Step one: Start - Programs - Administrative Tools - Computer Management - System Tools - Event Viewer, then clear the log. Step two: Windows 2000 log files typically include the application log, security log, system log, DNS server log, FTP log, WWW log, and more.
Default log file locations: the application log, security log, system log and DNS log live under %SystemRoot%\System32\Config by default, with a default file size of 512KB (an administrator can change this size).
Security log file: %SystemRoot%\System32\Config\SecEvent.Evt
System log file: %SystemRoot%\System32\Config\SysEvent.Evt
Application log file: %SystemRoot%\System32\Config\AppEvent.Evt
Internet Information Services FTP log: %SystemRoot%\System32\LogFiles\MSFTPSVC1\, one log file per day by default
Internet Information Services WWW log: %SystemRoot%\System32\LogFiles\W3SVC1\, one log file per day by default
Scheduler service log: %SystemRoot%\SchedLgU.Txt
Where these logs are registered in the registry: the application, security, system and DNS server logs are registered under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. Some administrators may relocate these logs; the subkeys under EventLog record the directory of each log, so that is where to look. The Scheduler service log is registered under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent.
FTP and WWW logs in detail: by default the FTP and WWW services each generate one log file per day containing all of that day's records. The file name is usually ex(yy)(mm)(dd); for example, ex001023 is the log created on October 23, 2000. It can be opened directly with Notepad, as in the following example:
#Software: Microsoft Internet Information Services 5.0 (Microsoft IIS 5.0)
#Version: 1.0 (version 1.0)
#Date: 2000-10-23 03:15 (service start date)
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15 127.0.0.1 [1]USER Administrator 331 (the user at IP address 127.0.0.1 tried to log in as Administrator)
03:18 127.0.0.1 [1]PASS - 530 (login failed)
032:04 127.0.0.1 [1]USER NT 331 (the user at IP address 127.0.0.1 tried to log in as NT)
032:06 127.0.0.1 [1]PASS - 530 (login failed)
032:09 127.0.0.1 [1]USER CYZ 331 (the user at IP address 127.0.0.1 tried to log in as CYZ)
03:22 127.0.0.1 [1]PASS - 530 (login failed)
03:22 127.0.0.1 [1]USER Administrator 331 (the user at IP address 127.0.0.1 tried to log in as Administrator)
03:24 127.0.0.1 [1]PASS - 230 (login succeeded)
03:21 127.0.0.1 [1]MKD NT 550 (creating a new directory failed)
03:25 127.0.0.1 [1]QUIT - 550 (exited the FTP program)
From the log you can see that the user at IP address 127.0.0.1 kept trying to log in to the system, trying four username and password combinations. From this the administrator learns the intruder's login time, IP address and the usernames probed. If, as in the case above, the intruder finally got in with the Administrator username, consider changing that account's password or renaming the Administrator account.
WWW log: the WWW service is the same as the FTP service; its log is also in the %SystemRoot%\System32\LogFiles\W3SVC1 directory, one log file per day by default. Below is a typical WWW log file:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:091
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-10-23 03:091 192.168.1.26 192.168.1.37 80 GET /iisstart.asp 200 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
2000-10-23 03:094 192.168.1.26 192.168.1.37 80 GET /pagerror.gif 200 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Analyzing the sixth line (the first data line), you can see that on October 23, 2000 the user at IP address 192.168.1.26 accessed iisstart.asp on the server 192.168.1.37, port 80, and that the user's browser identified itself as Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt). An experienced administrator can determine the intruder's IP address and intrusion times from the security log, the FTP log and the WWW log. Even if the FTP and WWW logs are deleted, the attempts are still recorded in the system log and the security log; the catch is that those show only the machine name, not the IP. For the probe above, the system log produces the following record:
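The two log layouts above can be read with one small parser driven by the #Fields directive, and the FTP log in particular can be checked for the password guessing the page describes (several PASS commands answered with 530, followed by a 230). This is an added example, not code from the original article: the column names, the "[connection]COMMAND" form of the FTP cs-method column, and the '+' encoding of spaces in the WWW User-Agent field are taken from the page's listings; both sample logs are constructed here.

```python
"""Parse IIS 5 W3C extended logs (FTP and WWW) and flag FTP password guessing.

Added example for this article, not code from the original page. It assumes
the layout the page shows: "#Fields:" names the space-separated columns, the
FTP cs-method column carries "[connection]COMMAND", and a PASS reply of 530
means failure while 230 means success. The two logs below are constructed.
"""
from collections import defaultdict

# Constructed sample in the layout of the page's MSFTPSVC1 log (ex001023.log):
# four logins tried from 127.0.0.1, the last one succeeding as administrator.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:15:04
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15:04 127.0.0.1 [1]USER administrator 331
03:15:08 127.0.0.1 [1]PASS - 530
03:22:04 127.0.0.1 [1]USER nt 331
03:22:06 127.0.0.1 [1]PASS - 530
03:22:09 127.0.0.1 [1]USER cyz 331
03:22:12 127.0.0.1 [1]PASS - 530
03:22:20 127.0.0.1 [1]USER administrator 331
03:22:24 127.0.0.1 [1]PASS - 230
03:22:31 127.0.0.1 [1]MKD nt 550
03:22:35 127.0.0.1 [1]QUIT - 226
"""

# Constructed sample in the layout of the page's W3SVC1 log; W3C logs encode
# spaces inside a field (the User-Agent) as '+'.
WWW_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:09:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-10-23 03:09:01 192.168.1.26 - 192.168.1.37 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2000-10-23 03:09:04 192.168.1.26 - 192.168.1.37 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the column names from '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) are skipped
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield dict(zip(fields, values))


def ftp_password_guessing(text, threshold=3):
    """Per client IP, count failed PASS replies and record the usernames tried.

    The FTP log has no username column: the name is the cs-uri-stem of the
    most recent USER command on the same connection, so the two are paired
    by (c-ip, connection number). IPs with at least `threshold` failures are
    returned, together with the username of a later successful login, if any.
    """
    last_user = {}  # (ip, connection) -> username announced by USER
    stats = defaultdict(lambda: {"failed": 0, "users": [], "success_as": None})
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        conn, sep, cmd = rec["cs-method"].partition("]")  # "[1]USER" -> "[1", "]", "USER"
        if not sep:  # no connection prefix; treat the whole column as the command
            conn, cmd = "", rec["cs-method"]
        key = (ip, conn.lstrip("["))
        if cmd.upper() == "USER":
            user = rec["cs-uri-stem"].lower()
            last_user[key] = user
            if user not in stats[ip]["users"]:
                stats[ip]["users"].append(user)
        elif cmd.upper() == "PASS":
            if rec["sc-status"] == "530":
                stats[ip]["failed"] += 1
            elif rec["sc-status"] == "230":
                stats[ip]["success_as"] = last_user.get(key)
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}


def www_requests(text):
    """Return the WWW log's requests with the '+'-encoded User-Agent restored."""
    out = []
    for rec in parse_w3c(text):
        rec["user_agent"] = rec.get("cs(User-Agent)", "-").replace("+", " ")
        out.append(rec)
    return out


if __name__ == "__main__":
    for ip, s in ftp_password_guessing(FTP_LOG).items():
        print("%s: %d failed PASS, users tried %s, logged in as %s"
              % (ip, s["failed"], s["users"], s["success_as"]))
    for r in www_requests(WWW_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-uri-stem"], r["sc-status"], r["user_agent"])
```

Run against a real ex*.log from MSFTPSVC1 or W3SVC1, the same functions work unchanged as long as the #Fields directive is present; the threshold of three failures is a starting point, not a rule, and the "success_as" field is the detail that matters most, since it names the account whose password should be changed.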
At a glance you can see that on October 23, 2000 at 16:17 the system logged a warning. Double-click one of the warning events to open its properties:
The warning was recorded because someone tried to log in with the Administrator username and failed; the source is the FTP service. At the same time, a record is written to the security log: (EKIN: this picture is not the security log of this example)
Two icons can be seen in the figure above: a key (a success audit) and a lock (a failure audit, recorded when the user's action is refused). Four lock icons in a row indicate four failure audits; the event category is Logon/Logoff, a logon failure; the date is October 18, 2000 and the time is 10:02. These are the events to watch closely. Double-click the first failure audit event to see its detailed description, as shown in Figure 12 below:
From the figure above we learn that a workstation named CYZ tried to log on to this machine with the Administrator username but failed because of an unknown username or bad password (actually a bad password). There is also a DNS server log, which is not too important; that is about it (actually I have not seen it).
Now that we know the details of the Windows 2000 logs, let's learn how to delete them. From the above, you know that a log file is usually protected by a service running in the background. The system log, security log and application log are handled by a critical Windows 2000 process and are tied to the registry; when Windows 2000 starts, that service starts and protects these files, so they are hard to delete. The FTP log, the WWW log and the SchedLgU log, on the other hand, can be deleted easily. First you must obtain the password of Administrator or of a member of the Administrators group, then Telnet to the remote host. Start by trying to delete the scheduler log:
D:\server>del schedlgu.txt
d:\server\schedlgu.txt
The process cannot access the file because it is being used by another process.
In other words, a background service is protecting it, so stop the service first!
D:\server>net stop "Task Scheduler"
The following services are dependent on the Task Scheduler service.
Stopping the Task Scheduler service will also stop these services.
   Remote Storage Engine
Do you want to continue this operation? (Y/N) [N]: Y
The Remote Storage Engine service is stopping...
The Remote Storage Engine service was stopped successfully.
The Task Scheduler service is stopping.
The Task Scheduler service was stopped successfully.
OK, the service is stopped, and so is the service that depends on it. Try deleting again!
D:\server>del schedlgu.txt
D:\server>
No response? Success! Next come the FTP log and the WWW log; the principle is the same: stop the relevant service first, then delete the log!
D:\server\system32\logfiles\msftpsvc1>del ex*.log
D:\server\system32\logfiles\msftpsvc1>
The operation above successfully deleted the FTP log! On to the WWW log!
D:\server\system32\logfiles\w3svc1>del ex*.log
D:\server\system32\logfiles\w3svc1>
OK! Congratulations, the simple logs have now been deleted. Now for the hard ones, the security log and the system log, which are guarded by the Event Log service. Try to stop it!
D:\server\system32\logfiles\w3svc1>net stop eventlog
The requested pause or stop is not valid for this service.
Damn, no way: it is a critical service. Without a third-party tool, you simply cannot delete the security log and the system log from the command line! So we have to fall back on the simple but painfully slow method. Open Event Viewer under Administrative Tools in the Control Panel (Windows 98 has no such thing; one of the benefits of Win2K); the Action menu has an item named "Connect to another computer". Click it, as shown below:
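The deletion just shown leaves a hole in the daily ex*.log series of MSFTPSVC1 and W3SVC1, and a partial deletion (or an edited file) leaves a file that no longer matches what the administrator saw earlier. An added example, not code from the original article, of the checks an administrator would run from the other side: it assumes the page's file naming convention exYYMMDD.log with a two-digit year read as 20YY, and a baseline of SHA-256 hashes taken earlier and kept off the host, which is my assumption about how the "clever administrator" who moves the logs elsewhere would work. The listing and the hashes are constructed.

```python
"""Spot gaps in IIS daily ex*.log files and altered files against a baseline.

Added example for this article, not code from the original page. It assumes
the page's naming convention exYYMMDD.log (a 2000-era server, so YY is read
as 20YY) and a baseline of SHA-256 hashes that a defender copied off the
host earlier. All listings and hashes below are constructed.
"""
import datetime as dt
import hashlib
import re

LOG_NAME = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.IGNORECASE)


def log_date(name):
    """Date encoded in an IIS daily log name such as ex001023.log, else None."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    yy, mm, dd = (int(g) for g in m.groups())
    return dt.date(2000 + yy, mm, dd)  # assumption: two-digit year means 20YY


def missing_days(names, first=None, last=None):
    """Days in [first, last] (default: the span of the listing) with no ex*.log.

    IIS only opens a day's file on the first request of that day, so a quiet
    day on an idle server also shows up here; a hole inside a busy series is
    the signal worth chasing.
    """
    dates = sorted(d for d in map(log_date, names) if d)
    if not dates:
        return []
    first, last = first or dates[0], last or dates[-1]
    present = set(dates)
    gaps, day = [], first
    while day <= last:
        if day not in present:
            gaps.append(day)
        day += dt.timedelta(days=1)
    return gaps


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_to_baseline(baseline, current):
    """Return (removed, modified) file names.

    baseline: {name: sha256 hex} recorded earlier; current: {name: bytes} as
    read from the log directory now. Today's file is still being written and
    grows legitimately, so only closed days belong in the baseline.
    """
    removed = sorted(n for n in baseline if n not in current)
    modified = sorted(n for n, h in baseline.items()
                      if n in current and sha256(current[n]) != h)
    return removed, modified


# Constructed listing: the 23rd was deleted and the 22nd was truncated.
HEADER = b"#Software: Microsoft Internet Information Services 5.0\n"
CURRENT_LOGS = {
    "ex001020.log": HEADER,
    "ex001021.log": HEADER,
    "ex001022.log": HEADER,
    "ex001024.log": HEADER,
}
# Constructed baseline: what the files hashed to before the intrusion.
BASELINE = {
    "ex001020.log": sha256(HEADER),
    "ex001021.log": sha256(HEADER),
    "ex001022.log": sha256(HEADER + b"03:22:04 127.0.0.1 [1]USER nt 331\n"),
    "ex001023.log": sha256(HEADER),
}

if __name__ == "__main__":
    print("missing days:", missing_days(CURRENT_LOGS))
    print("removed/modified vs baseline:", compare_to_baseline(BASELINE, CURRENT_LOGS))
```

The gap check works from a directory listing alone; the baseline check needs the hashes to have been taken before the intrusion and stored somewhere the attacker cannot reach, which is exactly the countermeasure the page warns intruders about.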
Enter the IP of the remote computer, click OK, wait dozens of minutes enduring the slowness, and then the window shown below opens:
Select the security log of the remote computer and right-click to open its properties:
Click the "Clear Log" button in the properties. OK! The security log is cleared! Endure the same pain to clear the system log. At present the FTP, WWW and SchedLgU logs can be removed quickly and smoothly; it is the system log and the security log that are strictly guarded by Windows 2000 and can only be cleared through the Event Viewer, and because that is a graphical interface over a slow network, it takes a long time. If you have money to burn and time to spare, you can still clear them. In summary, this introduced the Windows 2000 log files and how to delete them, but you must be Administrator: note that only Administrator or a member of the Administrators group can open the security log. This process applies to Windows 2000 Professional computers, and also to Windows 2000 Server computers running as a standalone server or member server. That completes this lecture from the Windows 2000 security knowledge base. A few more words, and everyone please take note: although the FTP and other logs can be cleared, the system log and security log cannot be deleted so quickly, and if you run into a clever administrator who has moved the log files elsewhere, it is even harder. So I advise everyone: do not use domestic hosts for testing; domestic law is very strict! While eating today I heard about two people joking around: one hid the other's belongings, the other got anxious and reported it, and the one who hid them was sentenced to four years!! The judge said the law does not joke!!! So everyone must keep this in mind! (Don't say that I keep nagging like an old man)