Centrify Privilege Elevation Service - Windows audit events
| Centrify Event ID | Description | Parameters |
|
6001-Deprecated |
Console login success This event has been deprecated. Use Centrify Event Id 6031 introduced in release 2017.2 instead. |
Role: role DesktopGuid: desktop GUID |
|
6002-Deprecated
|
Console login failure This event has been deprecated. Use Centrify Event Id 6032 introduced in release 2017.2 instead. |
|
|
6003-Deprecated
|
Remote login success This event has been deprecated. Use Centrify Event Id 6033 introduced in release 2017.2 instead. |
Role: role DesktopGuid: desktop GUID |
|
6004-Deprecated
|
Remote login failure This event has been deprecated. Use Centrify Event Id 6034 introduced in release 2017.2 instead. |
|
|
6005-Deprecated
|
Run with privilege success This event has been deprecated. Use Centrify Event Id 6029 introduced in release 2017.2 instead. |
Role: local role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID DesktopGuid: desktop GUID Command: command |
|
6006-Deprecated |
Run with privilege failure This event has been deprecated. Use Centrify Event Id 6030 introduced in release 2017.2 instead. |
Role: local role DesktopGuid: desktop GUID Command: command |
|
6007-Deprecated |
Create desktop success This event has been deprecated. Use Centrify Event Id 6035 introduced in release 2017.2 instead. |
Role: local role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID DesktopGuid: desktop GUID |
|
6008-Deprecated |
Create desktop failure This event has been deprecated. Use Centrify Event Id 6036 introduced in release 2017.2 instead. |
Role: local role |
|
6009-Deprecated |
Network access success This event has been deprecated. Use Centrify Event Id 6039 introduced in release 2017.2 instead. |
Role: role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID |
|
6010-Deprecated |
Console logon failure This event has been deprecated. Use Centrify Event Id 6032 introduced in release 2017.3 instead. |
Reason: reason |
|
6011-Deprecated |
Remote login failure This event has been deprecated. Use Centrify Event Id 6034 introduced in release 2017.2 instead. |
Reason: reason |
|
6012-Deprecated |
Run with privilege success This event has been deprecated. Use Centrify Event Id 6029 introduced in release 2017.2 instead. |
Role: local role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID DesktopGuid: desktop GUID Command: command PasswordPrompted: whether user was required to re-enter their password DesktopName: desktop name NetworkRoles: network roles |
|
6013-Deprecated |
Run with privilege failure This event has been deprecated. Use Centrify Event Id 6030 introduced in release 2017.2 instead. |
Role: local role DesktopGuid: desktop GUID Command: command Reason: reason DesktopName: desktop name NetworkRoles: network roles |
|
6014-Deprecated |
Create desktop success This event has been deprecated. Use Centrify Event Id 6035 introduced in release 2017.2 instead. |
Role: local role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID DesktopGuid: desktop GUID PasswordPrompted: whether user was required to re-enter their password DesktopName: desktop name NetworkRoles: network roles |
|
6015-Deprecated |
Create desktop failure This event has been deprecated. Use Centrify Event Id 6036 introduced in release 2017.2 instead. |
Role: local role Reason: reason NetworkRoles: network roles |
|
6016-Deprecated |
Switch desktop success This event has been deprecated. Use Centrify Event Id 6037 introduced in release 2017.2 instead. |
DesktopName: desktop name DesktopGuid: desktop GUID PasswordPrompted: whether user was required to re-enter their password Role: local role NetworkRoles: network roles |
|
6017-Deprecated |
Switch desktop failure This event has been deprecated. Use Centrify Event Id 6038 introduced in release 2017.2 instead. |
DesktopName: desktop name Reason: reason |
|
6018-Deprecated |
Run with privilege failure This event has been deprecated. Use Centrify Event Id 6030 introduced in release 2017.2 instead. |
Role: local role DesktopGuid: desktop GUID Command: command Reason: reason DesktopName: desktop name NetworkRoles: network roles PasswordPrompted: whether user was required to re-enter their password |
|
6019-Deprecated |
Create desktop failure This event has been deprecated. Use Centrify Event Id 6036 introduced in release 2017.2 instead. |
Role: local role Reason: reason NetworkRoles: network roles PasswordPrompted: whether user was required to re-enter their password |
|
6020-Deprecated |
Switch desktop failure This event has been deprecated. Use Centrify Event Id 6038 introduced in release 2017.2 instead. |
DesktopName: desktop name Reason: reason PasswordPrompted: whether user was required to re-enter their password |
|
6021 |
Join to zone success |
zone: zone name ZoneDomainName: zone domain name ComputerName: computer name ComputerDomainName: computer domain name LogonUser: logon user LogonUserSid: logon user SID AlternateUser: whether alternate user is used to perform the operation |
|
6022 |
Join to zone failure |
zone: zone name ZoneDomainName: zone domain name ComputerName: computer name ComputerDomainName: computer domain name Reason: reason LogonUser: logon user LogonUserSid: logon user SID AlternateUser: whether alternate user is used to perform the operation |
|
6023 |
Leave from zone success |
zone: zone name ZoneDomainName: zone domain name ComputerName: computer name ComputerDomainName: computer domain name LogonUser: logon user LogonUserSid: logon user SID AlternateUser: whether alternate user is used to perform the operation |
|
6024 |
Leave from zone failure |
