Windows 2000 keeps several kinds of log: the application log, security log, system log, DNS Server log, FTP log, WWW log and so on; which ones exist depends on the services the server runs. When we probe a host with a scanner (the original names 流光, known in English as Fluxay), an IPC probe is promptly recorded in the security log together with the user name, time and other details, and an FTP probe is immediately recorded in the FTP log with the IP address, time, and the user names and passwords tried. Even starting the scanner's remote component requires the dynamic link library msvcp60.dll; if the server does not have this file, that too is recorded in the log. Why are you told not to attack domestic hosts? Because with your IP address they can find you easily, whenever they want to! There is one more important log you should know about: the Srv.exe that is often used is started through the Task Scheduler service, and the Scheduler log records everything the Scheduler service does, such as the starting and stopping of the service.
Default log file locations:
The application, security, system and DNS logs default to %SystemRoot%\System32\Config, with a default file size of 512 KB; the administrator can change this default size.
Security log file: %SystemRoot%\System32\Config\SECEVENT.EVT
System log file: %SystemRoot%\System32\Config\SYSEVENT.EVT
Application log file: %SystemRoot%\System32\Config\APPEVENT.EVT
Internet Information Services FTP log: default location %SystemRoot%\System32\LogFiles\MSFTPSVC1\, one log file per day by default
Internet Information Services WWW log: default location %SystemRoot%\System32\LogFiles\W3SVC1\, one log file per day by default
Scheduler service log: default location %SystemRoot%\SCHEDLGU.TXT
Where the above logs are registered in the registry:
Application log, security log, system log and DNS Server log: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Some administrators may relocate these logs. EventLog has several subkeys, in which the directory of each of the above logs can be found.
Scheduler service log: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent
FTP and WWW logs in detail:
By default the FTP and WWW services generate one log file per day containing all of that day's records. The file name is normally EX followed by the date, so EX001023 is the log generated on October 23, 2000. It can be opened directly with Notepad, as in the following example:
    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2000-10-23 03:15                    (service start date and time)
    #Fields: time c-ip cs-method cs-uri-stem sc-status
    03:15 127.0.0.1 [1]USER Administator 331   (the client at 127.0.0.1 tries to log in as "Administator")
    03:18 127.0.0.1 [1]PASS - 530              (login failed)
    032:04 127.0.0.1 [1]USER NT 331            (the client at 127.0.0.1 tries to log in as "NT")
    032:06 127.0.0.1 [1]PASS - 530             (login failed)
    032:09 127.0.0.1 [1]USER CYZ 331           (the client at 127.0.0.1 tries to log in as "CYZ")
    03:22 127.0.0.1 [1]PASS - 530              (login failed)
    03:22 127.0.0.1 [1]USER Administrator 331  (the client at 127.0.0.1 tries to log in as "Administrator")
    03:24 127.0.0.1 [1]PASS - 230              (login succeeded)
    03:21 127.0.0.1 [1]MKD NT 550              (creating a new directory failed)
    03:25 127.0.0.1 [1]QUIT - 550              (exiting the FTP program)
From the log you can see that the IP address 127.0.0.1 has been trying to log in to the system, cycling through four user names and passwords, so the administrator can learn the time of the intrusion, the IP address, and the user names probed. In the case above the intruder finally got in with the Administrator user name, so consider changing this account's password, or renaming the Administrator user.
WWW log: the WWW service behaves the same as the FTP service. Its log is likewise in the %SystemRoot%\System32\LogFiles\W3SVC1 directory, one file per day by default. Below is a typical WWW log file:
    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2000-10-23 03:091
    #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
    2000-10-23 03:091 192.168.1.26 - 192.168.1.37 80 GET /iisstart.asp - 200 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
    2000-10-23 03:094 192.168.1.26 - 192.168.1.37 80 GET /pagerror.gif - 200 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Looking at the sixth line, you can see that on October 23, 2000 the user at IP address 192.168.1.26 accessed the machine 192.168.1.37 and viewed the page iisstart.asp; the user's browser identified itself as Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt). An experienced administrator can thus determine the intruder's IP address and the time of the intrusion from the security log, the FTP log and the WWW log.
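Both logs above use the W3C extended format, in which a #Fields header names the columns of every following line. As an added example, not part of the original article, the Python below reads that header (so the same parser handles the FTP and the WWW log) and reports any client IP that fails the PASS step repeatedly, noting the user names tried and the one that finally received a 230, which is exactly the pattern in the FTP log above. The sample log is constructed and modelled on the quoted one; its seconds values are made up, since the original shows only hours and minutes.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the FTP log quoted above (W3C extended format;
# the seconds values are made up, the original only shows hours and minutes).
SAMPLE_FTP_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:15:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15:02 127.0.0.1 [1]USER Administator 331
03:18:10 127.0.0.1 [1]PASS - 530
03:20:04 127.0.0.1 [1]USER NT 331
03:20:06 127.0.0.1 [1]PASS - 530
03:20:09 127.0.0.1 [1]USER CYZ 331
03:22:00 127.0.0.1 [1]PASS - 530
03:22:30 127.0.0.1 [1]USER Administrator 331
03:24:00 127.0.0.1 [1]PASS - 230
03:25:00 127.0.0.1 [1]QUIT - 226
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        yield dict(zip(fields, line.split()))

def password_guess_report(text, threshold=3):
    """Per client IP: user names tried, count of PASS/530 failures, and the user name
    that finally got a 230 after at least `threshold` failures (None if none did)."""
    state = defaultdict(lambda: {"users": [], "failures": 0, "success_as": None})
    last_user = {}
    for e in parse_w3c(text):
        ip, status = e["c-ip"], e["sc-status"]
        method = re.sub(r"^\[\d+\]", "", e["cs-method"]).upper()  # drop the "[1]" connection id
        if method == "USER":
            last_user[ip] = e["cs-uri-stem"]            # in FTP logs the user name is in cs-uri-stem
            state[ip]["users"].append(e["cs-uri-stem"])
        elif method == "PASS" and status == "530":
            state[ip]["failures"] += 1
        elif method == "PASS" and status == "230" and state[ip]["failures"] >= threshold:
            state[ip]["success_as"] = last_user.get(ip)
    return {ip: s for ip, s in state.items() if s["failures"] >= threshold}
```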
Even if the FTP and WWW logs are deleted, the activity is still recorded in the system log and the security log, though the saving grace is that only your machine name is shown there, not your IP address. For the probe above, the system log produces the following record: at a glance you can see that on October 23 at 16:17 the system logged a warning for some event. Double-click it to open its properties: the warning was caused by someone trying to log in with the user name Administator and getting an error, and the source is the FTP service. At the same time the security log is written as well; there we can see two kinds of icon, a key (indicating success) and a lock (indicating that what the user was doing was stopped). Four lock icons in a row indicate four failure audits; the event category is Logon/Logoff, the type is Failure Audit, the date is October 18, 2000 and the time is 10:02, which deserve close attention. Double-click the first failed audit event to see its detailed description: we learn that a workstation named CYZ logged in to this machine with the user name Administator but did not succeed because the user name was unknown or the password was wrong (in fact the password was wrong).
In addition there is the DNS Server log, which is not very important and is skipped here (in fact, I have not looked at it).
Now that the details of the Windows 2000 logs are known, let us see how to delete them. From the above we know that the log files are generally protected by some service running in the background; moreover the system log, security log and application log are kept by a critical Windows 2000 process together with the registry files, and the protecting service is started when Windows 2000 boots, so they are very hard to delete. The FTP log, the WWW log and the SCHEDLGU log, on the other hand, can be deleted easily. First you have to obtain the Administrator password or that of a member of the Administrators group, then Telnet to the remote host. First try to delete the Scheduler log:
    D:\server>del schedlgu.txt
    d:\server\schedlgu.txt
    The process cannot access the file because it is being used by another process.
As said, a background service protects it, so stop the service first:
    D:\server>net stop "Task Scheduler"
    The following services are dependent on the Task Scheduler service.
    Stopping the Task Scheduler service will also stop these services.
       Remote Storage Engine
    Do you want to continue this operation? (Y/N) [N]: Y
    The Remote Storage Engine service is stopping...
    The Remote Storage Engine service was stopped successfully.
    The Task Scheduler service is stopping.
    The Task Scheduler service was stopped successfully.
OK, the service is stopped, along with its dependencies. Try deleting again:
    D:\server>del schedlgu.txt
    D:\server>
No response? Success! Next come the FTP log and the WWW log; the principle is the same: stop the relevant service first, then delete the logs.
    D:\server\system32\logfiles\msftpsvc1>del ex*.log
    D:\server\system32\logfiles\msftpsvc1>
The above successfully deletes the FTP log. Now the WWW log:
    D:\server\system32\logfiles\w3svc1>del ex*.log
    D:\server\system32\logfiles\w3svc1>
OK! Congratulations, the simple logs have now been deleted. Now for the difficult ones, the security log and the system log. The service guarding them is Event Log; try to stop it:
    D:\server\system32\logfiles\w3svc1>net stop EventLog
    This service cannot accept the requested pause or stop.
No way: it is a critical service. Without a third-party tool you simply cannot delete the security log and the system log from the command line. So we have to fall back on a simple but terribly slow method. Open "Event Viewer" under "Administrative Tools" in "Control Panel" (Windows 98 does not have it; see the benefits of Win2K). The "Action" menu has an item named "Connect to another computer"; enter the IP of the remote computer, click, then wait for dozens of minutes enduring the crawl. Select the remote computer's security log, right-click and choose Properties, then click the "Clear Log" button in the properties dialog, OK! The security log is cleared. Endure the same pain to clear the system log.
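The deletion described above leaves a hole in what is otherwise a daily sequence of ex*.log files. As an added example, not from the original article, this Python check takes a listing of the log directory and reports the days in a date range for which no daily log file exists; the directory listing is constructed. A day with no traffic also produces no file, so a gap is a prompt to compare against the system and security logs rather than proof of tampering.

```python
import re
from datetime import date, timedelta

# IIS daily log names: ex + yymmdd + .log, e.g. ex001023.log for 2000-10-23.
LOG_NAME = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.IGNORECASE)

def log_dates(filenames):
    """Return the set of dates for which a daily log file is present; other names are ignored."""
    found = set()
    for name in filenames:
        m = LOG_NAME.match(name)
        if m:
            yy, mm, dd = (int(g) for g in m.groups())
            year = 2000 + yy if yy < 70 else 1900 + yy   # two-digit year pivot (assumption)
            found.add(date(year, mm, dd))
    return found

def missing_days(filenames, first, last):
    """first/last are ISO dates ('YYYY-MM-DD'); returns the ISO dates in that range
    for which no log file exists. Days without any traffic also have no file, so a
    gap is a lead to check against the system and security logs, not proof of deletion."""
    have = log_dates(filenames)
    d, end = date.fromisoformat(first), date.fromisoformat(last)
    gaps = []
    while d <= end:
        if d not in have:
            gaps.append(d.isoformat())
        d += timedelta(days=1)
    return gaps

# Constructed listing of %SystemRoot%\System32\LogFiles\MSFTPSVC1 after two days were removed.
SAMPLE_LISTING = ["ex001019.log", "ex001020.log", "ex001021.log", "ex001024.log", "ex001025.log"]
```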
In conclusion, without third-party tools the FTP log, the WWW log and the SCHEDLGU log can be cleared, while the system log and the security log, the strictly guarded ones in Windows 2000, can only be cleared by opening them with the local Event Viewer. Because this goes through the graphical interface over a slow network, it is only practical if you have money to burn and time to spare, but you can clear them too. This has introduced the Windows 2000 log files and how they are deleted, but you must be an Administrator, and note that only a member of the Administrators group can enable security logging. This procedure applies to Windows 2000 Professional computers, and also to Windows 2000 Server computers running as a stand-alone server or member server.