Windows NT event log description

zhaozj2021-02-08  228

Windows NT event log description

Author: NtWak0

Translation finishing: 补 天 - 樱

summary

The following is a very good, in-depth article about the Windows NT event log. The log usually manages with a audit machine or some kind of tool.

This article also contains: When a user is locked by Locked Out, the SID reported in the event log is a bit small problem.

Details

Log type:

Here are three types of NT event logs:

System log

Track a wide variety of system events, such as tracking events or hardware and controllers in the system startup.

Application log

Tracking an application associated with an application, such as an application generated by an application, a failure of the DLL (Dynamic Link Library) will appear in the log.

Security log

Tracking events such as logging in to the Internet, the next network, changing access, and the system start and shuts down. Note: The default status of the security log is closed.

Log location and startup method

The location of the NT log is:

% SystemRoot% / System32 / Config / SYSEVENT.EVT

% SystemRoot% / System32 / Config / SECEVENT.EVT

% SystemRoot% / System32 / Config / APPEVENT.EVT

Usually, NT is not a log of all incidents, you have to start the audit manually, take the steps below:

1 - Select the program from the Start menu and select the management tool. From the Administrative Tools Sub-menu, select User Manager, display the User Manager window.

2 - Click Policies from the Menu of the User Manager, and then click Audit, the audit policy window will appear.

3- Select the radio frame "Audit Theest Events" (audit these events)

4 - Select Press OK you need to start, then turn off the User Manager.

Special authority audit:

Some special permissions in the system cannot be audited by default events, even privileged audits have been started. This is a proper control of the growth of the audit log.

Special permissions have the following:

1 - Wrought the verification limit - (for everyone) is agreed to everyone, so it is meaningless to see it from the viewpoint of auditing.

2-Debug program (for administrator). It is not used in the working system and can be removed from the administrator group (or cancel).

3 - Create a symbolic object (no one), it is not allowed to do anyone.

4-Replace the process level mark (no one), it is not allowed to do anyone.

5- Generate a safety audit (no one), it is not allowed to do anyone.

6 - Backup files and directories, (Administrator Backup Operator), which is used in the normal system operation.

7- Restore files and directories, (Administrator Backup Operators), which is used in the normal system operation.

To launch an audit for these special permissions, add the following to the registry:

Hive: HKEY_LOCAL_MACHINE / SYSTEM

Key: System / CurrentControlSet / Control / LSA

Name: fullprivilegeauditing

TYPE: REG_BINARY

Value: 1

Or create a text file called Audit.REG, cut the following statement and paste into the text.

-------------------------------------------------- --------- [Snip here] ------

Regedit4

Add A Blank Line Here

[HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / CONTROL / LSA] "Fullprivilegeauditing" = HEX: 01

Add A Blank Line Here

-------------------------------------------------- --------- [Snip here] ------

To deposit .reg files into the registry, you can double-click it, or open a command line mode and enter the command regedit / s Audit.reg

This will make your file merge into the system registry.

Audit base object

The registration key of this placement indicates that the base objects should be created by the default system audit control list.

Administrators still need to use the User Manager to open the audit of the "Target Access" category.

Start the audit of the base object, add the following key in the registry

Hive: HKEY_LOCAL_MACHINE / SYSTEM

Key: / CurrentControlSet / Control / LSA

Name: AuditBaseObjects

TYPE: REG_DWORD

Value: 1

Or create a file called audit0bj.reg and cut the following content and copy it into this file.

-------------------------------------------------- --------- [Snip here] ------

Regedit4

Add A Blank Line Here

[HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / CONTROL / LSA]

"AuditBaseObjects" = dword: 00000001

Add A Blank Line Here

-------------------------------------------------- --------- [Snip here] ------

To deposit .reg files into the registry, you can double-click it, or open a command line mode and enter the command regedit / s Auditobj.reg

This will make your file merge into the system registry.

example:

What do you see when you start a security audit?

In this example, you will see the content recorded in the event log after the login Internet failed:

Logon Failure:

Reason: Unknown User Name OR Bad Password

User name: WAKING

Domain: WAK0

Logon Type: 3

Logon Process: ksecdd

Authentication package: microsoft_authentication_package_v1_0

Workstation Name: // Braincell

Clear the NT log:

To clear a log, switch to the log you want to clear, click "Clear all events" in the log menu, one message will pop up asking you if you want to archive the current event,

If you answer Yes, the "Save AS" dialog box will appear, enter the file name and directory you want to archive. Whether you answer or no, an event reader clears the current log.

