Windows Logging - PowerPoint PPT Presentation

Provided by: newma4


1
Windows Logging
  • Or managing the morass...

2
The Good Old Days...
  • Back in the good old days of Windows NT, there
    were three main logs
  • The Application log
  • The System log
  • The Security log, which you almost never saw
    enabled on desktops.
  • Windows 9x (95, 98 and ME) of course didn't
    bother with anything so sophisticated.
  • Most users never realised that Windows logs
    existed.
  • Even those who did had no idea what most of the
    error messages meant.

3
Then life got a lot more complicated...
  • Currently there are two main setups, pre-Vista
    and post-Vista.
  • The logs which most sysadmins are used to are
    probably still the main three logs of Windows NT,
    although some minor tweaks have been made.
  • The Security log is not necessarily enabled on
    desktops.
  • It is turned on automatically on servers (2003)
    but the default settings record success and
    failure equally, which may not be the most
    efficient of settings.
  • One improvement is that Windows 2003 security
    logs may now record the full IP address of
    machines attempting a login (previously only the
    NetBIOS name was recorded).

4
Vista-Style Logging changes
  • Vista logs use a different XML-based format and
    the .evtx rather than the .evt extension.
  • More details can be found here
  • http://www.eventlogblog.com/blog/2007/12/vista-event-log-changes.html
  • There are two very important consequences
  • Vista and Windows 2008 .evtx logfiles cannot be
    read on pre-Vista machines (at least in native
    .evtx format)
  • http://eventlogs.blogspot.com/
  • The fields in which certain events are recorded
    have changed.
  • Specifically the Type field, which was previously
    used to record the severity of events
    (Information, Warning, Error, Audit Success,
    Audit Failure), is now called Level, and Audit
    Success and Audit Failure are no longer values of
    it: security audit events are now flagged in the
    new Keywords field, not the Level field.
  • If you already have a log-collecting procedure,
    then clearly what you collect will need to
    change.
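As an added example (not from the original slides) of what that change means for a collection script, the following PowerShell reads audit events the post-Vista way, selecting on the Keywords field rather than Level, and maps each record back to the old Type vocabulary so an existing collector schema can survive. The keyword bit values are the documented standard Windows audit keywords; the log name, lookback window and the Get-LegacyType helper name are illustrative choices made for this example.

```powershell
# Added example, not part of the original presentation. Run elevated:
# reading the Security log needs administrator (or Event Log Readers) rights.
# Standard Windows event keyword bits for Audit Success / Audit Failure.
$AuditSuccess = 0x20000000000000
$AuditFailure = 0x10000000000000

# Old habit: filter on Type/Level. On an .evtx Security log this typically
# finds nothing, because audit events carry Level 0, not an "Audit" level.
$byLevel = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Level = 2 } `
               -MaxEvents 10 -ErrorAction SilentlyContinue)
"Audit events found by filtering on Level: $($byLevel.Count)"

# Post-Vista: select on Keywords. FilterHashtable turns this into an XPath
# band() test, so only the audit bit itself is needed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = $AuditFailure
    StartTime = (Get-Date).AddDays(-1)   # illustrative lookback window
} -MaxEvents 200 -ErrorAction SilentlyContinue

# Map a record to the legacy Type name a pre-Vista collector expects.
# Helper name is this example's own, not a Windows cmdlet.
function Get-LegacyType {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $kw = [int64]$Record.Keywords
    if ($kw -band $AuditFailure) { return 'Failure Audit' }
    if ($kw -band $AuditSuccess) { return 'Success Audit' }
    switch ($Record.Level) {
        2       { 'Error' }
        3       { 'Warning' }
        default { 'Information' }
    }
}

$events |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Type';     e = { Get-LegacyType $_ } },
        @{ n = 'Keywords'; e = { '0x{0:X16}' -f [int64]$_.Keywords } } |
    Format-Table -AutoSize
```

The Keywords value printed for each record will show the audit bit set alongside Microsoft's reserved high bits; a collector that stores the raw Int64 and tests bits with -band keeps working whichever reserved bits Microsoft adds later.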

5
Vista-Style Logging changes
  • Vista logs use a different three-pane interface.
  • Windows 2008 logs follow this style but are
    potentially far more numerous.
  • One consequence of the new structure is that
    opening a Vista log, even on a powerful machine,
    takes far longer than the old .evt-style
    interface did.
  • As a consequence of recording much more detail,
    post-Vista-style logs can expand very rapidly, so
    it's wise to allow much more space for them.
  • The differences in what is recorded between Vista
    logs (desktop) and Windows 2008 logs,
    particularly on AD servers, are much more marked.

6
Vista/Windows 2008 Three-Pane Interface
  • The left-hand pane lists all the categories of
    logs.
  • The middle pane gives the old familiar log
    entries, with the details of the line you click on
    presented beneath.
  • The right-hand pane has a list of possible actions
    and tasks (for example the Filter action, which
    was previously found under the main menu).

7
What does all this mean for SysAdmins?
  • The primary use for logs is still for
    troubleshooting hardware and software problems as
    well as for security purposes.
  • The problem is that as the complexity of log
    entries increases, so does the ratio of
    background noise to useful information.
  • The old-style logs are still quite effective
    tools.
  • For example repeated messages in system logs
    about disk errors at decreasing intervals often
    precede a hard disk failure.
  • Or a malware-affected portable may give warning
    about "new" services being installed or even
    (when such malware has been partially cleaned by
    anti-virus or anti-spyware) of the malware's
    failure.

8
What does all this mean for SysAdmins?
  • The advantage of the older style of logs is that
    their format and error messages are in general
    well understood.
  • Specialist sites like eventid.net give good
    information on their meanings and possible
    consequences.
  • Even if a specialist site cannot give specific
    advice, details of the circumstances under which
    the error can arise may still be helpful.
  • The following example uses a filter which
    displays only the Warning, Error and Failure
    Audit entries in the Application log on a Windows
    XP box, and gives the less than helpful error
    message about a Fault Bucket failure.

9
Windows XP filtered Application Log
10
Odd Fault Bucket Error
11
Determining what the logs mean...
12
Determining what the errors mean...
  • Looking up the unhelpful error message 'Fault
    bucket', with no source except 'Application
    Error' and an event ID of 1001, gives a page of
    cases where this error message has arisen and
    what solved the problem, as well as references to
    Microsoft TechNet articles.
  • In this particular case
    http://support.microsoft.com/kb/828664 (one of
    the TechNet articles mentioned above) makes it
    clear that this error is normally related to
    another event ID (1004), which, looking back at
    the log being scanned, linked the error message
    with a Firefox problem.
  • So even the more obscure old-style messages can
    normally be determined.

13
What does all this mean for SysAdmins?
  • Basically just going through the logs on a
    regular basis manually, particularly on
    desktops, is no longer a viable proposition for
    most sysadmins, especially since the known
    problems database for Vista-style logs isn't
    really there yet.
  • So although mostly you will still need to go back
    to the full set of logs to diagnose a problem in
    further detail, some form of scripted
    collecting/sorting/pruning of logs is needed.
  • You can link directly to Microsoft's database of
    errors from Vista-style logs, but although I've
    tried this several times, mostly I get told I
    have an unknown error.
  • Hopefully as Vista and Windows 2008 age the
    known database of problems will get larger...

14
A small SQL Server patch problem
15
So what does all this mean for SysAdmins?
  • Various third-party products which perform this
    function have been around for ten years,
    including Event Alarm, GFI Events Manager and
    EventSentry.
  • Microsoft realised the growing market in this
    area was being exploited in the late 90s and
    brought out MOM 2000 (Microsoft Operations
    Manager).
  • MOM 2005 with SP1 is compatible with Windows
    2008, but it looks as though that is the end of
    the line (?merging with SMS).
  • 2007 saw the release of System Center Operations
    Manager 2007
    http://www.microsoft.com/systemcenter/operationsmanager/en/us/default.aspx
  • All of these are specialized products, and they
    are not free. Only large organisations can
    generally afford them.
  • So what's the alternative?

16
Free Alternatives
  • One tool which has been around for several
    years is produced (and to a certain extent
    supported) by Microsoft: Log Parser.
  • It can be downloaded from Microsoft
    http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
  • Although the blurb says it's compatible with
    Windows XP Pro, Windows 2000 and Windows 2003, it
    runs perfectly happily on Windows Vista and
    Windows Server 2008.
  • A word of warning: this is a command-line tool
    which demands a fair amount of care in usage and
    a basic knowledge of SQL syntax. It repays work
    put into it, but you will need to spend a little
    time getting used to it.

17
Free Alternatives
  • Log Parser will deal with many log formats other
    than the standard .evt and .evtx ones, including
    syslog files, W3C (IIS log-format) and various
    other Windows format files.
  • It has various output formats including a Chart
    one (pie graphs and the like) and SQL.
  • Log Parser is still a trifle buggy when used with
    .evtx files. You need to specify -i:EVT to get
    it to recognise these files.
  • The default output format used if you do not
    specify one is NAT, which is a very wide
    tabular format you may not find entirely helpful.
  • It comes with a directory full of SQL samples
    directed at the IIS log format so they will need
    to be adapted for ordinary event log use.

18
Free Alternatives
  • The following command line produces an output
    file called report.txt detailing a particular
    type of SQL Server event (EventType 16 is the
    Failure Audit type in Log Parser's EVT format)
    from the Application log on a Windows 2008 server
    running SQL Server 2005, in the Datagrid format,
    when run from the Program Files\Log Parser
    directory (probably best to extend the PATH to
    include the Log Parser directory on a regular
    basis).
  • logparser -i:EVT "SELECT * INTO report.txt FROM
    Application WHERE SourceName='MSSQLSERVER' AND
    EventType=16" -o:DATAGRID
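As an added example (not from the original slides), here is the same query driven from PowerShell in a form that can run unattended, plus a second query that uses the EVT input-format fields to rank the noisiest source/event-ID pairs. The Log Parser install path, the output file names and the 7-day window are assumptions for this example; the field names and EventType codes are those of Log Parser's EVT format.

```powershell
# Added example, not part of the original presentation.
# Assumes Log Parser 2.2 in its default install directory; adjust $LogParser.
$LogParser = Join-Path ${env:ProgramFiles(x86)} 'Log Parser 2.2\LogParser.exe'
if (-not (Test-Path $LogParser)) {
    $LogParser = 'C:\Program Files\Log Parser 2.2\LogParser.exe'
}

# EVT input-format fields used below: TimeGenerated, EventID, EventType,
# EventTypeName, SourceName, ComputerName, Message.
# EventType codes: 1 Error, 2 Warning, 4 Information, 8 Success Audit,
# 16 Failure Audit.

# 1. The slide's query, written to CSV instead of a DATAGRID window so it
#    can run from a scheduled task. Queries are collapsed to one line
#    before being handed to the native executable.
$q1 = @"
SELECT TimeGenerated, EventID, EventTypeName, ComputerName, Message
INTO sql-audit-failures.csv
FROM Application
WHERE SourceName = 'MSSQLSERVER' AND EventType = 16
ORDER BY TimeGenerated DESC
"@
& $LogParser -i:EVT -o:CSV -q:ON ($q1 -replace '\s+', ' ')

# 2. Triage the noise: which (source, event ID) pairs dominate the last
#    7 days of errors, warnings and audit failures? Log Parser's IN list
#    is semicolon-separated.
$since = (Get-Date).AddDays(-7).ToString('yyyy-MM-dd HH:mm:ss')
$q2 = @"
SELECT SourceName, EventID, EventTypeName, COUNT(*) AS Total
INTO event-summary.csv
FROM Application
WHERE TimeGenerated >= TIMESTAMP('$since', 'yyyy-MM-dd HH:mm:ss')
  AND EventType IN (1; 2; 16)
GROUP BY SourceName, EventID, EventTypeName
ORDER BY Total DESC
"@
& $LogParser -i:EVT -o:CSV -q:ON ($q2 -replace '\s+', ' ')

# Top ten offenders, which is usually where the "known problems" lookups start.
Import-Csv .\event-summary.csv | Select-Object -First 10 | Format-Table -AutoSize
```

Both queries use only the EVT fields Log Parser documents for that format; a typo in a field name is the usual reason for the "awful lot of errors" the next slide mentions, so `logparser -h -i:EVT` is worth a look before extending them.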

19
Free Alternatives
20
Free Alternatives format details (EVT)
21
Free Alternatives
  • The first details to check if you want to use Log
    Parser are the fields used in the format you
    want, or you will find that you are getting an
    awful lot of errors every time you try to run a
    query.
  • The examples given in the Log Parser online help
    files (or from the command-line) are far from
    exhaustive.
  • If you are more used to a GUI-style interface and
    unhappy building up your queries at the command
    line, then there is a GUI front-end available
    http://en.serialcoder.net/logiciels/visual-logparser.aspx
  • You need to read the documentation to ensure you
    have the right components available to use it.

22
Free Alternatives
  • Log Parser examples (also in the online Help)
  • http://www.microsoft.com/technet/scriptcenter/tools/logparser/lpexamples.mspx
  • SecurityFocus article on using Log Parser to look
    at IIS log files (includes a description of all the
    fields used in this format)
  • http://www.securityfocus.com/infocus/1712
  • Lots of IIS examples
  • http://www.codinghorror.com/blog/archives/000369.html
  • A step-by-step guide on importing Security logs
  • http://www.databasejournal.com/features/mssql/article.php/3515886/Import-Security-event-logs-using-Log-parser-and-SQL-Server.htm

23
Other Possible Solutions
  • Microsoft have also included a query-driven
    language (XPath expressions inside an XML
    QueryList, which the Event Viewer's Filter dialog
    generates behind the scenes) which you may prefer
    to use if you are happier with XML than SQL.
  • It is driven in much the usual way from the
    normal grey GUI-style interface.
  • For example in Windows 2008 server you will see
    an entry at the bottom of the left-hand pane
    entitled Subscriptions.
  • If you click on Subscriptions the normal type of
    wizard starts, asking you the type of questions
    you'd expect, e.g. which computers you wish to
    connect to (an obvious option is domain
    computers).
  • You also have the possibility of choosing which
    level of events (e.g. Audit Failure, Error etc.)
    you wish to collect.

24
Other Possible Solutions
  • The important point about subscriptions is the
    underlying new functionality of the post-Vista
    world: collecting remote logs (even onto a
    desktop), which is where the new Forwarded Events
    log comes in.
  • This allows you to combine logs from a variety of
    differing sources.
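As an added example (not from the original slides) covering both the XML query language and the Subscriptions wizard just described, the following PowerShell builds the same QueryList the Event Viewer dialog would generate, tests it locally, and then registers it as a source-initiated subscription with wecutil so domain computers push matching events into the collector's Forwarded Events log. The subscription name, description and the choice of events are this example's own; the element names are those of the Windows Event Collector subscription schema, and the keyword value 4503599627370496 is the standard Audit Failure keyword bit.

```powershell
# Added example, not part of the original presentation. Run elevated on the
# collector (Windows Server 2008 or later).
wecutil qc /q            # enable and start the Windows Event Collector service
# winrm quickconfig      # needed on each source computer (or pushed by Group Policy)

# The XPath-based query the Event Viewer filter dialog writes behind the
# scenes: Security audit failures plus Critical/Error entries from
# Application and System. Level 1 = Critical, 2 = Error.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
  </Query>
  <Query Id="1" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
  </Query>
</QueryList>
'@

# Try the query locally first; Get-WinEvent accepts exactly the same XML.
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 5 |
    Format-Table TimeCreated, LogName, Id, ProviderName -AutoSize

# Source-initiated subscription. The SDDL grants Domain Computers (DC) and
# Domain Controllers (DD). Source computers must also have the Group Policy
# setting "Configure target Subscription Manager" pointing at this collector.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DomainAuditFailures</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Audit failures and errors from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path .\DomainAuditFailures.xml -Value $subscription -Encoding UTF8

wecutil cs .\DomainAuditFailures.xml    # create the subscription from the file
wecutil gr DomainAuditFailures          # runtime status, per source computer
```

Selecting on the Keywords bit rather than a Level is the same point made on the Vista changes slide: a subscription written against Level would never see an audit failure. ContentFormat RenderedText makes the collector store the message text, which matters when the source computer's provider is not installed on the collector.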

25
The Event Collector Wizard
26
Other Alternatives
  • Other features in the new-look logs include the
    ability to attach a task to a particular log (a
    wizard runs).
  • The scheduled job can then be tidied up and/or
    developed in the usual way using the Scheduler.
  • There is also the ability to create Custom Logs
    for particular tasks.
  • Some particularly useful pre-supplied logs are
    included with the various new role functions in
    Windows Server 2008.
  • For example if a Windows 2008 server is set up as
    a Windows Terminal Server Gateway (TSG) then a
    log of who is accessing the TSG is automatically
    started.

27
Attaching a Task to a log
28
Mixed Solutions
  • It is perfectly possible to use a combination of
    Log Parser and the new functionality of normal
    Vista logging to handle more complex tasks.
  • For example you could use the new Forwarded
    Events log to collect all events of any severity
    from domain computers and then run the resulting
    output through Log Parser (which also produces
    CSV and TSV output) into the database of your
    choice.
  • For the brave, here's the Microsoft take on AD
    auditing
  • http://technet.microsoft.com/en-us/library/cc731607.aspx
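As an added example (not from the original slides) of that mixed pipeline, the following PowerShell snapshots the collector's Forwarded Events log to an .evtx file, loads it into a SQL Server table with Log Parser's SQL output format, and keeps a CSV copy for any other database. The server, database and path names are placeholders for this example; the Log Parser parameters and the wevtutil verbs are real ones.

```powershell
# Added example, not part of the original presentation. Run elevated on the
# collector. Placeholders: adjust $LogParser, $SqlServer, $Database, $LogDir.
$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'
$SqlServer = 'SQL01'          # placeholder SQL Server instance
$Database  = 'EventArchive'   # placeholder database (table is created below)
$LogDir    = 'C:\Logs'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$Export    = Join-Path $LogDir "ForwardedEvents-$Stamp.evtx"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 1. Snapshot the live Forwarded Events log to a static .evtx file, which
#    Log Parser's EVT reader handles more reliably than a live channel.
wevtutil epl ForwardedEvents $Export

# 2. Load the snapshot into SQL Server. -createTable:ON makes the table on
#    first run; the default ODBC driver for -o:SQL is "SQL Server".
#    Fields are the EVT input-format fields a later query is likely to need.
$q = @"
SELECT TimeGenerated, ComputerName, EventLog, SourceName, EventID,
       EventType, EventTypeName, SID, Message
INTO ForwardedEvents
FROM $Export
"@
& $LogParser -i:EVT -o:SQL -server:$SqlServer -database:$Database `
    -createTable:ON -q:ON ($q -replace '\s+', ' ')

# 3. Format-neutral copy for "the database of your choice".
$Csv = Join-Path $LogDir "ForwardedEvents-$Stamp.csv"
& $LogParser -i:EVT -o:CSV -q:ON "SELECT * INTO $Csv FROM $Export"

# 4. Clear the live log only after both loads succeeded, so the next run is
#    incremental and nothing is lost if Log Parser failed.
if ($LASTEXITCODE -eq 0) { wevtutil cl ForwardedEvents }
```

Keeping the .evtx snapshots alongside the database preserves the native record (and its original XML) for forensic use; the SQL table is the working copy that gets queried and pruned.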

29
The Future
  • Well, what can I say? If you are interested you
    can read the Microsoft System Center team's plan
    to take over the world
  • http://blogs.technet.com/systemcenter/archive/2008/04/29/operations-manager-2007-goes-cross-platform.aspx
  • THE END