Lesson 3: Using Security Logs

The security log contains information on security events that are specified in the audit policy. To view the security log, you use the Event Viewer console. Event Viewer also allows you to find specific events within log files, filter the events shown in log files, and archive security log files.


After this lesson, you will be able to

  • View a log
  • Locate events in a log
  • Filter events in a log
  • Configure the size of audit logs
  • Archive security logs

Estimated lesson time: 25 minutes


Understanding Windows 2000 Logs

You use the Event Viewer console to view information contained in Windows 2000 logs. By default, there are three logs available to view in Event Viewer. These logs are described in Table 21.9.

Table 21.9 Logs Maintained by Windows 2000

  • Application log: Contains errors, warnings, or information generated by programs such as a database program or an e-mail program. The program developer presets which events to record.
  • Security log: Contains information about the success or failure of audited events. The events that Windows 2000 records are a result of your audit policy.
  • System log: Contains errors, warnings, and information generated by Windows 2000. Windows 2000 presets which events to record.

Application and system logs can be viewed by all users. Security logs are accessible only to system administrators. By default, security logging is turned off. To enable security logging, you must use group policy at the appropriate level to set up an audit policy.

NOTE


If additional services are installed, they might add their own event log. For example, the Domain Name System (DNS) Service logs events that this service generates in the DNS server log.

Viewing Security Logs

The security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts.

Follow these steps to view the security log:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
  2. In the console tree, select Security Log.

    In the details pane, Event Viewer displays a list of log entries and summary information for each item, as shown in Figure 21.8.

    Successful events appear with a key icon and unsuccessful events appear with a lock icon. Other important information includes the date and time that the event occurred, the category of the event, and the user who generated the event.

    The category indicates the event category, such as object access, account management, directory service access, or logon events.

Figure 21.8 Event Viewer displaying a sample security log

  3. To view additional information for any event, double-click the event.

Windows 2000 records events in the security log on the computer at which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred.

Follow these steps to view the security log on a remote computer:

  1. Ensure that security auditing has been enabled on a remote machine. (See Lesson 2, "Auditing," for details.)
  2. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
  3. Right-click the Event Viewer (Local) node and select Connect To Another Computer.
  4. In the Select Computer dialog box, click Another Computer and type the network name, IP address, or DNS address for the computer for which Event Viewer will display a security log. You can also browse for the computer name.
  5. Click OK.

Locating Events

When you first start Event Viewer, it automatically displays all events that are recorded in the security log. You can search for specific events by using the Find command.

Follow these steps to find events:

  1. Start Event Viewer, click the security log, and then click Find on the View menu.
  2. On the Find In dialog box for the security log, configure the options shown in Figure 21.9 and described in Table 21.10.

Table 21.10 Options on the Find In Dialog Box

  • Event Types: Check boxes that indicate the types of events to find. In the security log you can only find audit events, because others are not recorded.
  • Event Source: A list that indicates the software or component driver that logged the event.
  • Category: A list that indicates the event category, such as a logon or logoff attempt or a system event.
  • Event ID: An event number to identify the event. This number helps product support representatives track events.
  • User: A user logon name.
  • Computer: A computer name.
  • Description: Text that is in the description of the event.
  • Search Direction: The direction in which to search the log (up or down).
  • Find Next: Finds and selects the next occurrence defined by the Find settings.

Figure 21.9 The Find In dialog box for a security log

Filtering Events

An event log can contain a lot of information that is not useful in a particular situation. For example, if you want to see an attempt to write to a text file without the necessary permissions, you might have to dig through hundreds of unrelated events before finding the one you want. To show only specific events in the security log, reduce the number of events displayed by using the Filter command.

Follow these steps to filter events:

  1. Start Event Viewer, click the security log, and then click Filter on the View menu.
  2. In the Security Log Properties dialog box, in the Filter tab, configure the options shown in Figure 21.10 and described in Table 21.11.

Table 21.11 Options on the Filter Tab of the Security Log Properties Dialog Box

  • Event Types: Check boxes that indicate the types of events to filter. In the security log you can only filter using audit events, because others are not recorded.
  • Event Source: A list that indicates the software or component driver that logged the event.
  • Category: A list that indicates the type of event, such as a logon or logoff attempt or a system event.
  • Event ID: An event number to identify the event. This number helps product support representatives track events.
  • User: A user logon name.
  • Computer: A computer name.
  • From: The beginning of the range of events that you want to filter. In the list under From, select First Event to see events starting with the first event in the log. Select Events On to see events that occurred starting at a specific time and date.
  • To: The end of the range of events that you want to filter. In the list under To, select Last Event to see events ending with the last event in the log. Select Events On to see events that occurred ending at a specific time and date.

Figure 21.10 The Filter tab of the Security Log Properties dialog box
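The Find criteria of Table 21.10, the Filter criteria of Table 21.11, and the remote connection from "Follow these steps to view the security log on a remote computer", expressed as one script. This is an added example, not code from the training kit: it assumes Windows PowerShell 5.1 or later on a supported Windows version (Windows 2000 itself has no PowerShell), an elevated prompt, and the modern Security log event IDs 4625 (failed logon) and 4771 (Kerberos pre-authentication failed), which differ from the Windows 2000 numbering. The 24-hour window and the failure threshold are illustrative values.

```powershell
# Added example, not code from the training kit. Scripts the Find (Table 21.10)
# and Filter (Table 21.11) criteria against the Security log, locally or on a
# remote computer (the "Connect To Another Computer" procedure). Assumes
# Windows PowerShell 5.1 or later on a supported Windows version; Windows 2000
# has no PowerShell. Run elevated: the Security log is readable only by
# administrators, as the lesson states. Event IDs are the modern ones
# (4625 failed logon, 4771 Kerberos pre-authentication failed), not the
# Windows 2000 numbering.

param(
    # Equivalent of the Select Computer dialog: NetBIOS name, IP address, or DNS name.
    [string]$Computer = $env:COMPUTERNAME,
    # From / To range of the Filter tab, expressed as "the last N hours".
    [int]$Hours = 24,
    # Illustrative threshold: failures per account that deserve a closer look.
    [int]$Threshold = 5
)

# --- Filter tab: Event Types, Event ID, From, To --------------------------
# Keywords 0x8010000000000000 is the Audit Failure keyword (the lock icon);
# 0x8020000000000000 is Audit Success (the key icon). Putting every criterion
# in the hashtable lets the event log service filter before sending, which is
# what you want over a low-speed connection to a remote computer.
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4771                     # 4771 is only seen on domain controllers
    Keywords  = 0x8010000000000000             # failure audits only
    StartTime = (Get-Date).AddHours(-$Hours)   # From: Events On <date/time>
    EndTime   = Get-Date                       # To:   Last Event
}

# Get-WinEvent throws a terminating error when no event matches; that is a
# legitimate (and welcome) result here, so treat it as an empty set.
try {
    $events = @(Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop)
} catch {
    $events = @()
}

# --- Find dialog: User, Computer, Description ------------------------------
# The "User" of a logon event lives in the XML payload (TargetUserName), not in
# the record's UserId property, which is usually empty for Security events.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Computer = $e.MachineName                                # "Computer" column
        User     = Get-EventField -Event $e -Name 'TargetUserName'
        Source   = Get-EventField -Event $e -Name 'IpAddress'
    }
}

# Text match on a field, as Find does on the event description; here it drops
# computer accounts, whose names end in "$", so only user accounts remain.
$rows = @($rows | Where-Object { $_.User -and $_.User -notlike '*$' })

# --- The view a defender wants: accounts with repeated failures ------------
$rows |
    Group-Object User |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User';      e = { $_.Name } },
                  Count,
                  @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time)[0].Time } },
                  @{ n = 'Sources';   e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it as `.\Find-FailedLogons.ps1 -Computer SERVER01 -Hours 8` (the file name is arbitrary). The point of building the hashtable rather than piping everything through `Where-Object` is the same point the lesson makes about the Filter tab: the log service does the narrowing, so a remote query over a slow link moves only the matching records.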

Configuring Security Logs

Security logging begins when you set an audit policy for the domain controller or local computer. Logging stops when the security log becomes full and cannot overwrite itself, either because it has been set for manual clearing or because the first event in the log is not old enough. When security logging stops, an error may be written to the application log. You can avoid a full security log by logging only key events. You can configure the properties of each individual audit log.

Follow these steps to configure the settings for security logs:

  1. Open Event Viewer.
  2. Right-click the security log in the console tree, and then click Properties.
  3. In the Security Log Properties dialog box, in the General tab, configure the options shown in Figure 21.11 and described in Table 21.12.

Table 21.12 Options on the General Tab of the Security Log Properties Dialog Box

  • Display Name: The name of the log view. You can change the name to distinguish different views of the same log on one computer or to distinguish logs on different computers.
  • Log Name: The name and location of the log file.
  • Maximum Log Size: The size of each log, which can be from 64 KB to 4,194,240 KB (4 GB). The default size is 512 KB.
  • Overwrite Events As Needed: Specifies whether all new events will be written to the log, even when the log is full. When the log is full, each new event replaces the oldest event. Use this option with caution; it can be used to hide undesirable events.
  • Overwrite Events Older Than X Days: Specifies the number of days (1 to 365) that a log file is retained before it is overwritten. New events will not be added if the maximum log size is reached and there are no events older than this period.
  • Do Not Overwrite Events (Clear Log Manually): Specifies whether existing events will be retained when the log is full. If the maximum log size is reached, new events are discarded. This option requires you to manually clear the log.
  • Using A Low Speed Connection: Specifies whether the log file is located on another computer, and whether your computer is connected to it by a low-speed device, such as a modem.

Figure 21.11 The General tab of the Security Log Properties dialog box

When the log is full and no more events can be logged, you can free the log by manually clearing it. Clearing the log erases all events permanently. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.

Follow these steps to manually clear the security log:

  1. Open Event Viewer.
  2. Right-click the security log in the console tree, and then click Clear All Events.
  3. In the Event Viewer message box, do one of the following:
    • Click Yes to archive the log before clearing
    • Click No to permanently discard the current event records and start recording new events
  4. If you clicked Yes, in the Save As dialog box, in the File Name list, type a name to use for the log file to be archived.
  5. In the Save As Type list, click a file format, and then click Save.

Archiving Security Logs

Archiving security logs allows you to maintain a history of security-related events. Many organizations have policies on keeping archive logs for a specified period to track security-related information over time. When you archive a log file, the entire log is saved, regardless of filtering options.

Follow these steps to archive a security log:

  1. Open Event Viewer.
  2. Right-click the security log in the console tree, and then click Save Log File As.
  3. In the Save As dialog box, in the File Name list, type a name to use for the log file to be archived.
  4. In the Save As Type list, click a file format, and then click Save.

If you archive a log in log-file format you can reopen it in Event Viewer. Logs saved as event log files (*.evt) retain the binary data for each event recorded. If you archive a log in text or comma-delimited format (*.txt and *.csv, respectively), you can reopen the log in other programs such as word processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data.

Follow these steps to view an archived security log:

  1. Open Event Viewer.
  2. Right-click the security log in the console tree, and then click Open Log File.
  3. In the Open dialog box, click the file you want to open. You may need to search for the drive or folder that contains the document.
  4. In the Log Type list, select Security for the type of log to be opened.
  5. In the Display Name box, enter the name of the file as you want it to appear in the console tree, and then click Open.

To remove an archived log file from your system, delete the file in Windows Explorer.
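The General tab settings of Table 21.12 and the clear, archive, and reopen procedures from "Configuring Security Logs" and "Archiving Security Logs", as a script. This is an added example, not the training kit's code: it assumes Windows PowerShell 5.1 on a supported Windows version (Windows 2000 has no PowerShell; `Limit-EventLog` is absent from PowerShell 7, while the `wevtutil.exe` calls work in both), an elevated prompt, and an archive folder `C:\SecurityLogArchive` that is an assumed location. The 2048 KB size is the value Exercise 2 uses; modern Windows writes archives as `.evtx`, the successor of the `.evt` format the lesson describes.

```powershell
# Added example, not code from the training kit. Scripts the General tab of
# Table 21.12 plus the Clear All Events / Save Log File As / Open Log File
# procedures. Assumes Windows PowerShell 5.1 (Limit-EventLog is not in
# PowerShell 7; wevtutil.exe works in both) and an elevated prompt.
# $ArchiveDir is an assumed location, not one the lesson specifies.

param(
    [string]$ArchiveDir = 'C:\SecurityLogArchive',   # assumed archive location
    [long]  $MaxSizeKB  = 2048                        # Exercise 2 uses 2048 KB
)

# --- General tab: Maximum Log Size and the three overwrite options ---------
# -OverflowAction maps one-to-one onto the radio buttons in Table 21.12:
#   OverwriteAsNeeded -> Overwrite Events As Needed
#   OverwriteOlder    -> Overwrite Events Older Than X Days (add -RetentionDays N)
#   DoNotOverwrite    -> Do Not Overwrite Events (Clear Log Manually)
# The size must be a multiple of 64 KB, which is also the lesson's minimum.
Limit-EventLog -LogName Security -MaximumSize ($MaxSizeKB * 1KB) -OverflowAction OverwriteAsNeeded

# Read the configuration back. IsLogFull is exactly the condition under which,
# as the lesson says, logging stops unless the log is allowed to overwrite.
Get-WinEvent -ListLog Security |
    Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount, IsLogFull

# --- Clear All Events, answering "Yes" to archive before clearing ----------
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $ArchiveDir "Security-$env:COMPUTERNAME-$stamp.evtx"

# "wevtutil cl /bu:" backs the log up (binary data retained, as with *.evt)
# and then clears it in one step, so no event can fall between the two.
wevtutil.exe cl Security "/bu:$archive"
if ($LASTEXITCODE -ne 0) { throw "archive-and-clear failed with exit code $LASTEXITCODE" }

# --- Open Log File: reopen the archive and confirm it is readable ----------
$saved = @(Get-WinEvent -Path $archive -ErrorAction SilentlyContinue)
"Archived $($saved.Count) events to $archive"
if ($saved.Count -gt 0) { "Newest archived event: $($saved[0].TimeCreated)" }

# Clearing is itself audited: event 1102 "The audit log was cleared" is the
# first record in the fresh log and names the account that cleared it. A clear
# nobody scheduled is worth an alert, for the reason Table 21.12 gives about
# overwriting: both can be used to hide undesirable events.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 |
    Select-Object TimeCreated,
                  @{ n = 'ClearedBy'; e = { ([xml]$_.ToXml()).Event.UserData.LogFileCleared.SubjectUserName } }
```

The script archives before it clears, never the other way round, because the lesson's warning applies to scripts as much as to the dialog box: Clear All Events erases every record permanently. Keeping the backup name tied to the computer and a timestamp makes the archive history Table 21.12's retention policies are meant to support.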

Practice: Using the Security Log

In this practice you view the security log file and configure Event Viewer to overwrite events when the log file is filled. You then clear and archive a security log file.

IMPORTANT


Before attempting the exercises in this practice, you must first complete all exercises in Lesson 2.

Exercise 1: Viewing the Security Log

In this exercise you view the security log for your computer. Then, you use Event Viewer to filter events and to search for potential security breaches.

To view the security log for your computer

  1. Click Start, click Programs, click Administrative Tools, and then click Event Viewer.
  2. In the console tree, click the security log and view the contents. As you scroll through the log, double-click a couple of events to view a description.

Exercise 2: Managing the Security Log

In this exercise you configure Event Viewer to overwrite events when the log file gets full.

To configure the size and contents of the security log file

  1. Right-click the security log in the console tree, and then click Properties.
  2. In the Security Log Properties dialog box, click Overwrite Events As Needed.
  3. In the Maximum Log Size box, change the maximum log size to 2048 KB, and then click OK.

    Windows 2000 now allows the log to grow to 2048 KB and will overwrite older events with new events as necessary.

Exercise 3: Clearing and Archiving the Security Log

In this exercise you clear the security log, archive a security log, and view the archived security log.

To clear and archive the security log

  1. Open Event Viewer.
  2. Right-click the security log in the console tree, and then click Clear All Events.
  3. In the Event Viewer message box, click Yes to archive the log before clearing.
  4. In the Save As dialog box, in the File Name list, type archive to name the log file to be archived.
  5. In the Save As Type list, ensure that the Event Log (*.evt) file type is selected, and then click Save.
  6. To view the archived security log, right-click the security log in the console tree, and then click Open Log File.
  7. On the Open dialog box, click the ARCHIVE.EVT file (or the name of the file you archived).
  8. In the Log Type list, select Security for the type of log to be opened.
  9. In the Display Name box, ensure that Saved Security Log appears, and then click Open.

    The Saved Security Log appears in Event Viewer. You cannot click Refresh or Clear All Events to update the display or to clear an archived log.

  10. Close Event Viewer.

Lesson Summary

In this lesson you learned about the Windows 2000 security log. You learned how to use Event Viewer to view the contents of the Windows 2000 security logs, to locate and display specific events in security logs, to configure log size, and to archive security logs.

In the practice portion of this lesson you viewed the security log file and configured Event Viewer to overwrite events when the log file is filled. You then cleared and archived a security log file.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244