don’t be worried if that cmdlet produces a few errors – I’ve seen several providers throw errors with this cmdlet, and it appears to be normal behavior based on what those providers do.  You can also get a similar list without PowerShell via “wevtutil ep” or “wevtutil enum-publishers”.

Once I have that list, I can search it for anything I’m curious about:

$providers.name | Select-String -Pattern "powershell"

PowerShell
Microsoft-Windows-PowerShell
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager

And here’s where you’ll get some mixed results – not all providers appear to have specific Events registered for them.  The Microsoft-Windows-PowerShell one does (which is the provider behind the Applications and Services Logs > Microsoft > PowerShell > Operational log):

Get-WinEvent -ListProvider Microsoft-Windows-PowerShell | fl -Property Events

Events : {4097, 4098, 4099, 4100...}

… but the PowerShell provider (which is registered with Applications and Services Logs > Windows PowerShell) does not:

Get-WinEvent -ListProvider PowerShell | fl -Property Events

Events : {}

In fact, if we check out that “Windows PowerShell” log, we’ll see that there’s no single owningPublisher defined:

wevtutil gl "Windows PowerShell"

name: Windows PowerShell
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx
  retention: false
  autoBackup: false
  maxSize: 15728640
publishing:
  fileMax: 1

So some Event Logs are still a mystery, but this technique will unlock many logs for you where documentation doesn’t exist. One more tip: the Get-WinEvent cmdlet also has a -ListLog parameter which can tell you information about an event log, including the owningPublisher that wevtutil shows – PowerShell calls it the OwningProviderName:

(Get-WinEvent -ListLog "Microsoft-Windows-IPAM/Admin") | ft -Property LogName, OwningProviderName

LogName                      OwningProviderName
-------                      ------------------
Microsoft-Windows-IPAM/Admin Microsoft-Windows-IPAM

The PowerShell output also includes another attribute called ProviderNames, which is extremely useful for things like the built-in System and Application logs which have lots of different sources registered with them. Want to find out exactly how many sources are registered in your Application log?

((Get-WinEvent -ListLog "Application").ProviderNames).Count

162
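Searching provider names, as done above for “powershell”, finds providers; the next step a monitoring engineer usually wants is to search the event descriptions themselves, across every provider, for a phrase like “free space”, and to see which of a classic log’s many registered sources actually carry event definitions. The block below is an added example and not code from the original post: the function names Find-RegisteredEvent and Get-LogProviderSummary and the sample patterns are my own, while Get-WinEvent -ListProvider, -ListLog, ProviderNames and the event definition members (Id, Level, LogLink, Description) are the built-in ones the post already uses.

```powershell
# Added example, not from the original post. Search every registered provider for event
# definitions whose description matches a pattern, so candidate IDs can be found without
# opening each log by hand.
function Find-RegisteredEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Pattern,                 # regex matched against the event description
        [string]$ProviderFilter = '*'     # narrow the provider set, e.g. 'Microsoft-Windows-*'
    )

    # Some providers fail to load their metadata; the post notes this is normal, so suppress
    # those errors rather than letting them stop the enumeration.
    $providers = Get-WinEvent -ListProvider $ProviderFilter -ErrorAction SilentlyContinue

    foreach ($p in $providers) {
        foreach ($evt in $p.Events) {
            if ($evt.Description -notmatch $Pattern) { continue }
            [pscustomobject]@{
                Provider    = $p.Name
                LogName     = if ($evt.LogLink) { $evt.LogLink.LogName } else { $null }
                Id          = $evt.Id
                Level       = if ($evt.Level) { $evt.Level.DisplayName } else { $null }
                Description = ($evt.Description -replace '\s+', ' ').Trim()
            }
        }
    }
}

# Usage: where can the platform tell us that storage is running out?
Find-RegisteredEvent -Pattern 'free space|disk (is|was) full' |
    Sort-Object Provider, Id |
    Format-Table Provider, LogName, Id, Level, Description -AutoSize -Wrap

# Companion for classic logs such as Application or System, which have many sources
# registered: show which of those sources carry event definitions and how many.
function Get-LogProviderSummary {
    param([Parameter(Mandatory)][string]$LogName)   # e.g. 'Application'
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    foreach ($name in $log.ProviderNames) {
        $p = Get-WinEvent -ListProvider $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LogName    = $LogName
            Provider   = $name
            EventCount = if ($p) { @($p.Events).Count } else { 0 }
        }
    }
}

Get-LogProviderSummary -LogName 'Application' |
    Sort-Object EventCount -Descending |
    Format-Table -AutoSize
```

Loading the metadata for every provider on a server takes a while (often a few minutes), so for repeated searches store the Find-RegisteredEvent output once and filter the saved objects, as the post does with the $providers variable. Sources that show an EventCount of 0 in the summary are the legacy ones whose messages live in a message DLL without a manifest, which is exactly the case where this technique cannot help.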

Conclusion

Don’t let a lack of documentation stop you from uncovering useful events! Lots of useful Event ID’s are waiting for you to discover them, like Microsoft-Windows-Backup/Operational, Event ID 51 (The backup storage location is running out of free space) or Microsoft-Windows-Ntfs/Operational, Event ID 141 (An operation failed because the disk was full). Dig deep into the Applications and Services Logs hierarchy in Event Viewer, find some logs of interest, and try these techniques – I hope they help you discover some more useful events for your security and monitoring efforts! Until next time…

-Scott
