Missing Log Files or Gaps in the Log Files
On a working Windows 2000 system that has auditing turned on, the event logs should never be empty. Many intruders clear the log files as soon as they enter a system in the hope of hiding their tracks. If you find an empty log file, assume immediately that something is wrong with the system and investigate why the log is empty. You may find that another administrator cleared the log files because they had grown very large; you may also find that the system has been compromised.
More recently, tools have appeared that allow intruders to modify or delete particular entries in the log files. If an intruder does this, you may find a gap in the log. To spot a gap, look for larger-than-normal time intervals between consecutive log entries. If you see large gaps, investigate the reason. Keep in mind that the system makes no log entries while it is turned off, so a legitimate gap of that kind should be bracketed by a shutdown entry before it and a startup entry after it.
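The check described above, as an added example that is not part of the original tutorial: it flags an empty log, finds every gap between consecutive entries longer than a threshold, and treats a gap as explained only if the machine was off (per the System log's "Event log service was stopped/started" entries, IDs 6006 and 6005, which the page does not name) for all but a small part of it. The sample rows are constructed, not a real export.

```python
from datetime import datetime, timedelta
FMT = "%Y-%m-%d %H:%M:%S"
STOP_ID, START_ID = 6006, 6005  # "Event log service was stopped/started" (System log)
# Constructed sample rows, (timestamp, source, event id), as exported from Event Viewer.
SECURITY_LOG = [
    ("2001-03-05 08:00:12", "Security", 528),  # successful logon
    ("2001-03-05 09:15:01", "Security", 538),  # logoff
    ("2001-03-05 16:20:44", "Security", 528),  # 7 h of silence before this, machine was up
    ("2001-03-05 16:55:00", "Security", 538),
    ("2001-03-06 08:10:55", "Security", 528),  # overnight silence, machine was off
]
SYSTEM_LOG = [
    ("2001-03-05 07:59:50", "EventLog", START_ID),
    ("2001-03-05 17:05:10", "EventLog", STOP_ID),
    ("2001-03-06 07:58:03", "EventLog", START_ID),
]

def parse(rows):
    return sorted((datetime.strptime(ts, FMT), src, eid) for ts, src, eid in rows)

def outage_windows(system_rows):
    """(stopped, started) pairs from the System log: periods the machine was off."""
    stops, windows = [], []
    for ts, _, eid in parse(system_rows):
        if eid == STOP_ID:
            stops.append(ts)
        elif eid == START_ID and stops:
            windows.append((stops.pop(), ts))
    return windows

def uncovered(t0, t1, windows):
    """Part of [t0, t1] that is not inside any outage window (time the machine was up)."""
    covered = timedelta(0)
    for lo, hi in windows:
        lo, hi = max(lo, t0), min(hi, t1)
        if lo < hi:
            covered += hi - lo
    return (t1 - t0) - covered

def audit_gaps(log_rows, system_rows, max_gap=timedelta(hours=2)):
    """Flag an empty log, then every gap longer than max_gap; a gap is
    'explained' only if the time the machine was up within it is <= max_gap."""
    entries = parse(log_rows)
    if not entries:
        return {"empty": True, "gaps": []}
    windows = outage_windows(system_rows)
    gaps = []
    for (t0, *_), (t1, *_) in zip(entries, entries[1:]):
        if t1 - t0 > max_gap:
            up = uncovered(t0, t1, windows)
            gaps.append({"start": t0, "end": t1, "explained": up <= max_gap})
    return {"empty": False, "gaps": gaps}
```

With the sample data the daytime gap is reported as unexplained and the overnight gap as explained, because the System log shows the machine was off for all but about 23 minutes of it.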