Microsoft-Windows-Security-Audit-Configuration-Client

32 events across 2 channels

Event ID	Title	Channel
100	Group policy processing for audit settings initiated.	Diagnostic
101	Group policy processing for audit settings could not be started.	Operational
102	List of applicable GPOs.	Operational
103	Group policy processing for audit settings started.	Diagnostic
104	Failed to create local directory for downloading audit settings.	Operational
105	Processing audit settings from the following GPO.	Diagnostic
106	Successfully downloaded the audit settings file as follows.	Diagnostic
107	Failed to downloaded the audit settings file as follows.	Operational
108	Successfully configured the audit settings on the system.	Diagnostic
109	Failed to configure the audit settings on the system.	Operational
110	Successfully generated RSoP data in WMI.	Diagnostic
111	Failed to generate RSoP data in WMI.	Operational
112	Group policy processing for audit settings finished successfully.	Diagnostic
113	Group policy processing for audit settings finished with error.	Operational
114	Successfully communicated the results of the operation to group policy engine.	Diagnostic
115	Failed to communicate the results of the operation to group policy engine.	Operational
200	Group policy processing for central access policy settings initiated.	Diagnostic
201	Group policy processing for central access policy settings could not be started.	Operational
202	List of applicable GPOs.	Operational
203	Group policy processing for central access policy settings started.	Diagnostic
204	Failed to create local directory for downloading central access policy settings.	Operational
205	Processing central access policy settings from the following GPO.	Diagnostic
206	Successfully downloaded the central access policy settings file as follows.	Diagnostic
207	Failed to downloaded the central access policy settings file as follows.	Operational
208	Successfully configured the central access policy settings on the system.	Diagnostic
209	Failed to configure the central access policy settings on the system.	Operational
210	Successfully generated RSoP data in WMI.	Diagnostic
211	Failed to generate RSoP data in WMI.	Operational
212	Group policy processing for central access policy settings finished …	Diagnostic
213	Group policy processing for central access policy settings finished with error.	Operational
214	Successfully communicated the results of the operation to group policy engine.	Diagnostic
215	Failed to communicate the results of the operation to group policy engine.	Operational

Event ID 100 — Group policy processing for audit settings initiated.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic
Opcode: Start

Description

Group policy processing for audit settings initiated.

Message #

Group policy processing for audit settings initiated.

Event ID 101 — Group policy processing for audit settings could not be started.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational
Opcode: Stop

Description

Group policy processing for audit settings could not be started. Error: ErrorCode.

Message #

Group policy processing for audit settings could not be started. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 102 — List of applicable GPOs.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational
Level: Informational

Description

List of applicable GPOs.

Message #

List of applicable GPOs:
%1

Fields #

Name	Description
`GPOList` UnicodeString	List of applicable GPOs

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Audit-Configuration-Client",
    "guid": "08466062-AED4-4834-8B04-CDDB414504E5",
    "event_source_name": "",
    "event_id": 102,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T23:49:58.045589+00:00",
    "event_record_id": 40,
    "correlation": {
      "ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
    },
    "execution": {
      "process_id": 8540,
      "thread_id": 9876
    },
    "channel": "Microsoft-Windows-Security-Audit-Configuration-Client/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "GPOList": "Local Group Policy\n"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 103 — Group policy processing for audit settings started.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic
Opcode: Start

Description

Group policy processing for audit settings started.

Message #

Group policy processing for audit settings started.

Event ID 104 — Failed to create local directory for downloading audit settings.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to create local directory for downloading audit settings. Error: ErrorCode.

Message #

Failed to create local directory for downloading audit settings. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 105 — Processing audit settings from the following GPO.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Processing audit settings from the following GPO.

Message #

Processing audit settings from the following GPO.
Display Name: %1
GPO ID: %2
SYSVOL Path: %3

Fields #

Name	Description
`Display_Name` UnicodeString	—
`GPO_ID` UnicodeString	—
`SYSVOL_Path` UnicodeString	—
`GPOName` UnicodeString	—
`GPOID` UnicodeString	—
`SysvolPath` UnicodeString	—

Event ID 106 — Successfully downloaded the audit settings file as follows.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Successfully downloaded the audit settings file as follows.

Message #

Successfully downloaded the audit settings file as follows.
Remote File: %1
Local File: %2
GPO Name: %3

Fields #

Name	Description
`Remote_File` UnicodeString	—
`Local_File` UnicodeString	—
`GPO_Name` UnicodeString	—
`RemoteFile` UnicodeString	—
`LocalFile` UnicodeString	—
`GPOName` UnicodeString	—

Event ID 107 — Failed to downloaded the audit settings file as follows.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to downloaded the audit settings file as follows.

Message #

Failed to downloaded the audit settings file as follows.
Remote File: %1
Local File: %2
GPO Name: %3
Error: %4

Fields #

Name	Description
`Remote_File` UnicodeString	—
`Local_File` UnicodeString	—
`GPO_Name` UnicodeString	—
`Error` UInt32	—
`RemoteFile` UnicodeString	—
`LocalFile` UnicodeString	—
`GPOName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 108 — Successfully configured the audit settings on the system.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Successfully configured the audit settings on the system.

Message #

Successfully configured the audit settings on the system.

Event ID 109 — Failed to configure the audit settings on the system.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to configure the audit settings on the system.

