
Windows Event Logging



Post  andry Tue Sep 07, 2010 10:58 pm


This article documents a recent part-time curiosity of mine; the Event Logging facility as implemented on the Windows platform. It is based on the many notes that I have made while exploring the subject and should give you a good understanding of the whole facility that provides the logging service.

Once we've gained an understanding of the facility we will be able to examine it from other more interesting viewpoints. I wrote this article with the interactive reader in mind and you will get the most out of it if you read it that way. Some of what I've written may not apply to all versions of Windows (especially XP Home) and this article does not pretend to address issues faced by larger domain-based networks or even anything beyond the local computer.

Event logging, and more specifically the ability to perform security auditing, is an integral part of a secure computing environment. It is also a part that Windows users tend to neglect, as security auditing is not enabled by default. In the following section I will quickly walk you through the steps to enable security logging on your box. So, for you guys who already know, please allow me a moment to help our friends secure their machines.

Using the Run command, run secpol.msc, then double-click Local Policies >> Audit Policy. Finally, select the audit policies you want to enable or disable. You may want to look at logon attempts (Audit Logon Events - success / fail), changes in accounts (Audit Account Management - success / fail), unsuccessful use of privileges (Audit Privilege Use - fail), attempts to alter security privileges (Audit Policy Change - success / fail) and attempts to shut down your computer (Audit System Events - success / fail). You may also want to monitor specific or critical files on your system (Audit Object Access).

To monitor a specific file, right-click the file or folder you want to monitor and choose Properties >> Security >> Advanced >> Auditing >> Add. Here you will choose who you want to watch and what you want to watch for.

At this point it is necessary for me to give a word of caution. Do not audit everything. Only audit the minimum requirements to see what you want to see. Experiment with this and research before you implement an auditing policy on a system to avoid flooding yourself with useless events.

Your next step is to set a retention policy on the machine. Using the Run command, run 'eventvwr', right-click Security Log and choose Properties. You will see that the default retention policy is to overwrite events older than seven days. You will also see the default location of the log, %SystemRoot%\System32\config\SecEvent.Evt, and the maximum log size of 512 KB. You can choose to either use one of the provided policies or choose to automagically back up your logs once they've reached the defined maximum size. To do this you should add and use the AutoBackupLogFiles registry key by following the instructions provided in MSKB article 312571.

Now that we've seen how to turn on the Security Auditing feature of the Logs we will turn our attention to the more interesting aspect of this article - what is the Event Log and how does it do what it does?

We begin by examining our service closely with psservice:
andry, Moderator (Posts: 467, Join date: 2010-05-07)