Module 9: Monitoring Event Logs

Contents

Overview
Introduction to Monitoring Event Logs
Monitoring Security Events
Analyzing Security Events
Monitoring System and Application Events
Viewing Event Logs
Managing Event Logs
Lab A: Monitoring Event Logs
Best Practices
Review

This course is a prerelease course and is based on Microsoft Windows 2000 Beta 3 software. Content in the final release of the course may be different than the content included in this prerelease version. All labs in the course are to be completed using the Beta 3 version of Microsoft Windows 2000 Advanced Server.

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead/Senior Instructional Designer: Red Johnston
Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager: Jim Cochran (Volt Computer)
Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor: Kim Ralls
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Tammy Stockton (Write Stuff)
Compact Disc Testing: ST Labs
Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart

Introduction

This module provides students with information about monitoring event logs. The module discusses how to monitor user activities and system and application events. It emphasizes that students should monitor these activities and events for security reasons, to track resource use, and to discover system and application errors. The module also teaches that the security events that are recorded are based on an audit policy set up by a security administrator for the network that he or she administers. The module presents how to view and analyze event logs to discover activities and events that require administrative action. It also covers how to review and analyze event logs. At the end of the module, students will be able to monitor event logs.
Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Materials

To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 1556A_09.ppt
• Module 9, “Monitoring Event Logs”

Preparation

To prepare for this module, you should:
• Read all the materials for this module. Notice that some slides are animated and require that you click them several times as you step students through the illustrated processes. Animated slides are indicated with an icon in the lower left corner of the slide.
• Review the Delivery Tips and Key Points for each section and topic.
• Complete the lab.
• Study the review questions and prepare alternative answers for discussion.
• Anticipate questions that students may ask. Write out the questions and provide answers to them.

Presentation: 30 Minutes
Lab: 30 Minutes

Module Strategy

Use the following strategy to present this module:

• Introduction to Monitoring Event Logs
  Introduce monitoring events in Microsoft Windows® 2000. The topic on introducing event log monitoring has an animated slide. The icon on the bottom left corner of the slide identifies the slide. Use the slide to explain to students that system and application events are recorded automatically, and that security events are recorded according to the Audit Policy that has been set up for the network. Then explain that events are recorded in event logs, viewed in Event Viewer, and analyzed by the network administrator. Describe the different kinds of events. Windows 2000 creates system events, applications create application events, and security events are recorded when users perform an action. The user actions that are recorded are based on an Audit Policy for the network. Tell students that events are recorded in event logs.

• Monitoring Security Events
  Provide an overview of monitoring security events.
  Explain that security events are recorded in the security log. Describe the categories of security events in the security log. The topic on categories of security events has an animated slide. The icon on the bottom left corner of the slide identifies the slide. Use the slide to describe security event categories that are recorded in the security log. Tell students that they can look for specific categories when viewing the security log. Explain object access events, such as access to files and folders, which can be audited.

• Analyzing Security Events
  Provide students with an overview of analyzing security logs. Explain how to analyze security logs, such as analyzing successful or failed events and detecting trends in recorded events. Point out that certain security events are most likely to signify a user action that requires your attention.

• Monitoring System and Application Events
  Provide an overview of monitoring system and application events. Describe the system and application logs and the detailed information recorded in them. Present the types of system and application events, and point out that the type of event affects the administrative action that you need to take. The topic on types of system and application events has an animated slide. The icon on the bottom left corner of the slide identifies the slide. Use the slide to describe the types of system and application events that are recorded in the system and application logs. Tell students that they can look for specific types of events when viewing the system and application logs.

• Viewing Event Logs
  Provide an overview of Event Viewer to view and locate system, application, and security events. Explain how Event Viewer is used to view event logs. Demonstrate the use of the Find feature to locate specific events and the Filter feature to limit the events that Event Viewer displays.

• Managing Event Logs
  Provide an overview of managing event logs.
  Present the options to limit the size of an event log. Explain that the strategy used to limit the log size is based on security and the kinds of events that are being audited. Describe how to archive logs and review archived logs.

• Best Practices
  Read the Best Practices section before you start the module, and then refer to the appropriate practice as you teach the corresponding module section. Then, at the end of the module, summarize all of the best practices for the module.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating and customizing this module with other Microsoft Official Curriculum (MOC) courseware.

The labs in this module are also dependent on the classroom configuration that is specified in the “Customization Information” section at the end of the Classroom Setup Guide for course 1556A, Administering Microsoft Windows 2000.

Lab Setup

There are no setup requirements for the lab in this module.

Lab Results

Performing the lab in this module introduces the following configuration change:
• Addition of the London.csv and Applog.csv files in the C:\MOC\NT1556A\Labfiles\Logs folder on drive D

Overview

• Introduction to Monitoring Event Logs
• Monitoring Security Events
• Analyzing Security Events
• Monitoring System and Application Events
• Viewing Event Logs
• Managing Event Logs
• Best Practices

You can monitor most user activities, Microsoft® Windows® 2000 events, and application events. Events are user actions that are recorded based on an Audit policy, and any significant occurrence in Windows 2000 or in an application that requires users to be notified. You monitor these activities and events for security reasons, to track resource use, and to discover system and application errors.
The security events that you monitor are based on an Audit policy that is set up by a security administrator for the network that you administer. The Windows 2000 and application events that you monitor are preset by the operating system and application developers who decided which events will be recorded. Events are recorded in event logs. You view and analyze event logs to discover activities and events that require administrative consideration. Based on your analysis of the event logs, you may need to take any of the following administrative actions:
• Resolve security violations
• Address system problems
• Reallocate resources
• Recommend changes in Audit policy or to audit settings

At the end of this module, you will be able to:
• Describe monitoring events in Windows 2000.
• Monitor security events.
• Analyze security events.
• Monitor system and application events.
• View events in event logs.
• Manage event logs.
• Apply best practices for monitoring events.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to monitor activities on a computer.

Introduction to Monitoring Event Logs

[Slide: Audit Policy, User, Administrator, Failed Access, System or Application Event, Log, Administrative Action]

Windows 2000 records security, system, and application events in logs on the computer, usually a domain controller or member server, on which the event occurred. You view these logs to discover activities and events that require your attention. Windows 2000 maintains other logs, as well. Because of the network administrator’s scope of responsibility that this course addresses, this module discusses only security, system, and application event logs.

Events

Windows 2000 and applications record events automatically.
Security events are not logged automatically; Windows 2000 logs security events according to the Audit policy that has been set up.

• An Audit policy defines the categories of user activities that Windows 2000 records in the security logs on each computer. Auditing policies are set up to track authorized and unauthorized access to resources. The Audit policy is designed to serve the needs of your organization. By default, auditing is not enabled. A security administrator configures an Audit policy to enable auditing and determine what activities are audited. Extensive auditing slows down the computer on which auditing is enabled.
• System and application events are alerts and warnings produced by Windows 2000, its services, and installed applications. Some critical events, such as a full disk drive or low memory, are noted in an on-screen message. Those events not requiring immediate attention are noted in an event log.

Slide Objective: To introduce monitoring events in Windows 2000.
Lead-in: You monitor user activities, Windows 2000 events, and application events.
Delivery Tip: The slide for this topic is animated. Begin by explaining to students that system and application events are recorded automatically. Security events are recorded according to the Audit policy that has been set up for the network. Then explain that events are recorded in event logs, viewed in Event Viewer, and analyzed by the network administrator.
Key Points: Windows 2000 and application events are recorded automatically. Security events are recorded according to auditing policies. By default, auditing is not enabled.

Event Logs

When an event occurs, the event is recorded in the event logs. Event logs enable you to monitor information about hardware, software, system problems, and security. You can also archive logs in various file formats.

Event Viewer

You use Event Viewer to view events that Windows 2000 has recorded in the logs.
Event Viewer is available on Windows 2000 Professional and Windows 2000 Server. Event logging starts automatically each time you start Windows 2000 Server. With Event Viewer, you can troubleshoot various hardware and software problems and monitor Windows 2000 Server security events.

Analysis and Administrative Action

You analyze event logs to determine actions, such as users gaining access to printers or files, and to verify attempts at unauthorized use of resources. You can also archive log files to compare current and archived logged events to discover trends. Your analyses may lead to administrative actions, changes in resource security, or changes to an Audit policy.

Monitoring Security Events

• The Security Log
• Categories of Security Events
• Auditing Object Access Events

Security events that Windows 2000 tracks are recorded in the security log. The log provides detailed information about each event. Security events are divided into categories such as account logon and object access. The object access category includes files and folders, printers, and other objects in the directory service of Active Directory™. You can audit to determine whether the access to an object was a success or a failure. The security needs of your organization determine the categories that you audit, and whether you audit for success or failure.

Slide Objective: To provide an overview of monitoring security events.
Lead-in: To monitor network security for your organization, you view the security log to locate security events.
Delivery Tip: This is an overview of monitoring security events. Prepare students for the topic by providing the following key points of information.
Key Points: Security events are recorded in the security log. Security events are divided into categories. The Audit policy set up for your organization determines the categories that are recorded.
Auditing can be set up to record access to objects such as files, folders, and printers.

[...] application event, or the category of security event

Using Event Viewer to View Logs

Slide Objective: To explain using Event Viewer to view event logs.
Lead-in: Event Viewer enables you to view audit events.

• Use Event Viewer to View Detailed Event Information
• Use Event Viewer to View Logs on a Remote Computer

[Slide: Event Viewer window, eventvwr - [Event Viewer (local)\Security Log], Action, View, 0 event(s)]

... startup, Windows 2000 will log an error

Viewing Event Logs

Slide Objective: To introduce using Event Viewer to view and locate events.
Lead-in: Let’s look at where Windows 2000 records events and how you can view them.

• Using Event Viewer to View Logs
• Using Event Viewer to Locate Events

Delivery Tip: This is an overview of viewing event logs. Prepare students for the topic...

... you used and perform another search

Managing Event Logs

Slide Objective: To introduce managing event logs.
Lead-in: You must manage the size of event logs, and you can archive logs for future use.

• Limiting the Size of Event Log Files
• Archiving Logs

[Slide: Save as, 512 Kb]

Delivery Tip: This is an overview of managing event logs. Prepare students for the topics by...

... application events that are recorded. Types of system and application events are information, warnings, and errors. Each event contains detailed information such as the type of event. You use event information to accurately identify the event and take appropriate action.

System and Application Logs

Slide Objective: To explain system and application logs.

• System Log Contains Events...

... charging a department for their portion of printing supplies

Archiving Logs

Slide Objective: To explain how to archive logs and view archived logs.
Lead-in: You can archive logs to maintain a history of logged events.

• Archive Logs
• View an Archived Log
• Save Logs as:
  - Log file format (.evt)
  - Text...

... remove these rights from the user

Monitoring System and Application Events

Slide Objective: To provide an overview of monitoring system and application events.
Lead-in: To keep track of Windows 2000 and application events, you monitor system and application logs.
Delivery Tip: This is an overview of monitoring system and application events. Prepare students for the topic...

... events that require action. Take action and notify other administrators when appropriate.

Analyzing Security Logs

Slide Objective: To explain how you analyze security logs.

When you analyze security logs, you:
• Interpret events
• Analyze failure events
• Analyze success events
• Detect trends
• Take administrative action, based on your analysis

• Analyze Security Events...

... which the computer exists and then select the computer to which you want to connect.

Using Event Viewer to Locate Events

Slide Objective: To show how to filter and find events by using Event Viewer.
Lead-in: Use the Filter and Find features to focus on selected items in the log...

[Slide: System Log Properties dialog, General tab; Find in local System Log; View Events From: First Event To: Last Event]

... increments)

[Slide: Event log wrapping: Overwrite events as needed; Overwrite events older than 7 days; Do not overwrite events (clear log manually); Default; Low speed connection; OK; Clear all Events; Cancel; Apply]

You can limit the size of event logs and select a method to overwrite older log event entries with new log entries. Overwriting older event logs is called event log wrapping. When you enable Event log wrapping,...

... for filtering and finding events.

Option        Description
View Events   Choose from first to last event, or the dates for which to view events (only on the Filter tab)
Types         The type of event to view
Source        The software or component driver that logged the event
Category      The category of event, such as a logon or logoff attempt
User          A user logon name

(continued)
Option        Description ...
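The analysis steps described above (failure and success events, trends, comparison with an archived log) and the Filter options table, worked as an added example that is not part of the course materials: a small Python script over constructed sample lines in the comma-separated text format that Event Viewer can save a log as. The eight-column layout and the sample event IDs are assumptions made for this example; the computer name LONDON is taken from the lab file names.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Assumed column order of an Event Viewer log saved in comma-separated text
# (an assumption for this example; confirm it against a real export's first line).
FIELDS = ["Type", "Date", "Time", "Source", "Category", "Event", "User", "Computer"]

# Constructed sample of a current security log export (event IDs are sample values).
CURRENT_CSV = """\
Failure Audit,10/26/2013,08:01:10,Security,Logon/Logoff,529,LONDON\\jsmith,LONDON
Failure Audit,10/26/2013,08:01:15,Security,Logon/Logoff,529,LONDON\\jsmith,LONDON
Failure Audit,10/26/2013,08:01:21,Security,Logon/Logoff,529,LONDON\\jsmith,LONDON
Success Audit,10/26/2013,08:02:00,Security,Logon/Logoff,528,LONDON\\jsmith,LONDON
Failure Audit,10/26/2013,09:15:02,Security,Object Access,560,LONDON\\tle,LONDON
Success Audit,10/26/2013,09:20:44,Security,Object Access,560,LONDON\\admin,LONDON
"""
# Constructed sample of an archived export from the previous week, for comparison.
ARCHIVED_CSV = """\
Failure Audit,10/19/2013,11:30:00,Security,Object Access,560,LONDON\\tle,LONDON
Success Audit,10/19/2013,11:31:05,Security,Logon/Logoff,528,LONDON\\jsmith,LONDON
"""

def parse_export(text):
    """Turn export lines into dicts, adding a datetime 'When'; skips malformed lines."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # blank or truncated line: skip rather than abort the whole run
        ev = dict(zip(FIELDS, row))
        ev["When"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %H:%M:%S")
        events.append(ev)
    return events

def filter_events(events, types=None, source=None, category=None, user=None,
                  start=None, end=None):
    """Apply the Filter tab's criteria: type(s), source, category, user, date range."""
    def ok(ev):
        return ((not types or ev["Type"] in types)
                and (not source or ev["Source"] == source)
                and (not category or ev["Category"] == category)
                and (not user or ev["User"] == user)
                and (not start or ev["When"] >= start)
                and (not end or ev["When"] <= end))
    return [ev for ev in events if ok(ev)]

def failure_trends(events, threshold=3):
    """Count failure audits per (category, user); return those at or above threshold."""
    counts = Counter((ev["Category"], ev["User"])
                     for ev in events if ev["Type"] == "Failure Audit")
    return {key: n for key, n in counts.items() if n >= threshold}

def compare_with_archive(current, archived):
    """Change in failure-audit count per category between the archived and current logs."""
    now = Counter(ev["Category"] for ev in current if ev["Type"] == "Failure Audit")
    then = Counter(ev["Category"] for ev in archived if ev["Type"] == "Failure Audit")
    return {cat: now[cat] - then[cat] for cat in set(now) | set(then)}
```

Repeated failure audits for one user and categories whose failure count rose since the archive are the entries to interpret first; a rise with no matching change in the Audit policy is the trend the module asks you to act on.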

Posted: 26/10/2013, 23:15