Exam 70-124: Objective 6.1.2: Windows Auditing Tools

In this section of the chapter we look at some of the auditing tools that are not included with Windows 2000 but that you can find online (at www.microsoft.com) and in the Windows 2000 Resource Kit (supplement one). More important, you will be tested on them on the exam. In particular, with auditing in mind, you need to know how to use the Dump Event Log command-line tool (Dumpel.exe) and the EventCombMT GUI-based utility. We discuss both these tools here.

Exam Warning  

Make sure that you know exactly how to use Dumpel for the exam. You will be expected to know how to use the utility to dump Event Logs.

The Dump Event Log

The Windows 2000 Server Resource Kit has a tool called the Dump Event Log, or Dumpel for short. Dumpel is a command-line tool that's used to dump an Event Log into a tab-separated text file. This file can then be imported into an Excel spreadsheet (because it is tab separated) and/or a database such as Access for storage or future analysis. The tool can also be used for filtering certain event types. Table 10.4 lists the command-line switches you can use with this tool. This table highlights all the functionality that you can perform via the command line.

The dumpel.exe tool uses the following syntax:

dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-d x]

Table 10.4: Dumpel Tool Switches

Switch        Details
-f file       Specifies the filename for the output file. There is no default for -f, so you must specify the file.
-s server     Specifies the server for which you want to dump the Event Log. Leading backslashes on the server name are optional.
-l log        Specifies the log (system, application, security) to dump. If an invalid log name is specified, the application log is dumped.
-m source     Specifies the source (such as redirector [rdr], serial, and so on) from which to dump records. Only one source can be supplied. If this switch is not used, all events are dumped. If a source is used that is not registered in the Registry, the Application Log is searched for records of this type.
-e n1 n2 n3   Filters for event ID nn (up to 10 IDs can be specified). If the -r switch is not used, only records of these types are dumped; if -r is used, all records except records of these types are dumped. If this switch is not used, all events from the specified source name are selected. Note: You cannot use this switch without the -m switch.
-r            Specifies whether to filter for specific sources or records, or to filter them out.
-t            Specifies that tabs separate individual strings. If -t is not used, strings are separated by spaces.
-d n          Dumps events for the past n days.

Test Day Tip 

Dumpel can only retrieve content from the System, Application, and Security Log files. This is important because you could have more logs on domain controllers with Active Directory installed. For instance, you will have a File Replication Service, DNS, or Directory Service Logs, and Dumpel will not query content from them. For the exam, you must know what Dumpel can and cannot do.
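As an added example (not from the study guide or the Resource Kit), the following Python encodes the rules from the syntax line, Table 10.4 and the Test Day Tip above into a command builder, and then summarises a tab-separated dump of the kind `dumpel -t` writes. The column order of the dump and the sample records are assumptions constructed for the example, not real Dumpel output; check them against a real dump before relying on the parser.

```python
from collections import Counter

# Dumpel reads only these three logs (Test Day Tip); DNS, Directory Service and FRS logs need EventCombMT.
DUMPEL_LOGS = ("system", "application", "security")

def build_dumpel_cmd(outfile, server=None, log="security", source=None,
                     event_ids=(), exclude=False, tabs=True, days=None):
    """Return the dumpel.exe argument list, enforcing the Table 10.4 rules:
    -f is mandatory, only the three classic logs, -e needs -m, max 10 IDs."""
    if log.lower() not in DUMPEL_LOGS:
        raise ValueError(f"dumpel reads only {DUMPEL_LOGS}, not {log!r}")
    if event_ids and source is None:
        raise ValueError("-e cannot be used without -m source")
    if len(event_ids) > 10:
        raise ValueError("dumpel accepts at most 10 event IDs with -e")
    cmd = ["dumpel", "-f", outfile]
    if server:  # leading backslashes are optional; normalise to \\server form
        cmd += ["-s", server if server.startswith("\\\\") else "\\\\" + server]
    cmd += ["-l", log]
    if source:
        cmd += ["-m", source]
    if event_ids:
        cmd += ["-e", *map(str, event_ids)]
    if exclude:
        cmd.append("-r")  # with -e: dump everything EXCEPT those IDs
    if tabs:
        cmd.append("-t")  # tab-separated, so Excel/Access can import it
    if days is not None:
        cmd += ["-d", str(days)]
    return cmd

def summarise_dump(text):
    """Count records per (event ID, computer) in a tab-separated dump.
    ASSUMED column layout: date, time, type, category, event ID, source, user, computer, description."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 8:
            continue  # blank or truncated line
        counts[(int(fields[4]), fields[7])] += 1
    return counts

# Constructed sample (not real output) in the assumed `dumpel -t` layout.
SAMPLE_DUMP = "\n".join([
    "5/12/2003\t08:01:10\t16\t2\t529\tSecurity\tSYSTEM\tXP1\tLogon Failure",
    "5/12/2003\t08:01:12\t16\t2\t529\tSecurity\tSYSTEM\tXP1\tLogon Failure",
    "5/12/2003\t08:02:00\t8\t2\t528\tSecurity\tSYSTEM\tXP1\tSuccessful Logon",
])
```

Calling `build_dumpel_cmd("sec.txt", server="XP1", source="Security", event_ids=(528, 529), days=7)` yields the argument list for `dumpel -f sec.txt -s \\XP1 -l security -m Security -e 528 529 -t -d 7`, and `summarise_dump(SAMPLE_DUMP)` counts two 529 records and one 528 record for XP1.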

EventCombMT

If you want a nice GUI-based Event Viewer log manipulation tool for parsing Event Logs, EventCombMT is your tool. What's nice is that you can get this tool online at Microsoft.com. Run a search for it and you will be guided to the tool on Microsoft's site. EventCombMT lets you manage the parsing of many Event Logs from your systems, dumping the results to a text-based file for analysis. This tool allows you to search specifically for events by ID number, or you can search based on many other criteria, such as event type (warning, informational). Also helpful is the fact that it picks up where Dumpel left off and searches through the logs that Dumpel will not search, such as DNS and Active Directory. EventCombMT also allows you to search within specific time intervals, so you can restrict a search to a given date, month, or week. Let's now look at an exercise of using the EventCombMT tool.

Exam Warning  

Make sure that you are very familiar with the EventCombMT utility. You will find that a great many exam questions revolve around its use as well as how it is inherently different from the Dumpel utility.

Exercise 10.03: Using EventCombMT

  1. After you have downloaded the EventCombMT tool from Microsoft.com, you can run the executable without installing it. Since it is self-contained, you could even transport it on a diskette if needed. Put the tool on your local system to prepare to run it.

  2. Double-click the executable you downloaded and it will open, as shown in Figure 10.24. As you can see on the dialog box, you can learn a great deal about the proper use of the tool and setup from it. Read this information carefully to see what you need to do to configure the EventCombMT tool.

    Figure 10.24: Viewing the EventCombMT Instructions

  3. Once you click OK, you will see the screen shown in Figure 10.25. This is where you can configure your systems to be parsed by EventCombMT.

    Figure 10.25: Using the EventCombMT GUI

  4. In the Domain field, enter the domain name that you want the systems to be parsed from. You can click the Search button or right-click the left side of the utility (in the blank space) to get a menu. When you see the menu, you will be able to select the Add servers option.

  5. Add the servers or workstations you want to parse. In Figure 10.25, we added an XP Professional Workstation to be parsed by EventCombMT.

  6. After you have added a workstation or server, you can select the search criteria. From the dialog box shown in Figure 10.24, you can see that you can pick from event types or log files to search as well as quite a few other options, such as specific event IDs or source. We selected a full parse from the XP1 workstation.

  7. Once you have finished, you can run the tool (via the Search button) and your system will be parsed. Next, you need to navigate to the file to which the data has been consolidated. The file will show up automatically once it is finished, but the path to it will be from the temp directory on your local drive (wherever the Temp path statement is set). Here it is found on C:\Temp.

  8. Once you open the file, you will see the code listed in Figure 10.26.

    Figure 10.26: Viewing the Temp File Contents

  9. That's it! You have parsed the Event Viewer Log based on your search criteria. Now you can save the log or analyze it further.

MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162