The primary purpose of the Audit policy change category, which includes a subcategory of the same name, is to notify you of changes to important security policies on the local system. Such changes include changes to the system's audit policy or, if the local system is a DC, changes to trust relationships. The Audit privilege use category tracks the exercise of user rights (Microsoft uses the terms privilege, right, and permission inconsistently). This category generates a lot of noise; I usually recommend that you leave it disabled.
The primary purpose of the Audit process tracking category is to track each program that is executed, whether by the system or by end users. Because both process creation and process exit are recorded, you can even determine how long the program was open. You can tie this policy, Audit logon events, and Audit object access together by using the Logon ID, Process ID, and Handle ID fields within the various event descriptions, thereby painting a detailed picture of a user's activities. Enabling these audit policies turns on the Windows auditing function.
But when Windows starts sending events to the Security log, you need a way to view them. By default, Event Viewer displays the local computer's event logs, but you can easily use the console to view the logs of other computers on the network.
You must hold the Manage auditing and security log and Access this computer from the network user rights on the target system; reading the Security log remotely also requires the target's firewall to allow the Remote Event Log Management rule group. To view another computer's logs, right-click the root in the left pane and select Connect to Another Computer. Figure shows Event Viewer in Windows Server displaying security events. On the preview pane's General tab, Event Viewer shows more information about each event; select the Details tab to see all of the information.
You might also want to open the event's Properties for a different view of the information (Figure). On the Properties dialog's General tab, the upper scroll box holds the event description, and the lower section lists the standard System fields: the Log Name, the Source, the Event ID, the Level, the User, the Logged date and time at which the event occurred, the Task Category (the event's audit subcategory), and Keywords, which tells you whether the event is an Audit Success or an Audit Failure.
All events in the Security log list the source as Microsoft Windows security auditing (shown simply as Security in older versions of Windows), with the exception of events having to do with the logging mechanism itself, such as clearing the log, whose source is Eventlog.
Security events fall into task categories that correspond one-to-one with the audit policy subcategories (50 in the Windows version covered here; later versions added more). Select the Details tab for a different view of the information. This is where you'll find the valuable information about the event. When you view an event's details, you are actually seeing two types of information that have been merged: each event ID has a static description that contains defined placeholders, and the dynamic strings that belong to a particular instance of the event are merged into those placeholders.
Figure shows all the information for an instance of event ID. This is the output you'll see when you use the Details tab's Copy button: the information appears twice, first in the "friendly" format and then in XML format. Note that the fields offer a combination of static text that appears in every instance of the event and dynamic values that are inserted as the event is constructed. The friendly description of the logon event shown (Logon Type: 3) reads as follows.
This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon. The logon type field indicates the kind of logon that occurred; the most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created. The network fields indicate where a remote logon request originated; the workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. The key length field indicates the length of the generated session key; this will be 0 if no session key was requested.
Microsoft attempts to explain some of these event fields, but for a much more detailed and clear explanation, see our wiki, Randy's Security Log Encyclopedia: www.
The EventData section appears toward the end of this output. You need to understand how this section works, because it is in this section that the important event details reside.
String 9 tells you the type of logon that was attempted (type 3, a network logon). These dynamic strings are also important when you have a Security log-management solution or want to use a utility such as Microsoft LogParser to analyze the log. Many of the typical alerts that such solutions let you define require criteria that are based in part on one or more strings from an event's description; in most cases, filtering on event ID alone isn't sufficient, because a single event ID covers, for example, every logon type. When designing a report that is based on the Security log, you'll often find that you need to parse a report column out of a string in the event's description. Keep in mind that string positions are specific to each event ID, so check the layout of each event you build criteria on.
If you are shopping for a Security log-management product, make sure that it provides the flexibility to create alert criteria and reports that are based on specific string numbers within the description. The filter in the new Event Viewer is also a big improvement (Figure). In the action pane on the right of Event Viewer (Figure), click Filter Current Log to access the filter.
For the Security log, the only event source available is Microsoft Windows security auditing. You must choose this source in the Event sources drop-down box before you can see and choose which subcategories (called task categories in this GUI) to filter. You can also save the events in a filtered view to a file (Save Filtered Log File As) for further analysis.
You can save a filtered view for later use as a custom view. The Find feature provides a useful way to correlate events. In the action pane on the right of Event Viewer (Figure), click Find to access this feature. For example, you can search for a logon ID to find when a user logged on, the audited objects that the user accessed, and when the user logged off (Figure). Search on the Logon ID from the New Logon section of the logon event: the same value appears in the Subject section of the object access and process events that the session generated, and again in the logoff event. Find works through the events currently displayed, so apply a filter first to narrow the range it has to cover.
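As an added example, not code from the original page or from Randy's own tools, the following Python script does in code what the two preceding passages describe: it parses events in the XML form that the Details tab's Copy button produces, reads EventData both by string position (so an alert can test string 9 of a logon event) and by name, and then correlates a logon, an object access and a logoff by Logon ID the way Find does, including the session length. It assumes the Vista-and-later event IDs 4624 (logon), 4663 (object access) and 4634/4647 (logoff); the four events, with their SIDs, names, logon IDs, paths and timestamps, are constructed samples, not real log extracts, with the 4624 Data elements in the event's template order so that LogonType is the ninth string.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample events (not real log extracts) in the XML shape the Details
# tab's Copy button produces; the 4624 Data order follows the event template.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T08:00:00Z"/></System>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">FS1$</Data>
<Data Name="SubjectDomainName">EXAMPLE</Data><Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1-2-3-1105</Data><Data Name="TargetUserName">alice</Data>
<Data Name="TargetDomainName">EXAMPLE</Data><Data Name="TargetLogonId">0x1a2b3c</Data>
<Data Name="LogonType">3</Data><Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="WorkstationName">WS07</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data><Data Name="KeyLength">0</Data><Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data><Data Name="IpAddress">10.0.0.7</Data><Data Name="IpPort">51234</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T08:05:00Z"/></System>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">FS1$</Data>
<Data Name="SubjectDomainName">EXAMPLE</Data><Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1-2-3-1210</Data><Data Name="TargetUserName">bob</Data>
<Data Name="TargetDomainName">EXAMPLE</Data><Data Name="TargetLogonId">0x2b3c4d</Data>
<Data Name="LogonType">10</Data><Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data><Data Name="WorkstationName">FS1</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data><Data Name="KeyLength">0</Data><Data Name="ProcessId">0x2c4</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data><Data Name="IpAddress">10.0.0.9</Data>
<Data Name="IpPort">50111</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4663</EventID><TimeCreated SystemTime="2024-05-01T08:12:30Z"/></System>
<EventData><Data Name="SubjectUserSid">S-1-5-21-1-2-3-1105</Data><Data Name="SubjectUserName">alice</Data>
<Data Name="SubjectDomainName">EXAMPLE</Data><Data Name="SubjectLogonId">0x1a2b3c</Data>
<Data Name="ObjectServer">Security</Data><Data Name="ObjectType">File</Data>
<Data Name="ObjectName">D:\\Finance\\payroll.xlsx</Data><Data Name="HandleId">0x4a8</Data>
<Data Name="AccessList">%%4416</Data><Data Name="AccessMask">0x1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4634</EventID><TimeCreated SystemTime="2024-05-01T08:35:00Z"/></System>
<EventData><Data Name="TargetUserSid">S-1-5-21-1-2-3-1105</Data><Data Name="TargetUserName">alice</Data>
<Data Name="TargetDomainName">EXAMPLE</Data><Data Name="TargetLogonId">0x1a2b3c</Data>
<Data Name="LogonType">3</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    # One dict per <Event>: ID, UTC time and the ordered EventData (Name, value) strings.
    events = []
    for ev in ET.fromstring(xml_text).findall(NS + "Event"):
        system = ev.find(NS + "System")
        stamp = system.find(NS + "TimeCreated").get("SystemTime")
        events.append({
            "id": int(system.find(NS + "EventID").text),
            "time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
            "data": [(d.get("Name"), d.text or "")
                     for d in ev.find(NS + "EventData").findall(NS + "Data")]})
    return events

def string_n(event, n):
    # Positional, 1-based as in LogParser's Strings field: in 4624, string 9 is LogonType.
    return event["data"][n - 1][1]

def field(event, name):
    # Named access through the Data element's Name attribute, safer when the XML is at hand.
    return dict(event["data"]).get(name)

def logons_of_type(events, logon_type):
    # Event ID alone is not enough: every logon type is a 4624, so an alert on
    # Remote Desktop logons (type 10) must also test string 9.
    return [field(e, "TargetUserName") for e in events
            if e["id"] == 4624 and string_n(e, 9) == str(logon_type)]

def session_logon_id(event):
    # The session's Logon ID is on the Target side of logon/logoff events and on the
    # Subject side of everything the session went on to do (object access, processes).
    return field(event, "TargetLogonId" if event["id"] in (4624, 4634, 4647) else "SubjectLogonId")

def session_timeline(events, logon_id):
    # What Find on a Logon ID gives you in Event Viewer: the logon, the audited
    # object accesses and the logoff for that session, in time order.
    labels = {4624: "logon type {LogonType} from {IpAddress}",
              4663: "access mask {AccessMask} on {ObjectName}",
              4634: "logoff", 4647: "logoff"}
    rows = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if session_logon_id(e) == logon_id:
            what = labels.get(e["id"], "other event").format(**dict(e["data"]))
            rows.append((e["time"].isoformat(), e["id"], what))
    return rows

def session_duration_seconds(events, logon_id):
    # 4624 to the matching 4634/4647; None if no logoff was recorded for this Logon ID.
    times = {e["id"]: e["time"] for e in events if session_logon_id(e) == logon_id}
    start, end = times.get(4624), times.get(4634, times.get(4647))
    return None if start is None or end is None else (end - start).total_seconds()

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("RDP logons:", logons_of_type(evs, 10))
    print(*session_timeline(evs, "0x1a2b3c"), sep="\n")
```

Run as is, it lists bob's type 10 logon and prints alice's session as three rows (logon from 10.0.0.7, the payroll file access, logoff), 35 minutes apart. The positional and named accessors are deliberately both present: log-management products and LogParser give you the strings by number, while the XML carries the Name attribute, and the comment on session_logon_id records the one detail that trips up most correlation rules, namely that the Logon ID you search for sits under New Logon in 4624 but under Subject in the events the session produces.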
The underlying log files are .evtx files, stored by default under %SystemRoot%\System32\winevt\Logs; double-clicking one opens it in Event Viewer, and these are the same files Event Viewer reads when you browse a log. Note that specific applications may have their own custom log locations, in which case you will need to check the vendor's documentation for the log file location.