This document discusses best practices for monitoring event logs. It covers monitoring security events and analyzing security logs to detect failures or suspicious access attempts. It also addresses monitoring system and application logs for errors or warnings. The document reviews using Event Viewer to view and filter logs, managing log size by setting overwrite policies, and archiving logs for long-term analysis. It recommends regularly reviewing logs, archiving logs to track trends over time, and selecting the appropriate log overwrite option.
2. Overview
Introduction to Monitoring Event Logs
Monitoring Security Events
Analyzing Security Events
Monitoring System and Application Events
Viewing Event Logs
Managing Event Logs
Best Practices
3. Introduction to Monitoring Event Logs
[Diagram: an audit policy records a user's failed access attempt (X) in the event log; system or application events are written to the log as well; the administrator reviews the log and takes administrative action.]
4. Monitoring Security Events
The Security Log
Categories of Security Events
Auditing Object Access Events
5. The Security Log
Contains Information About:
Date and time the event occurred
Source of the event
Category of the event
User who generated the event
Successful or failed attempt
6. Categories of Security Events
Account Logon
Object Access
Privilege Use
System Event
7. Auditing Object Access Events
Audit Access to Files and Folders
Audit Access to Printers
Audit Access to Other Objects in Active Directory
Audit the Success or Failure of User Access Attempts
8. Analyzing Security Events
Analyzing Security Logs
Looking for Specific Security Events
9. Analyzing Security Logs
Interpret Security Events to Determine Their Meanings
Analyze Security Events to Identify Failed Attempts to Access Resources
Analyze Security Events to Identify Successful Attempts to Access Resources
Track Events Over Time to Detect Trends
Take Action to Resolve Security Problems
10. Looking for Specific Security Events
Logon Failure
Failure When Attempting to Read a File
Deletes or Attempts to Delete a Data File
Assigns or Attempts to Assign
Take Ownership permission
Change Permissions permission
Restart, Shutdown, and System Audit on Network Servers
11. Monitoring System and Application Events
System and Application Logs
Types of System and Application Events
12. System and Application Logs
System Log Contains Events Logged by Windows 2003
Application Logs Contain Events Logged by Applications
System and Application Logs Contain:
Errors, warnings, and information
Date and time the event occurred
Source of the error
Category of event
User who generated the event
13. Types of System and Application Events
Information
Warning
Error
14. Viewing Event Logs
Using Event Viewer to View Logs
Using Event Viewer to Locate Events
15. Using Event Viewer to View Logs
Use Event Viewer to View Detailed Event Information
Use Event Viewer to View Logs on a Remote Computer
[Screenshot: Event Viewer (Local) with the Security Log selected, listing Success Audit and Failure Audit entries in the columns Type, Date, Time, Source, Category, Event, User (Privilege Use events 577 and 578 for SYSTEM and Administrator); the console tree also shows the Application, Directory, DNS Server, File Replication Service and System logs, and the context menu offers "Connect to another computer...".]
16. Using Event Viewer to Locate Events
[Screenshot: System Log Properties, Filter tab, with event types (Information, Warning, Error, Success Audit, Failure Audit), Source, Category, Event ID, User, Computer and a From/To date range (First Event 6/11/98 7:27:03 AM to Last Event 6/11/98 7:27:50 AM); beside it the "Find in local System Log" dialog with the same type, Source, Category, Event ID, Computer, User and Description fields and Up/Down search direction.]
17. Managing Event Logs
Limiting the Size of Event Log Files
Archiving Logs
18. Limiting the Size of Event Log Files
Choose a size strategy to limit log size
[Screenshot: Security Log Properties, General tab: Display name "Security Log", Log name D:\NTIDS\System32\config\SecEvent.Evt, Size 64.0 KB (65,536 bytes), Created Thursday, June 11, 1998 7:26:56 AM, Modified and Accessed Thursday, June 11, 1998 11:33:29 AM; Maximum log size 512 Kilobytes (64K increments); "Clear all Events" button.]
Event log wrapping options:
Overwrite events as needed
Overwrite events older than 7 days
Do not overwrite events (clear log manually)
19. Archiving Logs
Archive Logs
View an Archived Log
Save Logs as:
Log file format (.evt)
Text file format (.txt)
Comma-delimited text file format (.csv)
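As an added example that is not part of the slide deck, the script below reads a security log archived in the comma-delimited (.csv) format listed above and carries out the analysis steps from the "Analyzing Security Logs" and "Looking for Specific Security Events" slides: counting failed access attempts per user and category, totalling failures per day to track trends over time, and flagging users with repeated failures. The column order and the sample rows are constructed assumptions based on the columns shown in the Event Viewer screenshot, not a real export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Column order follows the Event Viewer columns
# (Type, Date, Time, Source, Category, Event, User) plus Computer; the exact
# export layout and all values are assumptions for this example.
SAMPLE_CSV = """Type,Date,Time,Source,Category,Event,User,Computer
Failure Audit,6/11/98,11:32:55 AM,Security,Logon/Logoff,529,Administrator,NTIDS
Failure Audit,6/11/98,11:33:10 AM,Security,Logon/Logoff,529,Administrator,NTIDS
Failure Audit,6/11/98,11:33:29 AM,Security,Logon/Logoff,529,Administrator,NTIDS
Success Audit,6/11/98,11:36:21 AM,Security,Privilege Use,577,SYSTEM,NTIDS
Failure Audit,6/12/98,8:02:04 AM,Security,Object Access,560,jdoe,NTIDS
Failure Audit,6/12/98,9:15:40 AM,Security,Logon/Logoff,529,jdoe,NTIDS
"""


def parse_events(csv_text):
    """Parse a comma-delimited Event Viewer export into a list of row dicts,
    adding a parsed 'when' timestamp so events can be tracked over time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["when"] = datetime.strptime(
            f"{row['Date']} {row['Time']}", "%m/%d/%y %I:%M:%S %p")
        events.append(row)
    return events


def failed_attempts(events):
    """Count Failure Audit events per (user, category): identifies failed
    attempts to access resources, as the analysis slide recommends."""
    return Counter((e["User"], e["Category"])
                   for e in events if e["Type"] == "Failure Audit")


def failures_per_day(events):
    """Failure Audit events per calendar day, for trend tracking across
    archived logs."""
    return Counter(e["when"].date().isoformat()
                   for e in events if e["Type"] == "Failure Audit")


def flag_repeated_failures(events, threshold=3):
    """Users with at least `threshold` failures in a single category; these
    are the entries an administrator should review first."""
    return sorted(user for (user, _cat), n in failed_attempts(events).items()
                  if n >= threshold)
```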
20. Best Practices
Set Up a Schedule and Review Event Logs Regularly
Archive Event Logs Regularly to Track Trends
Review Security Logs for Significant Events
Select an Appropriate Option to Overwrite Old Log Events
21. Review
Introduction to Monitoring Event Logs
Monitoring Security Events
Analyzing Security Events
Monitoring System and Application Events
Viewing Event Logs
Managing Event Logs
Best Practices