Windows Server 2003 includes a set of log files that
are configured and presented within the Event Viewer. By configuring the
options on each of the logs to meet the requirements of your
environment, you can collect data appropriate for troubleshooting
hardware, application, system, and resource access.
Logs Available in Event Viewer
The Windows Server 2003 Event Log service, present and started automatically on all Windows Server 2003 computers, records events in one of three log files:
Application
Developers of an application can program their software to report configuration changes, errors, or other events to this log.
System
The Windows Server 2003 operating system will report events (service
start or abnormal shutdown, device failures, and so on) to this log. The
events reported to this log are preconfigured.
Security
Logon and resource access events (audits) are reported to this log. Which of these events are recorded is, for the most part, at the discretion of the system administrator.
Note
Although the Application and System log events are determined by the application developer and operating system, respectively, the Security log must first be configured for the type of events to record (Success or Failure for each audit category). If File and Object Access events are selected, the auditing entries (the system access control list, or SACL) in the security properties of each object must also be configured before access attempts on that object are recorded in the Security log. Enabling the policy alone produces no object access audits.
Windows Server 2003 computers filling the role of a Domain Controller contain two additional logs:
Directory Service
This log contains events related to the Microsoft Active Directory
directory service, such as irreconcilable object replication or
significant events within the directory.
File Replication Service
This log contains errors or significant events reported by the File Replication Service related to the copying of information between Domain Controllers during a replication cycle.
Lastly, a Windows Server 2003 computer filling the role of a Domain Name System (DNS) server will contain one additional log, the DNS Server log, which records events reported by the DNS Server service.
Configuring Event Viewer Logs
When you first start Event Viewer, all events that are recorded in the selected log are displayed. Such a list may be lengthy, containing many entries of both informational and warning types. You can locate events by type using the Filter command: right-click the log you want to view, point to View on the shortcut menu, and then click Filter. The Filter properties page for the Security log is shown in Figure 1.
Adjacent to the Filter tab in the properties of a log is the General tab, which provides access to the behaviors of the log, including:
The display name for the view of the log.
The maximum size of the log.
Whether the oldest events in the log should be overwritten when the maximum log size is reached. There are three overwrite options:
Overwrite Events As Needed (default) This behavior will overwrite the oldest entries in the log with newer ones when the log reaches the maximum size.
Overwrite Events Older Than n Days This configuration will overwrite only those events that exceed the age setting when the log reaches the maximum size. If the log is full and no event is that old, new events are discarded until space is freed, so this option can also lose data.
Do Not Overwrite Events (Clear Log Manually) This configuration will halt event logging when the log reaches the maximum size, until an administrator clears the log.
Security Alert
Leaving the default setting of Overwrite Events As Needed on the Security log could overwrite important resource access or other security-related data if the log is not checked often. A regular schedule of analysis is recommended. Log files can be archived (that is, saved to disk) if needed for record-keeping or other administrative purposes. For better assurance that no Security log entries have been lost, Windows Server 2003 Group Policy provides a setting under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options (Audit: Shut down system immediately if unable to log security audits) that halts the computer with a stop error if it is unable to write audit information to the Security log. This setting forces disciplined administrative practice if the Security log is set to be cleared manually: a full log stops the server, and after the restart only members of the Administrators group can log on until the log has been cleared and the setting reset. Size the log and schedule the archive-and-clear task before enabling it, because an attacker who can flood the Security log can otherwise use the setting to take the server down.
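The General tab settings and the shutdown-on-audit-failure policy above are both visible to a script, which is the practical way to check them across more than one server. The following is an added example, not code from the original chapter. It assumes PowerShell 2.0 or later on a domain-member management workstation (Windows Server 2003 does not ship PowerShell), an account with administrative rights on the target, and that Server01 and the 128 MB log size are placeholders to adjust for your environment.

```powershell
# Added example, not part of the original chapter. Assumes PowerShell 2.0 or later
# on a management workstation, run as an account with administrative rights on the
# target. Windows Server 2003 does not ship PowerShell, so the classic-log cmdlets
# are used remotely through -ComputerName (remote registry service must be running).
$server = 'Server01'    # assumed: the practice's domain controller

function Get-SecurityLogState {
    param([string]$ComputerName)

    # The General tab settings: maximum size, overwrite behaviour, retention days.
    $log = Get-EventLog -ComputerName $ComputerName -List |
           Where-Object { $_.Log -eq 'Security' }

    # CrashOnAuditFail is the registry value behind the Group Policy setting
    # "Audit: Shut down system immediately if unable to log security audits".
    #   0 = disabled
    #   1 = halt when an audit cannot be written
    #   2 = the system has already halted once; only administrators can log on
    $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $lsa   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $crash = $lsa.GetValue('CrashOnAuditFail', 0)

    New-Object PSObject -Property @{
        ComputerName         = $ComputerName
        MaximumKilobytes     = $log.MaximumKilobytes
        OverflowAction       = $log.OverflowAction    # OverwriteAsNeeded, OverwriteOlder, DoNotOverwrite
        MinimumRetentionDays = $log.MinimumRetentionDays
        CrashOnAuditFail     = $crash
    }
}

$state = Get-SecurityLogState -ComputerName $server
$state | Format-List

# The weak default described in the chapter: oldest audits are silently overwritten.
if ($state.OverflowAction -eq 'OverwriteAsNeeded') {
    Write-Warning "$server : Security log overwrites as needed; audit records can be lost silently."
}
if ($state.CrashOnAuditFail -eq 2) {
    Write-Warning "$server : has already halted on audit failure; clear the log and reset the policy."
}

# Corrected setting: a larger log that is never overwritten, so a full log becomes
# an operational event rather than silent data loss. 128 MB is an assumed size;
# the value must be a multiple of 64 KB. Pair it with a scheduled archive-and-clear.
Limit-EventLog -ComputerName $server -LogName Security `
               -MaximumSize 128MB -OverflowAction DoNotOverwrite
```

The shutdown behaviour itself is deliberately only read here, not written: set it through the Security Options policy named in the alert rather than by editing CrashOnAuditFail directly, because Group Policy would reapply its own value at the next refresh. Read the state before and after a policy change to confirm that the refresh actually reached the server.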
The General tab for the Security log is shown in Figure 2.
Practice: Event Monitor
In
this practice, you will configure the Security log for File and Object
Access, and filter the data displayed in the Security log.
Exercise 1: Configuring the Security Log
In this exercise, you will configure the auditing of File and Object Access.
1. Logged on to Server01 as an administrator, open Active Directory Users And Computers.
2. Right-click the Domain Controllers Organizational Unit (OU), and then choose Properties from the shortcut menu.
3. On the Group Policy tab, select the Default Domain Controllers Policy, and then click Edit.
4. Under the Computer Configuration node, expand Windows Settings, Security Settings, Local Policies, and then click Audit Policy.
5. In the details pane, right-click Audit Object Access, and then select Properties from the shortcut menu.
6. In the Audit Object Access Properties dialog box, select Audit These Attempts: Failure, and then click OK.
7. Close the Group Policy Object Editor, click OK to close the Domain Controllers Properties dialog box, and then close Active Directory Users And Computers.
8. Open a command window, type gpupdate, and then press Enter.
9. When the Computer Policy reports as refreshed, close the command window.
You have now enabled
the auditing of failed Object Access attempts on Server01 (as part of
the Domain Controllers OU), and refreshed Group Policy so that the
settings take effect immediately.
Exercise 2: Setting File and Object Auditing
In this exercise,
you will configure auditing on a folder that you will create.
Permissions will be set so as to simulate a user attempting to gain
unauthorized access to the resource.
1. On your desktop, create a folder called Data.
2. Right-click the folder and select Properties from the shortcut menu.
3. Select the Security tab, and then select your user account.
4. Select the check box for Deny: Full Control for your user account, and then click Yes in the warning dialog box.
5. Click Advanced, and then select the Auditing tab. Add your user account with List Folder / Read Data: Failed selected, and then click OK to close all Properties dialog boxes.
6. Double-click the Data folder to open it. You should receive an Access Denied message.
Exercise 3: Reading the Security Log
In this exercise, you will confirm the auditing of your failed access to the Data folder.
1. From Administrative Tools, open the Computer Management console.
2. Expand the Event Viewer node, and then click the Security log in the folder pane. Near the top of the list of events, you should see several Failure Audit events (with Event ID 560, Object Open) indicating your failed attempt to access the Data folder.
3. Right-click the Security log in the folder pane, select View from the shortcut menu, and then choose Filter.
4. In the Filter dialog box, select each of the following:
5. Click OK to apply the filter to the Security log.
You have now filtered the Security log data to display only the events that apply to failed object access.
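The same filter (Failure Audit events, Event ID 560, narrowed to one object) can be applied from a script, which is what you would do when checking many servers or running the check on a schedule as the Security Alert recommends. The following is an added example, not code from the original chapter. It assumes PowerShell 2.0 or later on a domain-member workstation with rights to read Server01's Security log remotely, and it assumes the field labels in the Windows Server 2003 Event ID 560 message text ("Object Name:", "Primary User Name:"); adjust the patterns if your event text differs.

```powershell
# Added example, not part of the original chapter. Assumes PowerShell 2.0 or later
# on a domain-member workstation with rights to read the remote Security log.
# Event ID 560 (Object Open) is the failure audit the practice generates. The
# field labels matched below are an assumption about the 2003 event message text.
$server = 'Server01'   # assumed: the practice's domain controller
$folder = 'Data'       # assumed: the folder created in Exercise 2

function Get-FailedObjectAccess {
    param(
        [string]$ComputerName,
        [string]$ObjectPattern,   # regular expression matched against the audited object name
        [int]$Hours = 1
    )
    # Same criteria as the Event Viewer Filter dialog: Failure Audit type, event ID 560,
    # restricted to a time window so a busy domain controller does not ship the whole log.
    Get-EventLog -ComputerName $ComputerName -LogName Security `
                 -EntryType FailureAudit -InstanceId 560 `
                 -After (Get-Date).AddHours(-$Hours) |
      ForEach-Object {
          $obj = ''
          if ($_.Message -match 'Object Name:\s+(?<obj>[^\r\n]*)') { $obj = $Matches['obj'] }

          # Narrow to the object of interest, the way the practice looks for the Data folder.
          if ($obj -match $ObjectPattern) {
              $user = $_.UserName
              if ($_.Message -match 'Primary User Name:\s+(?<u>[^\r\n]*)') { $user = $Matches['u'] }

              New-Object PSObject -Property @{
                  Time    = $_.TimeGenerated
                  EventId = $_.EventID
                  User    = $user
                  Object  = $obj
              }
          }
      }
}

$hits = @(Get-FailedObjectAccess -ComputerName $server -ObjectPattern "\\$folder$" -Hours 1)
$hits | Sort-Object Time | Format-Table Time, EventId, User, Object -AutoSize

# Repeated failures by the same account against one object are the pattern worth
# a follow-up; a single entry is usually the user in Exercise 2 testing the Deny ACE.
$hits | Group-Object User, Object |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Count, Name
```

An empty result is the first thing to diagnose: it means either the audit policy from Exercise 1 has not reached the server (run gpupdate and check again) or the folder has no failure auditing entry in its SACL, since both are required before Event ID 560 is written.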