Detailing Windows 2000 system logs and deletion methods

Window Windows 2000 log files usually have application logs, security logs, system logs, DNS server logs, FTP logs, www logs, and so on, depending on the services that the server opens. When we use streamer detection, such as IPC detection, will be in the security log quickly recorded streamer detection in the user name, time, etc., with FTP detection, will immediately in the FTP log note IP, time, the user name and password used to detect and so on. Even when the stream shadow start need to msvcp60.dll this library link, if the server does not have this file will be recorded in the log, this is why not take the domestic host to detect the reason, they write down your IP will easily find you, as long as he wants to find you!! and scheduler logs. This is also an important log, and you should know that the frequently used Srv.exe is initiated through this service, which records all the actions initiated by the Scheduler service, such as the start and stop of the service.

Log file default location:

Application log, security log, System log, DNS log default location:%SystemRoot%\System32\Config,
The default file size is 512KB, and administrators will change this default size.

Security log files:%systemroot%\system32\config\secevent.evt

System log File:%systemroot%\system32\config\sysevent.evt

Application log file:%systemroot%\system32\config\appevent.evt

Internet Information Services FTP log default location:%systemroot%\system32\logfiles\msftpsvc1\, default one log per day

Internet Information Services www log default location:%systemroot%\system32\logfiles\w3svc1\, default one log per day

Scheduler service Log default location:%systemroot%\schedlgu.txt

Keys for the above log in the registry:

Application logs, security logs, system logs, DNS server logs, which log files in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

Some administrators are likely to relocate these logs. There are a lot of eventlog below, which can be traced to the above log location directory.

Schedluler Service Log In Registry

Hkey_local_machine\software\microsoft\schedulingagent

FTP and WWW log detailed:

FTP Log and WWW log defaults, generate a daily log file, containing all the records of that day, the file name is usually ex (year) (month) (date), such as ex001023, is the October 23, 2000 generated log, with Notepad can be opened directly, the following example:

#Software: Microsoft Internet Information Services 5.0 (Microsoft IIS5.0)

#Version: 1.0 (Version 1.0)

#Date: 20001023 0315 (service start time date)

#Fields: Time CIP Csmethod Csuristem scstatus

0315 127.0.0.1 [1]user administator 331 (IP address 127.0.0.1 user named Administator attempting to log in)

0318 127.0.0.1 [1]pass–530 (Login failed)

032:04 127.0.0.1 [1]user NT 331 (IP address 127.0.0.1 user named NT tries to log in)

032:06 127.0.0.1 [1]pass–530 (Login failed)

032:09 127.0.0.1 [1]user cyz 331 (IP address 127.0.0.1 user named Cyz attempting to log in)

0322 127.0.0.1 [1]pass–530 (Login failed)

0322 127.0.0.1 [1]user Administrator 331 (IP address 127.0.0.1 User name is administrator attempting to log in)

0324 127.0.0.1 [1]pass–230 (Login successful)

0321 127.0.0.1 [1]MKD NT 550 (new directory failed)

0325 127.0.0.1 [1]quit–550 (Exit FTP program)

From the log you can see that the IP address for 127.0.0.1 users have been trying to log on to the system, changed four times username and password to be successful, the administrator immediately can know the administrator's intrusion time, IP address and the user name of the probe, such as the intruder in the end is the user name into the administrator, Consider changing the password for this username, or renaming the administrator user.


www log:

WWW service the same as the FTP service, the resulting log is also in the%SYSTEMROOT%\SYSTEM32\LOGFILES\W3SVC1 directory, the default is a daily log file, the following is a typical WWW log file

#Software: Microsoft Internet Information Services 5.0

#Version: 1.0

#Date: 20001023 03:091

#Fields: Date Time CIP Csusername SIP sport Csmethod csuristem csuriquery scstatus cs (useragent)

20001023 03:091 192.168.1.26 192.168.1.37 get/iisstart.asp mozilla/4.0+ (compatible;+msie+5.0;+windows+98;+ Digext)

20001023 03:094 192.168.1.26 192.168.1.37 get/pagerror.gif mozilla/4.0+ (compatible;+msie+5.0;+windows+98;+ Digext)

Through the analysis of line sixth, you can see October 23, 2000, the IP address for 192.168.1.26 users through the Access IP address for the 192.168.1.37 machine 80 port, view a page iisstart.asp, The user's browser is Compatible;+msie+5.0;+windows+98+digext, and experienced administrators can determine the intruder's IP address and intrusion time through security logs, FTP logs, and WWW logs.

