Log Files
Audit log entries on a Windows 2000 system are written to the security event log, stored as SecEvent.Evt in %systemroot%\system32\config. The default permissions on the security event log restrict access to Administrators and the system itself; no ordinary user can read it. Administrators should review the log on a regular schedule. The log is the best place to see whether something is wrong with a system or whether a user is attempting something inappropriate, so if nobody examines it there is no point in capturing the information at all (see the next section, "Looking for Suspicious Signs", for what to look for).
If the system is backed up on a regular basis, the log files should be included in that backup. If the event logs must be retained for longer periods, move copies off the system periodically; an attacker who gains administrative rights can clear the live log, and a copy held elsewhere is the only record that survives that. From the Event Viewer, choose Save Log File As from the Action menu: the log can be saved in its native event log (.evt) format, which can be reopened in Event Viewer later, or exported as tab-delimited text or comma-delimited (.csv) text for processing with other tools.
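The following script is an added example, not part of the original tutorial, showing how the off-system archiving described above can be automated. It uses the WMI class Win32_NTEventLogFile and its BackupEventLog method, which have existed since Windows 2000 and still exist in current Windows; PowerShell itself is not shipped with Windows 2000, so on that platform the same WMI call would be made from a VBScript, but the sequence (back up to a native .evt copy, hash it, copy it to another host, verify the copy) is identical. The archive share \\logserver\evtarchive is an assumed, hypothetical path.

```powershell
# Added example (not from the original tutorial): archive the Security event log
# off the host with Win32_NTEventLogFile.BackupEventLog, which writes a native
# .evt copy without clearing the live log. Run from an administrative session;
# -EnableAllPrivileges enables SeBackupPrivilege, which the method requires.
param(
    [string]$LogName     = 'Security',
    [string]$ArchiveRoot = '\\logserver\evtarchive'   # assumption: an off-system share
)

$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$localFile = Join-Path $env:TEMP ("{0}-{1}-{2}.evt" -f $env:COMPUTERNAME, $LogName, $stamp)

$log = Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges `
        -Filter "LogFileName='$LogName'"
if (-not $log) { throw "Event log '$LogName' not found on this host" }

# BackupEventLog returns 0 on success; 8 means SeBackupPrivilege was not held.
# The Event Log service writes the file, so the path must be local to the host.
$rc = ($log.BackupEventLog($localFile)).ReturnValue
if ($rc -ne 0) { throw "BackupEventLog failed with return code $rc" }

# Hash the copy before it leaves the host so that tampering in transit, or on
# the archive server later, can be detected against the recorded value.
$hash = (Get-FileHash -Algorithm SHA256 -Path $localFile).Hash

Copy-Item -Path $localFile -Destination $ArchiveRoot
$copied = Join-Path $ArchiveRoot (Split-Path $localFile -Leaf)
if ((Get-FileHash -Algorithm SHA256 -Path $copied).Hash -ne $hash) {
    throw "Hash mismatch after copy; the archived copy of $localFile is not trustworthy"
}

# Append the file name and hash to a manifest on the archive server, then drop
# the local staging copy so the host does not accumulate exported logs.
"$(Split-Path $localFile -Leaf)  SHA256=$hash" |
    Add-Content -Path (Join-Path $ArchiveRoot 'manifest.txt')
Remove-Item -Path $localFile
Write-Output "Archived $LogName to $copied (SHA256 $hash)"
```

Schedule the script to run more often than the log can fill, and keep the manifest on a host that the archived system's administrators cannot modify; otherwise the archive offers no more protection than the live log.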