You use Event Viewer to perform a variety of tasks, including viewing the audit logs that are generated as a result of setting the audit policy and auditing events. You can also use Event Viewer to view the contents of security log files and find specific events within log files.
You use Event Viewer to view information contained in Windows XP Professional logs. By default, Event Viewer has three logs available to view, as described in Table 12.4.
Table 12.4 Logs Maintained by Windows XP Professional
The security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts. You can view the security log by performing the following steps:
In the details pane, Event Viewer displays a list of log entries and summary information for each item, as shown in Figure 12.5.
Successful events are marked with a key icon and unsuccessful events are marked with a lock icon. Other important information includes the date and time that the event occurred, the category of the event, and the user who generated the event.
The category indicates the type of event, such as object access, account management, directory service access, or logon events.
Windows XP Professional records events in the security log on the computer on which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred. To view the security log on a remote computer, open the MMC console and point Event Viewer to a remote computer.
When you first start Event Viewer, it automatically displays all events that are recorded in the selected log. To change what appears in the log, you can locate selected events using the Filter command. You can also search for specific events using the Find command.
To filter or find events, start Event Viewer, and then on the View menu, click Filter or Find. The options provided by Filter and Find are almost identical. Figure 12.6 shows the options available in the Filter tab.
Table 12.5 describes the options for using the Filter tab to filter events and the Find command to find events.
Table 12.5 Options for Filtering and Finding Events

Option | Description
---|---
Event Types | The types of events to view.
Event Source | The software or component driver that logged the event.
Category | The type of event, such as a logon or logoff attempt or a system event.
Event ID | An event number to identify the event. This number helps product support representatives track events.
User | A user logon name.
Computer | A computer name.
From and To | The date ranges for which to view events (Filter tab only).
Restore Defaults | Clears any changes in this tab and restores all defaults.
Description | The text that is in the description of the event (Find dialog box only).
Search Direction | The direction (up or down) in which to search the log (Find dialog box only).
Find Next | Finds and displays the next occurrence defined by the Find settings.
You can track trends in Windows XP Professional by archiving event logs and comparing logs from different periods. Viewing trends helps you determine resource use and plan for growth. You can also use logs to determine if a pattern of unauthorized resource use is a concern. Windows XP Professional allows you to control the size of the logs and to specify the action that it takes when a log becomes full.
You can configure the properties of each individual audit log. To configure the settings for logs, select the log in Event Viewer, and then on the Action menu, click Properties to display the Properties dialog box for the log.
Use the Properties dialog box for each type of audit log to control the following:
Table 12.6 Options for Handling Full Audit Log Files

Option | Description
---|---
Overwrite Events As Needed | You might lose information if the log becomes full before you archive it. However, this setting requires no maintenance.
Overwrite Events Older Than X Days | You might lose information if the log becomes full before you archive it, but Windows XP Professional will only lose information that is at least X days old. Enter the number of days for this option. The default is 7 days.
Do Not Overwrite Events | This option requires you to clear the log manually. When the log becomes full, Windows XP Professional will stop, but no security log entries will be overwritten.
Archiving security logs allows you to maintain a history of security-related events. Many companies have policies on keeping archive logs for a specified period to track security-related information over time.
If you want to archive, clear, or view an archived log, select the log you want to configure in Event Viewer, click the Action menu, and then click one of the options described in Table 12.7.
Table 12.7 Options to Archive, Clear, or View a Log File

To | Do this
---|---
Archive the log | Click Save Log File As and then type a filename.
Clear the log | Click Clear All Events to clear the log. Windows XP Professional creates a security log entry stating that the log was cleared.
View an archived log | Click New Log View; add another view of the selected log.
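The log-size and overwrite settings of Table 12.6 and the archive, clear and view actions of Table 12.7 can also be applied from PowerShell; the following is an added example and not part of the training kit. Backup-SecurityLog, Get-ArchivedSecurityEvent and the C:\SecurityLogArchive folder are my own names, and PowerShell 2.0 on Windows XP SP3 run from an administrative account is assumed.

```powershell
# Added example: Security log retention, archiving and clearing from PowerShell.
# Assumes PowerShell 2.0 on Windows XP SP3 and an administrative account.

# Table 12.6, "Overwrite Events As Needed", with the 2048 KB limit used in the practice.
Limit-EventLog -LogName Security -MaximumSize 2048KB -OverflowAction OverwriteAsNeeded

# Table 12.6, "Overwrite Events Older Than X Days", at the default of 7 days:
#   Limit-EventLog -LogName Security -OverflowAction OverwriteOlder -RetentionDays 7
# Table 12.6, "Do Not Overwrite Events"; the log must then be cleared by hand:
#   Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite

# Table 12.7, "Archive the log" and "Clear the log": export the entries to a dated
# CSV file, then clear the log. Windows records its own "log was cleared" entry.
function Backup-SecurityLog {
    param([string] $ArchiveDir = 'C:\SecurityLogArchive')   # hypothetical archive folder
    if (-not (Test-Path $ArchiveDir)) {
        New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
    }
    $file = Join-Path $ArchiveDir ('Security-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
    Get-EventLog -LogName Security |
        Select-Object TimeGenerated, EntryType, Source, EventID, UserName, Message |
        Export-Csv -Path $file -NoTypeInformation
    Clear-EventLog -LogName Security
    return $file
}

# Table 12.7, "View an archived log": read the archive back and filter it the way
# the live log is filtered in Event Viewer.
function Get-ArchivedSecurityEvent {
    param([string] $Path, [string] $EntryType = 'FailureAudit')
    Import-Csv -Path $Path | Where-Object { $_.EntryType -eq $EntryType }
}

$archive = Backup-SecurityLog
Get-ArchivedSecurityEvent -Path $archive | Select-Object -First 10
```

Backup-SecurityLog clears the Security log immediately after exporting it, so confirm the CSV file is complete before relying on the cleared log being recoverable from the archive.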
In this practice, you'll plan an audit policy for your computer. Then you'll set up an audit policy by enabling auditing on certain events. You'll also set up auditing of a file and a printer. Then you'll view the security log file and configure Event Viewer to overwrite events when the log file is filled.
In this exercise, you plan an audit policy for your computer. You need to determine the following:
Use the following criteria to make your decisions:
Record your decisions to audit successful events, failed events, or both for the actions listed in the following table:
Action to audit | Successful | Failed
---|---|---
Account Logon Events | |
Account Management | |
Directory Service Access | |
Logon Events | |
Object Access | |
Policy Change | |
Privilege Use | |
Process Tracking | |
System Events | |
In this exercise, you open the MMC console, add the Group Policy snap-in pointing to the local machine, and then enable auditing for selected events.
In the Add/Remove Snap-In dialog box, notice that it says Local Computer Policy, even though you added Group Policy. Group Policy for the local computer is referred to as Local Computer Policy.
The console displays the current audit policy settings in the details pane of the Local Computer Policy window.
In this exercise, you set up auditing for a file.
Windows XP Professional displays the Everyone group in the Advanced Security Settings For dialog box.
Leave the Audit Properties dialog box open for the next procedure.
In this exercise, you set up auditing of a printer.
Windows XP Professional displays the Everyone group in the Access Control Settings For HP Color LaserJet 4500 PS dialog box.
In this exercise, you attempt to access and modify the AUDIT file to create entries in the security log for your computer.
Notepad opens and displays the blank file AUDIT.
Were you able to save the file? Why or why not?
In this exercise, you view the security log for your computer, and then you use Event Viewer to filter events and to search for potential security breaches.
Filtering reduces the number of events that you have to search through.
In this exercise, you configure Event Viewer to overwrite events when the log file gets full. Then you clear the security log and view an archived security log.
Windows XP Professional now allows the log to grow to 2048 KB and will then overwrite older events with new events as necessary.
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next chapter. The answers are in Appendix A, "Questions and Answers."