Even if you delete the FTP and WWW logs, however, it will still be recorded in the system log and security log, but it is better to display only your machine name, and do not have your IP, for example, after the above several probes, the system log will produce the following record: At a glance can be seen October 23, 2000, 16:17, System because of a warning for some events, double-click the first one to open its properties:

The reason for the warning is recorded in the attribute because an attempt was made to log in with the Administator user name and an error occurred, originating from the FTP service. While the security record will be written down at the same time, we can see two icons: The key (indicating success) and the lock (which means the system stops when the user is doing something). Four consecutive lock icons, indicating four failure audits, the event type is account logon and logon, logoff failed, date is October 18, 2000, Time is 1002, this needs to focus on observation.

Two-point first failure audit event, that is, to get a detailed description of this event, we can learn that there is a cyz workstation, with the Administator user name to log on to the computer, but because the user name is unknown or the password error (the actual password error) failed.

There is also a DNS server log, not too important to skip (in fact, I have not seen it)

Knowing the details of the Windows2000 log, learn how to delete these logs:

Through the above, learned that log files usually have a service in the background protection, in addition to the system log, security log, application log, and so on, their service is a key process of Windos2000, and with the registry file, when the Windows2000 started, start the service to protect these files, So it's hard to delete, and FTP and WWW logs and Scedlgu logs can be easily deleted.

First try to get the admnistrator password or one of the members of the Administrators group, and then telnet to the remote host, first attempt to delete the FTP log:

D:\server>del SchedLgU.txt

D:\SERVER\SchedLgU.Txt

The process cannot access the file because it is being used by another program.

Said, backstage has the service protection, first stops the service!

D:\server>net Stop "Task Scheduler"

The following services depend on the Task Scheduler service.

Stopping the Task Scheduler service also stops these services.

Remote Storage Engine

Do you want to continue with this operation? (y/n) [N]: Y

Remote Storage Engine service is stopping ....

Remote Storage Engine Service has successfully stopped.

Task Scheduler service is stopping.

The Task Scheduler service has stopped successfully.

OK, its service stops, and it also stops the service that has dependencies on it. Try to delete it again!

D:\server>del SchedLgU.txt

D:\server>

No response? It worked! The next is the FTP log and the WWW log, the principle is the same, first stop the relevant services, and then delete the log!

D:\server\system32\logfiles\msftpsvc1>del Ex*.log

D:\server\system32\logfiles\msftpsvc1>

The above operation successfully deleted the FTP log! Then come to the WWW log!

D:\server\system32\logfiles\w3svc1>del Ex*.log

D:\server\system32\logfiles\w3svc1>

Ok! Congratulations, the simple log is now deleted successfully. The following is a difficult security log and system log, the guardian of these log service is event log, try to stop it!

D:\server\system32\logfiles\w3svc1>net Stop EventLog

The service cannot accept the requested pause or stop operation.

No way, it's a key service. If you do not use third-party tools, there is no possibility of deleting the security log and the system log at all on the command line! So we still have to use the simple but slow speed of the way to panic: Open Event Viewer in Administrative Tools in Control Panel (98 No, you know the benefits of Win2K), there is a menu called "Connect to another Computer" in the menu "action", enter the IP of the remote computer, Then light a cigarette, wait 10 minutes, endure like a crash, select the security log for the remote computer, and right-click its properties:

Click the "Clear Log" button in the attribute, ok! Security log cleanup Complete! Suffer the same pain to clear the system log!

The former without the help of the third tool, can quickly, very smoothly to clear the FTP, www and schedlgu log, is the system log and security log belongs to the strict guardian of Windows2000, can only use the local Event Viewer to open it, because in the graphical interface, coupled with slow speed, If you have more money and time is free, you can still clear it. In summary, the Windows2000 log file and the deletion method are described, but you must be an administrator, note that you must be logged on as a member of the Administrators or administrative group to open security logging. This procedure applies to Windows Professional computers and also to Windows Server computers that run as stand-alone servers or member servers.

At this point, the Windows2000 Safety Knowledge Foundation Lecture finished, there are a few words to say, we also see that, although the FTP and so on log can be quickly cleared, but the system log and security log is not so fast, so smooth can be deleted, if you encounter a smart administrator, the log files to another place, That is even more difficult, so we advise you, do not take the domestic host to do the experiment.