Monitoring Audited Events

A number of methods exist for monitoring events written to the security event log. These methods range from reading the events manually by using the Event Viewer to using powerful automated event-consolidating and event-monitoring software such as Microsoft Operations Manager. Each method serves a specific purpose; you will need to select a method that is most appropriate for your environment and particular situation. These are the four primary methods for monitoring events:

  • Event Viewer

  • Custom scripts

  • Event Comb

  • Fully automated tools, such as Microsoft Operations Manager

The discussion of fully automated event monitoring tools is outside the scope of this book. This section will cover the other three methods.

Using the Event Viewer

The simplest method for monitoring the OS for security events is to use the Event Viewer. The Event Viewer allows you to perform the following:

  • View event details

  • Sort events by type, audit policy, and time

  • Search for events by using common fields

  • Filter events by common fields

  • Export event logs to an .evt, .csv, or .txt format

  • Connect to remote computers to view and manage the event log

The Event Viewer does not allow for the consolidation of events. Thus, it might be difficult to monitor events that are recorded on many servers, such as account logon events, which are recorded on the authenticating domain controller for domain accounts. The Event Viewer also does not allow for the searching of event details. By exporting the events to a file, you can import them into a database or run custom scripts on the exported files from many computers.

Using Custom Scripts

Several scripts are available for managing events. A few of them are:

  • Dumpel.exe

    Also known as the Dump Event Log, this script is a command-line tool that will dump an event log for a local or remote system into a tab-separated text file. This file can then be imported into a spreadsheet or database for further investigation. Dumpel.exe can also be used to filter for or filter out certain event types. (Dumpel.exe is located in the Tools folder on the CD included with this book.)

  • Eventlog.pl

    This Perl script clears and copies log files, and it displays and changes the properties of log files on local and remote computers that are running Windows 2000. You can use this script tool to perform the following event log management tasks:

    • Change the properties of event logs

    • Back up (save) event logs

    • Export event lists to text files

    • Clear (delete) all events from event logs

    • Query the properties of event logs

  • Eventquery.pl

    This Perl script displays events from the Event Viewer logs on local and remote computers running Windows 2000 and offers a wide range of filters to help you find specific events.

    Eventlog.pl and Eventquery.pl are included on the Microsoft Windows 2000 Server Resource Kit, Supplement One (Microsoft Press, 2000).

Using Event Comb

Event Comb parses event logs from many servers at the same time, spawning a separate thread of execution for each server that is included in the search criteria. With Event Comb, you can collect events from many computers running Windows NT 4.0, Windows 2000, and Windows XP. You can also search for occurrences of events by any field in the event record in the collected log files. Event Comb can also search archived log files.

Event Comb (EventcombMT.exe) is located in the Tools\EventComb folder on the CD included with this book.

Event Comb enables you to do the following:

  • Define either a single event ID or multiple event IDs to search for.

    You can include a single event ID, or multiple event IDs separated by spaces.

  • Define a range of event IDs to search for.

    The endpoints are inclusive. For example, if you want to search for all events from event ID 528 through event ID 540, you would define the range as 528 < ID < 540. This feature is useful because most applications that write to the event log use a sequential range of events.

  • Limit the search to specific event logs.

    You can choose to search the system, application, and security logs. If executed locally at a domain controller, you can also choose to search the file replication service (FRS), Domain Name System (DNS), and Active Directory event logs in addition to the application, security, and system logs.

  • Limit the search to specific event message types.

    You can choose to limit the search to error, informational, warning, success audit, failure audit, or success events.

  • Limit the search to specific event sources.

    Limiting the search to events from specific event sources increases the speed of the search.

  • Search for specific text within an event description.

    With each event, you can search for specific text. This is useful if you are trying to track specific users or groups.

  • Define specific time intervals to scan back from the current date and time.

    This allows you to limit your search to events in the past day, week, or month.

The first thing you must do when using Event Comb is select the computers you want to search for events. To add computers to the search list in Event Comb, follow these steps:

  1. In the Event Comb utility, ensure that the correct domain is autodetected in the Domain box. If you want to search event logs in a different domain, manually type the new domain name in the Domain box.

  2. To add computers to the search list, right-click the box below Select To Search/Right Click To Add. The following options are available:

    • Get DCs In Domain

      Adds all domain controllers for the current domain to the listing.

    • Add Single Server

      Allows you to add a server or workstation by name to the listing.

    • Add All GCs In This Domain

      Allows you to add all domain controllers in the selected domain that are configured to be Global Catalog servers.

    • Get All Servers

      Adds all servers found in the domain using the browser service. The servers exclude all domain controllers.

    • Get Servers From File

      Allows you to import a file that lists all servers to be included in the search scope. Each server should be entered on a separate line in the text file.

  3. Once the servers are added to the list, you must select which servers to perform the search against. When selected, the server will appear highlighted in the list. You can choose multiple servers by holding down the Ctrl key and clicking each server to select it.

Once you have selected the servers to be included in your event log search, you can narrow the scope of the search by selecting the event logs and event types to include. You can select the event log, the type of event, and other important search criteria. Event Comb also enables you to save your searches and reload them later. This can be useful if you frequently use Event Comb to search for the same event. Search criteria are saved in the registry under HKLM\Software\Microsoft\EventCombMT.

The results of the search are saved to the C:\Temp folder by default. Because the permissions on many computers allow users to read files from this folder to support legacy applications, you should consider changing this path. The results include a summary file named EventCombMT.txt. For each computer included in the event log search, a separate text file named ComputerName-EventLogName_LOG.txt is generated. These individual text files contain all the events extracted from the event logs that match your search criteria.

You can use Event Comb to search for events that are recorded in a distributed fashion, such as account logons. To do so, follow these steps:

  1. In the Event Comb tool, ensure that the domain is configured to the correct domain name.

  2. In the Select To Search/Right Click To Add box below the domain name, right-click the box and then click Get DCs In Domain.

    When searching for events such as account logon and account management, ensure that you search all domain controllers. Because Windows 2000 uses a multiple master model for account management, an account can be added, modified, or deleted at any domain controller in the domain. Likewise, authentication can be validated by any domain controller in the domain. Because of this, you cannot be sure where the specific update or authentication attempt takes place.

After you have retrieved the events from all the computers you want to search, you can specify the type of event you want to see displayed. For example, you might want to search for all account logon failures for domain accounts (event ID 681), as shown in Figure 12-5. The following procedure shows how to search all servers from which events have been collected for 681 events:

  1. From the File menu, select Open Log Directory.

  2. Right-click the Select To Search/Right Click To Add box, and then click Select All Servers In List.

  3. Select Security under Choose Log Files To Search.

  4. Select Success Audit and Failure Audit under Event Types.

  5. In the Event IDs box, type the following event ID: 681.

    Figure 12-5. Searching for event ID 681 on all domain controllers

When the search is complete, the results can be viewed in the log directory, which should open automatically. In the C:\Temp folder, double-click the output file for a domain controller to view the specific events logged by the Event Comb tool.
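The per-computer output files are only useful once they are combined: as noted above, a domain account's logon failures (event ID 681) land on whichever domain controller happened to authenticate it, so a single file understates the count. The following is an added example, not code from the book or from Event Comb or Dumpel, that merges several tab-separated exports and counts 681 events per account across all domain controllers. The column layout (date, time, type, category, event ID, source, user, computer, description) is an assumption modelled on Dumpel-style output, and the export contents and the "account: NAME" description text are constructed for the example.

```python
import csv
import io
import re
from collections import Counter

# Assumed Dumpel-like column order for a tab-separated export.
COLUMNS = ["date", "time", "type", "category", "event_id", "source",
           "user", "computer", "description"]
# Keyed to the constructed description text below, not to the real 681 message.
ACCOUNT_RE = re.compile(r"account:\s*(\S+)")

# Constructed sample exports, one file per domain controller.
EXPORTS = {
    "DC1-Security_LOG.txt": "\n".join([
        "1/14/2003\t08:02:11\tFailure Audit\tAccount Logon\t681\tSecurity\tSYSTEM\tDC1\tLogon failed for account: jdoe from workstation: WS01",
        "1/14/2003\t08:02:15\tFailure Audit\tAccount Logon\t681\tSecurity\tSYSTEM\tDC1\tLogon failed for account: jdoe from workstation: WS01",
        "1/14/2003\t08:03:40\tSuccess Audit\tAccount Logon\t680\tSecurity\tSYSTEM\tDC1\tLogon succeeded for account: asmith from workstation: WS07",
    ]),
    "DC2-Security_LOG.txt": "\n".join([
        "1/14/2003\t08:02:19\tFailure Audit\tAccount Logon\t681\tSecurity\tSYSTEM\tDC2\tLogon failed for account: jdoe from workstation: WS01",
        "1/14/2003\t08:05:02\tFailure Audit\tAccount Logon\t681\tSecurity\tSYSTEM\tDC2\tLogon failed for account: asmith from workstation: WS07",
        "1/14/2003\t08:09:30\tSuccess Audit\tLogon/Logoff\t528\tSecurity\tasmith\tDC2\tSuccessful logon",
    ]),
}


def parse_export(text):
    """Yield one dict per well-formed line of a tab-separated export."""
    for row in csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE):
        if len(row) != len(COLUMNS):
            continue  # skip blank or truncated lines instead of misaligning fields
        yield dict(zip(COLUMNS, row))


def failures_by_account(exports, event_id="681"):
    """Count the given event per account (across all DCs) and per DC."""
    per_account, per_dc = Counter(), Counter()
    for text in exports.values():
        for ev in parse_export(text):
            if ev["event_id"] != event_id:
                continue
            m = ACCOUNT_RE.search(ev["description"])
            per_account[m.group(1).lower() if m else "<unknown>"] += 1
            per_dc[ev["computer"]] += 1
    return per_account, per_dc


def accounts_over(per_account, threshold):
    """Accounts whose combined failure count reaches the threshold."""
    return sorted(a for a, n in per_account.items() if n >= threshold)


if __name__ == "__main__":
    acct, dc = failures_by_account(EXPORTS)
    print(acct, dc, accounts_over(acct, 3))  # jdoe reaches 3 only when both DCs are merged
```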



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189