Solved Windows Server Event ID Lookup
-
I'm attempting to find a specific Event ID from a Windows 2019 File server, specifically one that relates to share permissions and if someone unsuccessfully attempts to access a network share resource that they don't have access to.
Does anyone have any idea of what this EventID number is off hand?
-
Found it, 5145 has both success and deny events. So now just to figure out the filtering for just the denied 5145 events.
-
@DustinB3403 Isn't this included in file auditing? Event ID 4663 or something similar
-
@wirestyle22 said in Windows Server Event ID Lookup:
@DustinB3403 Isn't this included in file auditing? Event ID 4663 or something similar
That might work as well, the bigger issue is Windows doesn't have this log turned on by default... so now I have to turn that on and see if it works.
Not a huge ordeal, just a nice to know so I can deal with it.
-
@DustinB3403 said in Windows Server Event ID Lookup:
@wirestyle22 said in Windows Server Event ID Lookup:
@DustinB3403 Isn't this included in file auditing? Event ID 4663 or something similar
That might work as well, the bigger issue is Windows doesn't have this log turned on by default... so now I have to turn that on and see if it works.
Not a huge ordeal, just a nice to know so I can deal with it.
Yeah I actually wasn't sure. It's a good question
-
@DustinB3403 said in Windows Server Event ID Lookup:
Found it, 5145 has both success and deny events. So now just to figure out the filtering for just the denied 5145 events.
Is 5145 an application, security, or system log?
-
@black3dynamite said in Windows Server Event ID Lookup:
@DustinB3403 said in Windows Server Event ID Lookup:
Found it, 5145 has both success and deny events. So now just to figure out the filtering for just the denied 5145 events.
Is 5145 an application, security, or system log?
A log, which indicates if something was accessed, successfully or not. (Still need to enable the logging for this to show up) but I'm thinking that is what I would use.
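The two things the thread circles around, turning the logging on and then filtering 5145 down to the denied events, can be done in one go from an elevated PowerShell prompt on the file server. The following is an added example, not something posted in the thread; it assumes a Windows Server 2019 file server where 5145 is written to the Security log, and uses a 24-hour lookback window that you would adjust to taste.

```powershell
# Added example (not from the thread). Event ID 5145 ("A network share object
# was checked to see whether client can be granted desired access") comes from
# the "Detailed File Share" audit subcategory, which is off by default.
# Run in an elevated PowerShell session on the file server.

# 1. Enable the subcategory. Success events fire on every share access and are
#    very noisy on a busy file server, so start with failures only.
auditpol.exe /set /subcategory:"Detailed File Share" /failure:enable /success:disable

# 2. Query the Security log for 5145 events carrying the Audit Failure keyword.
#    Keywords: 0x8010000000000000 = Audit Failure, 0x8020000000000000 = Audit Success.
$since  = (Get-Date).AddHours(-24)   # assumed lookback window
$denied = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5145
    Keywords  = 0x8010000000000000
    StartTime = $since
} -ErrorAction SilentlyContinue      # "No events were found" is a non-terminating error

# 3. Lift the useful EventData fields out of each event's XML.
$rows = foreach ($e in $denied) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ClientIP   = $d.IpAddress
        Share      = $d.ShareName
        Target     = $d.RelativeTargetName
        AccessMask = $d.AccessMask
    }
}

# 4. Who is being denied on which share, most frequent first.
$rows | Group-Object User, Share |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Per-event detail when a particular user/share pair needs a closer look:
# $rows | Sort-Object Time | Format-Table -AutoSize
```

One practical difference between the two IDs discussed above: 5145 is produced by the Detailed File Share subcategory for every access check against a share, with no per-folder configuration, whereas 4663 belongs to the Audit File System subcategory and only appears for objects that also carry an auditing SACL, so it needs both the policy and an entry on the folder itself.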
-
You should just use Wazuh and ELK
-
It will make sense of all the alerts and centralize everything