Edina's Page

Lab 5A-2: Windows Log Analysis


Purpose

The purpose of this lab is to maintain and analyze log files using Windows Event Viewer.

Tools

Windows Event Viewer

Procedures

Click Start, Run and type mmc. When the MMC console opens, select Add/Remove Snap-in and add the Group Policy (Local Computer Policy) and Event Viewer snap-ins. Configure the local machine's logging facilities by expanding Local Computer Policy, then Computer Configuration, Windows Settings, Security Settings, Local Policies, and select Audit Policy. Open the Audit account logon events setting and check Success and Failure; do the same for Audit logon events. (Account logon events are recorded on the machine that validates the credentials, which for a domain account is the domain controller; logon events are recorded on the machine being logged on to, so on a stand-alone lab host both land in the local Security log.) Open the Event Viewer and click Security. Double-click an event listed under the Logon/Logoff category to display its detailed description.
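The same configuration and review can be scripted, which matters once the Security log has to be checked regularly rather than clicked through once. The PowerShell below is an added example, not part of the original lab: Enable-LogonAuditing reproduces the two audit settings with auditpol and raises the log size with wevtutil (Windows Vista or later, from an elevated prompt; on the XP-era host used in the lab the relevant events were 528, 529 and 538, and Vista and later use 4624, 4625 and 4634). ConvertTo-LogonRecord flattens Security log records by reading the named EventData fields from the event XML, and Get-FailedLogonSummary counts failures per account and source, which is how a password-guessing run shows up in the log. All function names are this example's own, and the records at the bottom are constructed sample data standing in for real ConvertTo-LogonRecord output so the summary can be run without a populated Security log.

```powershell
# Added example, not from the original lab write-up. Function names are
# this example's own; the $sample records at the bottom are constructed.

function Enable-LogonAuditing {
    # Same effect as ticking Success and Failure on "Audit logon events"
    # (Logon/Logoff category) and "Audit account logon events"
    # (Credential Validation) in Local Security Policy. Needs elevation.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
    auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
    # A 190 KB cap with overwrite-as-needed loses evidence within minutes
    # on a busy host. Raise the limit to 100 MB and keep overwrite-as-needed
    # (/rt:false) so logging never stops silently when the log fills.
    wevtutil sl Security /ms:104857600 /rt:false
}

function ConvertTo-LogonRecord {
    # Flatten Security log records (4624 success, 4625 failure, 4634 logoff)
    # by reading the named EventData fields from the event XML rather than
    # relying on the positional Properties[] array, whose order differs per ID.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Id        = $Event.Id
            Time      = $Event.TimeCreated
            Account   = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

function Get-FailedLogonSummary {
    # Count 4625 events per (account, source) pair and flag any pair that
    # reaches the threshold. A burst of failures against one account from
    # one address is the classic password-guessing signature.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $Threshold = 5
    )
    $Records |
        Where-Object { $_.Id -eq 4625 } |
        Group-Object Account, Source |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Account    = $_.Group[0].Account
                Source     = $_.Group[0].Source
                Failures   = $_.Count
                FirstSeen  = $ordered[0].Time
                LastSeen   = $ordered[-1].Time
                Suspicious = $_.Count -ge $Threshold
            }
        } |
        Sort-Object Failures -Descending
}

# Live use on a real host (elevated prompt):
#   Enable-LogonAuditing
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4634;
#       StartTime = (Get-Date).AddDays(-1) } |
#       ConvertTo-LogonRecord | Get-FailedLogonSummary | Format-Table -AutoSize

# Constructed sample records (not captured from a real machine): seven
# rapid failures against Administrator from one address, one mistyped
# password by a local user, then that user's successful logon.
$base = Get-Date '2024-01-15 09:00:00'
$sample = @(
    0..6 | ForEach-Object {
        [pscustomobject]@{ Id = 4625; Time = $base.AddSeconds($_ * 2)
                           Account = 'Administrator'; Domain = 'LAB'
                           LogonType = '3'; Source = '10.0.0.5' }
    }
    [pscustomobject]@{ Id = 4625; Time = $base.AddMinutes(5)
                       Account = 'edina'; Domain = 'LAB'
                       LogonType = '2'; Source = '-' }
    [pscustomobject]@{ Id = 4624; Time = $base.AddMinutes(6)
                       Account = 'edina'; Domain = 'LAB'
                       LogonType = '2'; Source = '-' }
)
Get-FailedLogonSummary -Records $sample | Format-Table -AutoSize
```

Run against the sample, the summary lists the Administrator/10.0.0.5 pair with seven failures and Suspicious set to True, and the single failure for edina with Suspicious False. The threshold is a parameter because the right value depends on the host: a kiosk with one user and a terminal server with hundreds need different baselines.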

Results

In the lab the maximum allowable log size was 190 KB. Privilege Use, System Event and Object Access were some of the events listed in the Security log. The logs in the lab are overwritten as needed.

Time

35 min

Reflection

Maintaining log files is an absolute must for any systems administrator. In addition, a number of software packages, available both commercially and as open source, can process and aggregate log files into a predetermined format, which greatly assists administrators who do not have the time or resources to review each log individually.
