Windows Server 2003 Logs


  • 7/31/2019 Windows Server 2003 Logs

    1/12

    Understanding Windows Server 2003 Logs

    You use the Event Viewer console to view the information contained in Windows Server 2003 logs. By default, three logs are available to view in the Event Viewer console. These logs are described in Table 13-7.

    Table 13-7. Logs Maintained by Windows Server 2003

    Log              Description
    Application log  Contains errors, warnings, or information that programs, such as a database
                     program or an e-mail program, generate. The program developer presets the
                     events to record.
    Security log     Contains information about the success or failure of audited events. The
                     events that Windows Server 2003 records are a result of your audit policy.
    System log       Contains errors, warnings, and information that Windows Server 2003
                     generates. Windows Server 2003 presets the events to record.

    Application and system logs can be viewed by all users. The security log is accessible only to system administrators.

    Viewing the Security Log

    The security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts. Review the security log frequently. Set a schedule and regularly review the security log, because configuring auditing alone does not alert you to security breaches.

    To view the security log, complete the following steps:

    1. Click Start, point to Administrative Tools, and then click Event Viewer.

    2. In the console tree, select Security. In the details pane, the Event Viewer console displays a list of log entries and summary information for each item, as shown in Figure 13-12.

    Figure 13-12. Event Viewer console displaying a sample security log

    3. To view the properties for any event, double-click the event. The properties for a logon/logoff event are shown in Figure 13-13.

    Figure 13-13. The Event Properties dialog box showing properties for a logon/logoff event

    Viewing the Security Log on a Remote Computer

    Windows Server 2003 records events in the security log on the computer at which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred.

    To view the security log on a remote computer, complete the following steps:

    1. Ensure that security auditing has been enabled on the remote computer.

    2. Click Start, point to Administrative Tools, and then click Event Viewer.

    3. Right-click the Event Viewer (Local) node and select Connect To Another Computer.

    4. In the Select Computer dialog box, click Another Computer and type the network name, IP address, or DNS address of the computer whose security log you want to display. You can also browse for the computer name.

    5. Click OK.

    Finding Events in the Security Log

    When you first start the Event Viewer console, it automatically displays all events that are recorded in the security log. You can search for specific events in the security log by using the Find option.

    To find events in the security log, complete the following steps:

    1. Start Event Viewer, view the security log, and then click Find on the View menu.

    2. In the Find In dialog box for the security log, shown in Figure 13-14, indicate your choices of the available search criteria:

       - Select the types of events you want to locate in the Event Types area.
       - Select the software or component driver that logged the event in the Event Source list.
       - Select the event category in the Category list.
       - Indicate the event number that identifies the event in the Event ID box.
       - Indicate the user logon name in the User box.
       - Indicate the computer name in the Computer box.
       - Indicate the description of the event in the Description box.
       - Select the direction in which to search the log (up or down) in the Search Direction area.

    Figure 13-14. The Find In dialog box

    3. Click Find Next. If an event matching the criteria you specified is found, it is highlighted in the security log.

    4. Click Find Next to find the next matching event, or click Close to end your search.

    Filtering Events in the Security Log

    To display only specific events that appear in the security log (for example, attempts to write to a text file without the necessary permissions), you can narrow down the events to display by using the Filter option.

    To filter events in the security log, complete the following steps:

    1. Start the Event Viewer console, view the security log, and then click Filter on the View menu.

    2. In the Filter tab in the Security Properties dialog box, shown in Figure 13-15, indicate your choices of the available filtering criteria:

    Figure 13-15. The Filter tab of the Security Properties dialog box

       - Select the types of events you want to display in the Event Types area.
       - Select the software or component driver that logged the event in the Event Source list.
       - Select the event category in the Category list.
       - Indicate the event number that identifies the event in the Event ID box.
       - Indicate the user logon name in the User box.
       - Indicate the computer name in the Computer box.
       - Indicate the beginning of the range of events that you want to filter in the From list. Select First Event to see events starting with the first event in the log. Select Events On to see events that occurred starting at a specific time and date.
       - Indicate the end of the range of events that you want to filter in the To list. Select Last Event to see events ending with the last event in the log. Select Events On to see events that occurred up to a specific time and date.

    3. Click OK. The events you selected for your filtered display appear in the security log.

    To remove a security log filter, complete the following steps:

    1. Start the Event Viewer console, view the security log, and then click Filter on the View menu.

    2. In the Filter tab in the Security Properties dialog box, click Restore Defaults, and then click OK.
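    The Find In and Filter tab criteria above, and the remote-computer procedure, expressed with the Windows PowerShell classic event log cmdlets as an added example; this is not from the lesson, which uses the Event Viewer console. It assumes an elevated prompt on a machine with those cmdlets, and CONTOSO and SERVER01 are placeholder names.

```powershell
# Added example, not from the lesson: the Find In / Filter tab criteria expressed with the
# Windows PowerShell classic event log cmdlets, which read the same Security log.
# Run from an elevated prompt; reading the Security log needs administrative rights.
# CONTOSO and SERVER01 are placeholder names.

# Event ID 576 is the ID Exercise 1 asks you to filter on.
$eventId = 576

# Event Types area -> -EntryType; From/To lists -> -After/-Before.
# Here: success and failure audits from the last 7 days up to the last event.
$since = (Get-Date).AddDays(-7)
$events = Get-EventLog -LogName Security -After $since -EntryType SuccessAudit, FailureAudit |
    Where-Object { $_.EventID -eq $eventId }          # Event ID box

# Event Source, Category, and User boxes. -UserName and -Message accept wildcards;
# Category is a property on each entry.
$byUser = Get-EventLog -LogName Security -Source Security -UserName 'CONTOSO\*' -Newest 200 |
    Where-Object { $_.Category -like 'Logon/Logoff*' }

# Description box: match on message text. Search direction does not apply here, because
# the whole result set comes back at once instead of one Find Next hit at a time.
$byText = Get-EventLog -LogName Security -Message '*Logon Type:*' -Newest 200

# Viewing the Security Log on a Remote Computer: the same query, with -ComputerName
# selecting the machine where the events were recorded (administrative rights needed there).
$remote = Get-EventLog -ComputerName 'SERVER01' -LogName Security -Newest 200 |
    Where-Object { $_.EventID -eq $eventId }

# Summarise the matches by account instead of stepping through them with Find Next.
$events | Group-Object UserName | Sort-Object Count -Descending |
    Select-Object Count, Name

$events | Select-Object TimeGenerated, EventID, EntryType, UserName, MachineName |
    Format-Table -AutoSize
```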

    Configuring the Security Log

    Security logging begins when you set an audit policy for the domain controller or local computer. Logging stops when the security log becomes full and cannot overwrite itself, either because it has been set for manual clearing or because the first event in the log is not old enough. When security logging stops, an error might be written to the application log. You can avoid a full security log by logging only key events and by configuring the size of the security log.

    To configure the security log size, complete the following steps:

    1. Open the Event Viewer console.

    2. In the console tree, right-click Security, and then click Properties.

    3. In the General tab in the Security Properties dialog box, shown in Figure 13-16, type the maximum log file size, which can be from 64 kilobytes (KB) to 4,194,240 KB (4 gigabytes). The default size is 512 KB.

    Figure 13-16. The General tab of the Security Properties dialog box

    4. Under When Maximum Log File Size Is Reached, select one of the following:

       - Overwrite Events As Needed to write all new events to the log. When the log is full, each new event replaces the oldest event. Use this option with caution; it can be used to hide undesirable events.
       - Overwrite Events Older Than X Days and specify for X the number of days (1 to 365) an event is to be retained before it is overwritten. New events are not added if the maximum log size is reached and there are no events older than this period.
       - Do Not Overwrite Events (Clear Log Manually) to specify that existing events are retained when the log is full. If the maximum log size is reached, new events are discarded. This option requires you to manually clear the log.

    Clearing the Security Log

    When the log is full and no more events can be logged, you can clear the log manually. Clearing the log erases all events permanently. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.

    To manually clear the security log, complete the following steps:

    1. Open the Event Viewer console.

    2. Right-click Security in the console tree, and then click Clear All Events.

    3. In the Event Viewer message box, do one of the following:
       - Click Yes to archive the log before clearing.
       - Click No to permanently discard the current event records and start recording new events.

    4. If you clicked Yes, in the Save As dialog box, in the File Name list, type a name for the log file to be archived.

    5. In the Save As Type list, click a file format, and then click Save.

    Archiving the Security Log

    Archiving security logs allows you to maintain a history of security-related events. Many organizations have policies on keeping archive logs for a specified period to track security-related information over time. When you archive a log, the entire log is saved, regardless of filtering options.

    To archive a security log, complete the following steps:

    1. Open the Event Viewer console.

    2. Right-click Security in the console tree, and then click Save Log File As.

    3. In the Save As dialog box, in the File Name list, type a name for the log file to be archived.

    4. In the Save As Type list, click a file format, and then click Save.

    If you archive a log in log-file format, you can reopen it in the Event Viewer console. Logs saved as event log files (*.evt) retain the binary data for each event recorded. If you archive a log in text or comma-delimited format (*.txt and *.csv, respectively), you can reopen the log in other programs such as word-processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data and cannot be reopened in the Event Viewer console.

    To view an archived security log, complete the following steps:

    1. Open the Event Viewer console.

    2. Right-click the security log in the console tree, and then click Open Log File.

    3. In the Open dialog box, click the file you want to open. You might need to search for the drive or folder that contains the document.

    4. In the Log Type list, select Security for the type of log to be opened.

    5. In the Display Name box, type the name of the file as you want it to appear in the console tree, and then click Open.

    To remove an archived log file from your system, delete the file in Windows Explorer.
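    The log size and overwrite settings, the archive-before-clear sequence, and the remote case from the sections above, expressed with the Windows PowerShell classic event log cmdlets as an added example; this is not the lesson's own method, which is the Event Viewer console. It assumes an elevated prompt, a C:\Logs folder that it creates, and SERVER01 as a placeholder remote name.

```powershell
# Added example (Windows PowerShell, classic event log cmdlets); not from the lesson, which
# uses the Event Viewer GUI. Run elevated; SERVER01 is a placeholder name.

# Exercise 2 equivalent: maximum size 2048 KB, overwrite the oldest events as needed.
# MaximumSize must be a multiple of 64 KB, within the same 64 KB to 4 GB range as the General tab.
Limit-EventLog -LogName Security -MaximumSize 2048KB -OverflowAction OverwriteAsNeeded

# The other two options the lesson describes: keep events for a fixed retention period,
# or never overwrite (logging stops when the log is full, so pair it with scheduled archiving).
# Limit-EventLog -LogName Security -OverflowAction OverwriteOlder -RetentionDays 30
# Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite

# Verify the setting and watch for a log that is close to full. Logging stops when the log
# cannot overwrite itself, and the resulting error lands in the Application log, not here.
$sec = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
$sec | Select-Object Log, MaximumKilobytes, MinimumRetentionDays, OverflowAction,
    @{ n = 'Entries'; e = { $_.Entries.Count } }

# Exercise 3 equivalent, part 1: archive before clearing. Export-Csv matches the
# "Save As Type: CSV" choice: it keeps the text fields but, as the lesson notes, not the
# binary data, and the file cannot be reopened in Event Viewer (save as .evt from the GUI for that).
$archive = "C:\Logs\Security-$(Get-Date -Format yyyyMMdd-HHmm).csv"
New-Item -ItemType Directory -Path (Split-Path $archive) -Force | Out-Null
Get-EventLog -LogName Security |
    Select-Object TimeGenerated, EntryType, Source, Category, EventID, UserName, MachineName, Message |
    Export-Csv -Path $archive -NoTypeInformation -Encoding UTF8

# Part 2: clear the live log only once the archive exists (-Confirm prompts, as Event Viewer does).
if (Test-Path $archive) { Clear-EventLog -LogName Security -Confirm }

# The same size setting on a remote server, as in "Viewing the Security Log on a Remote Computer".
Limit-EventLog -ComputerName 'SERVER01' -LogName Security -MaximumSize 2048KB -OverflowAction OverwriteAsNeeded
```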

    Exercise 1: Viewing and Filtering the Security Log

    In this exercise, you view the security log for your computer. Then, you filter the log to display only specific events.

    To view and filter the security log

    1. Use the procedure provided earlier in this lesson to view the security log. As you scroll through the log, double-click a couple of events to view a description.

    2. Use the procedure provided earlier in this lesson to filter all event types to display those with the Event ID of 576.

    3. Use the procedure provided earlier in this lesson to remove the security log filter.

    Exercise 2: Configuring the Security Log

    In this exercise, you configure the Event Viewer console to overwrite events when the security log gets full.

    To configure the security log

    Use the procedure provided earlier in this lesson to configure the security log size.

    Change the maximum log size to 2048 KB and overwrite older events with new events as necessary.

    Exercise 3: Clearing and Archiving the Security Log

    In this exercise, you clear the security log, archive a security log, and view the archived security log.

    To clear and archive the security log

    1. Use the procedure provided earlier in this lesson to clear and archive the security log. Save the log in a file named Archive.evt.

    2. Use the procedure provided earlier in this lesson to view the archived security log file named Archive.evt.

    Lesson Review

    The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.

    1. What information is logged in the security log?

    ____________________________________________________________

    ____________________________________________________________

    2. What is the default size of the security log?

    ____________________________________________________________

    ____________________________________________________________

    3. In which of the following file formats can you archive a security log? Choose three.

       a. .txt
       b. .doc
       c. .rtf
       d. .bmp
       e. .evt
       f. .csv
       g. .crv

    4. In which of the following archived file formats can you reopen the file in the Event Viewer console?

       a. .txt
       b. .doc
       c. .rtf
       d. .bmp
       e. .evt
       f. .csv
       g. .crv

    5. You filtered a security log to display only the events with Event ID 576. Then you archived this log. What information is saved?

       a. The entire log is saved
       b. The filtered log is saved
       c. The entire log and the filtered log are each saved separately
       d. No log is saved