June 27, 2000 01:54 PM

Archiving and Analyzing the NT Security Log

Windows IT Pro
InstantDoc ID #9043
Free and inexpensive tools help you track event-log activities
Windows NT thoroughly captures security events, but the OS doesn't provide many tools to track those events. Given the difficulty and time-consuming nature of manual event-log analysis, you might neglect Security-log analysis activities. But if you ignore these important tasks, you might lose security-event data or miss the signs of an attempted (and possibly successful) attack. In this final article of the ...


I'm trying to find a couple of things. 1) What event number will tell me when a user has entered a bad password? I know 529 will, but it also shows up under other actions. What about 675? 2) What is a good tool to report on the Security log? I need a count of all bad passwords by user and then a listing of each. Something automated.

Morgan 6/15/2007 1:01:03 PM




Unfortunately, the user account doesn't maintain this information. Your only option is to catch all occurrences of event ID 624 in each domain controller's Security log. Event ID 624 identifies newly created user accounts.


--Randy Franklin Smith


Randy Franklin Smith 12/1/2000 3:17:56 PM


I've been searching for books, articles, and vendor information about the Windows NT event logs. Randy Franklin Smith's articles about the NT Security log (March through August 2000) are especially useful in clarifying the meaning of a lot of the events I see every day in the Security log. Can you tell me other sources I can get my hands on to dive more deeply into this subject?



EDWARD 9/14/2000 1:55:42 PM


I found the auditcat.hlp file in the Microsoft Windows NT Server 4.0 Resource Kit to be very informative. You also can learn a lot from searching the Microsoft Knowledge Base (http://support.microsoft.com) and experimenting on your own.


--Randy Franklin Smith

Randy Franklin Smith 9/14/2000 1:52:33 PM


I've enjoyed reading Randy Franklin Smith's articles about the Windows NT Security log (March through August 2000), but I have a question that I haven't been able to find an answer to. My network policy is not to audit workstations (i.e., auditing isn't turned on through User Manager). I want to turn on auditing, and I need to accomplish this task remotely. I have the ability to use a KiXtart script during logon, or I can use Tivoli to send a software package. Is there a way to handle this task remotely? I have more than 3600 workstations in a four-state area. Obviously, sneaker net isn't an option.

Fred Montney 8/10/2000 3:33:24 PM


The first tool that comes to mind is auditpol.exe, a Microsoft Windows NT Server 4.0 Resource Kit utility that lets you set audit policy on remote computers from the command line. Assuming that you have Domain Administrators authority and that the Server service is running on the workstations (it does by default), you can write a simple script that calls Auditpol once for each workstation. If the Server service isn't running, you can call Auditpol from the logon script if your users are members of the local Administrators group on their workstations (which isn't a good idea, by the way). Like any other program that sets audit policy, Auditpol requires you to be running with local Administrator privileges. Bear in mind that you might be able to use Tivoli if the Tivoli agent has Administrator authority on the workstations. (Windows 2000 completely solves this problem with Group Policy.)


--Randy Franklin Smith


Randy Franklin Smith 8/10/2000 3:31:45 PM
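One shape the "call Auditpol once for each workstation" script above could take, as an added example written for this page (it is not Randy's script and not part of the Resource Kit): a batch file for NT 4.0 cmd.exe that reads NetBIOS names from a list file and records each result. The list file name, log file name and the chosen audit categories are assumptions; the switches follow the Resource Kit auditpol syntax (/enable, /logon:, /system:, /policy: with success|failure|all|none), so confirm them against auditpol /? on your copy.

```batch
@echo off
rem Push an NT 4.0 audit policy to every workstation named in a list file.
rem Assumptions: one NetBIOS name per line in workstations.txt (file name is
rem an assumption), auditpol.exe from the Resource Kit is in the PATH, the
rem script runs under a Domain Admins account, and the Server service is up
rem on each target (needed for the remote \\computer call).
setlocal
set LIST=workstations.txt
set LOG=auditpol-results.log

if not exist %LIST% (
    echo Workstation list %LIST% not found.
    goto :eof
)

echo Audit policy push results > %LOG%

rem tokens=* keeps the whole line; blank lines are skipped by for /f.
for /f "tokens=*" %%W in (%LIST%) do call :setpolicy %%W
goto :eof

:setpolicy
rem Turn auditing on and audit logon, system and policy-change events
rem (policy changes are audited so that this push itself is recorded).
rem Output and errors go to the log so failed hosts can be retried later.
auditpol \\%1 /enable /logon:all /system:all /policy:all >> %LOG% 2>&1
rem Errorlevel handling assumes auditpol returns nonzero on failure; the
rem captured output is the authoritative record either way.
if errorlevel 1 (
    echo FAILED: %1 >> %LOG%
) else (
    echo OK: %1 >> %LOG%
)
goto :eof
```

Run it from a domain controller or an admin workstation, then grep the log for FAILED to find hosts that were off or had the Server service stopped.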


Have a look at http://www.heysoft.de/index.htm. The utilities are posted there, plus some similar tools for reporting on other event codes in the EVT files.

Phil Spencley 8/8/2000 12:32:59 PM


Where can I get hold of the R528 and R529 utils?

Rob Williams 8/4/2000 7:42:47 AM

