September 26, 2007 12:00 AM

New Security Log Illuminates Windows Events

More consistent event descriptions and a more capable Event Viewer mark Windows 2008 and Vista
Windows IT Pro
InstantDoc ID #96799

The simplest way to attach a task to an event is to select the desired event in Event Viewer and then click the Attach Task To This Event option in the task pane, which starts the Create Basic Task wizard. The wizard asks you to name the task and prompts you to define the program, email message, or display message you desire when that event ID is logged. After you finish the wizard, you can view the event, its properties, and its history by opening the MMC Task Scheduler snap-in found on the Start Menu under All Programs\Accessories\System Tools.

Often, though, you'll need to be a little more specific with your trigger criteria than simply specifying an event ID. The good news is that any criteria you can specify in a custom view filter you can also specify in an event trigger, including advanced filters written in XML. The bad news is that you can't use Event Viewer to create the trigger; you must use Task Scheduler instead. Open Task Scheduler and click Create Task. On the General tab, specify the name and description of the task as well as the account the task should execute under.

Then select the Trigger tab and click New. In the New Trigger dialog box, select On an event from the Begin the task drop-down list. Select Custom in the Settings drop-down box, and click New Event Filter. Now you're shown the same dialog box as when you create a custom view in Event Viewer. You can either use the Filter tab to specify the filter criteria or use the XML tab to specify an advanced filter in XML syntax. After you finish the trigger criteria, you can go to the Actions tab to specify one or more actions for Task Scheduler to execute.
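The trigger described above, built as an added example rather than code from the article: a task whose trigger is an XML event filter in the same syntax the XML tab accepts. The task name, the script path C:\Scripts\Notify-FailedRdpLogon.ps1 and the alert condition (Security event 4625, failed logon, logon type 10 for Remote Desktop) are assumptions chosen for illustration; run it in an elevated PowerShell session.

```powershell
# Added example, not from the article. Registers a Task Scheduler task with an
# event trigger whose subscription is an advanced XML filter (assumed values below).
$taskName = 'Alert-FailedRdpLogon'

# More specific than an event ID alone: the filter also matches on EventData.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)]] and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
'@

# The query is stored as text inside the task XML, so its markup must be escaped.
$escaped = [System.Security.SecurityElement]::Escape($query)

$taskXml = @"
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Runs a notification script when a Remote Desktop logon fails</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$escaped</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -File C:\Scripts\Notify-FailedRdpLogon.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"@

Register-ScheduledTask -TaskName $taskName -Xml $taskXml -Force | Out-Null

# Confirm the subscription survived the round trip through the Task Scheduler service.
(Get-ScheduledTask -TaskName $taskName).Triggers | Select-Object -ExpandProperty Subscription
```

Register-ScheduledTask ships with Windows 8/Server 2012 and later; on Windows 2008 or Vista, save the same XML to a file and register it with `schtasks /Create /TN Alert-FailedRdpLogon /XML task.xml`.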

A final thing I like about Event Viewer is the revamped log retention policy options you see when you open the properties of the Security log. The old Overwrite events older than _ days has been replaced by Archive the log when full, do not overwrite events, which for the first time exposes a feature that's been around for a long time but was configurable only via the registry by using the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Service\AutoBackupLogFiles setting. If you select the Archive the log when full option, Windows will automatically archive the Security log to C:\Windows\System32\winevt\Logs.

A word of caution, though: Windows will continue logging and archiving events until it fills the drive, so you need some kind of automated process for moving the logs. In the end, there's no good substitute for a real log management solution from an ISV. "Event Response," November 2004, InstantDoc ID 44093, compares three such tools. The Security Pro VIP article "Enterprise Event Logging for SMBs," InstantDoc ID 95511, describes six enterprise log collection and management tools.
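An added example (not from the article) of the automated process the caution above calls for: it turns on the archive-when-full behaviour for the Security log, checks that the log mode really changed, and moves completed archives off the system drive. The collection share \\logserver\archive and the 10 percent free-space threshold are assumptions; run it elevated on the monitored server, typically from a scheduled task.

```powershell
# Added example, not from the article. Archive the Security log when full and
# move the archives Windows writes to winevt\Logs to an off-box share (assumed path).
$logName     = 'Security'
$archiveDir  = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$destination = "\\logserver\archive\$env:COMPUTERNAME"   # hypothetical collection share

# Same setting the article describes (AutoBackupLogFiles in the registry): retention on
# plus autobackup on equals "Archive the log when full, do not overwrite events".
wevtutil sl $logName /rt:true /ab:true

# Verify: the API should now report AutoBackup rather than the default Circular mode.
$mode = (Get-WinEvent -ListLog $logName).LogMode
if ($mode -ne 'AutoBackup') { throw "Expected AutoBackup mode for $logName, got $mode" }

if (-not (Test-Path $destination)) {
    New-Item -ItemType Directory -Path $destination | Out-Null
}

# Windows names each archive Archive-<Log>-<timestamp>.evtx. Skip anything written in
# the last minute in case the service is still finishing it.
$cutoff = (Get-Date).AddMinutes(-1)
Get-ChildItem -Path $archiveDir -Filter "Archive-$logName-*.evtx" |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        $target = Join-Path $destination $_.Name
        Copy-Item -Path $_.FullName -Destination $target
        # Only delete the local copy once the remote copy is the same size; an archive
        # lost here is evidence gone for good.
        if ((Get-Item $target).Length -eq $_.Length) {
            Remove-Item -Path $_.FullName
        } else {
            Write-Warning "Size mismatch for $($_.Name); local copy kept"
        }
    }

# Warn while there is still time: the system drive is nearly full.
$drive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
if ($drive.Free / ($drive.Free + $drive.Used) -lt 0.10) {
    Write-Warning "System drive below 10% free; Security log archives may soon fill it"
}
```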

Get Going
As you can see, a lot has changed and a lot has stayed the same in Windows auditing and security logging, but in general, there are many improvements. The new more granular audit policy will help you eliminate some but not all the noise that Windows writes to the Security log. The automatic task execution capability might help you automate responses or be alerted to important events when they occur. And the custom filter views will certainly help administrators that don't have a full-featured log management solution.

All the new event IDs and their changed formats will definitely mean a steep learning curve and lots of report and alert criteria redesign before you can start monitoring and analyzing Windows 2008 and Vista logs. Ultimately, though, the new formats are an improvement, especially in the area of consistency.

One other major new feature associated with event logs in Windows 2008 and Vista is the new event-forwarding capability, which for the first time allows Windows systems to automatically send events to other servers on which you can theoretically do centralized event management. But collecting logs from multiple computers is a gargantuan task, and Windows 2008's HTTP-based method for event forwarding is only intended for small volumes of events defined with very specific criteria. "Windows Eventing 6.0" describes Windows 2008 and Vista's centralized event-collection capabilities.

Get to know the new event log in Windows 2008 as soon as possible so that your security monitoring and compliance activities can continue unimpaired as you start migrating to the new platform.


Comments
  • Renee
    Jan 08, 2008

    I've replaced the other link (the event schema one) with another link that I think should be helpful. Thanks for pointing out the problem.

    Renee Munshi, Windows IT Pro editor

  • Anne
    Jan 07, 2008

    Thanks for pointing out the errors. The Security Log Encyclopedia link is now working. We'll get the other one fixed ASAP.

  • Brian
    Jan 07, 2008

    http://www.windowsitpro.com/Windows/Articles/ArticleID/96799/pg/2/2.html

    Two hyperlinks identified on page two of the article are invalid!
