7/31/2019 Windows Server 2003 Logs
Understanding Windows Server 2003 Logs
You use the Event Viewer console to view information contained in Windows Server 2003 logs. By default, there are three logs available to view in the Event Viewer console. These logs are described in Table 13-7.
Table 13-7. Logs Maintained by Windows Server 2003

Log              Description
Application log  Contains errors, warnings, or information that programs, such as a
                 database program or an e-mail program, generate. The program developer
                 presets the events to record.
Security log     Contains information about the success or failure of audited events. The
                 events that Windows Server 2003 records are a result of your audit policy.
System log       Contains errors, warnings, and information that Windows Server 2003
                 generates. Windows Server 2003 presets the events to record.

Application and system logs can be viewed by all users. The security log is accessible only to system administrators.
Viewing the Security Log
The security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts. Review the security log frequently. Set a schedule and regularly review the security log because configuring auditing alone does not alert you to security breaches.
To view the security log, complete the following steps:
1. Click Start, point to Administrative Tools, and then click Event Viewer.
2. In the console tree, select Security. In the details pane, the Event Viewer console displays a list of log entries and summary information for each item, as shown in Figure 13-12.
Figure 13-12. Event Viewer console displaying a sample security log
3. To view the properties for any event, double-click the event. The properties for a logon/logoff event are shown in Figure 13-13.
Figure 13-13. The Event Properties dialog box showing properties for a logon/logoff event
Viewing the Security Log on a Remote Computer
Windows Server 2003 records events in the security log on the computer at which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred.
To view the security log on a remote computer, complete the following steps:
1. Ensure that security auditing has been enabled on a remote machine.
2. Click Start, point to Administrative Tools, and then click Event Viewer.
3. Right-click the Event Viewer (Local) node and select Connect To Another Computer.
4. In the Select Computer dialog box, click Another Computer and type the network name, IP address, or DNS address for the computer for which you want to display a security log. You can also browse for the computer name.
5. Click OK.
Finding Events in the Security Log
When you first start the Event Viewer console, it automatically displays all events that are recorded in the security log. You can search for specific events in the security log by using the Find option.
To find events in the security log, complete the following steps:
1. Start Event Viewer, view the security log, and then click Find on the View menu.
2. In the Find In dialog box for the security log, shown in Figure 13-14, indicate your choices of the available search criteria.
   - Select the types of events you want to locate in the Event Types area.
   - Select the software or component driver that logged the event in the Event Source list.
   - Select the event category in the Category list.
   - Indicate the event number that identifies the event in the Event ID box.
   - Indicate the user logon name in the User box.
   - Indicate the computer name in the Computer box.
   - Indicate the description of the event in the Description box.
   - Select the direction in which to search the log (up or down) in the Search Direction area.
Figure 13-14. The Find In dialog box
3. Click Find Next. If an event matching the criteria you specified is found, it is
highlighted in the security log.
4. Click Find Next to find the next matching event, or click Close to end your search.
Filtering Events in the Security Log
To display only specific events that appear in the security log (for example, attempting to write to a text file without the necessary permissions), you can narrow down the events to display by using the Filter option.
To filter events in the security log, complete the following steps:
1. Start the Event Viewer console, view the security log, and then click Filter on the View menu.
2. In the Filter tab in the Security Properties dialog box, shown in Figure 13-15,
indicate your choices of the available filtering criteria.
Figure 13-15. The Filter tab of the Security Properties dialog box
   - Select the types of events you want to display in the Event Types area.
   - Select the software or component driver that logged the event in the Event Source list.
   - Select the event category in the Category list.
   - Indicate the event number that identifies the event in the Event ID box.
   - Indicate the user logon name in the User box.
   - Indicate the computer name in the Computer box.
   - Indicate the beginning of the range of events that you want to filter in the From list. Select First Event to see events starting with the first event in the log. Select Events On to see events that occurred starting at a specific time and date.
   - Indicate the end of the range of events that you want to filter in the To list. Select Last Event to see events ending with the last event in the log. Select Events On to see events that occurred up to a specific time and date.
3. Click OK. The events you selected for your filtered display appear in the security log.
To remove a security log filter, complete the following steps:
1. Start the Event Viewer console, view the security log, and then click Filter on the View menu.
2. In the Filter tab in the Security Properties dialog box, click Restore Defaults, and then click OK.
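The Find and Filter steps above, together with the remote-computer connection from the earlier procedure, as an added PowerShell example that is not part of the original lesson. It assumes Windows PowerShell 2.0 or later, whose Get-EventLog cmdlet reads the classic Security log, and the Computer, EventId and Days values are placeholders you supply.

```powershell
# Added example (not from the lesson): repeat the Event Viewer Find/Filter
# query from the command line so it can be run on the review schedule the
# lesson recommends. Requires administrative rights on the target computer.
param(
    [string]$Computer = $env:COMPUTERNAME,   # network name, IP, or DNS name (step 4 of the remote procedure)
    [int]$EventId     = 576,                 # the Event ID used in Exercise 1
    [int]$Days        = 7                    # "Events On" range: only the last N days
)

$since = (Get-Date).AddDays(-$Days)

# Filter tab equivalent: Event ID, From date, and the computer whose log is read.
# Get-EventLog writes an error (not an empty result) when nothing matches,
# so suppress it and treat "no entries" as an empty array.
$events = @(Get-EventLog -LogName Security -ComputerName $Computer `
                         -InstanceId $EventId -After $since `
                         -ErrorAction SilentlyContinue)

# Details-pane style summary: one line per event, oldest first.
$events | Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EntryType, InstanceId, UserName, MachineName |
    Format-Table -AutoSize

# Event Types equivalent: failure audits are the entries to review first.
$failures = @(Get-EventLog -LogName Security -ComputerName $Computer `
                           -EntryType FailureAudit -After $since `
                           -ErrorAction SilentlyContinue)

"{0} event(s) with ID {1} and {2} failure audit(s) on {3} since {4}" -f `
    $events.Count, $EventId, $failures.Count, $Computer, $since
```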
Configuring the Security Log
Security logging begins when you set an audit policy for the domain controller or local computer. Logging stops when the security log becomes full and cannot overwrite itself, either because it has been set for manual clearing or because the first event in the log is not old enough. When security logging stops, an error might be written to the application log. You can avoid a full security log by logging only key events and by configuring the size of the security log.
To configure the security log size, complete the following steps:
1. Open the Event Viewer console.
2. In the console tree, right-click Security, and then click Properties.
3. In the General tab in the Security Properties dialog box, shown in Figure 13-16, type the maximum log file size, which can be from 64 kilobytes (KB) to 4,194,240 KB (4 gigabytes). The default size is 512 KB.
Figure 13-16. The General tab of the Security Properties dialog box
4. Under When Maximum Log File Size Is Reached, select one of the following:
   - Overwrite Events As Needed to write all new events to the log. When the log is full, each new event replaces the oldest event. Use this option with caution; it can be used to hide undesirable events.
   - Overwrite Events Older Than X Days and specify for X the number of days (1 to 365) an event is to be retained before it is overwritten. New events are not added if the maximum log size is reached and there are no events older than this period.
   - Do Not Overwrite Events (Clear Log Manually) to specify whether existing events are retained when the log is full. If the maximum log size is reached, new events are discarded. This option requires you to manually clear the log.
Clearing the Security Log
When the log is full and no more events can be logged, you can clear the log manually. Clearing the log erases all events permanently. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.
To manually clear the security log, complete the following steps:
1. Open the Event Viewer console.
2. Right-click Security in the console tree, and then click Clear All Events.
3. In the Event Viewer message box, do one of the following:
   - Click Yes to archive the log before clearing.
   - Click No to permanently discard the current event records and start recording new events.
4. If you clicked Yes, in the Save As dialog box, in the File Name list, type a name for
the log file to be archived.
5. In the Save As Type list, click a file format, and then click Save.
Archiving the Security Log
Archiving security logs allows you to maintain a history of security-related events. Many organizations have policies on keeping archive logs for a specified period to track security-related information over time. When you archive a log, the entire log is saved, regardless of filtering options.
To archive a security log, complete the following steps:
1. Open the Event Viewer console.
2. Right-click Security in the console tree, and then click Save Log File As.
3. In the Save As dialog box, in the File Name list, type a name for the log file to be
archived.
4. In the Save As Type list, click a file format, and then click Save.
If you archive a log in log-file format, you can reopen it in the Event Viewer console.
Logs saved as event log files (*.evt) retain the binary data for each event recorded. If you archive a log in text or comma-delimited format (*.txt and *.csv, respectively), you can reopen the log in other programs such as word-processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data and cannot be reopened in the Event Viewer console.
To view an archived security log, complete the following steps:
1. Open the Event Viewer console.
2. Right-click the security log in the console tree, and then click Open Log File.
3. In the Open dialog box, click the file you want to open. You might need to search for
the drive or folder that contains the document.
4. In the Log Type list, select Security for the type of log to be opened.
5. In the Display Name box, type the name of the file as you want it to appear in the console tree, and then click Open.
To remove an archived log file from your system, delete the file in Windows Explorer.
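The configure, archive and clear procedures above, as an added PowerShell example that is not part of the original lesson. It assumes Windows PowerShell 2.0 or later with its Limit-EventLog, Get-EventLog and Clear-EventLog cmdlets, administrative rights on the target computer, and a constructed archive folder path.

```powershell
# Added example (not from the lesson): size the Security log, archive it to
# a comma-delimited file, and clear it only after the archive exists on disk.
param(
    [string]$Computer   = $env:COMPUTERNAME,
    [string]$ArchiveDir = 'C:\SecurityLogArchive'   # constructed path for this example
)

# Exercise 2: maximum size 2048 KB, overwrite events as needed.
# Limit-EventLog requires a size that is a multiple of 64 KB.
Limit-EventLog -LogName Security -ComputerName $Computer `
               -MaximumSize 2048KB -OverflowAction OverwriteAsNeeded

# The lesson warns that Overwrite Events As Needed can hide undesirable events.
# The retention-based option from step 4 looks like this instead:
# Limit-EventLog -LogName Security -ComputerName $Computer `
#                -OverflowAction OverwriteOlder -RetentionDays 30

# Archive before clearing. Export-Csv writes the comma-delimited format the
# lesson describes: readable in a spreadsheet, but without the per-event
# binary data and not reopenable in Event Viewer. Use Save Log File As in
# the console when a .evt archive (such as Archive.evt) is required.
if (-not (Test-Path $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $ArchiveDir ("Security-{0}-{1}.csv" -f $Computer, $stamp)

# The entire log is exported, regardless of any filter set in the console.
Get-EventLog -LogName Security -ComputerName $Computer |
    Select-Object TimeGenerated, EntryType, InstanceId, Source, UserName, MachineName, Message |
    Export-Csv -Path $archive -NoTypeInformation

# Clear only once the archive is on disk and non-empty; clearing is permanent.
if ((Test-Path $archive) -and ((Get-Item $archive).Length -gt 0)) {
    Clear-EventLog -LogName Security -ComputerName $Computer
    "Archived to $archive and cleared the Security log on $Computer"
} else {
    "Archive $archive is missing or empty; Security log left untouched"
}
```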
Exercise 1: Viewing and Filtering the Security Log
In this exercise, you view the security log for your computer. Then, you filter the log to display only specific events.
To view and filter the security log
1. Use the procedure provided earlier in this lesson to view the security log. As you
scroll through the log, double-click a couple of events to view a description.
2. Use the procedure provided earlier in this lesson to filter all event types to display
those with the Event ID of 576.
3. Use the procedure provided earlier in this lesson to remove the security log filter.
Exercise 2: Configuring the Security Log
In this exercise, you configure the Event Viewer console to overwrite events when the
security log gets full.
To configure the security log
Use the procedure provided earlier in this lesson to configure the security log size.
Change the maximum log size to 2048 KB and overwrite older events with new events as necessary.
Exercise 3: Clearing and Archiving the Security Log
In this exercise, you clear the security log, archive a security log, and view the archived
security log.
To clear and archive the security log
1. Use the procedure provided earlier in this lesson to clear and archive the security log.
Save the log in a file named Archive.evt.
2. Use the procedure provided earlier in this lesson to view the archived security log file
named Archive.evt.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.
1. What information is logged in the security log?
____________________________________________________________
____________________________________________________________
2. What is the default size of the security log?
____________________________________________________________
____________________________________________________________
3. In which of the following file formats can you archive a security log? Choose three.
   a. .txt
   b. .doc
   c. .rtf
   d. .bmp
   e. .evt
   f. .csv
   g. .crv
4. In which of the following archived file formats can you reopen the file in the Event Viewer console?
   a. .txt
   b. .doc
   c. .rtf
   d. .bmp
   e. .evt
   f. .csv
   g. .crv
5. You filtered a security log to display only the events with Event ID 576. Then you archived this log. What information is saved?
   a. The entire log is saved
   b. The filtered log is saved
   c. The entire log and the filtered log are each saved separately
   d. No log is saved