Question

A Windows event log is one of the first tools to use to learn to analyze problems. As a security administrator, you must ensure that local logging is enabled on systems and networking devices. The process that can create an audit log is usually required to run in privileged mode so that users cannot stop or change it. To view logs on a Windows asset through a graphic user interface (GUI) like you see in Figure 9.1 , you have to open the Event Viewer.

Figure 9.1 : Windows Event Viewer displaying logs

Events are placed into three different categories, each of which is related to a log that Windows keeps. While there are a lot of categories, the majority of troubleshooting and investigation happens in the application, system, or security log.

• Application The application log records events related to Windows components like drivers.
• System The system log records events about programs installed.
• Security When security logging is enabled, this log records events related to security, such as logon attempts and resources accessed.

In Lab 9.1 you'll learn how to examine the Windows security logs.

---

LAB 9.1 : EXAMINING WINDOWS SECURITY LOGS

1. On a Windows system, use the Windows+R key combination to open the Run menu.
2. Type eventvwr in the Open field and press Enter.
3. There are three panes on the Event Viewer screen. The pane to the left is the hierarchy of log files. The pane to the right shows the actions you can take. For a granular view of the logs, you use the large center pane. Open each level of logs by clicking the arrow to the left of the folder or file in the left pane.
4. Under Windows Logs, click Security. In the center of the page, a list of all security events that have been recorded on this machine is displayed. As you see in Figure 9.2 , these are audit successes recorded on this host. To the left, you see actions you can take on these logs, including filtering them for critical events or warnings as well as examining the log properties.

   

   Figure 9.2 : Security logs on a Windows machine

5. When you're familiar with the security logs, open the Application and System folders. These logs will help you understand what applications are running on your machine, what they are doing, and whether they are having difficulties. The System folder is an excellent place to filter critical events such as configuration changes or power loss, as displayed in Figure 9.3 .

   

   Figure 9.3 : Critical warning on a Windows machine

---