Module 9: Monitoring Event Logs

Contents
Overview 1
Introduction to Monitoring Event Logs 2
Monitoring Security Events 4
Analyzing Security Events 9
Monitoring System and Application Events 14
Viewing Event Logs 17
Managing Event Logs 21
Lab A: Monitoring Event Logs 25
Best Practices 32
Review 33




This course is a prerelease course and is based on
Microsoft Windows 2000 Beta 3 software. Content in the
final release of the course may be different than the content
included in this prerelease version. All labs in the course
are to be completed using the Beta 3 version of
Microsoft Windows 2000 Advanced Server.

Module 9: Monitoring Event Logs



Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.


© 1999 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.


The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective
owners.


Project Lead/Senior Instructional Designer:

Red Johnston
Instructional Designers:
Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager:
Jim Cochran (Volt Computer)
Lab Simulations Developers:
David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor:
Kim Ralls
Graphic Artist:
Julie Stone (Independent Contractor)
Editing Manager:
Tina Tsiakalis
Editors:
Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager:
Nikki McCormick
Online Support:
Tammy Stockton (Write Stuff)
Compact Disc Testing:
ST Labs
Production Support:
Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager:
Bo Galford
Manufacturing Support:
Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services:
Elaine Nuerenberg
Lead Product Manager:
Sandy Alto
Group Product Manager:
Robert Stewart
Module 9: Monitoring Event Logs iii

Introduction
This module provides students with information about monitoring event logs.
The module discusses how to monitor user activities and system and application
events. It emphasizes that students should monitor these activities and events
for security reasons, to track resource use, and to discover system and
application errors. The module also teaches that the security events that are
recorded are based on an audit policy set up by a security administrator for the
network that he or she administers. The module presents how to view and
analyze event logs to discover activities and events that require administrative
action. It also covers how to review and analyze event logs. At the end of the
module, students will be able to monitor event logs.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
- Microsoft® PowerPoint® file 1556A_09.ppt
- Module 9, “Monitoring Event Logs”


Preparation
To prepare for this module, you should:
- Read all the materials for this module. Notice that some slides are animated
  and require that you click them several times as you step students through
  the illustrated processes. Animated slides are indicated with an icon in the
  lower left corner of the slide.
- Review the Delivery Tips and Key Points for each section and topic.
- Complete the lab.
- Study the review questions and prepare alternative answers for discussion.
- Anticipate questions that students may ask. Write out the questions and
  provide answers to them.

Presentation: 30 Minutes
Lab: 30 Minutes


Module Strategy
Use the following strategy to present this module:
- Introduction to Monitoring Event Logs
  Introduce monitoring events in Microsoft Windows® 2000. The topic on
  introducing event log monitoring has an animated slide. The icon on the
  bottom left corner of the slide identifies the slide. Use the slide to explain to
  students that system and application events are recorded automatically, and
  that security events are recorded according to the Audit Policy that has been
  set up for the network. Then explain that events are recorded in event logs,
  viewed in Event Viewer, and analyzed by the network administrator.
  Describe the different kinds of events. Windows 2000 creates system
  events, applications create application events, and security events are
  recorded when users perform an action. The user actions that are recorded
  are based on an Audit Policy for the network. Tell students that events are
  recorded in event logs.
- Monitoring Security Events
  Provide an overview of monitoring security events. Explain that security
  events are recorded in the security log. Describe the categories of security
  events in the security log. The topic on categories of security events has an
  animated slide. The icon on the bottom left corner of the slide identifies the
  slide. Use the slide to describe security event categories that are recorded in
  the security log. Tell students that they can look for specific categories when
  viewing the security log. Explain object access events, such as access to
  files and folders, which can be audited.
- Analyzing Security Events
  Provide students with an overview of analyzing security logs. Explain how
  to analyze security logs, such as analyzing successful or failed events and
  detecting trends in recorded events. Point out that certain security events are
  most likely to signify a user action that requires your attention.
- Monitoring System and Application Events
  Provide an overview of monitoring system and application events. Describe
  the system and application logs and the detailed information recorded in
  them. Present the types of system and application events, and point out that
  the type of event affects the administrative action that you need to take. The
  topic on types of system and application events has an animated slide. The
  icon on the bottom left corner of the slide identifies the slide. Use the slide
  to describe the types of system and application events that are recorded in
  the system and application logs. Tell students that they can look for specific
  types of events when viewing the system and application logs.
- Viewing Event Logs
  Provide an overview of Event Viewer to view and locate system,
  application, and security events. Explain how Event Viewer is used to view
  event logs. Demonstrate the use of the Find feature to locate specific events
  and the Filter feature to limit the events that Event Viewer displays.
- Managing Event Logs
  Provide an overview of managing event logs. Present the options to limit the
  size of an event log. Explain that the strategy used to limit the log size is
  based on security and the kinds of events that are being audited. Describe
  how to archive logs and review archived logs.
- Best Practices
  Read the Best Practices section before you start the module, and then refer
  to the appropriate practice as you teach the corresponding module section.
  Then, at the end of the module, summarize all of the best practices for the
  module.




Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on the student computers during the labs. This
information is provided to assist you in replicating and customizing this module
with other Microsoft Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom
configuration that is specified in the “Customization Information” section at the
end of the Classroom Setup Guide for course 1556A, Administering
Microsoft Windows 2000.

Lab Setup
There are no setup requirements for the lab in this module.

Lab Results
Performing the lab in this module introduces the following configuration
change:
- Addition of the London.csv and Applog.csv files in the
  C:\MOC\NT1556A\Labfiles\Logs folder on drive D



Overview
- Introduction to Monitoring Event Logs
- Monitoring Security Events
- Analyzing Security Events
- Monitoring System and Application Events
- Viewing Event Logs
- Managing Event Logs
- Best Practices


You can monitor most user activities, Microsoft® Windows® 2000 events, and
application events. Events are user actions that are recorded based on an Audit
policy, and any significant occurrence in Windows 2000 or in an application
that requires users to be notified. You monitor these activities and events for
security reasons, to track resource use, and to discover system and application
errors. The security events that you monitor are based on an Audit policy that is
set up by a security administrator for the network that you administer. The
Windows 2000 and application events that you monitor are preset by the
operating system and application developers who decided which events will be
recorded.

Events are recorded in event logs. You view and analyze event logs to discover
activities and events that require administrative consideration. Based on your
analysis of the event logs, you may need to take any of the following
administrative actions:
- Resolve security violations
- Address system problems
- Reallocate resources
- Recommend changes in Audit policy or to audit settings

At the end of this module, you will be able to:
- Describe monitoring events in Windows 2000.
- Monitor security events.
- Analyze security events.
- Monitor system and application events.
- View events in event logs.
- Manage event logs.
- Apply best practices for monitoring events.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to monitor activities on a computer.



Introduction to Monitoring Event Logs
(Slide graphic: Audit Policy; User; Administrator; Failed Access; System or
Application Event; Log; Administrative Action)


Windows 2000 records security, system, and application events in logs on the
computer, usually a domain controller or member server, on which the event
occurred. You view these logs to discover activities and events that require your
attention.

Note: Windows 2000 maintains other logs as well. Because of the network
administrator’s scope of responsibility that this course addresses, this module
discusses only security, system, and application event logs.

Events
Windows 2000 and applications record events automatically. Security events
are not logged automatically; Windows 2000 logs security events according to
the Audit policy that has been set up.
- An Audit policy defines the categories of user activities that Windows 2000
  records in the security logs on each computer. Auditing policies are set up to
  track authorized and unauthorized access to resources. The Audit policy is
  designed to serve the needs of your organization.
  By default, auditing is not enabled. A security administrator configures an
  Audit policy to enable auditing and determine what activities are audited.
  Extensive auditing slows down the computer on which auditing is enabled.
- System and application events are alerts and warnings produced by
  Windows 2000, its services, and installed applications. Some critical events,
  such as a full disk drive or low memory, are noted in an on-screen message.
  Those events not requiring immediate attention are noted in an event log.
Slide Objective: To introduce monitoring events in Windows 2000.
Lead-in: You monitor user activities, Windows 2000 events, and application
events.
Delivery Tip: The slide for this topic is animated. Begin by explaining to
students that system and application events are recorded automatically.
Security events are recorded according to the Audit policy that has been set up
for the network. Then explain that events are recorded in event logs, viewed in
Event Viewer, and analyzed by the network administrator.
Key Points:
- Windows 2000 and application events are recorded automatically.
- Security events are recorded according to auditing policies.
- By default, auditing is not enabled.


Event Logs
When an event occurs, the event is recorded in the event logs. Event logs enable
you to monitor information about hardware, software, system problems, and
security. You can also archive logs in various file formats.
Event Viewer
You use Event Viewer to view events that Windows 2000 has recorded in
the logs. Event Viewer is available on Windows 2000 Professional and
Windows 2000 Server. Event logging starts automatically each time you start
Windows 2000 Server. With Event Viewer, you can troubleshoot various
hardware and software problems and monitor Windows 2000 Server security
events.
Analysis and Administrative Action
You analyze event logs to determine actions, such as users gaining access to
printers or files, and to verify attempts at unauthorized use of resources. You
can also archive log files to compare current and archived logged events to
discover trends. Your analyses may lead to administrative actions, changes in
resource security, or changes to an Audit policy.


Monitoring Security Events
- The Security Log
- Categories of Security Events
- Auditing Object Access Events


Security events that Windows 2000 tracks are recorded in the security log. The
log provides detailed information about each event. Security events are divided
into categories such as account logon and object access. The object access
category includes files and folders, printers, and other objects in the directory
service of Active Directory. You can audit to determine whether the access to
an object was a success or a failure. The security needs of your organization
determine the categories that you audit, and whether you audit for success or
failure.

Slide Objective: To provide an overview of monitoring security events.
Lead-in: To monitor network security for your organization, you view the
security log to locate security events.
Delivery Tip: This is an overview of monitoring security events. Prepare
students for the topic by providing the following key points of information.
Key Points:
- Security events are recorded in the security log.
- Security events are divided into categories. The Audit policy set up for your
  organization determines the categories that are recorded.
- Auditing can be set up to record access to objects such as files, folders, and
  printers.

The Security Log
- Contains information about:
  - Date and time the event occurred
  - Source of the event
  - Category of the event
  - User who generated the event
  - Successful or failed attempt


Windows 2000 records audit events in the security log. The security log
contains information about network security events that are monitored, such as
logon attempts. A security administrator creates an Audit policy that specifies
which events are recorded in the security log. For example, if logon auditing is
enabled, Windows 2000 records attempts to log on to the system in the security
log. Success events appear with a key icon; failure events appear with a lock
icon. Other important information includes the date and time that an event
occurred, the source of the event, the category of the event, and the user who
generated the event.
Successful and Failed Attempts
The security administrator can specify whether to record success or failure
events.

Success Audit: A successful, audited security access attempt. For example,
Windows 2000 logs a user’s successful logon attempt as a Success Audit event.

Failure Audit: A failed, audited security access attempt. For example, if a user
tries to access a network drive and fails, Windows 2000 logs the attempt as a
Failure Audit event.


Note: For more information about creating and implementing auditing policies,
see course 1558, Advanced Administration for Microsoft Windows 2000.
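As an added example (this is not code from the course or its lab files), the following Python script reads a security log that has been saved as comma-separated text and pulls out exactly what the slide lists: when each event occurred, its source, category and user, and whether it was a Success Audit or a Failure Audit. The column layout, the event numbers and the rows are constructed assumptions for this example; the London.csv and Applog.csv files used in the lab may be laid out differently.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a security log saved as comma-separated text. The column
# layout (Date, Time, Source, Type, Category, Event, User, Computer), the event
# numbers and the rows are assumptions made for this example; they are not the
# module's London.csv or Applog.csv lab files.
SAMPLE_EXPORT = """\
Date,Time,Source,Type,Category,Event,User,Computer
5/12/1999,9:02:11 AM,Security,Success Audit,Account Logon,680,LONDON\\jdoe,LONDON
5/12/1999,9:05:40 AM,Security,Failure Audit,Account Logon,681,LONDON\\asmith,LONDON
5/12/1999,9:05:52 AM,Security,Failure Audit,Account Logon,681,LONDON\\asmith,LONDON
5/12/1999,9:07:03 AM,Security,Success Audit,Object Access,560,LONDON\\jdoe,LONDON
5/12/1999,9:09:15 AM,Security,Failure Audit,Object Access,560,LONDON\\asmith,LONDON
5/12/1999,9:30:00 AM,Security,Success Audit,Privilege Use,577,LONDON\\jdoe,LONDON
5/12/1999,10:00:00 AM,Security,Success Audit,System Event,517,NT AUTHORITY\\SYSTEM,LONDON
"""

AUDIT_TYPES = ("Success Audit", "Failure Audit")


def load_events(text):
    """Parse the export into a list of dicts, adding a combined 'When' datetime.

    Rows whose Type is not an audit entry are skipped rather than guessed at,
    so a damaged line cannot be miscounted as a success or a failure.
    """
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("Type") not in AUDIT_TYPES:
            continue
        row["When"] = datetime.strptime(f'{row["Date"]} {row["Time"]}',
                                        "%m/%d/%Y %I:%M:%S %p")
        events.append(row)
    return events


def summarize_by_category(events):
    """Count Success Audit and Failure Audit entries per category."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e["Category"]][e["Type"]] += 1
    return {category: dict(counts) for category, counts in summary.items()}


def failures_by_user(events):
    """Which users generated Failure Audit entries, and how many each."""
    return Counter(e["User"] for e in events if e["Type"] == "Failure Audit")


def time_span(events):
    """Earliest and latest timestamp in the export: the period this saved log covers."""
    times = [e["When"] for e in events]
    return min(times), max(times)


if __name__ == "__main__":
    ev = load_events(SAMPLE_EXPORT)
    first, last = time_span(ev)
    print(f"{len(ev)} audit entries from {first} to {last}")
    for category, counts in sorted(summarize_by_category(ev).items()):
        print(f"  {category:15} {counts}")
    print("failures by user:", dict(failures_by_user(ev)))
```

Reading the Type and Category columns rather than the icon is what makes the distinction between a key (success) and a lock (failure) mechanical; the per-user failure count is the first thing to look at when the log is large.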



Slide Objective: To explain the security log.
Lead-in: Security events are recorded in the security log.
Delivery Tip: Open the saved security log, Security.evt, which is in the
Labfiles folder. Show students the events that are recorded. Point out success
and failure events and the other information provided in the log, especially
the category.


Categories of Security Events
(Slide graphic: Account Logon; Object Access; Privilege Use; System Event)


The security events that Windows 2000 tracks are divided into categories. The
security administrator responsible for setting up auditing for your network
enables auditing for the categories that are appropriate for your business
situation. When you review events, you may look for specific categories of
events. For each event category, you can audit both successful and failed access
to objects.
The following table describes some of the event categories.

Account Logon: Logs an event each time that a user attempts to log on. Typically,
you will audit only failures for this category in order to alert an
administrator to unauthorized users who have gained access to the network.

Object Access: Logs an event each time that a user attempts to access an object
such as a printer, folder, or file. For example, it may be important for you to
balance the print jobs sent to the print devices in your company. You can set an
Audit policy to log an event each time that a user accesses a printer. From this
log, you can determine printer load, and you may decide to direct some printing
to other print devices.

Privilege Use: Logs an event each time that a user attempts, successfully or
unsuccessfully, to exercise privileges such as changing the system time.

System Event: Logs designated system events. Windows 2000 may log system events
when a user restarts or shuts down a computer, or when an event has occurred
that affects Windows 2000 security or the security log. An example of an event
that affects the security log is when the event log is full and Windows 2000 has
begun to discard entries.

Slide Objective: To explain the categories of security events in the security log.
Lead-in: Security events are divided into categories. When you review security
events, you can look for specific categories.
Delivery Tip: The slide for this topic is animated. Use it to describe to
students the four security event categories that are recorded in the security
log.

Auditing Object Access Events
- Audit Access to Files and Folders
- Audit Access to Printers
- Audit Access to Other Objects in Active Directory
- Audit the Success or Failure of User Access Attempts


An Audit policy has been set up to monitor access to objects such as files and
folders, printers, and other objects in Active Directory. The Audit policy
determines whether to track successful or failed access attempts.
Auditing Access to Files and Folders
When auditing is set up on specific files and folders, you can view which users
attempt to access the files or folders, and the type of access that the users
attempt. Some of the user activities that you can audit are:
- Displaying the contents of a file or folder.
- Changing the contents of a folder.
- Adding data to a file.
- Deleting a file or folder in a folder.
- Changing permissions for a file or folder.

Note: You can audit files and folders only when they are located on NTFS file
system partitions.

Slide Objective: To explain the access events that can be audited.
Lead-in: You can audit access to files and folders, printers, and Active
Directory objects.



Auditing Access to Printers
Auditing access to printers has been set up to determine the type or amount of
use. You can audit printers to determine the specific users who accessed or
attempted to access the printer, and the types of access that each user or group
attempted.
Some of the printer access events that you can audit are:
- Changing printer settings, pausing a printer, sharing a printer, or removing a
  printer.
- Changing job settings; pausing, restarting, moving, or deleting documents;
  sharing a printer; or changing printer properties.
- Changing printer permissions.

Auditing Access to Objects in Active Directory
Windows 2000 represents everything in Active Directory as an object. You can
set up auditing to track access to specific objects such as users, computers, and
groups. When you set up auditing on specific Active Directory objects,
Windows 2000 logs the users who attempt to access the objects and the types of
access that the users attempt.
Some of the types of access to Active Directory objects that you can audit are:
- Viewing the audited object.
- Creating any object within the audited object.
- Deleting any object within the audited object.
- Changing the permissions for the audited object.

Success or Failure of User Access Attempts
The Audit policy is configured to record the success, the failure, or both, of
attempts to access resources. An Audit policy might log only failed logon
attempts. Repeated failed logons may alert you to attempts at unauthorized
access to the network. Alternatively, an Audit policy might log only successful
actions, such as successful attempts to access a shared folder on a server and
how many users are accessing it.


Analyzing Security Events
- Analyzing Security Logs
- Looking for Specific Security Events


Depending on the security categories that Windows 2000 audits for your
computers, the number of events that are logged can be quite large. Analyzing
all of the events that are logged may be time consuming. You should limit the
categories that you view and analyze.
To limit the scope of your analysis, identify specific security events that require
action. Take action and notify other administrators when appropriate.

Slide Objective: To introduce analyzing security logs.
Lead-in: You must determine the events that are important to your organization
and limit your analysis to them.
Delivery Tip: This is an overview of analyzing security logs. Prepare students
for the topic by providing the following key points of information.
Key Points:
- Analyze security logs to ensure that security events do not go undetected.
- There are specific security events that you should analyze.




Analyzing Security Logs
- Interpret Security Events to Determine Their Meanings
- Analyze Security Events to Identify Failed Attempts to Access Resources
- Analyze Security Events to Identify Successful Attempts to Access Resources
- Track Events Over Time to Detect Trends
- Take Action to Resolve Security Problems


Regular analysis of the security log enables an administrator to track events and
ensure that security violations are corrected. You look for categories of events
that are important to the security of your organization. You can focus your
analysis on failure events or success events. You can look for trends over time.
When you find events that violate security or policy, you can take appropriate
action.
Interpreting Security Events
The analysis of resource access includes interpretation of whether system
resources are being used correctly. Analyzing resource use consists of
examining entries that Windows 2000 logs and understanding the possible
actions that may have led to the entries. During this analysis process you should
determine which entry or entries are affecting the integrity of system resources.
Analyzing Failed Security Events
In some situations, you should analyze failure events. For example, you will
need to know if someone attempts to gain access to a file for which they have
no permissions, or if someone attempts to gain access to another user’s account
by guessing the password.
Analyzing Success Security Events
In some situations, you should analyze success events, such as successful
access to resources. For example, in a law firm, you may want to bill a client
for every time that one of your employees accesses a reference CD-ROM. You
can log every successful attempt to access the CD-ROM and the user who
accessed it.
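The three kinds of analysis described in this section (failure events such as repeated bad logons or denied file access, successful access to a resource per user, and a trend over time), worked through as an added Python example that is not code from the course. The Event record layout and the sample entries are constructed assumptions for this example; a saved log would first have to be parsed into that shape.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    """One security-log entry reduced to the fields the analysis needs (assumed layout)."""
    when: datetime
    kind: str       # "Success Audit" or "Failure Audit"
    category: str   # e.g. "Account Logon", "Object Access"
    user: str
    target: str     # object that was accessed; empty for logon events


# Constructed sample entries for a single server (not from the module's lab files).
SAMPLE = [
    Event(datetime(1999, 5, 12, 9, 0), "Failure Audit", "Account Logon", "asmith", ""),
    Event(datetime(1999, 5, 12, 9, 1), "Failure Audit", "Account Logon", "asmith", ""),
    Event(datetime(1999, 5, 12, 9, 2), "Failure Audit", "Account Logon", "asmith", ""),
    Event(datetime(1999, 5, 12, 9, 3), "Success Audit", "Account Logon", "asmith", ""),
    Event(datetime(1999, 5, 12, 9, 10), "Failure Audit", "Account Logon", "jdoe", ""),
    Event(datetime(1999, 5, 12, 10, 0), "Success Audit", "Object Access", "jdoe", r"E:\Reference"),
    Event(datetime(1999, 5, 12, 11, 0), "Success Audit", "Object Access", "jdoe", r"E:\Reference"),
    Event(datetime(1999, 5, 12, 17, 30), "Failure Audit", "Account Logon", "jdoe", ""),
    Event(datetime(1999, 5, 13, 10, 0), "Success Audit", "Object Access", "asmith", r"E:\Reference"),
    Event(datetime(1999, 5, 13, 10, 5), "Failure Audit", "Object Access", "asmith", r"D:\Payroll"),
    Event(datetime(1999, 5, 13, 10, 6), "Failure Audit", "Object Access", "asmith", r"D:\Payroll"),
]


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logons inside any span of `window`.

    Failures packed into a short interval are the pattern the module associates
    with someone guessing another user's password. Returns
    {user: largest number of failures seen inside one window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.kind == "Failure Audit" and e.category == "Account Logon":
            by_user[e.user].append(e.when)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def denied_object_access(events):
    """(user, object) pairs with failed access attempts, e.g. a file the user may not open."""
    return Counter((e.user, e.target) for e in events
                   if e.kind == "Failure Audit" and e.category == "Object Access")


def successful_access(events, target):
    """How many times each user successfully accessed `target` (the billing example)."""
    return Counter(e.user for e in events
                   if e.kind == "Success Audit" and e.category == "Object Access"
                   and e.target == target)


def daily_failures(events):
    """Failure audits per calendar day, for spotting a trend across a retained or archived log."""
    per_day = Counter(e.when.date() for e in events if e.kind == "Failure Audit")
    return {day.isoformat(): n for day, n in sorted(per_day.items())}


if __name__ == "__main__":
    print("failed logon bursts:", failed_logon_bursts(SAMPLE))
    print("denied object access:", dict(denied_object_access(SAMPLE)))
    print("successful access to E:\\Reference:", dict(successful_access(SAMPLE, r"E:\Reference")))
    print("failures per day:", daily_failures(SAMPLE))
```

The threshold and window in failed_logon_bursts are tuning choices: a single mistyped password is noise, while several failures within minutes on one account is the kind of entry the section says requires action. Comparing daily_failures across an archived log and the current one is the concrete form of tracking events over time.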
Slide Objective: To explain how you analyze security logs.
Lead-in: You analyze security logs to ensure that security events do not go
undetected.
Key Points: When you analyze security logs, you:
- Interpret events.
- Analyze failure events.
- Analyze success events.
- Detect trends.
- Take administrative action, based on your analysis.