Windows Server 2003 Logs
Server 2003 logs. By default, there are three logs available to view in the Event Viewer console. These logs are described in Table 13-7.
Table 13-7. Logs Maintained by Windows Server 2003

Log          Description
Application  Contains errors, warnings, or information that programs, such as a database program or an e-mail program, generate. The program developer presets the events to record.
Security     Contains information about the success or failure of audited events. The events that Windows Server 2003 records are a result of your audit policy.
System       Contains errors, warnings, and information that Windows Server 2003 generates. Windows Server 2003 presets the events to record.

Application and system logs can be viewed by all users. The security log is accessible only to system administrators.

Viewing the Security Log

The security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts. Review the security log frequently. Set a schedule and regularly review the security log because configuring auditing alone does not alert you to security breaches. To view the security log, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Event Viewer.
2. In the console tree, select Security. In the details pane, the Event Viewer console displays a list of log entries and summary information for each item, as shown in Figure 13-12.
Figure 13-12. Event Viewer console displaying a sample security log
3. To view the properties for any event, double-click the event. The properties for a logon/logoff event are shown in Figure 13-13.
Figure 13-13. The Event Properties dialog box showing properties for a logon/logoff event
Windows Server 2003 records events in the security log on the computer at which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred. To view the security log on a remote computer, complete the following steps:

1. Ensure that security auditing has been enabled on the remote machine.
2. Click Start, point to Administrative Tools, and then click Event Viewer.
3. Right-click the Event Viewer (Local) node and select Connect To Another Computer.
4. In the Select Computer dialog box, click Another Computer and type the network name, IP address, or DNS address of the computer for which you want to display a security log. You can also browse for the computer name.
5. Click OK.
Finding Events in the Security Log

When you first start the Event Viewer console, it automatically displays all events that are recorded in the security log. You can search for specific events in the security log by using the Find option. To find events in the security log, complete the following steps:

1. Start Event Viewer, view the security log, and then click Find on the View menu.
2. In the Find In dialog box for the security log, shown in Figure 13-14, indicate your choices of the available search criteria:
   - Select the types of events you want to locate in the Event Types area.
   - Select the software or component driver that logged the event in the Event Source list.
   - Select the event category in the Category list.
   - Indicate the event number that identifies the event in the Event ID box.
   - Indicate the user logon name in the User box.
   - Indicate the computer name in the Computer box.
   - Indicate the description of the event in the Description box.
   - Select the direction in which to search the log (up or down) in the Search Direction area.
Figure 13-14. The Find In dialog box
3. Click Find Next. If an event matching the criteria you specified is found, it is highlighted in the security log.
4. Click Find Next to find the next matching event, or click Close to end your search.

Filtering Events in the Security Log

To display only specific events that appear in the security log (for example, attempts to write to a text file without the necessary permissions), you can narrow down the events to display by using the Filter option. To filter events in the security log, complete the following steps:

1. Start the Event Viewer console, view the security log, and then click Filter on the View menu.
2. In the Filter tab in the Security Properties dialog box, shown in Figure 13-15, indicate your choices of the available filtering criteria.
Figure 13-15. The Filter tab of the Security Properties dialog box
   - Select the types of events you want to display in the Event Types area.
   - Select the software or component driver that logged the event in the Event Source list.
   - Select the event category in the Category list.
   - Indicate the event number that identifies the event in the Event ID box.
   - Indicate the user logon name in the User box.
   - Indicate the computer name in the Computer box.
   - Indicate the beginning of the range of events that you want to filter in the From list. Select First Event to see events starting with the first event in the log. Select Events On to see events that occurred starting at a specific time and date.
   - Indicate the end of the range of events that you want to filter in the To list. Select Last Event to see events ending with the last event in the log. Select Events On to see events that occurred up to a specific time and date.
3. Click OK. The events you selected for your filtered display appear in the security log.
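The Find and Filter procedures above apply the same criteria (event type, source, category, event ID, user, computer, date range, description text, search direction) to the entries of the security log. The following Python script is an added example, not part of the original lesson, that applies those criteria offline to a security log exported in comma-delimited format, which is how the archived .csv form would be reviewed outside the Event Viewer console. The column layout of the export, the computer and account names, and every record in SAMPLE_EXPORT are constructed for this example; a real export's header row should be checked before reusing the parser.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a security log exported in comma-delimited (.csv) format.
# The column layout is an assumption for this example; check the header of a real
# export before reusing parse_export(). Descriptions are shortened to one line.
SAMPLE_EXPORT = """\
Date,Time,Type,User,Computer,Source,Category,Event,Description
3/12/2005,9:01:12 AM,Success Audit,NT AUTHORITY\\SYSTEM,SERVER01,Security,Logon/Logoff,576,Special privileges assigned to new logon.
3/12/2005,9:01:13 AM,Success Audit,CONTOSO\\Administrator,SERVER01,Security,Logon/Logoff,528,Successful Logon.
3/12/2005,9:15:40 AM,Failure Audit,CONTOSO\\User01,SERVER01,Security,Logon/Logoff,529,Logon Failure: Unknown user name or bad password.
3/12/2005,10:02:05 AM,Failure Audit,CONTOSO\\User01,SERVER01,Security,Object Access,560,Object Open: Notes.txt.
3/13/2005,8:30:00 AM,Success Audit,CONTOSO\\Administrator,SERVER01,Security,Logon/Logoff,576,Special privileges assigned to new logon.
3/13/2005,8:30:01 AM,Success Audit,NT AUTHORITY\\SYSTEM,SERVER01,Security,Policy Change,612,Audit Policy Change.
"""


def parse_export(text):
    """Parse the exported log into a list of dicts, one per entry, in display order."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            # Date and Time columns are combined into one timestamp for range filtering.
            "when": datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p"),
            "type": row["Type"],
            "user": row["User"],
            "computer": row["Computer"],
            "source": row["Source"],
            "category": row["Category"],
            "event_id": int(row["Event"]),
            "description": row["Description"],
        })
    return events


def filter_events(events, event_types=None, source=None, category=None, event_id=None,
                  user=None, computer=None, start=None, end=None):
    """Mirror the Filter tab: every criterion that is given must match; None means 'any'.
    start/end correspond to the From and To lists (Events On); leaving them None is
    First Event / Last Event."""
    def keep(e):
        return ((event_types is None or e["type"] in event_types)
                and (source is None or e["source"] == source)
                and (category is None or e["category"] == category)
                and (event_id is None or e["event_id"] == event_id)
                and (user is None or e["user"].lower() == user.lower())
                and (computer is None or e["computer"].lower() == computer.lower())
                and (start is None or e["when"] >= start)
                and (end is None or e["when"] <= end))
    return [e for e in events if keep(e)]


def find_next(events, position, direction="down", description=None, **criteria):
    """Mirror Find Next: starting from the entry after (down) or before (up) `position`,
    return the index of the first entry matching the criteria, or None. The Description
    box is a case-insensitive substring match; the other criteria are exact, as in Filter."""
    step = 1 if direction == "down" else -1
    i = position + step
    while 0 <= i < len(events):
        e = events[i]
        if filter_events([e], **criteria) and (
                description is None or description.lower() in e["description"].lower()):
            return i
        i += step
    return None


if __name__ == "__main__":
    log = parse_export(SAMPLE_EXPORT)
    # The lesson's exercise: show only events with Event ID 576.
    for e in filter_events(log, event_id=576):
        print(e["when"], e["user"], e["description"])
    # Walk the log like repeated Find Next clicks.
    pos = -1
    while (pos := find_next(log, pos, "down", description="special privileges")) is not None:
        print("match at entry", pos)
```

The filter treats account and computer names case-insensitively because the Event Viewer dialogs do; start with `position=-1` to search from the top of the displayed list, or `len(events)` with direction "up" to search from the bottom.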
To remove a security log filter, complete the following steps:

1. Start the Event Viewer console, view the security log, and then click Filter on the View menu.
2. In the Filter tab in the Security Properties dialog box, click Restore Defaults, and then click OK.

Configuring the Security Log

Security logging begins when you set an audit policy for the domain controller or local computer. Logging stops when the security log becomes full and cannot overwrite itself, either because it has been set for manual clearing or because the first event in the log is not old enough. When security logging stops, an error might be written to the application log. You can avoid a full security log by logging only key events and by configuring the size of the security log. To configure the security log size, complete the following steps:

1. Open the Event Viewer console.
2. In the console tree, right-click Security, and then click Properties.
3. In the General tab in the Security Properties dialog box, shown in Figure 13-16, type the maximum log file size, which can be from 64 kilobytes (KB) to 4,194,240 KB (4 gigabytes). The default size is 512 KB.
Figure 13-16. The General tab of the Security Properties dialog box
4. Under When Maximum Log File Size Is Reached, select one of the following:
   - Overwrite Events As Needed to write all new events to the log. When the log is full, each new event replaces the oldest event. Use this option with caution; it can be used to hide undesirable events.
   - Overwrite Events Older Than X Days and specify for X the number of days (1 to 365) an event is to be retained before it is overwritten. New events are not added if the maximum log size is reached and there are no events older than this period.
   - Do Not Overwrite Events (Clear Log Manually) to specify that existing events are retained when the log is full. If the maximum log size is reached, new events are discarded. This option requires you to manually clear the log.
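The three overflow settings decide what happens to a new event once the log has reached its maximum size, and two of them can silently stop logging. The following Python model is an added example, not part of the original lesson or of Windows itself: it represents the security log as a bounded list of fixed-size records and applies each setting exactly as described above, so the point at which "new events are not added" becomes visible. The 300-byte log, the 100-byte record size, the timestamps and the event ID are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Overflow(Enum):
    """The three choices under 'When Maximum Log File Size Is Reached'."""
    OVERWRITE_AS_NEEDED = "Overwrite Events As Needed"
    OVERWRITE_OLDER_THAN = "Overwrite Events Older Than X Days"
    DO_NOT_OVERWRITE = "Do Not Overwrite Events (Clear Log Manually)"


@dataclass
class Event:
    event_id: int
    when: datetime
    size: int = 100  # bytes; a constructed, fixed record size for the model


@dataclass
class SecurityLog:
    max_size: int                 # bytes, like the General tab's maximum log file size
    overflow: Overflow
    retention_days: int = 7       # the X in 'Overwrite Events Older Than X Days'
    events: list = field(default_factory=list)  # oldest entry first
    discarded: int = 0            # count of new events that could not be written
    stopped: bool = False         # True while logging has stopped (last write was discarded)

    def used(self) -> int:
        return sum(e.size for e in self.events)

    def _make_room(self, needed: int, now: datetime) -> bool:
        """Evict the oldest events as the overflow policy allows; False if the log stays full."""
        while self.events and self.used() + needed > self.max_size:
            oldest = self.events[0]
            old_enough = now - oldest.when > timedelta(days=self.retention_days)
            if self.overflow is Overflow.OVERWRITE_AS_NEEDED:
                self.events.pop(0)          # each new event replaces the oldest one
            elif self.overflow is Overflow.OVERWRITE_OLDER_THAN and old_enough:
                self.events.pop(0)          # only events past the retention period may go
            else:
                return False                # nothing may be overwritten: logging stops
        return True

    def write(self, event: Event, now=None) -> bool:
        """Record an event; returns False when the policy forces it to be discarded."""
        if event.size > self.max_size:
            raise ValueError("event is larger than the whole log")
        now = now or event.when
        if not self._make_room(event.size, now):
            self.discarded += 1
            self.stopped = True
            return False
        self.events.append(event)
        self.stopped = False
        return True

    def clear(self) -> list:
        """Clear All Events: hand back the records (for archiving) and empty the log."""
        archived, self.events = self.events, []
        self.stopped = False
        return archived


BASE = datetime(2005, 3, 12, 9, 0, 0)   # constructed start time for the scenario


def day(n: int) -> datetime:
    """Timestamp n days after BASE."""
    return BASE + timedelta(days=n)


def run_scenario(policy: Overflow, retention_days: int = 7) -> dict:
    """Write four 100-byte events on consecutive days into a 300-byte log and report the outcome."""
    log = SecurityLog(max_size=300, overflow=policy, retention_days=retention_days)
    written = [log.write(Event(576, day(n))) for n in range(4)]
    return {"written": written, "retained": [e.when for e in log.events],
            "discarded": log.discarded, "stopped": log.stopped}


if __name__ == "__main__":
    for policy in Overflow:
        print(policy.value, run_scenario(policy))
```

With the default retention of 7 days the fourth event is refused under both Overwrite Events Older Than X Days and Do Not Overwrite Events, because the oldest record is only three days old; lowering `retention_days` to 2 on the same log lets the next write succeed, which is the "reducing the amount of time you keep an event also frees the log" behaviour described under Clearing the Security Log.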
Clearing the Security Log

When the log is full and no more events can be logged, you can clear the log manually. Clearing the log erases all events permanently. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.
To manually clear the security log, complete the following steps:

1. Open the Event Viewer console.
2. Right-click Security in the console tree, and then click Clear All Events.
3. In the Event Viewer message box:
   - Click Yes to archive the log before clearing.
   - Click No to permanently discard the current event records and start recording new events.
4. If you clicked Yes, in the Save As dialog box, in the File Name list, type a name for the log file to be archived.
5. In the Save As Type list, click a file format, and then click Save.

Archiving the Security Log

Archiving security logs allows you to maintain a history of security-related events. Many organizations have policies on keeping archive logs for a specified period to track security-related information over time. When you archive a log, the entire log is saved, regardless of filtering options. To archive a security log, complete the following steps:

1. Open the Event Viewer console.
2. Right-click Security in the console tree, and then click Save Log File As.
3. In the Save As dialog box, in the File Name list, type a name for the log file to be archived.
4. In the Save As Type list, click a file format, and then click Save.
If you archive a log in log-file format, you can reopen it in the Event Viewer console. Logs saved as event log files (*.evt) retain the binary data for each event recorded. If you archive a log in text or comma-delimited format (*.txt and *.csv, respectively), you can reopen the log in other programs such as word-processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data and cannot be reopened in the Event Viewer console. To view an archived security log, complete the following steps:
1. Open the Event Viewer console.
2. Right-click the security log in the console tree, and then click Open Log File.
3. In the Open dialog box, click the file you want to open. You might need to search for the drive or folder that contains the document.
4. In the Log Type list, select Security for the type of log to be opened.
5. In the Display Name box, type the name of the file as you want it to appear in the console tree, and then click Open.
To remove an archived log file from your system, delete the file in Windows Explorer.
In this exercise, you view the security log for your computer. Then, you filter the log to display only specific events.

To view and filter the security log

1. Use the procedure provided earlier in this lesson to view the security log. As you scroll through the log, double-click a couple of events to view a description.
2. Use the procedure provided earlier in this lesson to filter all event types to display those with the Event ID of 576.
3. Use the procedure provided earlier in this lesson to remove the security log filter.
In this exercise, you configure the Event Viewer console to overwrite events when the security log gets full.
In this exercise, you clear the security log, archive a security log, and view the archived security log.

To clear and archive the security log

1. Use the procedure provided earlier in this lesson to clear and archive the security log. Save the log in a file named Archive.evt.
2. Use the procedure provided earlier in this lesson to view the archived security log file named Archive.evt.
Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.

1. What information is logged in the security log?
   ____________________________________________________________

2. What is the default size of the security log?
   ____________________________________________________________

3. In which of the following file formats can you archive a security log? Choose three.
   a. .txt
   b. .doc
   c. .rtf
   d. .bmp
   e. .evt
   f. .csv
   g. .crv

4. In which of the following archived file formats can you reopen the file in the Event Viewer console?
   a. .txt
   b. .doc
   c. .rtf
   d. .bmp
   e. .evt
   f. .csv
   g. .crv

5. You filtered a security log to display only the events with Event ID 576. Then you archived this log. What information is saved?
   a. The entire log is saved
   b. The filtered log is saved
   c. The entire log and the filtered log are each saved separately
   d. No log is saved