Windows NT Event Log Description
Author: NtWak0
Translation and editing: 补天 - 樱
Summary
The following is a good, in-depth article on the Windows NT event log. The logs are normally managed with Event Viewer or with a third-party tool.
The article also covers a small issue: when an account is locked out, the lockout record written to the Security log includes the account's SID.
Details
Log types:
There are three kinds of NT event logs:
System log
Tracks a wide variety of system events, such as events recorded during system startup and events from hardware and device controllers.
Application log
Tracks events associated with applications, such as errors generated by an application or the failure to load a DLL (Dynamic Link Library).
Security log
Tracks events such as logon and logoff, network logons, changes to access rights, and system startup and shutdown. Note: security logging is turned off by default.
Log location and how to enable auditing
The NT log files are located at:
%SystemRoot%\System32\Config\SYSEVENT.EVT
%SystemRoot%\System32\Config\SECEVENT.EVT
%SystemRoot%\System32\Config\APPEVENT.EVT
By default NT does not log security events; you have to enable auditing manually, as follows:
1 - From the Start menu choose Programs, then Administrative Tools, then User Manager. The User Manager window appears.
2 - From the User Manager menu click Policies, then Audit. The Audit Policy window appears.
3 - Select the "Audit These Events" radio button.
4 - Select the event categories you want to audit, click OK, then close User Manager.
Auditing special privileges:
Some privileges are not audited by default, even when auditing of privilege use has been enabled. This is deliberate, to keep the audit log from growing out of control.
The privileges concerned are:
1 - Bypass traverse checking (Everyone): granted to everyone, so auditing it is meaningless.
2 - Debug programs (Administrators): not used on a production system; it can be removed from the Administrators group (or the group can be denied it).
3 - Create a token object (no one): granted to nobody.
4 - Replace a process-level token (no one): granted to nobody.
5 - Generate security audits (no one): granted to nobody.
6 - Back up files and directories (Administrators, Backup Operators): used during normal system operation.
7 - Restore files and directories (Administrators, Backup Operators): used during normal system operation.
To enable auditing of these special privileges, add the following value to the registry:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_BINARY
Value: 1
Or create a text file called Audit.reg and paste the following into it:
-------------------------------------------------- --------- [Snip here] ------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FullPrivilegeAuditing"=hex:01

-------------------------------------------------- --------- [Snip here] ------
(The blank line after REGEDIT4 and the blank line at the end of the file are required.)
To merge the .reg file into the registry, double-click it, or open a command prompt and run: regedit /s Audit.reg
This merges the file's contents into the system registry.
Auditing base objects
Setting this registry value tells the system to create base (kernel) objects with a default system audit control list (SACL).
Administrators still need to enable the "Object Access" audit category in User Manager for anything to be recorded.
To enable auditing of base objects, add the following value to the registry:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Lsa
Name: AuditBaseObjects
Type: REG_DWORD
Value: 1
Or create a file called AuditObj.reg and paste the following into it:
-------------------------------------------------- --------- [Snip here] ------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"AuditBaseObjects"=dword:00000001

-------------------------------------------------- --------- [Snip here] ------
(Again, the blank line after REGEDIT4 and the trailing blank line are required.)
To merge the .reg file into the registry, double-click it, or open a command prompt and run: regedit /s AuditObj.reg
This merges the file's contents into the system registry.
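The two registry switches above can also be set and verified from PowerShell instead of a .reg file. The following is an added example, not code from the original article: it uses the key path, value names and value types the article gives (REG_BINARY for FullPrivilegeAuditing, REG_DWORD for AuditBaseObjects). The auditpol lines are an assumption added here as the modern equivalent of the User Manager categories the article says must also be on ("Privilege Use" for the special privileges, "Object Access" for base objects); LSA reads these values at startup, so a restart is needed before they take effect.

```powershell
# Added example (not from the original article): set and read back the two LSA
# audit switches described above. Run from an elevated prompt; reboot afterwards.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# FullPrivilegeAuditing is a single binary byte: 01 = on, 00 = off.
Set-ItemProperty -Path $lsa -Name 'FullPrivilegeAuditing' -Value ([byte[]]@(1)) -Type Binary

# AuditBaseObjects is a DWORD: 1 = on, 0 = off.
Set-ItemProperty -Path $lsa -Name 'AuditBaseObjects' -Value 1 -Type DWord

# Read both back. The binary value comes back as a byte array, so take its first byte.
$props = Get-ItemProperty -Path $lsa -Name 'FullPrivilegeAuditing', 'AuditBaseObjects'
$fpaOn = (@($props.FullPrivilegeAuditing)[0] -eq 1)
$aboOn = ($props.AuditBaseObjects -eq 1)
"FullPrivilegeAuditing : $(if ($fpaOn) { 'enabled' } else { 'disabled' })"
"AuditBaseObjects      : $(if ($aboOn) { 'enabled' } else { 'disabled' })"

# Assumption (not in the article): on Windows Vista and later the audit categories
# that User Manager controlled on NT 4 are set with auditpol. Neither registry value
# produces any records unless the corresponding category is enabled.
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
```

Enabling "Kernel Object" auditing is noisy on a busy system, which is the very reason the article says base-object auditing is off by default; turn it on for a bounded investigation rather than permanently.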
Example:
What do you see once security auditing is enabled?
In this example, a failed network logon produced the following record in the Security log:
Logon Failure:
Reason: Unknown user name or bad password
User Name: WAKING
Domain: WAK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\Braincell
Clearing the NT log:
To clear a log, switch to the log you want to clear and click "Clear All Events" on the Log menu. A message box asks whether you want to archive the current events first.
If you answer Yes, the "Save As" dialog appears; enter the file name and directory for the archive. Whether you answer Yes or No, Event Viewer then clears the current log,
and only new events appear in it from then on.
Note: when you clear the Security log, an event recording that fact is written to the Security log.
So even after clearing the log you will still see the following entry in it:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: WAKING
Client Domain: Braincell
Client Logon ID: (0x0,0x2581)
This entry shows that you cleared the Security log. If you want to remove the log completely, follow these steps:
1 - Open Services in Control Panel.
2 - Find the EventLog service and click the Startup button.
3 - Set the startup type to Manual or Disabled.
4 - Restart NT.
5 - Go to %SystemRoot%\System32\Config and delete SECEVENT.EVT.
After the restart the Event Log service is not running, so the log file you want to remove can be deleted.
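From the defender's side, both procedures above leave traces worth checking: clearing the Security log through Event Viewer writes the "audit log was cleared" record the article shows, and deleting SECEVENT.EVT while the service is down leaves a Security log whose oldest record is suspiciously recent with no clearing event to explain it. The following is an added example, not code from the original article. Assumptions not in the article: event ID 1102 is the Windows Vista and later "The audit log was cleared" record (NT 4, 2000 and 2003 logged it as event 517), and Get-WinEvent and Get-CimInstance stand in for Event Viewer and the Services control panel.

```powershell
# Added example (not from the original article): find who cleared the Security log,
# and check whether the Event Log service has been disabled or the log file replaced.

function Get-SecurityLogClearEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 1102; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Event 1102 stores its fields under UserData/LogFileCleared, not EventData.
        $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Computer  = $_.MachineName
            ClearedBy = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
            Sid       = $u.SubjectUserSid
            LogonId   = $u.SubjectLogonId
        }
    }
}

function Test-EventLogService {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The article's procedure sets the service to Manual or Disabled; Auto is the norm.
    $svc = Get-CimInstance -ComputerName $ComputerName -ClassName Win32_Service -Filter "Name='EventLog'"
    # Oldest surviving Security record. A recent one with no 1102 record to explain it
    # suggests the .evt/.evtx file was removed while the service was down.
    $oldest = Get-WinEvent -ComputerName $ComputerName -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $ComputerName
        ServiceState   = $svc.State
        ServiceStartUp = $svc.StartMode
        OldestSecurity = $oldest.TimeCreated
        Healthy        = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    }
}

# Usage against the local machine; pass -ComputerName for a remote one.
Test-EventLogService | Format-List
Get-SecurityLogClearEvents | Format-Table -AutoSize
```

Both functions need the right to read the remote Security log, which is the same "Manage auditing and security log" right an attacker would need to read it, so forward the Security log to a separate collector if you want the clearing record to survive the clearing.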
Tools for managing NT logs:
Dumpel.exe from the NT Resource Kit
NTLast
NTLast is a tool for serious system security and IIS administration. Regularly reviewing your NT event logs is essential to your network, because a break-in can lead to serious downtime.
Use NTLast to identify and track anyone who has gained access to the system, and to document the details. The tool quickly reports the status of IIS users and filters web server logons from console logons.
EventReader
EventReader (TM) is an administration tool that lets network administrators analyze and manage event logs. The program collects event logs from the Windows NT machines on a network
and stores the information in one or more ODBC-compatible databases (Microsoft SQL Server or Microsoft Access). You can choose which computers to collect from, set a collection schedule, collect the data, and back up event log settings.
The installation package includes a sample Microsoft Access database with many queries and reports for analyzing event logs effectively.
Event Archiver Enterprise
Event Archiver Enterprise is one of the easiest to use event management products on the market, and its flexibility exceeds that of similar products.
The vendor describes it as a "set once, run forever" application that saves your organization considerable time and money.
Measured against the average hourly cost of a Windows NT/2000 administrator, configuring Event Archiver Enterprise greatly reduces your company's overall cost.
Once Event Archiver is installed, administrators can start analyzing event log entries without the tedious, recurring work of saving and storing the logs by hand.
EventReporter Version 4.0
Version 4.0 provides several important enhancements, improved documentation, and an improved website, for example message notification through an email client
and a graphical interface for filtering events by severity code (for example error or warning).
Remote Viewers - Event Log Monitor
Remote Viewer for Windows PC runs on Microsoft Windows 95, Windows 98 and Windows NT
and lets you query and display the event log information received by the console. Real-time alerts selected by the user are received from the remote console and can be displayed immediately.
It provides remote management of processes, services, and device drivers,
as well as remote querying, editing, user-defined notes, information lookup, and various forms of remote command.
SID security issue:
Many administrators know about NT SIDs and the SID2USER tool (and its companion USER2SID) for translating between a user and the user's SID. Here is another way to obtain a user's SID.
Assume the following is true:
1 - The NT event log can be viewed remotely (with an account that holds the right to read it).
2 - Auditing is enabled.
3 - Your account lockout policy locks an account once failed logons reach a specified count. Here is how to make NT give up the SID:
Try to log on to the remote server using an existing account name (with a wrong password). The server rejects the logon, and a record like this is written to the event log:
Logon Failure:
Reason: Unknown user name or bad password
User Name: WAKING
Domain: WAK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\Braincell
If your policy locks the account once failed logons reach the specified count,
you will then see the following entry in your log:
User Account Locked Out:
Target Account Name: WAKING
Target Account ID: S-1-5-21-431509504-1754822488-11247502488-1124750213-500
Caller Machine Name: \\Braincell
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)
So if you now connect to the remote computer's event log with Event Viewer, you will see the target account's SID in the log:
S-1-5-21-431509504-1754822488-11247502488-1124750213-500
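Two practical points about the disclosure above. First, the RID at the end of the SID (500) identifies the built-in Administrator account whatever it has been renamed to, and the S-1-5-21-... prefix identifies the domain or machine, which is exactly what SID-to-name enumeration tools need. Second, the SID as printed in the article is not well-formed: a domain account SID has the shape S-1-5-21-A-B-C-RID with three 32-bit sub-authorities before the RID, whereas the printed value has four and one of them (11247502488) exceeds 2^32-1, so it appears to have been damaged in transcription. The following is an added example, not code from the original article: it pulls lockout records and extracts the fields the article shows, and validates each SID with the .NET parser. Assumptions not in the article: event ID 4740 is the Windows Vista and later "A user account was locked out" record (NT 4, 2000 and 2003 used 644), and the first two sample SIDs are constructed. Reading the Security log, locally or remotely, requires the "Manage auditing and security log" right, which Administrators hold by default; that bounds who can collect SIDs this way.

```powershell
# Added example (not from the original article): what an account lockout record gives
# away, and a check for whether the SID it carries is even well-formed.

function Test-AccountSid {
    param([Parameter(Mandatory)][string]$Sid)
    $result = [ordered]@{ Sid = $Sid; WellFormed = $false; DomainSid = $null; Rid = $null; BuiltInAdministrator = $false }
    try {
        # The .NET parser rejects a wrong number of fields and sub-authorities above 2^32-1.
        $obj = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $result.WellFormed = $true
        if ($obj.AccountDomainSid) {
            $result.DomainSid = $obj.AccountDomainSid.Value
            $result.Rid = [uint32]($Sid -replace '^.*-', '')
            # RID 500 is the built-in Administrator account even if it has been renamed.
            $result.BuiltInAdministrator = $obj.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)
        }
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Get-LockoutDisclosures {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $sid = Test-AccountSid -Sid $data['TargetSid']
        [pscustomobject]@{
            Time           = $_.TimeCreated
            TargetAccount  = $data['TargetUserName']
            TargetSid      = $data['TargetSid']
            DomainSid      = $sid.DomainSid
            Rid            = $sid.Rid
            BuiltInAdmin   = $sid.BuiltInAdministrator
            CallerComputer = $data['TargetDomainName']   # in event 4740 this field carries the caller machine name
        }
    }
}

# Offline demonstration: two constructed SIDs plus the value printed in the article.
$samples = @(
    'S-1-5-21-431509504-1754822488-1124750213-500',             # constructed: well-formed, RID 500
    'S-1-5-21-431509504-1754822488-1124750213-1001',            # constructed: well-formed, ordinary user RID
    'S-1-5-21-431509504-1754822488-11247502488-1124750213-500'  # as printed in the article: rejected
)
$samples | ForEach-Object { Test-AccountSid -Sid $_ } |
    Format-Table Sid, WellFormed, DomainSid, Rid, BuiltInAdministrator -AutoSize

# Live query against the local Security log; pass -ComputerName for a remote machine.
Get-LockoutDisclosures | Format-Table -AutoSize
```

The first sample reports WellFormed true and BuiltInAdministrator true; the second reports WellFormed true, RID 1001 and BuiltInAdministrator false; the article's value reports WellFormed false with the parser's error text. Seeing many lockouts of RID 500 from one caller machine is the pattern this article's technique produces when used deliberately.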
For more articles like this one, visit
http://www.patching.net