zone: zone name ZoneDomainName: zone domain name ComputerName: computer name ComputerDomainName: computer domain name Reason: reason LogonUser: logon user LogonUserSid: logon user SID AlternateUser: whether alternate user is used to perform the operation |
|
6025 |
Add role success |
zone: zone name ZoneDomainName: zone domain name RoleName: role name LogonUser: logon user LogonUserSid: logon user SID AlternateUser: whether alternate user is used to perform the operation |
|
6026 |
Add role failure |
zone: zone name ZoneDomainName: zone domain name RoleName: role name Reason: reason LogonUser: logon user LogonUserSid: logon user SID AlternateUser: whether alternate user is used to perform the operation |
|
6027 |
Add role assignment success |
zone: zone name ZoneDomainName: zone domain name RoleName: role name Assignee: assignee LogonUser: logon user LogonUserSid: logon user SID AlternateUser: whether alternate user is used to perform the operation |
|
6028 |
Add role assignment failure |
zone: zone name ZoneDomainName: zone domain name RoleName: role name Assignee: assignee Reason: reason LogonUser: logon user LogonUserSid: logon user SID AlternateUser: whether alternate user is used to perform the operation |
|
6029 |
Run with privilege success |
Role: local role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID DesktopGuid: desktop GUID Command: command PasswordPrompted: whether user was required to re-enter their password DesktopName: desktop name NetworkRoles: network roles EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6030 |
Run with privilege failure |
Role: local role DesktopGuid: desktop GUID Command: command Reason: reason DesktopName: desktop name NetworkRoles: network roles PasswordPrompted: whether user was required to re-enter their password EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6031 |
Console login success |
Role: role DesktopGuid: desktop GUID EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6032 |
Console logon failure |
Reason: reason EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6033 |
Remote login success |
Role: role DesktopGuid: desktop GUID EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6034 |
Remote login failure |
Reason: reason EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6035 |
Create desktop success |
Role: local role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID DesktopGuid: desktop GUID PasswordPrompted: whether user was required to re-enter their password DesktopName: desktop name NetworkRoles: network roles EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6036 |
Create desktop failure |
Role: local role Reason: reason NetworkRoles: network roles PasswordPrompted: whether user was required to re-enter their password EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6037 |
Switch desktop success |
DesktopName: desktop name DesktopGuid: desktop GUID PasswordPrompted: whether user was required to re-enter their password Role: local role NetworkRoles: network roles EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6038 |
Switch desktop failure |
DesktopName: desktop name Reason: reason PasswordPrompted: whether user was required to re-enter their password EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6039 |
Network access success |
Role: role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID EntityName: Entity Name MFARequired: whether user was required to do MFA |
|
6040 |
Self-service password reset success added in release 2017.3 |
Username: username |
|
6041 |
Self-service password reset failure added in release 2017.3 |
Username: username Reason: failure reason
|
|
6042 |
Self-service account unlock success added in release 2017.3 |
Username: username |
|
6043 |
Self-service account unlock failure added in release 2017.3 |
Username: username Reason: failure reason
|
|
6044 |
Enable Centrify Identity Services Platform succeeded added in release 2017.3 |
PlatformInstance: Platform Instance |
|
6045 |
Disable Centrify Identity Services Platform succeeded added in release 2017.3 |
PlatformInstance: Platform Instance |
|
6046 |
Enable Centrify Identity Services Platform failed added in release 2017.3 |
PlatformInstance: Platform Instance Reason: Reason for failure
|
|
6047 |
Disable Centrify Identity Services Platform failed added in release 2017.3 |
PlatformInstance: Platform Instance Reason: Reason for failure
|
|
6048 |
PowerShell remote connection success added in release 18.8 |
User: user Role: role |
|
6049 |
PowerShell remote connection failure added in release 18.8 |
User: user Reason: reason |
|
6050 |
Trouble ticket entered added in release 18.11 |
ticket: ticket reason: reason for privilege elevation comment: additional comment |
|
6051 |
Run with privilege as an alternate user success added in release 18.11 |
Role: local role EffectiveSid: effective user SID EffectiveGroupSids: effective group SID's LogonGuid: logon GUID DesktopGuid: desktop GUID Command: command PasswordPrompted: whether user was required to re-enter their password DesktopName: desktop name NetworkRoles: network roles EntityName: Entity Name MfaRequired: whether user was required to do MFA AlternateUsername: An alternate username AlternateUserSid: An alternate user's SID |
|
6052 |
Run with privilege as an alternate user failure added in release 18.11 |
Role: local role DesktopGuid: desktop GUID Command: command Reason: reason DesktopName: desktop name NetworkRoles: network roles PasswordPrompted: whether user was required to re-enter their password EntityName: Entity Name MfaRequired: whether user was required to do MFA AlternateUsername: An alternate username AlternateUserSid: An alternate user's SID |