Message #

Failed to configure the audit settings on the system.
Error: %1

Fields #

Name	Description
`Error` UInt32	—
`ErrorCode` UInt32	—

Event ID 110 — Successfully generated RSoP data in WMI.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Successfully generated RSoP data in WMI.

Message #

Successfully generated RSoP data in WMI.

Event ID 111 — Failed to generate RSoP data in WMI.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to generate RSoP data in WMI. Error:ErrorCode.

Message #

Failed to generate RSoP data in WMI. Error:%1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 112 — Group policy processing for audit settings finished successfully.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic
Opcode: Stop

Description

Group policy processing for audit settings finished successfully.

Message #

Group policy processing for audit settings finished successfully.

Event ID 113 — Group policy processing for audit settings finished with error.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational
Opcode: Stop

Description

Group policy processing for audit settings finished with error. Error: ErrorCode.

Message #

Group policy processing for audit settings finished with error. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 114 — Successfully communicated the results of the operation to group policy engine.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Successfully communicated the results of the operation to group policy engine.

Message #

Successfully communicated the results of the operation to group policy engine.

Event ID 115 — Failed to communicate the results of the operation to group policy engine.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to communicate the results of the operation to group policy engine. Error: ErrorCode.

Message #

Failed to communicate the results of the operation to group policy engine. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 200 — Group policy processing for central access policy settings initiated.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic
Opcode: Start

Description

Group policy processing for central access policy settings initiated.

Message #

Group policy processing for central access policy settings initiated.

Event ID 201 — Group policy processing for central access policy settings could not be started.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational
Opcode: Stop

Description

Group policy processing for central access policy settings could not be started. Error: ErrorCode.

Message #

Group policy processing for central access policy settings could not be started. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 202 — List of applicable GPOs.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

List of applicable GPOs.

Message #

List of applicable GPOs:
%1

Fields #

Name	Description
`GPOList` UnicodeString	—

Event ID 203 — Group policy processing for central access policy settings started.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic
Opcode: Start

Description

Group policy processing for central access policy settings started.

Message #

Group policy processing for central access policy settings started.

Event ID 204 — Failed to create local directory for downloading central access policy settings.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to create local directory for downloading central access policy settings. Error: ErrorCode.

Message #

Failed to create local directory for downloading central access policy settings. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 205 — Processing central access policy settings from the following GPO.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Processing central access policy settings from the following GPO.

Message #

Processing central access policy settings from the following GPO.
Display Name: %1
GPO ID: %2
SYSVOL Path: %3

Fields #

Name	Description
`Display_Name` UnicodeString	—
`GPO_ID` UnicodeString	—
`SYSVOL_Path` UnicodeString	—
`GPOName` UnicodeString	—
`GPOID` UnicodeString	—
`SysvolPath` UnicodeString	—

Event ID 206 — Successfully downloaded the central access policy settings file as follows.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Successfully downloaded the central access policy settings file as follows.

Message #

Successfully downloaded the central access policy settings file as follows.
Remote File: %1
Local File: %2
GPO Name: %3

Fields #

Name	Description
`Remote_File` UnicodeString	—
`Local_File` UnicodeString	—
`GPO_Name` UnicodeString	—
`RemoteFile` UnicodeString	—
`LocalFile` UnicodeString	—
`GPOName` UnicodeString	—

Event ID 207 — Failed to downloaded the central access policy settings file as follows.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to downloaded the central access policy settings file as follows.

Message #

Failed to downloaded the central access policy settings file as follows.
Remote File: %1
Local File: %2
GPO Name: %3
Error: %4

Fields #

Name	Description
`Remote_File` UnicodeString	—
`Local_File` UnicodeString	—
`GPO_Name` UnicodeString	—
`Error` UInt32	—
`RemoteFile` UnicodeString	—
`LocalFile` UnicodeString	—
`GPOName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 208 — Successfully configured the central access policy settings on the system.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Successfully configured the central access policy settings on the system.

Message #

Successfully configured the central access policy settings on the system.

Event ID 209 — Failed to configure the central access policy settings on the system.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to configure the central access policy settings on the system.

Message #

Failed to configure the central access policy settings on the system.
Error: %1

Fields #

Name	Description
`Error` UInt32	—
`ErrorCode` UInt32	—

Event ID 210 — Successfully generated RSoP data in WMI.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Successfully generated RSoP data in WMI.

Message #

Successfully generated RSoP data in WMI.

Event ID 211 — Failed to generate RSoP data in WMI.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to generate RSoP data in WMI. Error:ErrorCode.

Message #

Failed to generate RSoP data in WMI. Error:%1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 212 — Group policy processing for central access policy settings finished successfully.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic
Opcode: Stop

Description

Group policy processing for central access policy settings finished successfully.

Message #

Group policy processing for central access policy settings finished successfully.

Event ID 213 — Group policy processing for central access policy settings finished with error.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational
Opcode: Stop

Description

Group policy processing for central access policy settings finished with error. Error: ErrorCode.

Message #

Group policy processing for central access policy settings finished with error. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 214 — Successfully communicated the results of the operation to group policy engine.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Diagnostic

Description

Successfully communicated the results of the operation to group policy engine.

Message #

Successfully communicated the results of the operation to group policy engine.

Event ID 215 — Failed to communicate the results of the operation to group policy engine.

Provider: Microsoft-Windows-Security-Audit-Configuration-Client
Channel: Operational

Description

Failed to communicate the results of the operation to group policy engine. Error: ErrorCode.

Message #

Failed to communicate the results of the operation to group policy engine. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—