I do it every morning and evening.
Just before I close down for the day, or when there is a problem.
You don't have that option? :)
Johnno, feel free to edit it. :)
#### edit
I have some remote nodes that I check as well, but only when they're online. I have antennas hooked up to a machine in another state so I can listen to the traffic from there, here at home.
Hi Rusty~ I have edited the post and moved your vote.
Yes I have the same qualification as yourself, in that I only check machines that I am actually using. I also have Win98 and Win ME boxes.
:)
I check them every morning using dumpel redirected to an htm doc, or whenever there is a problem.
Ah once a week is good enough for me.
I'm more bi-weekly; usually when I'm bored I always check it. I really don't check it as much as I should, and it's the first thing I check when something's not working or going on.
You're supposed to check them regularly???...so...why didn't anybody tell me :D
It's been checked three...maybe four times...in a year...OOPS!
I voted 'Only when stuff goes wrong!' but 'Never' would be closer to reality... in the very few times I have checked, it was in those rare cases where there was a problem I couldn't figure out and had to fiddle my way around to fix it.
Eg ;)
Ok......this is a good question, but let me play devil's advocate.
What is an event viewer, what does it do, and how do I find it or get to it? And....how would I use it?
Now I think I could answer this question completely, but it is possible I am wrong and don't even know it. What would your answer be to these questions?
My wife was reading over my shoulder when I was first reading this thread and then asked me what an event viewer was, and I consequently was attempting to explain it to her. I even showed her but faltered in my explanation of it a bit.......she didn't comprehend what I was trying to express. (Now I realise that I will never be able to really explain it to her, but I would like a good explanation for myself.)
moxnix
Alright, I'll step up to the bar. I won't use any links or quote websites to cheat. I'll 'free style' this one.
Event Viewer IMHO is a central point for checking logs about applications, warnings and errors. If a program produces errors, fails to start, or starts up, the logs for that event will be kept in the application section of EV (Event Viewer). Security in security, Services in system, and maybe even antivirus info in antivirus (if there). Now to get to EV you go to Start, Settings, Control Panel, Administrative Tools, EV for Windows XP or 2k machines (unless XP has its start menu set to the default, then it's just Start, Control Panel). In Win95/98/ME I can't remember........I'm not going back there and I'll know it when I see it. The information in EV will help you see what happened and work backwards towards your problem. E.g. your new Norton doesn't work one day. You check and see that the real time protection service didn't start, and why.
Phew. That's what I got. :)
In the Trusted Facility Manual (TFM), as stated:
Code:
eventvwr
Quote:
Event Viewer is used to view and manage event logs, including the security log. It allows for viewing, sorting, filtering, and searching the event logs. The user must have access to the event log file in order to successfully view it. To view the contents of the security log, the user must be logged on as a member of the Administrators group. No special privilege is required to use Event Viewer itself. Security is enforced by the ACL on the log and certain registry settings.
Quote:
Using Windows NT, an administrator can audit all security events and user actions. User Manager enables you to specify which events (such as logon or file access) will be monitored. All audited information is stored in the Event Log, which can be viewed in Event Viewer.
Quote:
In addition to listing events by event ID, the security log in Event Viewer lists them by category. The following categories of events are displayed in the Security Log. (Those in parentheses are found in the Audit Policy dialog box of User Manager.)
Quote:
Event Viewer provides two sorting options: newest events first or the oldest events first. To filter events, there is a predefined set of options available. Some of the filter options are: from date, through date, warnings, errors, success or failure audit, source of logging events, user, and event category (e.g., policy changes). Event Viewer also provides for the saving of audit data in a number of formats, including comma-delimited ASCII.
Quote:
For user documentation about Event Viewer, see "Using Event Viewer" in Chapter 9, "Monitoring Events," of Microsoft® Windows NT® Server Version 4.0 Concepts and Planning.
Quote:
Enable auditing for successful object writes in the entire system directory and all subdirectories. After installing a new application, use Event Viewer to examine the security log for object access events. For each object access event, read the event detail. If the path portion of the object name indicates that the object is a system file and the type of access audited is WriteData, then a system file has been overwritten.
Nothing magical about "event viewer"
All it is is a formatted logfile viewer and manager. The Windows defaults are Applications, Security Audit and System.......................I also have AV and Video Card Manager.
It was not available as an integral part of Win 9x, although I have seen third party software. Not that those OSes were noted for producing logfiles................Boot and DrWatson would be mostly what you used :D
Its advantage over Notepad and Wordpad is that it has a pretty little GUI and management functionality. You can clear the logfiles, control their size and overwriting policy and filter events that are reported.
Unless you have a problem, just scan the logs for stuff that is marked in red or yellow, and anything unusual.
;)
My OS's eyes and ears, and because I'm nosy........ I like viewing it. I didn't expect anyone to be in line with me here. :)
This statement seems a little dismissive.
Quote:
Its advantage over Notepad and Wordpad is that it has a pretty little GUI and management functionality. You can clear the logfiles, control their size and overwriting policy and filter events that are reported.
"management functionality" that allows you to view and alter auditing settings for any number of systems from a central location.
"Control their size and overwriting policy" glosses over one of Windows' most significant security features, Crash on Audit Failure (CAF).
But really, all applications pale in functionality when compared to emacs. ;)
cheers,
catch
emacs, I thought that was only for looking uber when taking screenshots? ;)
ah that is just another one of its trillions of functions... my favorite is the NASDAQ easter egg... in case you ever wish to run your own major stock market.
cheers,
catch
A census taker once tried to test me. I ate his liver with some fava beans and a nice chianti.
How about this. I never check it. That's right. You heard me.
I pass off event viewer data to a central syslog server where it gets churned through an aggregation process and if there is something I need to worry about, the event climbs up my watch list display.
Checking event viewer logs (which kinda suck anyway) is not practical when you have thousands of servers to tend to and 20 times more workstations.
--TH13
What did Lecter say about the first principles? What does this guy do? He covets. How do we first start to covet?
Doctor, this question wasn't directed at the network gods.....it's just Microsoft security awareness month for the mere mortals.
The question was what is Event Viewer ?
That is what I answered. I do not see the relevance of an operating system that was intended to support networks and remote management, or that was intended to provide security functionality, to a question about a logfile viewer?
:D
I check my event logs about 3 times a week. I find them not nearly as interesting (thank god!) as the firewall, ids and ipaudit logs that are checked randomly throughout the day.
Hey Hey,
I'll post on both for both home and work... My vote was for work.
I've got 2 servers at work, I check out their event viewer and my workstation event viewer daily.
When I'm at home I sometimes forget that it even exists... I check it when I have problems and that's about it... sometimes not even when I have problems.
Peace
HT
hokay - now why I voted once a month...
My firewall catches bad outside stuff that's happening as it occurs and alerts me to it.
My computer systems which have net access are shut down completely every night while I'm sleeping.
My spyware/av proggies can catch nasty crap that gets through when Mrs |ce is doing things without telling me...(like downloading those damn spyware laden screensavers! grrr).
So I look at the winblows event logs (assuming this is the event logs you're referring to) about once a month to see if there's anything that was missed, and to see how badly it spazzed out when this or that crash occurred, or this or that power-outage hit.
Nuff said and hope that helped.
For my servers... I do similar things as Tedob1, where I dump them out into a text file which is saved on a central server and then parse them with a Perl script which looks for suspicious activity (i.e. login failures, account re-enables, attempted logins into disabled accounts, etc) and sends those suspicious entries to my team, who review them every morning. Even when diagnosing an issue I will dump out the event log into a text file before trying to use the crappy Win event log app.
We are starting to deploy syslog agents on all the Win servers and will point them at our centralized syslog server that has all the logs on it: firewall, ids, router, switches, *nix servers, and now Win servers. We then run Swatch against it along with custom scripts run adhoc.
For my workstations... only when there's a problem. Eventually we will point them to the syslog server but only send security alerts - nothing from system and app logs.
ric-o, what syslog agent are you using? GFI has an app that looks rather good but it's awful pricey for my budget, for right now anyway. I'm kinda thinking that whatever TH13 is using is way outa range... is it, TH?
What application(s) are you using? I would be interested to look into something along these lines. While I am only responsible for 30 Windows servers (mighty small in comparison), I would be interested in finding a decent application for a fairly inexpensive price.
Quote:
Originally posted here by thehorse13
I pass off event viewer data to a central syslog server where it gets churned through an aggregation process and if there is something I need to worry about, the event climbs up my watch list display.
Checking event viewer logs (which kinda suck anyway) is not practical when you have thousands of servers to tend to and 20 times more workstations.
Thanks,
-Spy
hrm, that comment is a little disingenuous, thehorse13. You are indeed viewing them, just not personally. You have a centralized script that parses the information out and provides you with need-to-see information. I'm guessing you do this daily, or perhaps it is live... who knows besides you. But you /are/ viewing them, especially when you have a problem that needs to be seen by live eyes ;)
I'm in that same boat too. We have way too many servers to go through the logs personally, so we have scripts that crawl the central log servers for us and alert us to information that we need to see. I also choose a random log from time to time to go through, to make sure that things are running the way we want them to and that the scripts have not been subverted.
As far as my personal machine(s), I check the logs from time to time. There is nothing on those machines that I'm concerned with and if something goes south with them I will just format/reinstall anyway.
The solution we use here is not cheap by any stretch of the imagination. We use Cisco MARS to cull information for us.
Quote:
Originally posted here by Spyrus
What application(s) are you using? I would be interested to look into something along these lines. While I am only responsible for 30 Windows servers (mighty small in comparison), I would be interested in finding a decent application for a fairly inexpensive price.
Thanks,
-Spy
At my previous job I wrote a Perl script that parsed the information from a central server. We SCP'd logs from the Windows side to a central server, ran a cron job that moved files around, tar'd stuff and deleted things that we didn't need any more. There was another cron job that ran the Perl script that went through the log files and emailed out information that needed to be seen by someone. This was not a live system though, and we were always a day behind in log review.
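The parsing ric-o and thehorse13 describe (dump the event log to text, crawl it for login failures, re-enabled accounts and logons to disabled accounts, then mail the hits to whoever reviews them), together with the TFM's "WriteData on a system file" check quoted earlier in the thread, as an added example that is not code from this thread or any poster's script. It assumes a tab-separated export with the field order shown in the code, uses constructed sample lines, and keys on the Windows 2000/XP security-log event IDs 529, 531, 560 and 626; the report is built as text for the morning e-mail rather than sent anywhere.

```python
"""Flag suspicious entries in a text export of the Windows security log.

Added example, not code from the thread. The export layout (one event per
line, tab-separated, field order below) and the sample lines are constructed
for this example; the event IDs are the Windows 2000/XP security-log IDs.
"""
from collections import Counter

# Assumed field order of the export (an assumption for this example).
FIELDS = ["date", "time", "type", "event_id", "source", "category",
          "user", "computer", "description"]

# Constructed sample export: two bad-password failures, one logon attempt
# on a disabled account, one account re-enable, two object opens with
# WriteData (one on a system file, one not) and one ordinary logon.
SAMPLE_EXPORT = """\
10/14/2004\t06:01:12\tFailure Audit\t529\tSecurity\tLogon/Logoff\tNT AUTHORITY\\SYSTEM\tSRV01\tLogon Failure: Reason: Unknown user name or bad password User Name: admin
10/14/2004\t06:01:13\tFailure Audit\t529\tSecurity\tLogon/Logoff\tNT AUTHORITY\\SYSTEM\tSRV01\tLogon Failure: Reason: Unknown user name or bad password User Name: admin
10/14/2004\t06:05:40\tFailure Audit\t531\tSecurity\tLogon/Logoff\tNT AUTHORITY\\SYSTEM\tSRV01\tLogon Failure: Reason: Account currently disabled User Name: jsmith
10/14/2004\t07:12:03\tSuccess Audit\t626\tSecurity\tAccount Management\tDOMAIN\\helpdesk\tSRV01\tUser Account Enabled: Target Account Name: jsmith
10/14/2004\t07:30:55\tSuccess Audit\t560\tSecurity\tObject Access\tDOMAIN\\installer\tSRV01\tObject Open: Object Name: C:\\WINNT\\system32\\kernel32.dll Accesses: WriteData (or AddFile)
10/14/2004\t07:31:02\tSuccess Audit\t560\tSecurity\tObject Access\tDOMAIN\\installer\tSRV01\tObject Open: Object Name: C:\\Program Files\\App\\app.log Accesses: WriteData (or AddFile)
10/14/2004\t08:00:00\tSuccess Audit\t528\tSecurity\tLogon/Logoff\tDOMAIN\\jsmith\tSRV01\tSuccessful Logon: User Name: jsmith
"""

# Directories treated as "system" for the TFM's overwrite check (assumed).
SYSTEM_DIRS = ("c:\\winnt\\", "c:\\windows\\")


def is_system_file_write(ev):
    """True when an object-access event records WriteData on a system file."""
    desc = ev["description"]
    if "WriteData" not in desc or "Object Name:" not in desc:
        return False
    obj = desc.split("Object Name:", 1)[1].split(" Accesses:", 1)[0]
    return obj.strip().lower().startswith(SYSTEM_DIRS)


# (label, predicate) pairs; the IDs are the Windows 2000/XP security-log IDs.
RULES = [
    ("logon failure (bad user/password)", lambda ev: ev["event_id"] == 529),
    ("logon attempt on disabled account", lambda ev: ev["event_id"] == 531),
    ("account re-enabled", lambda ev: ev["event_id"] == 626),
    ("system file overwritten",
     lambda ev: ev["event_id"] == 560 and is_system_file_write(ev)),
]


def parse_export(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than crash the nightly run
        ev = dict(zip(FIELDS, parts))
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def find_suspicious(events):
    """Return (label, event) pairs for every event matching a rule."""
    return [(label, ev) for ev in events for label, match in RULES if match(ev)]


def build_report(hits):
    """Plain-text body for the review e-mail: a summary, then each entry."""
    counts = Counter(label for label, _ in hits)
    lines = ["Suspicious event log entries:"]
    for label, n in counts.most_common():
        lines.append(f"  {n:3d}  {label}")
    lines.append("")
    for label, ev in hits:
        lines.append(f"{ev['date']} {ev['time']} {ev['computer']} "
                     f"[{ev['event_id']}] {label}: {ev['description']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(find_suspicious(parse_export(SAMPLE_EXPORT))))
```

Run against a real export, the report text would be handed to whatever mails it; the rule table is where the thread's "certain criteria" live, so adding a category means adding one (label, predicate) pair rather than touching the parser.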
I know some of you are thinking this guy must wash his hands until they bleed too, checking those logs for the home comp like I do. It's not like I have ever found something and then had it save me. But all my stuff is automated. I just happen to have it incorporated with my clear-useless-files bat on boot. I don't really need to refine the quick n' dirty bats I make, that's my prerogative.
[code]@echo off
@cd\
@set usrpath="C:\Documents and Settings\%Username%\
@set usrpath2="C:\Documents and Settings\%Username%\Local Settings\
@echo.
@echo.
@IF EXIST %usrpath%Cookies\" @del %usrpath%Cookies\*.*" /F /Q /S
@IF EXIST %usrpath%Cookies\" @rd %usrpath%Cookies\" /Q /S
@IF NOT EXIST %usrpath%Cookies\" @md %usrpath%Cookies\"
::
@del %usrpath%temp\*.*" /F /Q /S
@rd %usrpath%temp\" /Q /S
@md %usrpath%temp\"
::
@del %usrpath%recent\*.*" /F /Q /S
@rd %usrpath%recent\" /Q /S
@md %usrpath%recent\"
::
@del %usrpath2%History\*.*" /F /Q /S
@rd %usrpath2%History\" /Q /S
@IF NOT EXIST %usrpath2%History\" @md %usrpath2%History\"
::
@del %usrpath2%Temp\*.*" /F /Q /S
@rd %usrpath2%Temp\" /Q /S
@md %usrpath2%Temp\"
::
@del %usrpath2%Temporary Internet Files\*.*" /F /Q /S
@rd %usrpath2%Temporary Internet Files\" /Q /S
@IF NOT EXIST %usrpath2%Temporary Internet Files\" @md %usrpath2%Temporary Internet Files\"
::
@del %usrpath%My Recent Documents\*.*" /F /Q /S
@rd %usrpath%My Recent Documents\" /Q /S
@md %usrpath%My Recent Documents\"
::
@del %usrpath2%History\History.IE5\*.*" /F /Q /S
@rd %usrpath2%History\History.IE5\" /Q /S
@IF NOT EXIST %usrpath2%History\History.IE5\" @md %usrpath2%History\History.IE5\"
::
@del "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\*.*" /F /Q /S
@rd "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\" /Q /S
@IF EXIST "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\" GOTO C1
@IF NOT EXIST "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\" @md "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\"
:C1
@IF EXIST C:\WINDOWS\Temp\ @del C:\WINDOWS\Temp\*.* /F /Q /S
@rd C:\WINDOWS\Temp\ /Q /S
@IF NOT EXIST C:\WINDOWS\Temp\ @md C:\WINDOWS\Temp\
::
@del "C:\WINDOWS\Temporary Internet Files\*.*" /F /Q /S
@rd "C:\WINDOWS\Temporary Internet Files\" /Q /S
@IF NOT EXIST "C:\WINDOWS\Temporary Internet Files\" @md "C:\WINDOWS\Temporary Internet Files\"
::
@del C:\WINDOWS\Cookies\*.* /F /Q /S
@rd C:\WINDOWS\Cookies\ /Q /S
@IF NOT EXIST C:\WINDOWS\Cookies\ @md C:\WINDOWS\Cookies\
::
@del C:\TEMP\*.* /F /Q /S
@rd C:\Temp\ /Q /S
@IF NOT EXIST C:\Temp\ @md C:\Temp\
::
@del C:\WINDOWS\Prefetch\*.* /F /Q /S
@rd C:\WINDOWS\Prefetch\ /Q /S
@IF NOT EXIST C:\WINDOWS\Prefetch\ @md C:\WINDOWS\Prefetch\
::
@del index.dat /s /f /q
::
@del *.tmp *.temp *.chk *.trc *.old *.scr *.$$$ *.~ *.~~~ /s /q /f
::
start eventvwr.exe
@exit[/code]
I can't view the security on boot with a limited account, unless I want to edit this bat a little and run task scheduler, which I don't want to.
I don't know about you guys and gals, but the event log should be clean. So checking them daily (unless you have, say, 1000) isn't a big deal. For instance, I have one entry in mine today over and over.... disk has bad sector. That means in about a week or month this server will fail. So looking at those logs is critical when you get down to it. Unless you like those days when you get "OS not detected ...." :p
You will not persuade me with appeals to my intellectual vanity. ;)
Quote:
Doctor, this question wasn't directed at the network gods.....it's just Microsoft security awareness month for the mere mortals.
Who cares, he couldn't even pronounce Chianti right.
Quote:
I don't have event Viewer. I do however have all logs email to me each night so I can look them over. Nothing is sent unless it meets certain criteria.
I was making fun of Silence of the Lambs :)
Beneath the yellow folder, you'll find your latest rejection slip from the archives. It was brought to me by mistake with some of my archives mail. I'm afraid I opened it without looking. Sorry.
I'm using Snare Agent for Windows by Intersect Alliance http://www.intersectalliance.com/projects/SnareWindows/ - it's free :) They also make a Windows-based syslog server but we're running syslog on RedHat Linux ES.
Quote:
Originally posted here by Tedob1
ric-o, what syslog agent are you using? GFI has an app that looks rather good but it's awful pricey for my budget, for right now anyway. I'm kinda thinking that whatever TH13 is using is way outa range... is it, TH?
So, you'll be wanting lots of these little chinwags, I take it.
Quote:
I'm kinda thinking that whatever TH13 is using is way outa range... is it, TH?
EventReporter by Adiscon. Cheap as all hell. It sends all kinds of goodies from the event viewer logs in many formats to your syslog server. From there, we have in house written parsers (written and maintained by yours truly) which crawl for alerts.
We also have a SIM product that costs more than my house that gives us a RT view of everything we collect. Guarded.net's NeuSecure.
Then by implication, you think you're smarter than I am...
Quote:
hrm, that comment is a little disingenuous, thehorse13. You are indeed viewing them, just not personally.
:p