|
6053 |
Windows authentication is skipped added in release 18.11 |
service: service reason: Reason message for skip |
|
6054 |
Run with alternate account success added in Release 2020 |
Command: command AlternateUsername: alternate username tenant: tenant URL PasswordPrompted: whether user was required to re-enter their password |
|
6055 |
Run with alternate account failure added in Release 2020 |
Command: command AlternateUsername: alternate username tenant: tenant URL Reason: reason PasswordPrompted: whether user was required to re-enter their password |
|
6300 |
Add roles and features success added in release 2018 |
PID: process id user: username@domain status: succeeded feature: feature name computer: computer name |
|
6301 |
Add roles and features failure added in release 2018
|
PID: process id user: username@domain status: failed feature: feature name computer: computer name reason: reason for failure |
|
6302 |
Remove roles and features success added in release 2018
|
PID: process id user: username@domain status: succeeded feature: feature name computer: computer name |
|
6303 |
Remove roles and features failure added in release 2018
|
PID: process id user: username@domain status: failed feature: feature name computer: computer name reason: reason for failure |
|
6350 |
Uninstall program success added in release 2018
|
PID: process id user: username@domain status: succeeded program: program name computer: computer name |
|
6351 |
Uninstall program failure added in release 2018
|
PID: process id user: username@domain status: failed program: program name computer: computer name reason: reason for failure |
|
6352 |
Change program success added in release 2018 |
PID: process id user: username@domain status: succeeded program: program name computer: computer name |
|
6353 |
Change program failure added in release 2018
|
PID: process id user: username@domain status: failed program: program name computer: computer name reason: reason for failure |
|
6354 |
Repair program success added in release 2018
|
PID: process id user: username@domain status: succeeded program: program name computer: computer name |
|
6355 |
Repair program failure added in release 2018
|
PID: process id user: username@domain status: failed program: program name computer: computer name reason: reason for failure |
|
6400 |
Enable network adapter success added in release 2018
|
PID: process id user: username@domain status: succeeded adapter: adapter name computer: computer name |
|
6401 |
Enable network adapter failure added in release 2018 |
PID: process id user: username@domain status: failed adapter: adapter name computer: computer name reason: reason for failure |
|
6402 |
Disable network adapter success added in release 2018 |
PID: process id user: username@domain status: succeeded adapter: adapter name computer: computer name |
|
6403 |
Disable network adapter failure added in release 2018 |
PID: process id user: username@domain status: failed adapter: adapter name computer: computer name reason: reason for failure |
|
6404 |
Rename network adapter success added in release 2018 |
PID: process id user: username@domain status: succeeded adapter: adapter name computer: computer name |
|
6405 |
Rename network adapter failure added in release 2018 |
PID: process id user: username@domain status: failed adapter: adapter name computer: computer name reason: reason for failure |
|
6406 |
Update IPv4 settings success added in release 2018 |
PID: process id user: username@domain status: succeeded adapter: adapter name computer: computer name |
|
6407 |
Update IPv4 settings failure added in release 2018 |
PID: process id user: username@domain status: failed adapter: adapter name computer: computer name reason: reason for failure |
|
6408 |
Update IPv6 settings success added in release 2018
|
PID: process id user: username@domain status: succeeded adapter: adapter name computer: computer name |
|
6409 |
Update IPv6 settings failure added in release 2018 |
PID: process id user: username@domain status: failed adapter: adapter name computer: computer name reason: reason for failure |
|
6500 |
Auto-enroll as corporate owned device success added in release 2018 |
computer: computer name tenant: tenant URL |
|
6501 |
Auto-enroll as corporate owned device failure added in release 2018 |
computer: computer name tenant: tenant URL reason: reason for failure |
|
6502 |
Unenroll device success added in release 2018 |
user: user name computer: computer name |
|
6503 |
Unenroll device failure added in release 2018 |
user: user name computer: computer name reason: reason for failure |
|
6504 |
Enroll as corporate owned device success added in release 2018 |
user: user name computer: computer name tenant: tenant URL
|
|
6505 |
Enroll as corporate owned device failure added in release 2018 |
user: user name computer: computer name tenant: tenant URL reason: reason for failure |
|
6506 |
Enroll device success added in release 2018 |
user: user name computer: computer name tenant: tenant URL |
|
6507 |
Enroll device failure added in release 2018 |
user: user name computer: computer name tenant: tenant URL reason: reason for failure |
|
6508 |
Auto-unenroll success added in release 18.8 |
computer: computer name |
|
6509 |
Auto-unenroll failure added in release 18.8 |
computer: computer name reason: reason for failure |
|
6510 |
PowerShell remote command execution added in release 2020.1 |
userSid: User SID userName: User name authMechanism: Authentication mechanism url: HTTP URL of inbound request command: PowerShell remote command isScript: Command is a remote script |
Doc Feedback