Lesson 4: Using Event Viewer
You use Event Viewer to perform a variety of tasks, including viewing the audit logs that are generated as a result of setting the audit policy and auditing events. You can also use Event Viewer to view the contents of security log files and find specific events within log files.
After this lesson, you will be able to
- View a log.
- Locate events in a log.
- Archive security logs.
- Configure the size of audit logs.
Estimated lesson time: 45 minutes
Understanding Windows 2000 Logs
You use Event Viewer to view information contained in Windows 2000 logs. By default, Event Viewer has three logs available to view. These logs are described in Table 16.5.
Table 16.5 Logs Maintained by Windows 2000
Log | Description |
---|---|
Application log | Contains errors, warnings, or information that programs, such as a database program or an e-mail program, generate. The program developer presets which events to record. |
Security log | Contains information about the success or failure of audited events. The events that Windows 2000 records are a result of your audit policy. |
System log | Contains errors, warnings, and information that Windows 2000 generates. Windows 2000 presets which events to record. |
Viewing Security Logs
The security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts. You can view the security log as follows:
1. Click the Start button, point to Programs, point to Administrative Tools, and then click Event Viewer.
2. In the console tree, select Security Log. In the details pane, Event Viewer displays a list of log entries and summary information for each item, as shown in Figure 16.5.
3. To view additional information for any event, select the event, and then click Properties on the Action menu.
Successful events appear with a key icon, and unsuccessful events appear with a lock icon. Other important information includes the date and time that the event occurred, the category of the event, and the user who generated the event. The category indicates the type of event, such as object access, account management, directory service access, or logon events.
Windows 2000 records events in the security log of the computer on which the event occurred. A failed attempt to log on with a domain account is therefore recorded on the computer where the attempt was made (Logon Events) and, if Account Logon Events is audited, on the domain controller that validated the credentials. You can view these events from any computer as long as you have administrative privileges on the computer where the events occurred. To view the security log on a remote computer, start the MMC and create a custom console; point Event Viewer to the remote computer when you add the snap-in to the console.
Figure 16.5 Event Viewer displaying a sample security log
Locating Events
When you first start Event Viewer, it automatically displays all events that are recorded in the selected log. To change what appears in the log, you can locate selected events by using the Filter command. You can also search for specific events by using the Find command.
To filter or find events, start Event Viewer, and then click Filter or Find on the View menu. (See Figure 16.6.)
Figure 16.6 Using Event Viewer to filter or find events in a log
Table 16.6 describes the options for filtering and finding events.
Table 16.6 Options for Filtering and Finding Events
Option | Description |
---|---|
From and To | The date range for which to view events (Filter tab only). |
Event Types | The types of events to view. |
Event Source | The software or component driver that logged the event. |
Category | The type of event, such as a logon or logoff attempt or a system event. |
Event ID | The number that identifies the kind of event (for example, 529 is a logon failure caused by an unknown user name or bad password). It is the most precise criterion to filter on, and it also helps product support representatives track events. |
Computer | A computer name. |
User | A user logon name. |
Description | The text that is in the description of the event (Find dialog box only). |
Search Direction | The direction (up or down) in which to search the log (Find dialog box only). |
Managing Audit Logs
You can track trends in Windows 2000 by archiving event logs and comparing logs from different periods. Viewing trends helps you determine resource use and plan for growth. You can also use logs to determine a pattern if unauthorized use of resources is a concern. Windows 2000 allows you to control the size of the logs and to specify the action that Windows 2000 takes when a log becomes full.
You can configure the properties of each individual audit log. To configure the settings for a log, select the log in Event Viewer, and then display the Properties dialog box for the log. Use the Properties dialog box for each type of audit log to control the following:
- The size of each log, which can be from 64 KB to 4,194,240 KB (4 GB), in 64 KB increments. The default size is 512 KB, which fills quickly once Object Access auditing is enabled, so size the security log for the volume of events your audit policy actually generates and for how often you archive it.
- The action that Windows 2000 takes when the log fills up, by clicking one of the options described in Table 16.7.
Table 16.7 Options for Handling Full Audit Log Files
Option | Description |
---|---|
Overwrite Events As Needed | You might lose information if the log becomes full before you archive it, because the oldest events are overwritten first; anyone who can generate a flood of audited events can push earlier entries out of the log. However, this setting requires no maintenance. |
Overwrite Events Older Than X Days | You might lose information if the log becomes full before you archive it, but Windows 2000 will only overwrite events that are at least x days old. If the log is full and no event is old enough to be overwritten, new events are discarded. Enter the number of days for this option. |
Do Not Overwrite Events (Clear Log Manually) | This option requires you to clear the log manually. When the log becomes full, Windows 2000 stops recording new events until you clear the log: no security log entries are overwritten, but nothing that happens after the log fills is recorded either. If the security option Audit: Shut Down System Immediately If Unable To Log Security Audits (CrashOnAuditFail) is also enabled, the computer halts instead of silently dropping audits. |
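The three settings in Table 16.7 trade off different kinds of loss, and the difference is easiest to see by replaying the same stream of events through each one. The following model is an added example, not part of the original lesson: it holds a fixed number of events (a real log is sized in KB and events vary in size), replays ten days of routine logons followed by a constructed burst of failed logons, and reports which events survive, which are overwritten, and which are never written. The crash_on_audit_fail flag models the Windows 2000 security option Audit: Shut Down System Immediately If Unable To Log Security Audits (CrashOnAuditFail). The event IDs 528 and 529 are the Windows 2000 Security log IDs for a successful logon and a failed logon.

```python
"""Model the three full-log settings in Table 16.7 (added example)."""
from collections import deque
from datetime import datetime, timedelta

OVERWRITE_AS_NEEDED = "Overwrite Events As Needed"
OVERWRITE_OLDER_THAN = "Overwrite Events Older Than X Days"
DO_NOT_OVERWRITE = "Do Not Overwrite Events (Clear Log Manually)"


class EventLog:
    """A fixed-capacity log (capacity counted in events, not KB)."""

    def __init__(self, capacity, policy, max_age_days=7, crash_on_audit_fail=False):
        self.capacity = capacity
        self.policy = policy
        self.max_age = timedelta(days=max_age_days)
        self.crash_on_audit_fail = crash_on_audit_fail
        self.entries = deque()   # what Event Viewer would show
        self.overwritten = []    # old events evicted to make room
        self.discarded = []      # new events that were never written

    def record(self, when, event_id, label):
        entry = (when, event_id, label)
        if len(self.entries) < self.capacity:
            self.entries.append(entry)
            return True
        if self.policy == OVERWRITE_AS_NEEDED:
            self.overwritten.append(self.entries.popleft())
            self.entries.append(entry)
            return True
        if self.policy == OVERWRITE_OLDER_THAN:
            # Only an entry older than X days may be overwritten.
            oldest_when = self.entries[0][0]
            if when - oldest_when > self.max_age:
                self.overwritten.append(self.entries.popleft())
                self.entries.append(entry)
                return True
        # Do Not Overwrite, or nothing old enough to overwrite: the log is
        # full and the new event is lost, unless CrashOnAuditFail halts the system.
        if self.crash_on_audit_fail:
            raise RuntimeError("audit failed: system would halt (CrashOnAuditFail)")
        self.discarded.append(entry)
        return False


def constructed_stream():
    """Constructed data: one routine logon (528) per day for ten days, then
    five failed logons (529) within a few minutes on the afternoon of day 10."""
    base = datetime(2001, 3, 1)
    stream = [(base + timedelta(days=d - 1), 528, f"routine-{d}") for d in range(1, 11)]
    attack_start = base + timedelta(days=9, hours=12)
    stream += [(attack_start + timedelta(minutes=i), 529, f"attack-{i}") for i in range(1, 6)]
    return stream


def simulate(policy, capacity=8, max_age_days=7, crash_on_audit_fail=False):
    """Replay the stream and report the kept, overwritten and discarded labels."""
    log = EventLog(capacity, policy, max_age_days, crash_on_audit_fail)
    for when, event_id, label in constructed_stream():
        log.record(when, event_id, label)
    return {
        "kept": [e[2] for e in log.entries],
        "overwritten": [e[2] for e in log.overwritten],
        "discarded": [e[2] for e in log.discarded],
    }


def halts_when_full(policy, **kwargs):
    """True if the replay would trigger CrashOnAuditFail under this policy."""
    try:
        simulate(policy, crash_on_audit_fail=True, **kwargs)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for policy in (OVERWRITE_AS_NEEDED, OVERWRITE_OLDER_THAN, DO_NOT_OVERWRITE):
        result = simulate(policy)
        print(f"{policy}: kept {result['kept']}")
        print(f"  overwritten {result['overwritten']}; never written {result['discarded']}")
```

With an eight-event log, Overwrite Events As Needed keeps the whole attack burst at the cost of the first week of routine logons, Do Not Overwrite keeps the first eight routine logons and loses the entire attack, and Overwrite Events Older Than 7 Days records only the first failed logon because the remaining entries are too recent to be overwritten. Whichever setting you choose, the archive schedule has to run before the log fills.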
Archiving Logs
Archiving security logs allows you to maintain a history of security-related events. Many companies have policies on keeping archive logs for a specified period to track security-related information over time.
If you want to archive, clear, or view an archived log, select the log you want to configure in Event Viewer, click the Action menu, and then click one of the options described in Table 16.8.
Table 16.8 Options to Archive, Clear, or View a Log File
To | Do this |
---|---|
Archive the log | Click Save Log File As, and then type a filename. Save in the Event Log (.evt) format if you want to reopen the archive in Event Viewer; the text and CSV formats are convenient for other tools but cannot be loaded back into Event Viewer. |
Clear the log | Click Clear All Events to clear the log. Windows 2000 creates a security log entry (event ID 517, The audit log was cleared) that records the account that cleared it. Archive before you clear, and treat a cleared log with no matching archive as a sign of possible tampering. |
View an archived log | Click Open Log File, select the saved .evt file, and choose the log type it was saved from. (New Log View adds another view of a live log, which is useful for keeping two different filters open at once.) |
Practice: Auditing Resources and Events
In this practice, you will plan an audit policy for your computer. Then you will set up an audit policy by enabling auditing on certain events. You will also set up auditing of a file and a printer. Then you will view the security log file and configure Event Viewer to overwrite events when the log file is filled.
Exercise 1: Planning an Audit Policy
In this exercise, you will plan an audit policy for your computer. You need to determine the following:
- Which types of events to audit
- Whether to audit the success or failure of an event, or both
Use the following criteria to make your decisions:
- Record unsuccessful attempts to gain access to the computer.
- Record unauthorized access to the files that make up the Customer database.
- For billing purposes, track color printer use.
- Track whenever someone tries to tamper with the computer's hardware.
- Keep a record of actions that an administrator performs to track unauthorized changes.
- Track backup procedures to prevent data theft.
- Track unauthorized access to sensitive Active Directory objects.
Record your decisions to audit successful events, failed events, or both for the actions listed in the following table:
Action to audit | Successful | Failed |
---|---|---|
Account Logon Events | ||
Account Management | ||
Directory Service Access | ||
Logon Events | ||
Object Access | ||
Policy Change | ||
Privilege Use | ||
Process Tracking | ||
System Events |
Exercise 2: Setting Up an Audit Policy
In this exercise, you will enable auditing for selected events.
To set up an audit policy
1. Log on to your computer as Administrator.
2. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
3. In the Local Security Settings window's console tree, double-click Local Policies, and then click Audit Policy.
4. To set the audit policy, in the details pane, double-click each type of event, and then select the Success check box, the Failure check box, or both for the Audit These Attempts setting, as listed in the following table.
Event | Audit Successful Attempts | Audit Failed Attempts |
---|---|---|
Account Logon Events | ||
Account Management | ||
Directory Service Access | ||
Logon Events | X | |
Object Access | X | X |
Policy Change | ||
Privilege Use | X | |
Process Tracking | ||
System Events | X | X |
Exercise 3: Setting Up Auditing of Files
In this exercise, you will set up auditing for a file.
To set up auditing of files
1. Log on as Administrator.
2. In Windows Explorer, create a text file named Audit in the root folder of your system disk (for example, C:\Audit.txt).
3. Right-click the Audit.txt file, and then click Properties.
4. In the Properties dialog box, click the Security tab, and then click Advanced.
5. In the Access Control Settings dialog box, click the Auditing tab.
6. Click Add.
7. In the Select User, Computer, Or Group dialog box, double-click Everyone in the list of user accounts and groups.
8. In the Audit Entry For Audit dialog box, select the Successful check box and the Failed check box for each of the following events:
- Create Files/Write Data
- Delete
- Change Permissions
- Take Ownership
9. Click OK. Windows 2000 displays the Everyone group in the Access Control Settings For Audit dialog box.
10. Click OK to apply your changes.
To change file permissions
1. In the Properties dialog box, change the NTFS permissions for the file so that Everyone has only the Read permission. Remove any other permissions, and clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box so that permissions are no longer inherited from the parent folder.
2. Click OK to close the Properties dialog box, and then close Windows Explorer.
Exercise 4: Setting Up Auditing of a Printer
In this exercise, you will set up auditing of a printer.
To set up auditing of a printer
1. Click the Start button, point to Settings, and then click Printers.
2. In the Printers window, right-click HP LaserJet 5Si (the procedures for installing this printer are in Chapter 12, "Setting Up and Configuring Network Printers"), and then click Properties.
3. Click the Security tab, and then click Advanced.
4. In the Access Control Settings For HP LaserJet 5Si dialog box, click the Auditing tab, and then click Add.
5. In the Select User, Computer, Or Group dialog box, double-click Everyone in the list box.
6. In the Audit Entry For HP LaserJet 5Si dialog box, select the Successful check box for all types of access.
7. Click OK. Windows 2000 displays the Everyone group in the Access Control Settings For HP LaserJet 5Si dialog box.
8. Click OK to apply your changes.
9. Click OK to close the HP LaserJet 5Si Properties dialog box.
10. Close the Printers window.
Exercise 5: Viewing the Security Log
In this exercise, you will view the security log for your computer. Then you will use Event Viewer to filter events and to search for potential security breaches.
To view the security log for your computer
1. Click the Start button, point to Programs, point to Administrative Tools, and then click Event Viewer.
2. In the console tree, click each of the three logs and view the contents. As you scroll through the logs, double-click a couple of events to view a description.
3. Select Security Log, click Filter on the View menu, and clear every Event Types check box except Failure Audit. The remaining entries are the failed logons and failed object access attempts that your audit policy recorded; double-click one to see which account and which object were involved.
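The Filter and Find criteria from the Locating Events section, and the search for breaches in Exercise 5, can also be applied outside Event Viewer once the log has been archived. The following is an added example, not code from the original lesson: it assumes the Security log was saved with Save Log File As in CSV format with the columns Date, Time, Type, Source, Category, Event, User, Computer and Description in that order (check the header row of a real export before relying on this), parses it, reproduces the Filter tab and Find dialog criteria, and then runs two checks a reviewer would want: a burst of failed logons against one account, and any clearing of the audit log. The sample rows are constructed for the example; the event IDs are the Windows 2000 Security log IDs (528 successful logon, 529 unknown user name or bad password, 539 account locked out, 560 object open, 517 audit log cleared).

```python
"""Filter and search a Windows 2000 Security log exported as CSV (added example)."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Windows 2000 Security log event IDs used below.
LOGON_FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
AUDIT_LOG_CLEARED = 517

# Constructed sample export (not a real capture): a successful logon, a burst
# of failed logons against "bob" ending in a lockout, a file open, and a
# clearing of the audit log. Column order is assumed; check your own export.
SAMPLE_CSV = """\
Date,Time,Type,Source,Category,Event,User,Computer,Description
3/1/2001,8:59:02 AM,Success Audit,Security,Logon/Logoff,528,DOMAIN\\alice,PRO1,Successful Logon: User Name: alice Logon Type: 2
3/1/2001,9:00:11 AM,Failure Audit,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PRO1,Logon Failure: Reason: Unknown user name or bad password User Name: bob
3/1/2001,9:00:14 AM,Failure Audit,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PRO1,Logon Failure: Reason: Unknown user name or bad password User Name: bob
3/1/2001,9:00:17 AM,Failure Audit,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PRO1,Logon Failure: Reason: Unknown user name or bad password User Name: bob
3/1/2001,9:00:20 AM,Failure Audit,Security,Logon/Logoff,539,NT AUTHORITY\\SYSTEM,PRO1,Logon Failure: Reason: Account locked out User Name: bob
3/1/2001,9:05:40 AM,Success Audit,Security,Object Access,560,DOMAIN\\alice,PRO1,Object Open: Object Name: C:\\Audit.txt Accesses: READ_CONTROL
3/1/2001,9:07:00 AM,Success Audit,Security,System Event,517,DOMAIN\\alice,PRO1,The audit log was cleared
"""


def parse_export(text):
    """Parse the CSV export into dicts, adding an int Event and a datetime When."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Event"] = int(row["Event"])
        row["When"] = datetime.strptime(row["Date"] + " " + row["Time"],
                                        "%m/%d/%Y %I:%M:%S %p")
        events.append(row)
    return events


def filter_events(events, types=None, category=None, event_id=None,
                  user=None, computer=None, after=None, before=None):
    """Apply the Filter tab criteria (Table 16.6); every criterion given must match."""
    selected = []
    for e in events:
        if types is not None and e["Type"] not in types:
            continue
        if category is not None and e["Category"] != category:
            continue
        if event_id is not None and e["Event"] != event_id:
            continue
        if user is not None and e["User"].lower() != user.lower():
            continue
        if computer is not None and e["Computer"].lower() != computer.lower():
            continue
        if after is not None and e["When"] < after:
            continue
        if before is not None and e["When"] > before:
            continue
        selected.append(e)
    return selected


def find_events(events, text):
    """Apply the Find dialog's Description criterion (case-insensitive substring)."""
    needle = text.lower()
    return [e for e in events if needle in e["Description"].lower()]


def failed_logon_bursts(events, window_seconds=60, threshold=3):
    """Return {account: failures} for accounts with at least `threshold` logon
    failures inside any window of `window_seconds`. The account comes from the
    description because Windows 2000 records logon failures under SYSTEM."""
    stamps_by_account = defaultdict(list)
    for e in events:
        if e["Event"] in LOGON_FAILURE_IDS:
            match = re.search(r"User Name:\s*(\S+)", e["Description"])
            if match:
                stamps_by_account[match.group(1)].append(e["When"])
    bursts = {}
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:]
                            if (t - start).total_seconds() <= window_seconds)
            best = max(best, in_window)
        if best >= threshold:
            bursts[account] = best
    return bursts


def audit_log_clears(events):
    """Return (user, when) for every 'audit log was cleared' entry (event 517).
    Each one should correspond to an archive you made; an unexplained clear is
    worth investigating."""
    return [(e["User"], e["When"]) for e in events if e["Event"] == AUDIT_LOG_CLEARED]


if __name__ == "__main__":
    evts = parse_export(SAMPLE_CSV)
    print("failure audits:", len(filter_events(evts, types={"Failure Audit"})))
    print("failed-logon bursts:", failed_logon_bursts(evts))
    print("audit log cleared by:", audit_log_clears(evts))
```

The filter mirrors what the Filter tab does interactively, but scripting it lets you run the same checks across many archived logs and compare periods, which is the trend analysis the Managing Audit Logs section describes. The burst detector is deliberately simple (a fixed count inside a sliding window); tune the window and threshold to the account lockout policy in force on the computer.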
Exercise 6: Managing the Security Log
In this exercise, you will configure Event Viewer to overwrite events when the Security log gets full. You will also increase the size of the Security log to 2048 KB.
To control the size and contents of a log file
1. Verify that in the console tree, Security Log is selected.
2. On the Action menu, click Properties.
3. In the Security Log Properties dialog box, click Overwrite Events As Needed.
4. In the Maximum Log Size box, change the maximum log size to 2048 (KB), and click OK. Windows 2000 will now allow the log to grow to 2048 KB and will then overwrite older events with new events as necessary.
5. Close Event Viewer.
Lesson Summary
In this lesson, you learned that Windows 2000 Professional has the following three logs by default: the Application log, the Security log, and the System log. You use Event Viewer to view the contents of the Windows 2000 logs. You can use the Filter and Find commands in Event Viewer to easily locate specific events or types of events. You can manage the Windows 2000 logs by archiving them to allow you to track trends over time and by controlling the size of the log files and what happens when a log fills. The practice portion of this lesson gave you hands-on experience with these tasks.