Then only the new event will appear in the log.

Note: When you delete a security log, an event will appear in the security log.

Even if you clear the log, you will still see the following entry in the log:

The Audit Log Was Clead

Primary user name: System User Name: SYSTEM

PRIMARY DOMAIN: NT AUTHORITY

Primary logon ID: (0x0,0x3e7)

Client User Name: WAKING

Client Domain: BraincellClient Logon ID: (0x0,0x2581)

These entries say you clear the safety event log. Now if you want to complete the log, you can follow these steps:

1 - Open the service in the control panel

2 - Find the ENENTLOG service, and click the Startup button

3 - Select Manual or Disabled in the start type

4- Start NT

5- to% SystemRoot% / System32 / Config / SECEVENT.EVT Delete SECEVENT.EVT

After doing this, the system will stop the event log service, you can delete the log you want to delete.

Manage tools for managing NT logs:

Dumpel.exe in the NT Resource Kit

Ntlast

NTLAST is a tool for serious system security and IIS management. Book Review Your NT Event Log is not desirable to your network because of a regular system audit

Can lead to a service destruction. Use NTLAST to identify and track anyone who has obtained the system's access, and the archive detail makes it easy.

This tool quickly reports the status of the IIS user, and the login of the web server is filtered from the console.

EventReader

EventReader (TM) is a management tool that allows network administrators to analyze and manage event logs. This program allows you from a network's Windows NT machine

Collect event logs and store information to one or more ODBC compatible (Microsoft SQL)

Server or Microsoft Access Database. You can assign which computer to collect information, assign a schedule, collect data, back up event log parameters.

The installation package includes a Microsoft Access sample database that includes many queries and reports that can effectively analyze event logs.

Event Archiver Enterprise

Event Archiver Enterprise is one of the most easily used products in the event management tool in the market, with its adaptability exceeds other similar products.

We think it is a "setting once, permanent run" application, and quite expensive saves your organization's time and money.

Calculated with average time cost of a Windows NT / 2000 administrator, configuring Event Archiver Enterprise to greatly reduce the overall cost of your company.

Installing Event Archiver, the administrator can start analytical event log entries without cumbersome and regularly saving and storing them.

EventReporter Version 4.0

The 4.0 version provides some important enhancements, enhanced documents, enhanced WebSite. For example: increasing the message through the Email client

Custom EventRepp Porter filtering graphics interface based on strict code (eg, error, warning).

Remote Viewers - Event Log Monitor

Remote Viewer for Windows PC runs on Microsoft Windows 95, Windows 98, Windows NT,

Let you query and display the event log information received by the console. Receive user-selected real-time warnings from a remote view console that can be displayed immediately.

Provide remote management processes, service, and device drivers.

Provide remote query, editing, create user-defined notes, information reference, and diverse remote command forms.

SID security issues:

Many administrators know the NT SID and allow you to get the user's SID tool "SID2USER". There is another way to obtain the user's SID here.

Assume that the following is true:

1- The default NT log can be remotely viewed

2- You have activated the audit

3- Your system strategy is when an account (login) error reaches a specified number of times, blocks this account (continue to try to log in). Below is how you make NT fall out of the SID:

Try to log in to the remote server with any existing account, the server prompts you to fail, a record will generate a record in the event reader:

Logon Failure:

Reason: Unknown User Name OR Bad Password

User name: WAKING

Domain: WAK0

Logon Type: 3

Logon Process: ksecdd

Authentication package: microsoft_authentication_package_v1_0

Workstation Name: // Braincell

If you have a policy is when an account (login) error reaches a specified number of times, your system policy prevents this account (continue to try to log in),

You will see the following entry in your log file:

User Account Locked Out:

Target Account Name: WAKING

Target Account ID: S-1-5-21-431509504-1754822488-11247502488-1124750213-500

Caller Machine Name: // Braincell

Caller User Name: System

Caller Domain: NT Authority

Caller logon ID: (0x0,0x3e7)

So if you now use the event viewer to connect the remote computer's event log, you will see the SID of the target account in the log:

S-1-5-21-431509504-1754822488-11247502488-1124750213-500

More good articles, please go to China

http://www.patching.net

转载请注明原文地址:https://www.9cbs.com/read-2017.html

New Post(0)