I see there are a few Windows SIDs that are redundant. They have different SIDs but are for the same Windows event. I understand that these are due to the differences in the way Win 2003 and Win 2008 log the events. But I still see certain SIDs that I cannot map to a Win event ID.
E.g.: For Account Lockout there are 3 SIDs.
The 1st one is for Win 2003 (event id 664) and the 2nd one is for Win 2008 (event id 4740). What does the 3rd SID map to?
I believe it is for some older versions of Windows, but I am not able to find and relate such SIDs with event IDs.
Like the simple logic - in a SID the last 3 or 4 digits (excluding the last digit) are the actual Win event ID. In the example, should I be looking for Event ID 87? I did that, but it doesn't map to Account Lockout.
One can also use this thread to explain the first 3 digits of the SID too, i.e. 211 for Win 2003, 263 for Win 2008; like this, what are the other codes?