Security Reference  

Correlation of Windows Process Tracking Events

Created on 2003-03-04 by Rainer Gerhards.

Applies to: Windows 2000

Events Correlated are:

Desired result:

We would like to have a single event that specifies

  • at which time a process started and stopped
  • what was the image name
  • the user that it began to run under end ended to run under
  • any other properties that can be helpful

While correlating the event, we will probably lose information, for example if

  • the user identy changes more than once

Other anomalies can be caused by missing events, which yields to missing information on the overall process. This can potentially become a warning sign in its own. As such, it can make sense to generate alerts when one or more of the following conditions occur (if it should become a warning should be left to the configuration options done by the administrator):

  • missing start event id 592
  • missing end event id 593

How to correlate: 

We need to go through all events in sequence of occurence. For each 592 event, we need to track the id of the newly created process (in event log parameter 1). We need to save the status of all active programs in a cache. When we see a 593 event, we need to look up the matching 592 event via its process id (specified as parameter 1 in the 593 event). Any interim changes of the access token (event 600) need to update the associated user ids.

Obviously, the correlation must take place not only on a per-process id basis but the process id is also related to a specific machine. Multiple machines will have different processes tracked by the same id.

Please note that some processes can be very long-running (e.g. explorer.exe on left open terminal server session). For the analysis program, it may be a good idea to save session state between runs. So the analysis can continue from where it left.

Other things to track:

The local time on the server may have changed between events. As such, the sequence can not be properly indicated from local time. One approach would be to use the message receive time, instead. An other approach would be to keep track of "time changed" events.

Would you like to discuss this object? Have a look at our Windows event forum or post a question there!

Analysis, monitoring, near-real-time alerting of the Windows event log can be done with by MonitorWare Agent.

All information in this section is to the best of our knowledge but without warrenty of any kind. This is free information - use it at your sole risk.

[Back to the Security Reference]

 The Products
MonitorWare Products
Product Comparison
Which one to Purchase?
Order and Pricing
Upgrade Insurance Info
News Releases
Version History
MonitorWare Tools
 Event Repository
 Reference library
General Information
Step-by-step guides
 - All
 - Installation and Configuration
 - Services related
 - Actions related
 - Central Monitoring
Common Uses
Syslog configuration
Syslog Log Samples
Security Reference
 - All
 - General questions
 - Configurations related
 - Monitorware Agent
 - Monitorware Console
Seminars Online
 - All
 - General
 - MonitorWare Console
 - MonitorWare Agent
 - WinSyslog related
 - EventReporter
 Order & pricing
Order now
Product Comparison
Pricing Information
Upgrade Insurance Info
Local Reseller
 Contact Us
 Data privacy policy

Printer Version Send this page to a friend

Copyright © 1988-2005 Adiscon GmbH All rights reserved.
Contact us via Secure Web Response | Privacy Policy
Topic Links: syslog | Free Weblinks Directory