By now, you've probably had the opportunity to use the LogParser command-line tool to track and analyze important events in your Windows Security logs, as I showed you how to do in "Targeting Failed Logons," September 2004, InstantDoc ID 43450, and "LogParser," July 2004, InstantDoc ID 42174. I've given you a basic understanding of how this tool works and an example of how to use its Strings field and EXTRACT_TOKEN function to distill data in your domain controllers' (DCs') Security logs. You can use LogParser to write queries that will zero in on just about any Security-log information: Simply look at a sample event for the type of occurrence you want to track, determine which Strings elements you want LogParser to return and how you want to refer to them, and which elements you want to use to filter your data—then use the sample queries in this and my other LogParser articles to format your own queries.
In "Targeting Failed Logons," I wrote about tracking authentication failures caused by bad passwords. Let's examine several other types of events—such as failed authentications caused by problems other than bad passwords, the addition of a member to a group, and certain user-account changes (e.g., password resets)—that the savvy IT pro will want to keep an eye on. . . .
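The following batch file is an added example, not a query from the article, showing the process just described applied to two of those event types on a Windows 2000/2003 DC: members added to security-enabled global groups (event ID 632) and password resets (event ID 628). The Strings token positions, the DC name DC1 and the output file names are assumptions; confirm the token order against a sample event on your own DC, exactly as the article advises, before trusting the report.

```batch
@echo off
REM Added example, not part of the original article.
REM LogParser exposes each event's insertion strings in the Strings field, separated
REM by '|'; EXTRACT_TOKEN(Strings, n, '|') pulls out the n-th (zero-based) element.
REM
REM Assumed insertion-string order for event 632 (global group member added):
REM   0 member name, 1 member SID, 2 target group, 3 target domain, 4 target SID,
REM   5 caller user, 6 caller domain, 7 caller logon ID, 8 privileges
REM Local-group adds (636) and universal-group adds (660) use the same layout.
REM Assumed DC name: DC1. Output: GroupAdds.csv

logparser -i:EVT -o:CSV -stats:OFF "SELECT TimeGenerated, ComputerName, EXTRACT_TOKEN(Strings, 0, '|') AS MemberName, EXTRACT_TOKEN(Strings, 2, '|') AS GroupName, EXTRACT_TOKEN(Strings, 3, '|') AS GroupDomain, EXTRACT_TOKEN(Strings, 5, '|') AS CallerUser, EXTRACT_TOKEN(Strings, 6, '|') AS CallerDomain INTO GroupAdds.csv FROM \\DC1\Security WHERE EventID IN (632; 636; 660) AND EXTRACT_TOKEN(Strings, 2, '|') IN ('Domain Admins'; 'Enterprise Admins'; 'Schema Admins'; 'Administrators') ORDER BY TimeGenerated"

REM Assumed insertion-string order for event 628 (user account password set/reset):
REM   0 target account, 1 target domain, 2 target SID,
REM   3 caller user, 4 caller domain, 5 caller logon ID
REM A reset where caller and target differ is an administrator acting on someone
REM else's account, which is the case worth reviewing. Output: PasswordResets.csv

logparser -i:EVT -o:CSV -stats:OFF "SELECT TimeGenerated, ComputerName, EXTRACT_TOKEN(Strings, 0, '|') AS TargetAccount, EXTRACT_TOKEN(Strings, 1, '|') AS TargetDomain, EXTRACT_TOKEN(Strings, 3, '|') AS CallerUser, EXTRACT_TOKEN(Strings, 4, '|') AS CallerDomain INTO PasswordResets.csv FROM \\DC1\Security WHERE EventID = 628 AND EXTRACT_TOKEN(Strings, 0, '|') <> EXTRACT_TOKEN(Strings, 3, '|') ORDER BY TimeGenerated"
```

The same pattern works for any Security event: substitute the event ID, then map each Strings token you want to a column alias and use the same EXTRACT_TOKEN expression in the WHERE clause to filter.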

