In this section of the chapter we look at some of the auditing tools that are not included with Windows 2000 but that you can find online (at www.microsoft.com) and in the Windows 2000 Resource Kit (supplement one). More important, you will be tested on them on the exam. In particular, with auditing in mind, you need to know how to use the Dump Event Log command-line tool (Dumpel.exe) and the EventCombMT GUI-based utility. We discuss both of these tools here.
Exam Warning: Make sure that you know exactly how to use Dumpel for the exam. You will be expected to know how to use the utility to dump Event Logs.
The Windows 2000 Server Resource Kit has a tool called the Dump Event Log, or Dumpel for short. Dumpel is a command-line tool that's used to dump an Event Log into a tab-separated text file. This file can then be imported into an Excel spreadsheet (because it is tab separated) and/or a database such as Access for storage or future analysis. The tool can also be used for filtering certain event types. Table 10.4 lists the command-line switches you can use with this tool. This table highlights all the functionality that you can perform via the command line.
The dumpel.exe tool uses the following syntax:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-d x]
Switch | Details |
---|---|
-f file | Specifies the filename for the output file. There is no default for -f, so you must specify the file. |
-s server | Specifies the server for which you want to dump the Event Log. Leading backslashes on the server name are optional. |
-l log | Specifies the log (system, application, security) to dump. If an invalid log name is specified, the application log is dumped. |
-m source | Specifies the source (such as the redirector [rdr], serial, and so on) whose records to dump. Only one source can be supplied. If this switch is not used, all events are dumped. If a source is used that is not registered in the Registry, the Application Log is searched for records of this type. |
-e n1 n2 n3 | Filters for event ID nn (up to 10 IDs can be specified). If the -r switch is not used, only records of these types are dumped; if -r is used, all records except records of these types are dumped. If this switch is not used, all events from the specified source name are selected. Note: You cannot use this switch without the -m switch. |
-r | Specifies whether to filter for specific sources or records, or to filter them out. |
-t | Specifies that tabs separate individual strings. If -t is not used, strings are separated by spaces. |
-d n | Dumps events for the past n days. |
Test Day Tip: Dumpel can only retrieve content from the System, Application, and Security Log files. This is important because you could have more logs on domain controllers with Active Directory installed. For instance, you will have File Replication Service, DNS, or Directory Service Logs, and Dumpel will not query content from them. For the exam, you must know what Dumpel can and cannot do.
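The following is an added example, not code from the book or from the Resource Kit. It builds a dumpel.exe command line that enforces the rules from Table 10.4 before anything is run (-f is mandatory, -l must name one of the three logs Dumpel can read, -e requires -m, at most ten IDs) and then parses the tab-separated file that -t produces, applying the same include/exclude logic as -e and -r. The column order (date, time, type, category, event ID, source, user, computer, description) and the numeric type codes are assumptions about Dumpel's output, and SAMPLE_OUTPUT is constructed for this example rather than captured from a real system.

```python
# Added example (not the book's or Microsoft's code): build a dumpel.exe command
# line that obeys the switch rules in Table 10.4, then parse the tab-separated
# file Dumpel writes when -t is given. The column order (date, time, type,
# category, event ID, source, user, computer, description) and the numeric
# type codes are assumptions; SAMPLE_OUTPUT is constructed for this example.
from collections import Counter

VALID_LOGS = {"system", "application", "security"}   # the only logs Dumpel reads

# Numeric event type written in the third column (assumed mapping)
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}

COLUMNS = ["date", "time", "type", "category", "event_id",
           "source", "user", "computer"]


def build_dumpel_command(out_file, server=None, log=None, source=None,
                         event_ids=(), exclude=False, tabs=True, days=None):
    """Return the dumpel command line as an argument list.

    Enforces the table's constraints: -f is mandatory, -l must be a log
    Dumpel can read, -e requires -m, and -e takes at most ten IDs.
    """
    if not out_file:
        raise ValueError("-f has no default; an output file is required")
    if log is not None and log.lower() not in VALID_LOGS:
        raise ValueError(f"Dumpel cannot dump the {log!r} log; "
                         "use system, application or security")
    if event_ids and source is None:
        raise ValueError("-e cannot be used without -m")
    if len(event_ids) > 10:
        raise ValueError("-e accepts at most 10 event IDs")

    cmd = ["dumpel", "-f", out_file]
    if server:
        cmd += ["-s", "\\\\" + server.lstrip("\\")]   # leading backslashes are optional
    if log:
        cmd += ["-l", log.lower()]
    if source:
        cmd += ["-m", source]
    if event_ids:
        cmd += ["-e", *[str(i) for i in event_ids]]
    if exclude:
        cmd.append("-r")
    if tabs:
        cmd.append("-t")
    if days is not None:
        cmd += ["-d", str(days)]
    return cmd


def parse_dumpel(text):
    """Parse -t output into a list of dicts; lines with too few columns are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, parts))
        rec["event_id"] = int(rec["event_id"])
        rec["type"] = EVENT_TYPES.get(int(rec["type"]), rec["type"])
        # Everything after the fixed columns is the message text
        rec["description"] = "\t".join(parts[len(COLUMNS):]).strip()
        records.append(rec)
    return records


def select(records, event_ids, exclude=False):
    """Mirror -e/-r: keep only the given IDs, or drop them when exclude is set."""
    wanted = set(event_ids)
    return [r for r in records if (r["event_id"] in wanted) != exclude]


def count_by_event_id(records):
    """Tally event IDs, the first thing to look at in a dumped Security log."""
    return Counter(r["event_id"] for r in records)


# Constructed sample of a Security-log dump (not real data). 528/529 are the
# Windows 2000 successful/failed logon events; 517 is "audit log was cleared".
SAMPLE_OUTPUT = "\n".join([
    "6/13/2002\t9:01:12 AM\t8\t2\t528\tSecurity\tjdoe\tSRV01\tSuccessful Logon",
    "6/13/2002\t9:02:40 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tSRV01\tLogon Failure: Unknown user name or bad password",
    "6/13/2002\t9:02:41 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tSRV01\tLogon Failure: Unknown user name or bad password",
    "6/13/2002\t9:05:00 AM\t8\t1\t517\tSecurity\tjdoe\tSRV01\tThe audit log was cleared",
])

if __name__ == "__main__":
    print(" ".join(build_dumpel_command("sec.txt", server="SRV01", log="security", days=1)))
    recs = parse_dumpel(SAMPLE_OUTPUT)
    print(count_by_event_id(recs))
    for r in select(recs, [529, 517]):
        print(r["time"], r["type"], r["event_id"], r["user"], r["description"])
```

Because Dumpel writes one flat tab-separated line per event, the parser above is all that is needed to get a dump into a spreadsheet-like structure without Excel or Access; the command builder is useful as a pre-flight check, since Dumpel itself silently falls back to the Application Log when given a log name it does not understand.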
If you want a nice GUI-based Event Viewer log manipulation tool for parsing Event Logs, EventCombMT is your tool. What's nice is that you can get this tool online at Microsoft.com. Run a search for it and you will be guided to the tool on Microsoft's site. EventCombMT is a tool that allows you to manage the parsing of many Event Logs from your systems, which are dumped to a text-based file for analysis. This tool allows you to search specifically for event IDs by ID number, or you can search based on many other criteria, such as types of events (warning, informational). Also helpful is the fact that it picks up where Dumpel left off and searches through the logs that Dumpel will not search, such as DNS and Active Directory. EventCombMT also lets you restrict a search to a specific time interval, such as a particular date, week, or month. Let's now look at an exercise using the EventCombMT tool.
Exam Warning: Make sure that you are very familiar with the EventCombMT utility. You will find that a great many exam questions revolve around its use as well as how it is inherently different from the Dumpel utility.
Exercise 10.03: Using EventCombMT
After you have downloaded the EventCombMT tool from Microsoft.com, you can run the executable without installing it. Since it is self-contained, you could even transport it on a diskette if needed. Put the tool on your local system to prepare to run it.
Double-click the executable you downloaded and it will open, as shown in Figure 10.24. As you can see on the dialog box, you can learn a great deal about the proper use of the tool and setup from it. Read this information carefully to see what you need to do to configure the EventCombMT tool.
Figure 10.24: Viewing the EventCombMT Instructions
Once you click OK, you will see the screen shown in Figure 10.25. This is where you can configure your systems to be parsed by EventCombMT.
Figure 10.25: Using the EventCombMT GUI
In the Domain field, enter the domain name that you want the systems to be parsed from. You can click the Search button or right-click the left side of the utility (in the blank space) to get a menu. When you see the menu, you will be able to select the Add servers option.
Add the servers or workstations you want to parse. In Figure 10.25, we added an XP Professional workstation to be parsed by EventCombMT.
After you have added a workstation or server, you can select the search criteria. From the dialog box shown in Figure 10.24, you can see that you can pick from event types or log files to search as well as quite a few other options, such as specific event IDs or source. We selected a full parse from the XP1 workstation.
Once you have finished, you can run the tool (via the Search button) and your system will be parsed. Next, you need to navigate to the file to which the data has been consolidated. The file will show up automatically once it is finished, but the path to it will be from the temp directory on your local drive (wherever the Temp path statement is set). Here it is found on C:\Temp.
Once you open the file, you will see the code listed in Figure 10.26.
Figure 10.26: Viewing the Temp File Contents
That's it! You have parsed the Event Viewer Log based on your search criteria. Now you can save the log or analyze it further.