2
Log Name: System
Source: LsaSrv
Date: <date> <time>
Event ID: 45058
Task Category: Logon Cache
Level: Information
Keywords: Classic
User: N/A
Computer: computername.contoso.com
Description:
A logon cache entry for user USERNAME@EXAMPLE.COM was the oldest entry and was removed. The timestamp of this entry was **MM/DD/YYYY HH:MM:SS**

Given the above example evtx log, is the timestamp time zone in the description UTC? My understanding is that the Date/Time of the actual event log is in UTC; I just want to confirm that the date and time provided in the description are in UTC as well. This is a win2k8 OS. Thanks

Kate
5k1zk17

1 Answer

2

The Date line records the event timestamp in UTC. When you view the event log, the viewer adjusts the timestamp to the current local time zone for display.

The message of the event is just a string. If the logging application/service puts a timestamp in there, that's specific to that application. It's going to reflect whatever that application is designed to report.

Matt Johnson-Pint
  • I'm not seeing this to be the case. I'm not describing the event entry timestamp but the timestamp reported in the description/message of the event. That seems to be "hard coded" in the message, unlike the event entry timestamp that's associated with a UTC offset. – 5k1zk17 Sep 20 '14 at 17:10
  • The description of the event you posted in your question does not contain a time stamp. Anything in the description would be hard-coded (and embedded with the event), since that is created by the software which logs the event. Only the software which logs the event could change that to be UTC. – Lucky Luke Sep 22 '14 at 16:07
  • Sorry, I missed that part. I was referring to the timestamp in the `Date` field. As Lucky Luke said, the description is entirely up to the logging application. Is your question with specific regard to this LsaSrv event message? – Matt Johnson-Pint Sep 22 '14 at 16:38
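
An added example (not from the question, the answer or the comments) of the distinction drawn above: the record's `TimeCreated` value is stored in UTC and re-rendered for each viewer's zone, while a timestamp inside the message text is a plain string with no zone attached. The XML record, both timestamp values, the fixed UTC offsets and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample record in rendered-XML layout; the message timestamp is a
# made-up value standing in for the MM/DD/YYYY HH:MM:SS placeholder.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv"/>
    <EventID>45058</EventID>
    <TimeCreated SystemTime="2014-09-19T23:30:05.123456700Z"/>
  </System>
  <RenderingInfo Culture="en-US">
    <Message>A logon cache entry for user USERNAME@EXAMPLE.COM was the oldest entry and was removed. The timestamp of this entry was 09/01/2014 08:30:00</Message>
  </RenderingInfo>
</Event>"""

def record_time_utc(event):
    """TimeCreated/@SystemTime carries a trailing 'Z': it is stored in UTC."""
    raw = event.find("e:System/e:TimeCreated", NS).get("SystemTime")
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", raw)
    if not m:
        raise ValueError(f"unexpected SystemTime: {raw!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # keep at most 6 digits
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def message_time_naive(event):
    """Timestamp embedded in the message: no zone data, so it stays naive."""
    msg = event.findtext("e:RenderingInfo/e:Message", "", NS)
    m = re.search(r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d", msg)
    return datetime.strptime(m.group(0), "%m/%d/%Y %H:%M:%S") if m else None

def summarize(xml_text, viewer_utc_offset_hours):
    """Show how each timestamp appears to a viewer at a fixed UTC offset."""
    event = ET.fromstring(xml_text)
    rec = record_time_utc(event)
    shown = rec.astimezone(timezone(timedelta(hours=viewer_utc_offset_hours)))
    msg_time = message_time_naive(event)
    return {
        "record_utc": rec.isoformat(),
        "record_displayed": shown.isoformat(),   # changes with the viewer
        "message_time": msg_time.isoformat() if msg_time else None,
        "message_zone": "unknown: decided by the component that logged it",
    }

if __name__ == "__main__":
    for offset in (0, -4, 9):
        print(offset, summarize(SAMPLE_XML, offset))
```

When building a timeline, keep the message value as a zone-less field until the logging component's behaviour has been confirmed on a test host.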