There's no longer a Type column. Now, we have Level and Keywords. As far as I can
tell, all events in the Security log appear to have the Information level,
and either the Audit Failure or Audit Success keywords.
You'll find that the event descriptions have changed drastically. Windows 2008
inserts many more dynamic values in the descriptions, and Microsoft has made
progress in enforcing some consistency in description data throughout the different
event IDs. The event ID descriptions are a good example of how a well-designed
XML schema helps handle data records that are similar in structure but dynamic
from one instance to another.
Many event ID descriptions share common data elements. For instance, nearly
every event needs to log subject information—that is, the "who" of the
event. As Figure 2 and the text above
show, subject information includes SID, account name, domain, and logon ID.
Historically, Windows has been inconsistent from one event to another about
exactly how it logged this subject information. Some subject data was sometimes
omitted or labeled differently.
To see an example, compare the subject data in Windows 2003's Account Logon
events. The account name is labeled several different ways, and certain subject
data is missing from some event IDs.
In Windows 2008, you'll find a number of common sections across most event
IDs. I already mentioned the Subject section. Events that track an operation
on some type of object—such as access to a file—have an Object
section with all the appropriate fields for identifying the object, such as
the type of object and its fully qualified name. All events that note the system
process involved in the event include a Process Information section that documents
the process identifier (PID) and name of the executable.
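The following PowerShell is an added example, not code from the article or from Microsoft, showing how the consistent Subject and Process Information sections can be read straight from an event's XML instead of scraped from the rendered description. The field names SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, ProcessId and ProcessName are the Data names the Microsoft-Windows-Security-Auditing provider uses; the sample event embedded in the block is constructed, and the logon event ID 4624 used in the commented live query is an assumption not taken from the article.

```powershell
# Added example, not from the article or from Microsoft. Reads the shared
# Subject and Process Information sections out of a Security event's XML.

function Get-EventElement {
    param([xml]$Doc, [string]$LocalName)
    # local-name() sidesteps the event schema's default namespace.
    $Doc.SelectSingleNode("//*[local-name()='$LocalName']")
}

function ConvertFrom-SecurityEventXml {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        [xml]$x = $EventXml
        $data = @{}
        # Each <Data Name="..."> is one named field. The same loop serves every
        # event ID because the Subject/Object/Process sections reuse the same names.
        foreach ($d in $x.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            EventId     = [int](Get-EventElement $x 'EventID').InnerText
            Time        = (Get-EventElement $x 'TimeCreated').GetAttribute('SystemTime')
            Level       = (Get-EventElement $x 'Level').InnerText      # 0 = Information
            Keywords    = (Get-EventElement $x 'Keywords').InnerText   # 0x8020... success, 0x8010... failure
            SubjectSid  = $data['SubjectUserSid']
            Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId     = $data['SubjectLogonId']
            ProcessId   = $data['ProcessId']
            ProcessName = $data['ProcessName']
            AllFields   = $data
        }
    }
}

# Constructed sample (not a capture from a real system), shaped like a 2008 logon event.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <Level>0</Level>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2008-01-07T10:15:00.000Z" />
    <Channel>Security</Channel>
    <Computer>SRV01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SRV01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="ProcessId">0x1f4</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
  </EventData>
</Event>
'@

# Offline: parse the constructed sample.
$sampleXml | ConvertFrom-SecurityEventXml | Format-List EventId, Subject, LogonId, ProcessName

# Live (Windows 2008 or later): the same parser over real logon events (ID 4624 assumed).
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml |
#     Format-Table EventId, Time, Subject, LogonId, ProcessName -AutoSize
```

Because the parser keys on the Data element's Name attribute rather than on the position of a value in the description text, it keeps working across event IDs and across the localized description strings that the old Windows 2003 parsers had to match by hand.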
Finally, you'll find more explanatory text at the bottom of some event descriptions
giving background on the event or explaining a little bit about some of the
values in the description. But the coverage is pretty spotty and frequently
incomplete. Whew! My Security Log Encyclopedia lives on!
New Event Viewer
I'll finish up by describing the new Microsoft Management Console (MMC) Event
Viewer snap-in. Event Viewer is still not a full event log management solution,
but it's a much improved tool for casual, ad hoc analysis of security events.
The first thing you'll notice about Event Viewer is the new task pane, shown
on the right in Figure 4, which greatly
reduces the clicks required to perform common tasks such as setting up and later
clearing a filter. On the subject of filtering your view of the Security log,
Event Viewer provides the same basic filter features it's always had but with
a number of improvements.
When you click Filter Current Log in the task pane, you'll see the Filter Current
Log dialog box shown in Figure 5. The
Logged drop-down box makes it much easier to limit the time range you want to
analyze by providing Last hour, Last 12 hours, Last 24 hours,
Last 7 days, Last 30 days, and of course Custom range options.
These options are a great improvement over Windows 2003 and earlier, which required
you to specify exact date and time ranges.
You can limit the view to failure or success events by using the Keywords drop-down
box and filter by subcategories with the Task category drop-down box.
Note that the Task category drop-down isn't populated with the 52 audit
subcategories until you select Microsoft Windows security auditing in
the Event sources drop-down box. To view the results of your filter,
just click OK.
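As an added example (not the article's or Microsoft's code), the PowerShell below builds the same filter the Filter Current Log dialog does, covering the Level/Keywords change described at the top of the page as well as the time-range, keyword and provider controls: a function that queries by time window, Audit Success or Audit Failure keyword, provider and optional event IDs, followed by the structured XML form of the same query, which is what a saved Custom View stores and what Get-WinEvent accepts via -FilterXml. It assumes Windows Vista/2008 or later; the keyword bit values come from the .NET StandardEventKeywords enum rather than being typed by hand.

```powershell
# Added example, not from the article. Filters the Security log the way the
# Filter Current Log dialog does: time window, Audit Success/Failure keyword,
# provider and optional event IDs. Assumes Windows Vista/2008 or later.

function Get-SecurityAuditEvents {
    [CmdletBinding()]
    param(
        [ValidateSet('Success', 'Failure')][string]$Outcome = 'Failure',
        [int]$LastHours = 24,          # the dialog's "Last 24 hours" choice
        [int[]]$Id,                    # optional list of event IDs
        [int]$MaxEvents = 1000
    )
    # Keywords is a bitmask. The enum carries the documented AuditSuccess /
    # AuditFailure bits, so no magic numbers are needed.
    $kw = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]"Audit$Outcome"
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Keywords     = [long]$kw
        StartTime    = (Get-Date).AddHours(-$LastHours)
    }
    if ($Id) { $filter['Id'] = $Id }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# Failures in the last 24 hours, grouped by event ID and audit subcategory
# (TaskDisplayName is the subcategory name the Task category drop-down lists).
Get-SecurityAuditEvents -Outcome Failure -LastHours 24 |
    Group-Object Id, TaskDisplayName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The same filter as a structured XML query. This is the form Event Viewer keeps
# for a Custom View (visible on the dialog's XML tab) and accepts via -FilterXml.
# Keywords are tested with a bitwise 'band'; timediff() works in milliseconds.
$failureBits = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
$lastDayMs   = 24 * 60 * 60 * 1000
$customView = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
        and (band(Keywords,$failureBits))
        and TimeCreated[timediff(@SystemTime) &lt;= $lastDayMs]]]
    </Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $customView -MaxEvents 100 |
    Format-Table TimeCreated, Id, TaskDisplayName, Message -AutoSize -Wrap
```

The hashtable form is convenient interactively; the XML form is the one to keep under version control, because it is exactly what the Custom Views folder and event-forwarding subscriptions consume, so the same query can be reused outside Event Viewer without retyping it.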
Here's a cool new feature: Once you have the filter set up just the way you
want it, you can save it for future use with the Save Filter to Custom View
option in the task pane. When the Save Filter to Custom View dialog box appears,
you provide a name, a description, and a location under the Custom Views folder
(visible in Figure 4).
For the first time, Event Viewer lets you easily attach tasks to events, so that
the task runs automatically whenever a matching event is logged. Say you have a special
Microsoft SharePoint server dedicated to your company's senior executives, and
you want to know whenever an account gets locked out so that you can call the
executive and help him or her get back onto the server with minimum inconvenience
(for the executive, anyway!). You can trigger a message to be emailed or displayed
on the console, or a command or script to be executed, whenever an account lockout
event is logged.
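The PowerShell below is an added example, not the article's or Microsoft's code, that registers from the command line what the Attach Task To This Event wizard produces: a scheduled task with an event trigger on account lockouts, whose action runs a notifier script. It assumes the lockout event is Security event 4740 from Microsoft-Windows-Security-Auditing (a Windows 2008 event ID the article does not name), and the notifier script path is a placeholder you supply.

```powershell
# Added example, not from the article: register the equivalent of Event Viewer's
# "Attach Task To This Event" with schtasks.exe. Assumptions: account lockout is
# Security event 4740 (not named in the article); the script path is a placeholder.

$taskName   = 'Notify-ExecLockout'
$scriptPath = 'C:\Scripts\Notify-Lockout.ps1'      # placeholder: your notifier script
$xmlPath    = Join-Path $env:TEMP "$taskName.xml"

# The trigger's subscription is an event query. It is XML-escaped because it is
# embedded as text inside the task definition, which is itself XML.
$query = "<QueryList><Query Id='0' Path='Security'>" +
         "<Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]</Select>" +
         "</Query></QueryList>"
$subscription = [System.Security.SecurityElement]::Escape($query)

# ValueQueries copies the triggering record's ID into $(EventRecordID), so the
# script can fetch exactly the event that fired instead of guessing.
# The backtick keeps PowerShell from expanding $(...) inside the here-string.
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Run the lockout notifier whenever Security event 4740 is logged</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$subscription</Subscription>
      <ValueQueries>
        <Value name="EventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -File "$scriptPath" -RecordId `$(EventRecordID)</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# Task Scheduler expects UTF-16 for XML definitions.
[System.IO.File]::WriteAllText($xmlPath, $taskXml, [System.Text.Encoding]::Unicode)
schtasks.exe /Create /TN $taskName /XML $xmlPath /F
Remove-Item $xmlPath

# Confirm the trigger registered as expected.
schtasks.exe /Query /TN $taskName /V /FO LIST
```

Inside the notifier script, the record ID that arrives in -RecordId can be turned back into the full event with `Get-WinEvent -LogName Security -FilterXPath "*[System[EventRecordID=$RecordId]]"`, which gives the script the locked-out account name from the event's own fields before it sends the e-mail or console message. The MultipleInstancesPolicy of Queue matters: a burst of lockouts must not spawn a notifier per event in parallel, and a time limit keeps a stuck script from lingering.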
Two hyperlinks identified on page two of the article are invalid!
ars21292@yahoo.com January 07, 2008