LogAnalysis
Note that a similar problem occurs if you just embed the name; if the account is renamed you lose track of the account's activities with standard queries.
This was addressed in Windows Vista, which now embeds the SID and the textual account name.
Eric
-----Original Message-----
From: loganalysis-bounces (at) loganalysis (dot) org [mailto:loganalysis-bounces (at) loganalysis (dot) org] On Behalf Of Vincent Bernat
Sent: Monday, June 25, 2007 12:59 PM
To: loganalysis
Subject: Re: [logs] Syslog and Windows
OoO During the television news on Monday, June 25, 2007, around 20:54, Eric
Fitzgerald <Eric.Fitzgerald (at) microsoft (dot) com> said:
> In Windows events, it's common to embed invariants rather than strings-
> for instance instead of storing "Account Enabled" we store "%%2048";
> which Event Viewer looks up as "Account Enabled" in the locale of the
> viewer. Likewise we store security IDs and AD object GUIDs rather than
> the actual names of the objects; the names have to be looked up before
> presenting to the user; in SEM this is typically done at the agent prior
> to transmission to the SEM server.
What happens if a user gets deleted from AD?
--
BEWITCHED, DOES NOT PROMOTE SATANISM
BEWITCHED, DOES NOT PROMOTE SATANISM
BEWITCHED, DOES NOT PROMOTE SATANISM
-+- Bart Simpson on chalkboard in episode 2F17
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
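The trade-off discussed in this thread (resolve invariants at the agent, but keep the SID next to the name so renames and deletions do not break queries), as an added example that is not from the list posts or any Windows API. The `lookup` callable stands in for a directory query, the field names are hypothetical, and the SID and account names are constructed sample values; only the `%%2048` mapping comes from the thread.

```python
# Constructed sample table; only %%2048 -> "Account Enabled" is taken from the thread.
PARAM_MESSAGES = {"en": {"%%2048": "Account Enabled"}}
SAMPLE_SID = "S-1-5-21-1111-2222-3333-1105"  # constructed, not a real account


class SidResolver:
    """Resolve SIDs at collection time and remember the last name seen,
    so events for deleted accounts can still be labelled."""

    def __init__(self, lookup):
        self.lookup = lookup      # hypothetical directory query: sid -> name or None
        self.last_known = {}      # sid -> most recent name returned by lookup

    def resolve(self, sid):
        name = self.lookup(sid)
        if name is not None:
            self.last_known[sid] = name
            return name, "live"
        if sid in self.last_known:
            # Account no longer resolves (e.g. deleted): fall back to history.
            return self.last_known[sid], "cached"
        return None, "unresolved"


def enrich(event, resolver, locale="en"):
    """Return a copy of the event with display strings added.
    The raw invariants (action code, SID) are kept, never replaced."""
    out = dict(event)
    table = PARAM_MESSAGES.get(locale, {})
    # Unknown codes pass through unchanged instead of being dropped.
    out["action_text"] = table.get(event["action"], event["action"])
    name, source = resolver.resolve(event["target_sid"])
    out["target_name"] = name
    out["target_name_source"] = source
    return out


if __name__ == "__main__":
    directory = {SAMPLE_SID: "jdoe"}            # constructed stand-in for AD
    resolver = SidResolver(directory.get)
    event = {"action": "%%2048", "target_sid": SAMPLE_SID}
    print(enrich(event, resolver))              # resolved live
    del directory[SAMPLE_SID]                   # account deleted
    print(enrich(event, resolver))              # name served from cache
```

Queries that key on `target_sid` keep matching across a rename, while `target_name_source` tells the analyst whether the displayed name was current when the event was collected.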