Correcting Event ID 644 in the ACS database
I ran into an issue the other day where Account Lockout events (Event ID 644) did not display properly in the "All Events With Specified Event ID" ACS report. I'm looking for the name of the computer that is listed as "Caller Machine Name" in the event (the machine that passed the bad credentials that caused the account to be locked). According to the following info from https://support.microsoft.com/kb/301677, this should be seen as Parameter 2:
Event ID: 644 (0x0284)
Type: Success Audit
Description: User Account Locked Out
Target Account Name: %1
Target Account ID: %3
Caller Machine Name: %2
Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Here is the event from the Domain Controller:
Looking at the report, I would expect the String02 column to display this computer name, but instead it is showing a SID....this is the SID for the account that has been locked out:
So, I look in the ACS database and see the following for the event (querying the adtserver.dvall5 view):
Looks like the TargetSid and String02 columns are reversed. So, where does the Event Parameter --> Database Column mapping come from? It comes from the EventSchema.xml file which is located in the %windir%\system32\security\adtserver directory on the ACS collector. Eric Fitzgerald has a great blog on this at https://blogs.msdn.com/ericfitz/archive/2008/02/27/acs-event-transformation-demystified.aspx. So, I open the EventSchema.xml file and search on '644' and find four instances of the following (relevant parts in red):
<Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">
<Call Name="AppendString" Param1="1" Param2="0" />
<Call Name="AppendString" Param1="3" Param2="0" />
<Call Name="AppendString" Param1="2" Param2="0" />
<Call Name="AppendString" Param1="4" Param2="0" />
<Call Name="AppendString" Param1="5" Param2="0" />
<Call Name="AppendString" Param1="6" Param2="0" />
<Call Name="AppendSidFromNames" Param1="4" Param2="5" />
<Call Name="AppendNamesFromSid" Param1="3" Param2="0" />
<Param TypeName="typeUserDn" />
<Param TypeName="typeComputerName" />
<Param TypeName="typeTargetSid" />
<Param TypeName="typeClientUser" />
<Param TypeName="typeClientDomain" />
<Param TypeName="typeClientLogonId" />
<Param TypeName="typeClientSid" />
<Param TypeName="typeTargetUser" />
<Param TypeName="typeTargetDomain" />
</Event>
Basically, what is happening here is Parameter 3 (Target Account ID) is being converted to SID and stored as String02, and Parameter 2 (Caller Machine Name) is being stored as TargetSID. We need to fix this so that Parameter 2 (Caller Machine Name) is stored as String02 and the SID for Parameter 3 (Target Account ID) is stored as TargetSID. To accomplish this, we only need to make the following change to each instance of Event 644 in the EventSchema.xml file:
Original:
<Param TypeName="typeComputerName" />
<Param TypeName="typeTargetSid" />
Change:
<Param TypeName="typeTargetSid" />
<Param TypeName="typeComputerName" />
All we are doing is switching the order so that typeTargetSid is listed second and typComputerName is listed third. We could probably accomplish the same thing by switching the "Call Name" lines instead.
**Note that there are four instances of event 644 in the EventSchema.xml file....you'll need to change all of them.
So, after modifying and saving the EventSchema.xml file, I restart the Operations Manager Audit Collection Service on the Collector server (to force it to reload the event schema), and generate another account lockout.
Now, the event in the database looks like this:
And the report looks like this:
Perfect!!!
NOTE:
This change will NOT have any effect on existing 644 events in the database....it will only affect events that are created AFTER making the change.
Comments
- Anonymous
January 13, 2009
The comment has been removed - Anonymous
January 14, 2009
For event 642, look in the adtserver.dvall5 view. The important columns would be: ClientUser - The user that made the change TargetUser - The user account that was changed String05 - The change that was made This is what I am seeing for a Win2k3 server....don't have a Win2k server in my environment, but I think it should be the same.