Windows 2000 logs and how to delete them

Source: Internet
Author: User

Windows 2000 keeps a number of log files, depending on which services the server runs: the application log, the security log, the system log, the DNS server log, the FTP log, the WWW log, and so on. When a scanner such as Streamer probes IPC$, the security log promptly records the probe, including the user name tried and the time; when it probes FTP, the FTP log immediately records the IP address, the time, and the user names and passwords used in the probe. Even the fact that Streamer needs to link against the msvcp60.dll library on startup is written to the log if the server lacks that file. This is why scanning from a domestic host gives you away: once they have written down your IP address, finding you is easy if they want to. There is also the Scheduler log. It is an important log as well: the commonly used Srv.exe is launched through this service, and the log records every action the Scheduler service initiates, such as starting and stopping services.

Log file default locations:

Application log, security log, system log and DNS log default location: %SystemRoot%\System32\Config; the default maximum file size is 512 KB, which an administrator may change.

Security log file: %systemroot%\system32\config\secevent.evt
System log file: %systemroot%\system32\config\sysevent.evt
Application log file: %systemroot%\system32\config\appevent.evt
Internet Information Services FTP log default location: %systemroot%\system32\logfiles\msftpsvc1\, one log file per day by default
Internet Information Services WWW log default location: %systemroot%\system32\logfiles\w3svc1\, one log file per day by default
Scheduler service log default location: %systemroot%\schedlgu.txt

Registry keys for the logs above:

The application, security, system and DNS server log files are registered under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

Some administrators relocate these logs. There are many subkeys below Eventlog, and from them the actual directory of each log above can be traced.

Scheduler service log in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

FTP and WWW logs in detail:

By default the FTP and WWW logs produce one log file per day containing all records for that day. The file name is usually ex(year)(month)(day); for example, ex001023 is the log generated on October 23, 2000. It can be opened directly with Notepad. An example follows:

#Software: Microsoft Internet Information Services 5.0 (Microsoft IIS 5.0)
#Version: 1.0 (version 1.0)
#Date: 20001023 0315 (date and time the service started)
#Fields: time c-ip cs-method cs-uri-stem sc-status
0315 127.0.0.1 [1]USER administator 331 (IP address 127.0.0.1, user named administator attempting to log in)
0318 127.0.0.1 [1]PASS - 530 (login failed)
032:04 127.0.0.1 [1]USER nt 331 (IP address 127.0.0.1, user named nt attempting to log in)
032:06 127.0.0.1 [1]PASS - 530 (login failed)
032:09 127.0.0.1 [1]USER cyz 331 (IP address 127.0.0.1, user named cyz attempting to log in)
0322 127.0.0.1 [1]PASS - 530 (login failed)
0322 127.0.0.1 [1]USER administrator 331 (IP address 127.0.0.1, user named administrator attempting to log in)
0324 127.0.0.1 [1]PASS - 230 (login successful)
0321 127.0.0.1 [1]MKD nt 550 (creating a new directory failed)
0325 127.0.0.1 [1]QUIT - 550 (exited the FTP program)

From the log you can see that a user at IP address 127.0.0.1 kept trying to log on to the system and succeeded only after changing the user name and password four times. The administrator can immediately tell the intrusion time, the IP address and the user names that were probed, and, since the intruder finally got in under the administrator user name, should consider changing the password for that account or renaming the administrator user.

WWW log

The WWW service works the same way as the FTP service: its log is also written under the %SYSTEMROOT%\SYSTEM32\LOGFILES\W3SVC1 directory, one log file per day by default. The following is a typical WWW log file:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 20001023 03:091
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
20001023 03:091 192.168.1.26 192.168.1.37 GET /iisstart.asp Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
20001023 03:094 192.168.1.26 192.168.1.37 GET /pagerror.gif Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)

Analysing the sixth line shows that on October 23, 2000, a user at IP address 192.168.1.26 connected to port 80 of the machine at IP address 192.168.1.37 and viewed the page iisstart.asp; the user's browser identified itself as compatible;+MSIE+5.0;+Windows+98;+DigExt. An experienced administrator can pin down the intruder's IP address and intrusion time by combining the security log, the FTP log and the WWW log.
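The two excerpts above are both IIS 5.0 W3C extended logs, where the #Fields directive names the columns of every record that follows. The parser below, an added example that is not part of the original article, reads that directive and uses it to decode both the FTP and the WWW log, then summarises what an administrator would look for: per client IP, the FTP user names tried, the number of failed passwords (530) and any successful logon (230) that followed them, and the pages a WWW client requested with its decoded User-Agent. The sample logs are constructed: they follow the shape of the page's excerpts, but the timestamps, the WWW status codes and the extra WWW columns are filled-in assumptions, since the page's copies are incomplete.

```python
"""Parse IIS 5.0 W3C extended logs (FTP and WWW) and summarise per-client activity.

Added example, not from the original article. The sample log text below is
constructed; timestamps and WWW status codes are assumptions.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed FTP log modelled on the page's excerpt (times are assumptions).
FTP_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:15:20
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15:20 127.0.0.1 [1]USER administator 331
03:18:04 127.0.0.1 [1]PASS - 530
03:20:04 127.0.0.1 [1]USER nt 331
03:20:06 127.0.0.1 [1]PASS - 530
03:20:09 127.0.0.1 [1]USER cyz 331
03:22:01 127.0.0.1 [1]PASS - 530
03:22:30 127.0.0.1 [1]USER administrator 331
03:24:00 127.0.0.1 [1]PASS - 230
03:24:10 127.0.0.1 [1]MKD nt 550
03:25:00 127.0.0.1 [1]QUIT - 550
"""

# Constructed WWW log (status 200 and the '-' columns are assumptions).
WWW_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:09:17
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-10-23 03:09:17 192.168.1.26 - 192.168.1.37 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2000-10-23 03:09:44 192.168.1.26 - 192.168.1.37 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # directives other than #Fields are ignored
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields directive")
        values = line.split()  # IIS encodes spaces inside a field as '+', so split() is safe
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def ftp_logon_summary(records):
    """Per client IP: user names offered, failed PASS (530) count, successful logons (230)."""
    summary = defaultdict(lambda: {"users": [], "failed": 0, "success": []})
    last_user = {}  # c-ip -> user name most recently offered with USER
    for r in records:
        ip = r["c-ip"]
        method = re.sub(r"^\[\d+\]", "", r["cs-method"]).upper()  # drop the [n] connection id
        if method == "USER":
            last_user[ip] = r["cs-uri-stem"]
            summary[ip]["users"].append(r["cs-uri-stem"])
        elif method == "PASS":
            if r["sc-status"] == "530":
                summary[ip]["failed"] += 1
            elif r["sc-status"] == "230":
                summary[ip]["success"].append((r["time"], last_user.get(ip)))
    return dict(summary)


def brute_force_suspects(summary, threshold=3):
    """IPs that failed at least `threshold` logons and then got in: the page's scenario."""
    return [ip for ip, s in summary.items() if s["failed"] >= threshold and s["success"]]


def www_client_summary(records):
    """Per client IP: (time, method, uri-stem, decoded User-Agent) for each request."""
    by_ip = defaultdict(list)
    for r in records:
        agent = r["cs(User-Agent)"].replace("+", " ")
        by_ip[r["c-ip"]].append((r["time"], r["cs-method"], r["cs-uri-stem"], agent))
    return dict(by_ip)


def daily_log_name(day):
    """IIS daily log file name for a date: 'ex' + YYMMDD + '.log' (ex001023 = 23 Oct 2000)."""
    return f"ex{day:%y%m%d}.log"


if __name__ == "__main__":
    ftp = ftp_logon_summary(parse_w3c(FTP_LOG))
    for ip in brute_force_suspects(ftp):
        print(ip, "tried", ftp[ip]["users"], "failed", ftp[ip]["failed"], "then", ftp[ip]["success"])
    for ip, reqs in www_client_summary(parse_w3c(WWW_LOG)).items():
        for t, m, uri, ua in reqs:
            print(ip, t, m, uri, ua)
    print("log for 23 Oct 2000:", daily_log_name(date(2000, 10, 23)))
```

The summary keys off the FTP reply codes rather than the command text, so it catches the same pattern whatever user names are tried; `daily_log_name` only shows which file under msftpsvc1 or w3svc1 holds a given day, which is the first thing to locate when reconstructing a timeline.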

Even if the FTP and WWW logs are deleted, the activity is still recorded in the system log and the security log, although those show only the machine name and not the IP address. For example, after the probes above, the system log contains records like the following: at a glance you can see that on October 23, 2000, at 16:17, the System source raised a warning for several events. Double-clicking the first one opens its properties:

The properties record the reason for the warning: an attempt was made to log in with the user name administator and an error occurred, originating from the FTP service. The security log is written at the same time, and there we see two kinds of icon: the key (a success audit) and the lock (a failure audit, meaning the system blocked what the user was doing). Four consecutive lock icons indicate four failure audits; the event category is account logon and logon/logoff, the result is failure, the date is October 18, 2000 and the time is 1002. This is what to watch closely.

Double-clicking the first failure audit event gives a detailed description of it: a workstation named cyz tried to log on to the computer with the user name administator, but failed because the user name was unknown or the password was wrong (here it was actually a wrong password).

There is also a DNS server log, which is not too important and can be skipped (in fact, I have not looked at it).

Now that the Windows 2000 logs are understood in detail, on to how they are deleted:

From the above we learned that a log file usually has a service protecting it in the background. The system log, security log and application log are protected by a service that is a key Windows 2000 process, tied to the registry, and started together with Windows 2000 to guard these files, so they are hard to delete. The FTP and WWW logs and the schedlgu log, by contrast, can be deleted easily.
