Synopses & Reviews
Event logging is a facility used by computer systems to record the occurrence of significant events. An "event" is any change that occurs in a system -- for example, a user logon, an addition to a file, or a change to a user's privileges. Because a computer system may experience hundreds or thousands of events each second, it is important to distinguish which events require the immediate attention of a system administrator, which should be recorded as entries in the system's event log for later analysis, and which can be safely ignored.

Event logs provide a centralized collection point for all kinds of error reports, system alerts, diagnostic messages, and status messages generated by a system. This book describes the characteristics of these messages, why they are important, and how you can access them and act upon them. Event logs are particularly important to system security and problem troubleshooting. Windows NT systems generate three distinct types of event logs:
- Security log. Stores reports of security-related events -- for example, a user has written to a file or there has been a change in a user's privileges.
- System log. Stores reports generated by system components, including drivers and services -- for example, a device failed, a driver failed to load, or a memory allocation or I/O error occurred.
- Application log. Stores reports on all other events -- for example, an internal application error (such as a failure to allocate memory) occurred, or a file download aborted.
This book is aimed at several specific audiences:

- For system administrators, event logging is a tool for analyzing system and user activities and performance and for troubleshooting system problems. For this audience, the book explains how to view and maintain the event logs via the system's Event Viewer and how to interpret the results.
- For programmers, event logging helps in diagnosing system or network problems. For this audience, the book describes the event logging API (Application Programming Interface) and the internals of the system's message files. It also provides instructions for and examples of accessing (reading, backing up, clearing, monitoring, and writing to) the event logs from C, Visual Basic 5, Perl 5 for Win32, Visual J++, and a C++ class for MFC (Microsoft Foundation Classes).
- For security administrators, event logging is an important tool in auditing security-related events and tracking down the source of security breaches. For this audience, the book provides help in specifying the events to be audited and in analyzing auditing results; it also discusses the security auditing requirements imposed on a C2-level secure system (one approved by the U.S. government's National Computer Security Center).

The book comes with a CD-ROM containing examples from the book and many contributed event logging and auditing software packages. A brief table of contents follows:

Preface
1. About Event Logging
2. The Event Logging Service
3. Event Viewer
4. Windows NT Security Auditing
5. The Event Logging API
6. Message Files
7. Accessing the Event Logs
8. Reporting Events
A. References and Resources
B. Event Logging under Windows for Workgroups
C. NT Security Auditing Events
D. DumpEl: Event Logging Dump Utility
E. Kernel-mode Event Logging
F. What's on the CD-ROM?
Synopsis
Event logging is a facility used by computer systems to record the occurrence of significant events. An "event" is any change that occurs in a system -- for example, a user logon, an addition to a file, a change to a user's privileges, or an application program error. This book describes Windows NT event logging for three main audiences:

- For system administrators, using event logging as a tool for analyzing performance and troubleshooting system problems; includes the details of the system's Event Viewer.
- For Win32 programmers, using the event logging API from C, Visual Basic 5, Perl 5 for Win32, Visual J++, and C++/MFC (Microsoft Foundation Classes). Also describes how to localize the contents of the system's message files to create event log records in non-English languages.
- For security administrators, using event logging to specify and audit security-related events. Specifies the NT security auditing events and summarizes the specific security auditing requirements imposed on C2-level secure systems.

The book comes with a CD-ROM containing examples from the book and many contributed event logging and auditing software packages.
Synopsis
Event logging is a facility used by computer systems to record the occurrence of significant events. An "event" is any change that occurs in a system. This book describes the characteristics of event log messages, why they are important, and how you can access them and act upon them.
About the Author
James Murray is an Orthopaedic Specialist Registrar, Great Western Hospital, Swindon and Bath Royal United Hospital, UK.
Table of Contents
Foreword
Preface
1. About Event Logging
What Are Events and Event Logs?
Concepts and Terminology
Event Logging Under Windows NT
2. The Event Logging Service
Components of NT Event Logging
Accessing Remote Event Logs
The Event Log Files
Localization and Event Message Resources
Event Logging and the Registry
Maintaining the Event Logs
Security and Reliability
3. Event Viewer
Starting Event Viewer
Main Window Menu
Event Viewer Annoyances
Error Messages
Event Viewer for Windows 95
4. Windows NT Security Auditing
Determining an Auditing Policy
User Rights and Groups
Using User Manager
Types of Auditing
Maintaining the Auditing Facility
Auditing and C2-Level Security
Other Security-Related Issues
Auditing Tools
5. The Event Logging API
Constant Definitions and Return Types
The EVENTLOGRECORD Data Type
Error Codes
Event Logging Functions
6. Message Files
Localizing Event Messages
Building a Message File
The Message Compiler
Message Definition Scripts
Creating Category and Parameter Message Files
Message Compiler Output Files
7. Accessing the Event Logs
Reading the Event Logs
Reading Event Source Registry Information
Clearing the Event Logs
Backing Up the Event Logs
Monitoring the Event Logs
8. Reporting Events
What Goes in Event Reports?
C and C++
Microsoft Foundation Classes (MFC)
Visual Basic 5
Microsoft J++
Perl 5 for Win32
A. References and Resources
B. Event Logging Under Windows for Workgroups
C. NT Security Auditing Events
D. DumpEl: Event Logging Dump Utility
E. Kernel-Mode Event Logging
F. What's on the CD-ROM?
Index