The security log contains information on security events that are specified in the audit policy. To view the security log, you use the Event Viewer console. Event Viewer also allows you to find specific events within log files, filter the events shown in log files, and archive security log files.
After this lesson, you will be able to
Estimated lesson time: 25 minutes
You use the Event Viewer console to view information contained in Windows 2000 logs. By default, there are three logs available to view in Event Viewer. These logs are described in Table 21.9.
Table 21.9 Logs Maintained by Windows 2000
Log | Description |
---|---|
Application log | Contains errors, warnings, or information generated by programs such as a database program or an e-mail program. The program developer presets which events to record. |
Security log | Contains information about the success or failure of audited events. The events that Windows 2000 records are a result of your audit policy. |
System log | Contains errors, warnings, and information generated by Windows 2000. Windows 2000 presets which events to record. |
Application and system logs can be viewed by all users. The security log can be read and cleared only by administrators: access is controlled by the Manage Auditing And Security Log user right, which by default only the Administrators group holds. By default, security logging is turned off. To enable security logging, you must use group policy at the appropriate level to set up an audit policy; without an audit policy the security log stays empty.
NOTE
If additional services are installed, they might add their own event log. For example, the Domain Name System (DNS) Service logs events that this service generates in the DNS server log.
The security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts.
Follow these steps to view the security log:
In the details pane, Event Viewer displays a list of log entries and summary information for each item, as shown in Figure 21.8.
Success Audit events appear with a key icon and Failure Audit events appear with a lock icon. Other important information includes the date and time that the event occurred, the category of the event, and the user who generated the event.
The category indicates the event category, such as object access, account management, directory service access, or logon events.
Figure 21.8 Event Viewer displaying a sample security log
Windows 2000 records events in the security log on the computer at which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred.
Follow these steps to view the security log on a remote computer:
When you first start Event Viewer, it automatically displays all events that are recorded in the security log. You can search for specific events by using the Find command.
Follow these steps to find events:
Table 21.10 Options on the Find In Dialog Box
Option | Description |
---|---|
Event Types | Check boxes that indicate the types of events to find. In the security log only Success Audit and Failure Audit events exist; the other types (Error, Warning, Information) are never recorded there. |
Event Source | A list that indicates the software or component driver that logged the event. |
Category | A list that indicates the event category, such as a logon or logoff attempt or a system event. |
Event ID | An event number to identify the event. This number helps product support representatives track events. |
User | A user logon name. |
Computer | A computer name. |
Description | Text that is in the description of the event. |
Search Direction | The direction in which to search the log (up or down). |
Find Next | Finds and selects the next occurrence defined by the Find settings. |
Figure 21.9 The Find In dialog box for a security log
An event log can contain a lot of information that is of no use in a particular investigation. For example, if you want to see an attempt to write to a text file without the necessary permissions, you might have to dig through hundreds of unrelated events before finding what you want. To reduce the number of events displayed to the specific events you care about, use the Filter command. Filtering changes only what Event Viewer shows; the events remain in the log.
Follow these steps to filter events:
Table 21.11 Options on the Filter Tab of the Security Log Properties Dialog Box
Option | Description |
---|---|
Event Types | Check boxes that indicate the types of events to show. In the security log only Success Audit and Failure Audit events exist; the other types (Error, Warning, Information) are never recorded there. |
Event Source | A list that indicates the software or component driver that logged the event. |
Category | A list that indicates the type of event, such as a logon or logoff attempt or a system event. |
Event ID | An event number to identify the event. This number helps product support representatives track events. |
User | A user logon name. |
Computer | A computer name. |
From | The beginning of the range of events that you want to filter. In the list under From, select First Event to see events starting with the first event in the log. Select Events On to see events that occurred starting at a specific time and date. |
To | The end of the range of events that you want to filter. In the list under To, select Last Event to see events ending with the last event in the log. Select Events On to see events that occurred ending at a specific time and date. |
Figure 21.10 The Filter tab of the Security Log Properties dialog box
Security logging begins when you set an audit policy for the domain controller or local computer. Logging stops when the security log becomes full and cannot overwrite itself, either because it has been set for manual clearing or because the oldest event in the log has not yet reached the configured retention age. When security logging stops, an error may be written to the application log, and every audited event that occurs from then on is lost. If the Security Options policy Audit: Shut Down System Immediately If Unable To Log Security Audits is enabled, the computer halts instead of silently dropping events. You can avoid a full security log by logging only key events and by sizing the log for the expected volume. You can configure the properties of each individual audit log.
Follow these steps to configure the settings for security logs:
Table 21.12 Options on the General Tab of the Security Log Properties Dialog Box
Option | Description |
---|---|
Display Name | The name of the log view. You can change the name to distinguish different views of the same log on one computer or to distinguish logs on different computers. |
Log Name | The name and location of the log file. |
Maximum Log Size | The size of each log, which can be from 64 KB to 4,194,240 KB (4 GB). The default size is 512 KB. |
Overwrite Events As Needed | Specifies whether all new events will be written to the log, even when the log is full. When the log is full, each new event replaces the oldest event. Use this option with caution: anyone who can generate a large number of audited events (for example, repeated logon attempts or file accesses) can push earlier events, including evidence of their own activity, out of the log. |
Overwrite Events Older Than X Days | Specifies the number of days (1 to 365) that a log file is retained before it is overwritten. New events will not be added if the maximum log size is reached and there are no events older than this period. |
Do Not Overwrite Events (Clear Log Manually) | Specifies whether existing events will be retained when the log is full. If the maximum log size is reached, new events are discarded. This option requires you to manually clear the log. |
Using A Low Speed Connection | Specifies whether the log file is located on another computer, and whether your computer is connected to it by a low-speed device, such as a modem. |
Figure 21.11 The General tab of the Security Log Properties dialog box
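To make the three retention settings concrete, the following Python simulation is an added example (not part of the original lesson) that models the security log as a fixed number of event slots rather than kilobytes; that simplification and the sample event sequence are assumptions. It writes one failed-logon record, then floods the log with successful-logon records, and reports which policy keeps the original failure record: with Overwrite Events As Needed the flood evicts it, while the other two policies refuse the new events instead, which is the logging-stops condition described above.

```python
from collections import deque
from datetime import datetime, timedelta

# The three retention settings from the General tab.
OVERWRITE_AS_NEEDED = "overwrite_as_needed"
OVERWRITE_OLDER_THAN = "overwrite_older_than"
DO_NOT_OVERWRITE = "do_not_overwrite"


class SecurityLog:
    """Fixed-capacity event log. Capacity is counted in events, not KB
    (an assumption made for this example)."""

    def __init__(self, capacity, policy, retain_days=7):
        self.capacity = capacity
        self.policy = policy
        self.retain_days = retain_days
        self.events = deque()   # (timestamp, event_id, description), oldest first
        self.discarded = []     # events dropped because logging had stopped

    def write(self, when, event_id, description):
        """Record an event; return True if it was written to the log."""
        event = (when, event_id, description)
        if len(self.events) < self.capacity:
            self.events.append(event)
            return True
        # Log is full: the retention policy decides the fate of the new event.
        if self.policy == OVERWRITE_AS_NEEDED:
            self.events.popleft()          # oldest event is replaced
            self.events.append(event)
            return True
        if self.policy == OVERWRITE_OLDER_THAN:
            oldest_when = self.events[0][0]
            if when - oldest_when > timedelta(days=self.retain_days):
                self.events.popleft()
                self.events.append(event)
                return True
        # Do Not Overwrite, or the oldest event is not old enough: logging stops.
        self.discarded.append(event)
        return False

    def event_ids(self):
        return [event_id for _, event_id, _ in self.events]


def simulate(policy, capacity=4, retain_days=7):
    """Constructed scenario: one failed logon followed by a burst of
    successful logons within seconds. 529 (logon failure) and 528
    (successful logon) are the Windows 2000 security event IDs."""
    log = SecurityLog(capacity, policy, retain_days)
    t0 = datetime(2000, 1, 3, 9, 0, 0)
    log.write(t0, 529, "Logon Failure: Unknown user name or bad password")
    for i in range(capacity):
        log.write(t0 + timedelta(seconds=i + 1), 528, "Successful Logon")
    return {
        "kept": log.event_ids(),
        "discarded": len(log.discarded),
        "evidence_survives": 529 in log.event_ids(),
    }


def compare_policies():
    """Run the same event burst under each of the three policies."""
    policies = (OVERWRITE_AS_NEEDED, OVERWRITE_OLDER_THAN, DO_NOT_OVERWRITE)
    return {p: simulate(p) for p in policies}


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(f"{policy:22} kept={result['kept']} discarded={result['discarded']} "
              f"failed-logon record survives={result['evidence_survives']}")
```

Neither outcome is good on its own: overwriting loses the evidence, and refusing new events loses everything that happens afterwards. In practice the answer is a log sized for the expected volume, regular archiving, and an audit policy that records only what you will actually review.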
When the log is full and no more events can be logged, you can free the log by manually clearing it. Clearing the log erases all events permanently, so archive it first if you need the history. Windows 2000 records the clearing itself as the first entry of the emptied log (event ID 517, The audit log was cleared), so an unexpectedly empty security log is itself a finding worth investigating. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.
Follow these steps to manually clear the security log:
Archiving security logs allows you to maintain a history of security-related events. Many organizations have policies on keeping archive logs for a specified period to track security-related information over time. When you archive a log file, the entire log is saved, regardless of filtering options.
Follow these steps to archive a security log:
If you archive a log in log-file format you can reopen it in Event Viewer. Logs saved as event log files (*.evt) retain the binary data for each event recorded. If you archive a log in text or comma-delimited format (*.txt and *.csv, respectively), you can reopen the log in other programs such as word processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data, so keep the *.evt copy as the record of reference and use the text formats for analysis.
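The comma-delimited archive is what makes analysis outside Event Viewer possible. The following Python script is an added example (not from the lesson and not Event Viewer code) that parses a small constructed *.csv export and implements in code the Find and Filter criteria from Tables 21.10 and 21.11: event type, source, category, event ID, user, computer, description text, a From/To time range, and Find's search direction. The column order Date, Time, Source, Type, Category, Event, User, Computer, Description and the sample records are assumptions for the example; check the column order against a real export before relying on the parser.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a comma-delimited archive. The column order is an
# assumption for this example; verify it against a real *.csv export.
SAMPLE_CSV = """\
1/3/2000,9:01:12 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SERVER01,Logon Failure: Unknown user name or bad password  User Name: jsmith
1/3/2000,9:01:30 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SERVER01,Logon Failure: Unknown user name or bad password  User Name: jsmith
1/3/2000,9:02:05 AM,Security,Success Audit,Logon/Logoff,528,jsmith,SERVER01,Successful Logon
1/3/2000,9:10:44 AM,Security,Failure Audit,Object Access,560,jsmith,SERVER01,"Object Open: Object Name: C:\\Data\\notes.txt, Accesses: WriteData"
1/4/2000,8:15:00 AM,Security,Success Audit,Account Management,624,Administrator,SERVER01,User Account Created
"""

FIELDS = ["date", "time", "source", "type", "category",
          "event_id", "user", "computer", "description"]


def parse_export(text):
    """Parse a comma-delimited export into dicts with a parsed timestamp.
    Blank or malformed rows are skipped rather than aborting the run."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        rec["event_id"] = int(rec["event_id"])
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%m/%d/%Y %I:%M:%S %p")
        records.append(rec)
    return records


def matches(record, event_type=None, source=None, category=None, event_id=None,
            user=None, computer=None, description=None,
            from_time=None, to_time=None):
    """One record against the Find/Filter criteria; every criterion given must hold."""
    return all([
        event_type is None or record["type"] == event_type,
        source is None or record["source"] == source,
        category is None or record["category"] == category,
        event_id is None or record["event_id"] == event_id,
        user is None or record["user"].lower() == user.lower(),
        computer is None or record["computer"].lower() == computer.lower(),
        description is None or description.lower() in record["description"].lower(),
        from_time is None or record["when"] >= from_time,   # From: Events On
        to_time is None or record["when"] <= to_time,       # To: Events On
    ])


def filter_events(records, **criteria):
    """Mirror the Filter tab: every record that satisfies all criteria."""
    return [r for r in records if matches(r, **criteria)]


def find_next(records, start, direction="down", **criteria):
    """Mirror the Find dialog: index of the next matching record after
    `start`, searching down (later) or up (earlier); None when exhausted."""
    step = 1 if direction == "down" else -1
    i = start + step
    while 0 <= i < len(records):
        if matches(records[i], **criteria):
            return i
        i += step
    return None


def failure_counts(records):
    """Count Failure Audit records per event ID, a quick triage view."""
    counts = {}
    for r in filter_events(records, event_type="Failure Audit"):
        counts[r["event_id"]] = counts.get(r["event_id"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_export(SAMPLE_CSV)
    for r in filter_events(recs, event_type="Failure Audit", category="Logon/Logoff"):
        print(r["when"], r["event_id"], r["description"])
    print(failure_counts(recs))
```

The description field is the one that routinely contains commas and embedded newlines, which is why the script uses the csv module rather than splitting on commas; a hand-rolled split is the usual way such parsers silently drop the very object-access and logon-failure records an investigator is looking for.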
Follow these steps to view an archived security log:
To remove an archived log file from your system, delete the file in Windows Explorer.
In this practice you view the security log file and configure Event Viewer to overwrite events when the log file is filled. You then clear and archive a security log file.
IMPORTANT
Before attempting the exercises in this practice, you must first complete all exercises in Lesson 2.
In this exercise you view the security log for your computer. Then, you use Event Viewer to filter events and to search for potential security breaches.
To view the security log for your computer
In this exercise you configure Event Viewer to overwrite events when the log file gets full.
To configure the size and contents of the security log file
Windows 2000 now allows the log to grow to 2048 KB and will overwrite older events with new events as necessary.
In this exercise you clear the security log, archive a security log, and view the archived security log.
To clear and archive the security log
The Saved Security Log appears in Event Viewer. You cannot click Refresh or Clear All Events to update the display or to clear an archived log.
In this lesson you learned about the Windows 2000 security log. You learned how to use Event Viewer to view the contents of the Windows 2000 security logs, to locate and display specific events in security logs, to configure log size, and to archive security logs.
In the practice portion of this lesson you viewed the security log file and configured Event Viewer to overwrite events when the log file is filled. You then cleared and archived a security log file.