The security log contains information on security events that are specified in the audit policy. To view the security log, you use the Event Viewer console. Event Viewer also allows you to find specific events within log files, filter the events shown in log files, and archive security log files.
After this lesson, you will be able to
View a log
Locate events in a log
Filter events in a log
Configure the size of audit logs
Archive security logs
Estimated lesson time: 25 minutes
Understanding Windows 2000 Logs
You use the Event Viewer console to view information contained in Windows 2000 logs. By default, there are three logs available to view in Event Viewer. These logs are described in Table 13.9.
Table 13.9 Logs Maintained by Windows 2000
Log | Description |
---|---|
Application log | Contains errors, warnings, or information that programs, such as a database program or an e-mail program, generate. The program developer presets which events to record. |
Security log | Contains information about the success or failure of audited events. The events that Windows 2000 records are a result of your audit policy. |
System log | Contains errors, warnings, and information that Windows 2000 generates. Windows 2000 presets which events to record. |
Application and system logs can be viewed by all users. Security logs are accessible only to system administrators. By default, security logging is turned off. To enable security logging, you must use group policy at the appropriate level to set up an audit policy.
NOTE If additional services are installed, they might add their own event log. For example, the Domain Name System (DNS) Service logs events that this service generates in the DNS server log.
The security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts.
To view the security log
Click Start, point to Programs, point to Administrative Tools, then click Event Viewer.
In the console tree, select Security Log.
In the details pane, Event Viewer displays a list of log entries and summary information for each item, as shown in Figure 13.8.
Successful events appear with a key icon and unsuccessful events appear with a lock icon. Other important information includes the date and time that the event occurred, the category of the event, and the user who generated the event.
The category indicates the event category, such as object access, account management, directory service access, or logon events.
Figure 13.8 Event Viewer displaying a sample security log
To view additional information for any event, double-click the event.
Windows 2000 records events in the security log on the computer at which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred.
To view the security log on a remote computer
Ensure that security auditing has been enabled on the remote computer. (Refer to Lesson 2 for details.)
Click Start, point to Programs, point to Administrative Tools, then click Event Viewer.
Right-click the Event Viewer (Local) node and select Connect To Another Computer.
In the Select Computer dialog box, click Another Computer and type the network name, IP address, or DNS address for the computer for which Event Viewer will display a security log. You can also browse for the computer name.
Click OK.
When you first start Event Viewer, it automatically displays all events that are recorded in the security log. You can search for specific events by using the Find command.
To find events
Start Event Viewer, click the security log, then click Find on the View menu.
On the Find In dialog box for the security log, configure the options shown in Figure 13.9 and described in Table 13.10.
Table 13.10 Options on the Find In Dialog Box
Option | Description |
---|---|
Event Types | Check boxes that indicate the types of events to find. In the security log you can only find audit events, because others are not recorded. |
Event Source | A list that indicates the software or component driver that logged the event. |
Category | A list that indicates the event category, such as a logon or logoff attempt or a system event. |
Event ID | An event number to identify the event. This number helps product support representatives track events. |
User | A user logon name. |
Computer | A computer name. |
Description | Text that is in the description of the event. |
Search Direction | The direction in which to search the log (up or down). |
Find Next | Finds and selects the next occurrence defined by the Find settings. |
Figure 13.9 The Find In dialog box for a security log
To show specific events that appear in the security log—for example, attempting to write to a text file without the necessary permissions—you can narrow down the events to display by using the Filter command.
To filter events
Start Event Viewer, click the security log, then click Filter on the View menu.
In the Security Log Properties dialog box, in the Filter tab, configure the options shown in Figure 13.10 and described in Table 13.11.
Table 13.11 Options on the Filter Tab of the Security Log Properties Dialog Box
Option | Description |
---|---|
Event Types | Check boxes that indicate the types of events to filter. In the security log you can only filter using audit events, because others are not recorded. |
Event Source | A list that indicates the software or component driver that logged the event. |
Category | A list that indicates the type of event, such as a logon or logoff attempt or a system event. |
Event ID | An event number to identify the event. This number helps product support representatives track events. |
User | A user logon name. |
Computer | A computer name. |
From | The beginning of the range of events that you want to filter. In the list under From, select First Event to see events starting with the first event in the log. Select Events On to see events that occurred starting at a specific time and date. |
To | The end of the range of events that you want to filter. In the list under To, select Last Event to see events ending with the last event in the log. Select Events On to see events that occurred ending at a specific time and date. |
Figure 13.10 The Filter tab of the Security Log Properties dialog box
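The Find and Filter options above (event type, source, category, event ID, user, computer, date range, description text) are the same criteria an analyst applies when reviewing a log outside Event Viewer, for example after archiving it in comma-delimited format as described later in this lesson. The following is an added example, not code from the lesson or from Windows 2000: it parses a small comma-delimited security log export constructed for this example and applies those filter criteria. The column order and header row are assumptions made for the example (a real Event Viewer export may order the columns differently and omit the header), and the sample records, user names and computer name are constructed; the event IDs used are well-known Windows 2000 security audit IDs.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of a comma-delimited security log export (not real data).
# Column order and header are assumptions for this example.
SAMPLE_CSV = """Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,10/14/2001,08:02:11,Security,Logon/Logoff,528,ALICE,SRV01,Successful Logon
Failure Audit,10/14/2001,08:05:40,Security,Logon/Logoff,529,BOB,SRV01,Logon Failure: Unknown user name or bad password
Failure Audit,10/14/2001,08:05:52,Security,Logon/Logoff,529,BOB,SRV01,Logon Failure: Unknown user name or bad password
Failure Audit,10/14/2001,08:06:03,Security,Logon/Logoff,529,BOB,SRV01,Logon Failure: Unknown user name or bad password
Failure Audit,10/14/2001,09:30:00,Security,Object Access,560,CAROL,SRV01,Object Open: write access to a text file denied
Success Audit,10/15/2001,07:58:19,Security,Account Management,624,ALICE,SRV01,User Account Created
"""


def parse_export(text):
    """Parse the comma-delimited export into dicts with typed Event and When fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Event"] = int(row["Event"])
        # Date and Time columns are combined into one datetime for range filtering.
        row["When"] = datetime.strptime(row["Date"] + " " + row["Time"],
                                        "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def filter_events(rows, event_types=None, source=None, category=None,
                  event_id=None, user=None, computer=None,
                  from_time=None, to_time=None, description=None):
    """Return the rows matching every criterion given (None means 'any').

    Mirrors the Filter tab: event_types is a set such as {"Failure Audit"},
    from_time/to_time bound the range (inclusive), and description is a
    case-insensitive substring match like the Find dialog's Description box.
    """
    out = []
    for r in rows:
        if event_types is not None and r["Type"] not in event_types:
            continue
        if source is not None and r["Source"] != source:
            continue
        if category is not None and r["Category"] != category:
            continue
        if event_id is not None and r["Event"] != event_id:
            continue
        if user is not None and r["User"].upper() != user.upper():
            continue
        if computer is not None and r["Computer"].upper() != computer.upper():
            continue
        if from_time is not None and r["When"] < from_time:
            continue
        if to_time is not None and r["When"] > to_time:
            continue
        if description is not None and description.lower() not in r["Description"].lower():
            continue
        out.append(r)
    return out


def count_by_user(rows):
    """Summarise how many of the given events each user account generated."""
    return dict(Counter(r["User"] for r in rows))


if __name__ == "__main__":
    events = parse_export(SAMPLE_CSV)
    failures = filter_events(events, event_types={"Failure Audit"})
    print("failure audits per user:", count_by_user(failures))
    for r in filter_events(events, event_id=529, user="BOB"):
        print(r["When"], r["Event"], r["User"], r["Description"])
```

Combining a Failure Audit filter with a per-user count is the quickest way to spot the pattern Exercise 1 asks you to look for: several failed logons for one account in a short interval stand out even in a large export.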
Security logging begins when you set an audit policy for the domain controller or local computer. Logging stops when the security log becomes full and cannot overwrite itself, either because it has been set for manual clearing or because the first event in the log is not old enough. When security logging stops, an error may be written to the application log. You can avoid a full security log by logging only key events. You can configure the properties of each individual audit log.
To configure the settings for security logs
Open Event Viewer.
Right-click the security log in the console tree, then click Properties.
In the Security Log Properties dialog box, in the General tab, configure the options shown in Figure 13.11 and described in Table 13.12.
Table 13.12 Options on the General Tab of the Security Log Properties Dialog Box
Option | Description |
---|---|
Display Name | The name of the log view. You can change the name to distinguish different views of the same log on one computer or to distinguish logs on different computers. |
Log Name | The name and location of the log file. |
Maximum Log Size | The size of each log, which can be from 64 KB to 4,194,240 KB (4 GB). The default size is 512 KB. |
Overwrite Events As Needed | Specifies whether all new events will be written to the log, even when the log is full. When the log is full, each new event replaces the oldest event. Use this option with caution; it can be used to hide undesirable events. |
Overwrite Events Older Than X Days | Specifies the number of days (1-365) that events in the log file are retained before they can be overwritten. New events will not be added if the maximum log size is reached and there are no events older than this period. |
Do Not Overwrite Events (Clear Log Manually) | Specifies whether existing events will be retained when the log is full. If the maximum log size is reached, new events are discarded. This option requires you to manually clear the log. |
Using A Low Speed Connection | Specifies whether the log file is located on another computer, and whether your computer is connected to it by a low speed device, such as a modem. |
Figure 13.11 The General tab of the Security Log Properties dialog box
When the log is full and no more events can be logged, you can free the log by manually clearing it. Clearing the log erases all events permanently. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.
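The three overwrite settings in Table 13.12 and the "logging stops" behaviour described above determine which audit events survive and which are silently lost. The following added example (not part of the lesson, and a deliberate simplification of the real .evt file, which is a circular buffer of variable-size records) models a fixed-size security log under each policy, counts events that were overwritten or never recorded, and shows that clearing the log restores logging. The log size, record size, event rate and retention period are constructed inputs chosen so the behaviour is visible in a few hundred events.

```python
from collections import deque
from datetime import datetime, timedelta

# The three retention settings on the General tab of the log's properties.
OVERWRITE_AS_NEEDED = "overwrite_as_needed"
OVERWRITE_OLDER_THAN = "overwrite_older_than"
DO_NOT_OVERWRITE = "do_not_overwrite"


class SecurityLog:
    """Simplified fixed-size event log (a model for this example, not the real format)."""

    def __init__(self, max_size_kb, policy, retain_days=7):
        self.max_bytes = max_size_kb * 1024
        self.policy = policy
        self.retain = timedelta(days=retain_days)
        self.records = deque()      # oldest first: (timestamp, size_bytes, event_id)
        self.used = 0
        self.overwritten = 0        # events evicted to make room
        self.discarded = 0          # events that could not be written at all
        self.logging_stopped = False

    def _can_evict_oldest(self, now):
        """Decide whether the oldest record may be overwritten under the policy."""
        oldest_when = self.records[0][0]
        if self.policy == OVERWRITE_AS_NEEDED:
            return True
        if self.policy == OVERWRITE_OLDER_THAN:
            # Only an event older than the retention period may be overwritten;
            # if the first event is not old enough, the log stays full.
            return now - oldest_when > self.retain
        return False                # DO_NOT_OVERWRITE: wait for a manual clear

    def write(self, when, event_id, size_bytes=512):
        """Try to record an event; return True if it was stored, False if lost."""
        while self.used + size_bytes > self.max_bytes and self.records:
            if not self._can_evict_oldest(when):
                break
            _, old_size, _ = self.records.popleft()
            self.used -= old_size
            self.overwritten += 1
        if self.used + size_bytes > self.max_bytes:
            self.discarded += 1
            self.logging_stopped = True
            return False
        self.records.append((when, size_bytes, event_id))
        self.used += size_bytes
        self.logging_stopped = False
        return True

    def archive_and_clear(self):
        """Return every stored record (the archive) and empty the log."""
        archived = list(self.records)
        self.records.clear()
        self.used = 0
        self.logging_stopped = False
        return archived


def simulate(policy, n_events=200, max_size_kb=64, retain_days=7, record_bytes=512):
    """Feed one constructed event per hour into a log and report what happened."""
    log = SecurityLog(max_size_kb, policy, retain_days)
    start = datetime(2001, 10, 14)          # constructed start time
    for i in range(n_events):
        log.write(start + timedelta(hours=i), event_id=528, size_bytes=record_bytes)
    return {"stored": len(log.records),
            "overwritten": log.overwritten,
            "discarded": log.discarded}


if __name__ == "__main__":
    for policy in (OVERWRITE_AS_NEEDED, OVERWRITE_OLDER_THAN, DO_NOT_OVERWRITE):
        print(policy, simulate(policy))
```

With a 64 KB log and 512-byte records the log holds 128 events, so 200 hourly events exceed it. Overwrite As Needed loses the oldest 72 events to overwriting; Do Not Overwrite keeps the first 128 and never records the remaining 72; Overwrite Events Older Than 7 Days refuses new events for 41 hours until the first event ages past the retention period, then resumes by overwriting one old record per new event. The discarded count is the figure to watch: those events were never recorded anywhere, which is why the lesson recommends archiving and clearing before the log fills.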
To manually clear the security log
Open Event Viewer.
Right-click the security log in the console tree, then click Clear All Events.
In the Event Viewer message box, click Yes to archive the log before clearing, or click No to permanently discard the current event records and start recording new events.
If you clicked Yes, in the Save As dialog box, in the File Name list, enter a name for the log file to be archived.
In the Save As Type list, click a file format, then click Save.
Archiving security logs allows you to maintain a history of security-related events. Many organizations have policies on keeping archive logs for a specified period to track security-related information over time. When you archive a log file, the entire log is saved, regardless of filtering options.
To archive a security log
Open Event Viewer.
Right-click the security log in the console tree, then click Save Log File As.
In the Save As dialog box, in the File Name list, enter a name for the log file to be archived.
In the Save As Type list, click a file format, then click Save.
If you archive a log in log-file format you can reopen it in Event Viewer. Logs saved as event log files (*.evt) retain the binary data for each event recorded. If you archive a log in text or comma-delimited format (*.txt and *.csv, respectively), you can reopen the log in other programs such as word processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data.
To view an archived security log
Open Event Viewer.
Right-click the security log in the console tree, then click Open Log File.
In the Open dialog box, click the file you want to open. You may need to browse to the drive or folder that contains the file.
In the Log Type list, select Security for the type of log to be opened.
In the Display Name box, enter the name of the file as you want it to appear in the console tree, then click Open.
To remove an archived log file from your system, delete the file in Windows Explorer.
Practice: Using the Security Log
In this practice you view the security log file and configure Event Viewer to overwrite events when the log file is filled. Then you clear and archive a security log file.
IMPORTANT Before attempting the exercises in this practice, you must first complete all exercises in Lesson 2.
Exercise 1: Viewing the Security Log
In this exercise you view the security log for your computer. Then, you use Event Viewer to filter events and to search for potential security breaches.
To view the security log for your computer
Click Start, click Programs, click Administrative Tools, then click Event Viewer.
In the console tree, click the security log and view the contents. As you scroll through the log, double-click a couple of events to view a description.
Exercise 2: Managing the Security Log
In this exercise you configure Event Viewer to overwrite events when the log file gets full.
To configure the size and contents of the security log file
Right-click the security log in the console tree, then click Properties.
In the Security Log Properties dialog box, click Overwrite Events As Needed.
In the Maximum Log Size box, change the maximum log size to 2048 KB, then click OK.
Windows 2000 will now allow the log to grow to 2048 KB, and will then overwrite older events with new events as necessary.
Exercise 3: Clearing and Archiving the Security Log
In this exercise you clear the security log, archive a security log, and view the archived security log.
To clear and archive the security log
Open Event Viewer.
Right-click the security log in the console tree, then click Clear All Events.
In the Event Viewer message box, click Yes to archive the log before clearing.
In the Save As dialog box, in the File Name list, type archive to name the log file to be archived.
In the Save As Type list, ensure that the Event Log (*.evt) file type is selected, then click Save.
To view the archived security log
Right-click the security log in the console tree, then click Open Log File.
In the Open dialog box, click the ARCHIVE.EVT file (or the name of the file you archived).
In the Log Type list, select Security for the type of log to be opened.
In the Display Name box, ensure that Saved Security Log appears, then click Open.
The Saved Security Log appears in Event Viewer. You cannot click Refresh or Clear All Events to update the display or to clear an archived log.
Close Event Viewer.
In this lesson you learned about the Windows 2000 security log. You learned how to use Event Viewer to view the contents of the Windows 2000 security logs, to locate and display specific events in security logs, to configure log size, and to archive security logs.
In the practice portion of this lesson you viewed the security log file and configured Event Viewer to overwrite events when the log file is filled. Then you cleared and archived a security log file.