Subject: [NT] Windows NT Event Log explained
Date: Tue, 12 Sep 2000 21:57:02 +0200

Windows NT Event Log explained
--------------------------------------------------------------------------------

SUMMARY

The following is a very good and in-depth article on Windows NT's Event Log,
its audit engine, and the tools used to manage the logs. The article also
describes a minor issue: a user's SID is reported inside an Event Log message
when that user's account is locked out. The article was written by NtWak0.

DETAILS

NT Logs description:

The Event Log is very easy to manage; all you need to do is run "Event Viewer".
This isn't the only program that is able to read the Event Log, but rather the
default one. There are a few API functions supported by Windows NT that allow
you to manage the Event Log programmatically. The Event Log itself is a normal
service, which can be stopped and started:

  C:\>net stop EVENTLOG
  C:\>net start EVENTLOG

Once the service is stopped, no new log messages will be added to the Event Log.

Logs type:

The three types of NT event logs are:

  System log
    Tracks miscellaneous system events, e.g. events during system startup and
    hardware and controller failures.

  Application log
    Tracks application-related events, e.g. informational messages generated by
    applications, such as failing to load a DLL, will appear in this log.

  Security log
    Tracks events such as logon, logoff, changes to access rights, and system
    startup and shutdown.

NOTE: By default the security log is turned off.

Logs location and enabling:

The location of the NT logs is:

  %SYSTEMROOT%\system32\config\SysEvent.Evt
  %SYSTEMROOT%\system32\config\SecEvent.Evt
  %SYSTEMROOT%\system32\config\AppEvent.Evt

By default, NT does not log all the events. You have to enable auditing; to do
so follow these steps:

1- From the Start Menu, choose Programs and then Administrative Tools (Common).
   From the Administrative Tools submenu, choose User Manager, which displays
   the User Manager window.
2- From the User Manager menu click Policies, then click Audit; the Audit Policy
   window appears.
3- Select the radio button "Audit These Events".
4- Select the events you want, click OK, and close User Manager.

Auditing of Privileges:

Certain privileges in the system are not audited by default, even when auditing
of privilege use is turned on. This is done to control the growth of the audit
logs. The privileges are:

1- Bypass traverse checking      *** To Everyone ***
   Granted to everyone, so it is meaningless from an auditing perspective.
2- Debug programs                *** To Administrators ***
   Not used in a working system and can be removed from the Administrators group.
3- Create a token object         *** To no one ***
   Should not be granted to anyone.
4- Replace process level token   *** To no one ***
   Should not be granted to anyone.
5- Generate Security Audits      *** To no one ***
   Should not be granted to anyone.
6- Backup files and directories  *** To Administrators, Backup Operators ***
   Used during normal system operations.
7- Restore files and directories *** To Administrators, Backup Operators ***
   Used during normal system operations.

To enable auditing of these privileges, add the following value:

  Hive:  HKEY_LOCAL_MACHINE\SYSTEM
  Key:   \CurrentControlSet\Control\Lsa
  Name:  FullPrivilegeAuditing
  Type:  REG_BINARY
  Value: 1

Or create a text file, call it audit.reg, and cut and paste the lines below
(note the blank line after REGEDIT4 and the blank line at the end of the file):

-----------------------------------------------------------[SNIP HERE]------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FullPrivilegeAuditing"=hex:01

-----------------------------------------------------------[SNIP HERE]------

To merge the .reg file, either double-click on it or open a command prompt and
type:

  REGEDIT /S audit.reg

This will merge the file you have created.

Auditing Base Objects:

This registry setting tells the Local Security Authority that base objects
should be created with a default system audit control list (SACL).
Still, the administrator will need to turn auditing on for the "Object Access"
category using User Manager.

To enable auditing of base objects, add the following value:

  Hive:  HKEY_LOCAL_MACHINE\SYSTEM
  Key:   \CurrentControlSet\Control\Lsa
  Name:  AuditBaseObjects
  Type:  REG_DWORD
  Value: 1

Or create a text file, call it auditObj.reg, and cut and paste the lines below
(again with a blank line after REGEDIT4 and at the end of the file):

-----------------------------------------------------------[SNIP HERE]------
REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"AuditBaseObjects"=dword:00000001

-----------------------------------------------------------[SNIP HERE]------

To merge the .reg file, either double-click on it or open a command prompt and
type:

  REGEDIT /S auditObj.reg

This will merge the file you have created.

Example: What do you see when you enable Security Auditing?

In this example, you will see what is written to the Event Log in case of a
logon failure:

  Logon Failure:
    Reason:                 Unknown user name or bad password
    User Name:              WaKiNg
    Domain:                 WaK0
    Logon Type:             3
    Logon Process:          KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:       \\BRAINCELL

Clearing the NT Logs:

To clear a log, switch to the log you want to clear and, on the Log menu, click
Clear All Events. A message asks if you want to archive the current events. If
you answer Yes, the "Save As" dialog box appears; enter the file name and folder
path where you want to store the saved log. After you answer Yes or No, Event
Viewer empties the current log, and only new events will appear in it.

NOTE: When you clear the SECURITY LOG, an event will SHOW in the Security log.
Even after you clear the log, you still see this entry:

  The audit log was cleared
    Primary User Name:  SYSTEM
    Primary Domain:     NT AUTHORITY
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   WaKiNg
    Client Domain:      BRAINCELL
    Client Logon ID:    (0x0,0x2581)

This entry means you cleared the security event log.
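The two REGEDIT4 fragments above are easy to get wrong by hand: a missing blank line after the header, or a hex: value where a dword: was meant, and the merge silently does nothing useful. The following Python script is an added example, not part of NtWak0's article or of any Microsoft tool. It parses REGEDIT4 text into a dictionary and reports which of the two LSA audit values (FullPrivilegeAuditing as REG_BINARY 01, AuditBaseObjects as REG_DWORD 1) a fragment sets correctly, so a .reg file can be checked before it is merged. The sample fragments are constructed copies of the ones in the article; the helper names parse_reg, is_valid_reg and audit_settings_present are the example's own.

```python
import re

# Constructed copies of the two .reg fragments given in this article (values as on the page).
AUDIT_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FullPrivilegeAuditing"=hex:01

"""

AUDITOBJ_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"AuditBaseObjects"=dword:00000001

"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Value name -> (type, value) exactly as the article specifies them.
EXPECTED_AUDIT_VALUES = {
    "FullPrivilegeAuditing": ("REG_BINARY", b"\x01"),
    "AuditBaseObjects": ("REG_DWORD", 1),
}

# A value line looks like "Name"=payload, where payload is dword:..., hex:.. or a quoted string.
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text):
    """Parse REGEDIT4 text into {key_path: {value_name: (type, value)}}.

    Raises ValueError for the layout mistakes the article warns about:
    a missing header, no blank line after it, or no blank line at the end.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4")
    if len(lines) < 2 or lines[1].strip():
        raise ValueError("REGEDIT4 must be followed by a blank line")
    if lines[-1].strip():
        raise ValueError("file must end with a blank line")
    result, current = {}, None
    for lineno, raw in enumerate(lines[2:], start=3):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: value before any [key] section")
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a \"Name\"=value line")
        name, payload = m.group(1), m.group(2)
        if payload.startswith("dword:"):
            result[current][name] = ("REG_DWORD", int(payload[len("dword:"):], 16))
        elif payload.startswith("hex:"):
            # REGEDIT4 writes binary data as comma-separated hex bytes, e.g. hex:01,00
            result[current][name] = ("REG_BINARY", bytes.fromhex(payload[len("hex:"):].replace(",", "")))
        elif len(payload) >= 2 and payload[0] == payload[-1] == '"':
            result[current][name] = ("REG_SZ", payload[1:-1])
        else:
            raise ValueError(f"line {lineno}: unsupported value type {payload!r}")
    return result


def is_valid_reg(text):
    """True if parse_reg accepts the text, False if it has a format defect."""
    try:
        parse_reg(text)
        return True
    except ValueError:
        return False


def audit_settings_present(reg):
    """Names of the expected LSA audit values that the parsed data sets to the right type and value.

    Registry key paths are case-insensitive, so the SYSTEM / System spellings
    used by the two fragments are folded into one key.
    """
    lsa = {}
    for key, values in reg.items():
        if key.lower() == LSA_KEY.lower():
            lsa.update(values)
    return sorted(name for name, want in EXPECTED_AUDIT_VALUES.items() if lsa.get(name) == want)


if __name__ == "__main__":
    merged = {**parse_reg(AUDIT_REG), **parse_reg(AUDITOBJ_REG)}
    print("audit values set:", audit_settings_present(merged))
```

The script only checks the text; merging is still done with REGEDIT /S as the article describes. A fragment that sets AuditBaseObjects as hex:01 instead of dword:00000001 parses fine but is not reported as present, which is the mistake worth catching before the merge.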
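The entries shown in this article (the logon failure, the "audit log was cleared" record above, and the "User Account Locked Out" record shown later in the SID section) share one text layout: a title line followed by "Name: value" fields. The following Python script is an added example, not part of NtWak0's article or of Event Viewer. It parses that layout from copied or exported log text and triages it the way a log reviewer would, flagging a cleared audit log, a lockout record that exposes a SID, and repeated logon failures for one account from one workstation. The sample entries are constructed from the ones in the article; the function names and the failure threshold are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample entries in the layout this article shows: a title line,
# then indented "Name: value" fields. Values are the ones printed in the article.
LOGON_FAILURE = r"""
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: WaKiNg
    Domain: WaK0
    Logon Type: 3
    Logon Process: KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: \\BRAINCELL
"""

ACCOUNT_LOCKED_OUT = r"""
User Account Locked Out:
    Target Account Name: WaKiNg
    Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
    Caller Machine Name: \\BRAINCELL
    Caller User Name: SYSTEM
    Caller Domain: NT AUTHORITY
    Caller Logon ID: (0x0,0x3E7)
"""

AUDIT_LOG_CLEARED = r"""
The audit log was cleared
    Primary User Name: SYSTEM
    Primary Domain: NT AUTHORITY
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: WaKiNg
    Client Domain: BRAINCELL
    Client Logon ID: (0x0,0x2581)
"""

# Three failed logons, the lockout they trigger, then someone clearing the log.
SAMPLE_LOG = LOGON_FAILURE * 3 + ACCOUNT_LOCKED_OUT + AUDIT_LOG_CLEARED

# Any NT security identifier: S-1-<authority>-<sub-authorities...>
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


@dataclass
class Event:
    title: str
    fields: dict


def parse_entries(text):
    """Split log text into Event objects.

    A non-indented line starts a new entry (its trailing colon is dropped);
    indented lines are "Name: value" fields of the current entry.
    """
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            events.append(Event(raw.strip().rstrip(":"), {}))
        elif events:
            name, _, value = raw.strip().partition(":")
            events[-1].fields[name.strip()] = value.strip()
    return events


def triage(events, failure_threshold=3):
    """Return (kind, account, detail) findings a log reviewer would want to see."""
    findings = []
    failures = {}
    for ev in events:
        f = ev.fields
        if ev.title == "Logon Failure":
            # Count failures per (account, workstation) to spot lockout-driven guessing.
            key = (f.get("User Name"), f.get("Workstation Name"))
            failures[key] = failures.get(key, 0) + 1
        elif ev.title == "User Account Locked Out":
            # The lockout record carries the account's SID; note that it is now readable by anyone who can view the log.
            sid = SID_RE.search(f.get("Target Account ID", ""))
            if sid:
                findings.append(("SID_EXPOSED", f.get("Target Account Name"), sid.group(0)))
        elif ev.title == "The audit log was cleared":
            # The entry survives the clear, so it is the one reliable trace of who cleared the log.
            findings.append(("LOG_CLEARED", f.get("Client User Name"), f.get("Client Domain")))
    for (user, workstation), n in failures.items():
        if n >= failure_threshold:
            findings.append(("REPEATED_FAILURES", user, f"{n} failures from {workstation}"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_LOG)):
        print(*finding, sep="\t")
```

Run against the sample, the script reports the three failures from \\BRAINCELL, the lockout that exposed the SID of WaKiNg, and the clear performed from the BRAINCELL client logon. Since the lockout record is what puts the SID into the log, limiting who can open the Security log remotely limits who can read it.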
Now, if you want to clean the log completely, you can do the following:

1- Open Control Panel and then Services.
2- Locate the EVENTLOG service and click the Startup button.
3- In Startup Type choose Manual or Disabled.
4- Restart NT.
5- Go to %SYSTEMROOT%\system32\config\ and delete SecEvent.Evt.

By doing so you stop the event log service, and you can then delete the log you
are interested in.

Tools to manage NT logs:

Dumpel.exe from the NT Resource Kit.

NTLast
http://www.ntobjectives.com/ntlastv2.htm
NTLast is specifically targeted at serious security and IIS administration.
Scheduled review of your NT event logs is critical for your network. A server
breach can be uncovered by regular system auditing. Identifying and tracking
who has gained access to your system, then documenting the details, is now made
easier with NTLast. This tool is able to quickly report on the status of IIS
users, as well as filter out web server logons from console logons.

EventReader
http://www.strongsoftware.net/eventrd/
EventReader(TM) is an administrative tool that allows network administrators to
analyze and manage event logs. The program lets you collect event logs from
Windows NT computers in a network and store the information in one or several
ODBC-compatible databases (Microsoft SQL Server or Microsoft Access). You can
designate the computers from which to collect the information, and assign a
schedule and data collection and event log backup parameters. The installation
package includes a Microsoft Access sample database, which contains many queries
and reports for effective event log analysis.

Event Archiver Enterprise
http://www.eventarchiver.com/download.asp
Event Archiver Enterprise is one of the easiest to use products in the event
log management market, and stands above the others with its flexibility. We
think of it as a "set once, run forever" application that saves your
organization considerable time and money.
Given the average hourly cost of a Windows NT/2000 administrator, deploying
Event Archiver Enterprise greatly reduces your organization's TCO. After
installing Event Archiver, administrators can start analyzing event log entries
instead of just trying to save and store them regularly.

EventReporter version 4.0
http://www.eventreporter.com/en/
Version 4.0 provides a number of important enhancements:
- Support for message delivery via email
- Client added: a graphical user interface for customizing EventReporter
- Filtering of events based on severity code (e.g. error, warning)
- Greatly enhanced documentation
- Greatly enhanced web site, especially the support area

Remote Viewers - Event Log Monitor
http://www.tntsoftware.com/products/emon22/viewers.asp
The Remote Viewer for Windows PC runs on Microsoft® Windows 95, Windows 98 and
Windows NT. It:
- Lets you search and display event log information as it is received by the
  console.
- Receives user-selected real-time alerts from the console, which are
  immediately displayed in the Remote Viewer.
- Provides remote management for processes, services, and device drivers.
- Provides remote search, edit, and creation of user-defined notes and message
  references.
- Provides multiple remote command prompt windows.

SID Security issue:

Many administrators know about the SID in NT and the tool "sid2user", which
allows you to get a user's SID. There is another, less obvious way to gain
knowledge of a user's SID, assuming the following is true:

1- By default, NT logs can be viewed remotely.
2- You have auditing enabled.
3- Your policies lock the account after a certain number of failures.
Now here is what you need to do to get NT to spit out the SID. Try to log on to
the remote box using any existing account; the logon fails, and in Event Viewer
you will see an entry like this:

  Logon Failure:
    Reason:                 Unknown user name or bad password
    User Name:              WaKiNg
    Domain:                 WaK0
    Logon Type:             3
    Logon Process:          KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:       \\BRAINCELL

If you have a policy that locks an account after a certain number of failures,
you will see this entry in your log file:

  User Account Locked Out:
    Target Account Name: WaKiNg
    Target Account ID:   S-1-5-21-431509504-1754822488-1124750213-500
    Caller Machine Name: \\BRAINCELL
    Caller User Name:    SYSTEM
    Caller Domain:       NT AUTHORITY
    Caller Logon ID:     (0x0,0x3E7)

So now if you connect to the remote box using Event Viewer, you will be able to
see the logs, and in them the SID:

  Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500

ADDITIONAL INFORMATION

The information has been provided by NtWak0.

============================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or special
damages.