No events for Microsoft-Windows-Security-Auditing
I'm curious to see if you have any ideas why this provider, Microsoft-Windows-Security-Auditing (aka EventLog-Security, aka the Security log), won't work with Sealighter. I don't see any events when running this config:
```json
{
    "session_properties": {
        "session_name": "My-Process-Trace",
        "output_format": "event_log",
        "buffering_timout_seconds": 10
    },
    "user_traces": [
        {
            "trace_name": "mystuff",
            "provider_name": "Microsoft-Windows-Security-Auditing"
        }
    ],
    "kernel_traces": []
}
```
I've tried Microsoft-Windows-Security-Auditing, EventLog-Security, Security and {54849625-5478-4994-a5ba-3e3b0328c30d}; none produces events. Supplying EventLog-Security or Security in the provider name just produces a "name provider error in the configuration" message. I'm running Sealighter as SYSTEM and I see the events I'm after fire in the Security log, but my Sealighter produces zip.
This little example works: https://github.com/microsoft/krabsetw/blob/master/examples/ManagedExamples/UserTrace005.cs
Anyhow, I know this project isn't active, but I have found your creation very interesting in some of my research. I'm digging in, trying to understand how you built Sealighter, and I just have to say thank you for the work you've done.