Finding a Specific Event
Sometimes you need to see an event in context rather than filtering it. To find an event, select View, Find from the main menu, and select or enter the search criteria. The Find dialog box resembles the Filter dialog box. The Find function shows you the desired event in a list with other events in the log, as Screen 1 shows. To look through the entire log, press F3 to jump to the next event with the desired search criteria.
Security Auditing
By default, NT performs no security auditing. You must turn on security auditing before you can view events in the Security log. You can audit only if you use NTFS; FAT has no security capability and thus does not support auditing.
Open User Manager for Domains, and select Policies, Audit. Select the events you want to audit (e.g., success and failure for logons, file and object access, use of user rights, security policy changes), as Screen 5 shows. If you choose file and object access, you must set the auditing options for the files, using the Security tab of the Properties window for the file, directory, or disk, as Screen 6 shows. You do not have to audit all files and users and then filter the logs. You can audit only certain users or groups, and only specific files or directories.
If you are operating in a high-security environment, you might want the system to shut down when the Security log fills up. Shutting down the system prevents an attacker from filling the Security log with bogus events, then breaking in without leaving an audit trail. After the system shuts down, only the systems administrator can connect to the system. The systems administrator must clear the log before anyone else can connect.
To configure an automatic shutdown when the Security log fills up, open a Registry editor and go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. (Before you edit the Registry, update your Emergency Repair Disk--ERD.) Add the value name CrashOnAuditFail, data type REG_DWORD, and entry value 1. When the Security log fills up, the Registry entry value changes to 2, and the system shuts down. The systems administrator can restart the Security log, clear it, and change the value back to 1. Users cannot log on until the system reboots.
Saving Logs
You might want to save event logs for security purposes or for later analysis. From the main menu, select Log, Save As. You can then save the log in one of three formats: .evt, Text Files, or Comma Delimited. The .evt format saves the log in the event log format, which lets you read the log later and use the Event Viewer tools to examine it. The Text Files option saves the log as a simple text file, which you can read by using a text editor. The Comma Delimited option is useful if you want to read the event log file in a program such as Excel or Access.
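A Comma Delimited export is also the easiest format to feed into a script. The following example, added here and not taken from the article or from any Microsoft tool, parses such an export and pulls out two things a security reviewer wants from the Security log: users with repeated logon failures, and events that touch the audit trail itself. The column layout (Date, Time, Source, Type, Category, Event, User, Computer) and the sample lines are constructed for this example; the event IDs used (528 successful logon, 529 failed logon, 517 audit log cleared, 612 audit policy changed) are assumed to follow NT's standard Security log numbering.

```python
import csv
import io
from collections import Counter

# Assumed column layout of an NT Event Viewer "Comma Delimited" export.
FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

# Constructed sample export (not real log data): one good logon, four
# failed logons for the same account, an audit policy change, and a log clear.
SAMPLE_EXPORT = """\
10/26/1998,9:58:10 AM,Security,Success Audit,Logon/Logoff,528,ACME\\alice,WS01
10/26/1998,10:01:42 AM,Security,Failure Audit,Logon/Logoff,529,ACME\\bob,WS01
10/26/1998,10:01:55 AM,Security,Failure Audit,Logon/Logoff,529,ACME\\bob,WS01
10/26/1998,10:02:03 AM,Security,Failure Audit,Logon/Logoff,529,ACME\\bob,WS01
10/26/1998,10:02:20 AM,Security,Failure Audit,Logon/Logoff,529,ACME\\bob,WS01
10/26/1998,10:30:00 AM,Security,Success Audit,Policy Change,612,ACME\\Administrator,WS01
10/26/1998,10:31:15 AM,Security,Success Audit,System Event,517,ACME\\Administrator,WS01
"""

# Assumed meanings of the Security log event IDs that affect the audit trail.
AUDIT_TRAIL_EVENTS = {517: "audit log cleared", 612: "audit policy changed"}


def parse_export(text):
    """Parse a Comma Delimited export into a list of dicts keyed by FIELDS.

    Uses the csv module so that quoted fields (e.g. a user name containing a
    comma) are handled correctly; the event ID is converted to an integer.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        rec = dict(zip(FIELDS, row))
        rec["event"] = int(rec["event"])
        records.append(rec)
    return records


def failed_logons_by_user(records, threshold=3):
    """Return {user: count} for accounts with at least `threshold` failed logons.

    Only Security-log Failure Audit events in the Logon/Logoff category are
    counted, so application or system events never inflate the numbers.
    """
    counts = Counter(
        r["user"]
        for r in records
        if r["source"] == "Security"
        and r["type"] == "Failure Audit"
        and r["category"] == "Logon/Logoff"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


def audit_trail_events(records):
    """Return (time, event id, description, user) for events that alter auditing.

    A cleared log or a changed audit policy deserves a closer look, because
    either one can hide what happened afterwards.
    """
    return [
        (r["time"], r["event"], AUDIT_TRAIL_EVENTS[r["event"]], r["user"])
        for r in records
        if r["source"] == "Security" and r["event"] in AUDIT_TRAIL_EVENTS
    ]


def review(text, threshold=3):
    """Run both checks over an export and return the findings as a dict."""
    records = parse_export(text)
    return {
        "records": len(records),
        "repeated_failures": failed_logons_by_user(records, threshold),
        "audit_trail": audit_trail_events(records),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_EXPORT)
    print(f"{findings['records']} events read")
    for user, n in findings["repeated_failures"].items():
        print(f"{n} failed logons for {user}")
    for when, event_id, what, who in findings["audit_trail"]:
        print(f"{when}: event {event_id} ({what}) by {who}")
```

Point the script at a real export with `review(open("security.csv").read())`; the threshold argument sets how many failures for one account count as worth reporting.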
Improving Your Reports
The Microsoft Windows NT Workstation 4.0 Resource Kit includes the Crystal Reports Event Log Viewer. This report writer lets you extract, view, save, and publish information from the event logs. If you frequently need formatted reports, you'll want to further investigate this useful application.
Advance Diagnosis and Cure
The Event Viewer is the first tool you reach for to diagnose a problem in NT. You need to understand how the Event Viewer works, what information it shows, and which data deserves closer examination. Do not wait until you have a problem before you examine the event logs. If you scan the logs weekly, you can discover potential problems and solve them before they affect users.