From: http://blog.cfan.com.cn
The log files, which record the details of a running Windows system and of its services, play an important role in keeping Windows stable and secure. Many users nevertheless pay no attention to protecting them, so an intruder can simply clear the logs and erase the record of what was done, which is a serious security risk.
I. What is a log file?
A log file is a special file in which Windows records what happens on the system, such as the starting, running and stopping of system services. Windows keeps three logs: Application, Security and System. They are stored under "%SystemRoot%\system32\config" as AppEvent.Evt, SecEvent.Evt and SysEvent.Evt respectively. While the Event Log service is running it holds these files open, so they cannot be deleted; they can, however, be cleared from within Windows.
II. How to view log files
Viewing the logs is easy. Click Start > Settings > Control Panel > Administrative Tools > Event Viewer (or run eventvwr.msc). The left pane of the Event Viewer window lists the logs kept on the local machine: Application, Security and System. Select a log in the left pane, for example Application, and the right pane lists all of its records. Double-click a record to open the Event Properties dialog, which shows the full details of that event, so you can see exactly what happened on the system and whether the normal operation of Windows was affected, and fix any problem as soon as you find it.
III. Windows log file protection
Because the logs matter so much, we cannot neglect protecting them from anyone who wants to clear them.
1. Change the log file storage directory
By default Windows stores the log files in "%SystemRoot%\system32\config". Editing the Registry lets us move them elsewhere, which makes them harder to find and tamper with.
Click Start > Run, type "Regedit" and press Enter to open the Registry Editor, then expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog. Its Application, Security and System subkeys correspond to the Application, Security and System logs.
Taking the Application log as an example, suppose we want to move it to "D:\CCE". Select the Application subkey and find the File value in the right pane; its data is the path of the Application log file, "%SystemRoot%\system32\config\AppEvent.Evt". Change it to "D:\CCE\AppEvent.Evt". Then create the CCE directory on drive D, copy AppEvent.Evt into it and restart the system; after the restart the Application log is written to the new directory. The other logs are moved the same way, using their own subkeys.
2. Set file access permissions
Moving the directory alone does not stop the log from being cleared. The next step is to restrict the access permissions on the log directory, which requires that the volume uses the NTFS file system.
Right-click the CCE directory on drive D, choose Properties, switch to the Security tab and clear the "Allow inheritable permissions from parent to propagate to this object" option. Select the Everyone account in the list and grant it only Read. Then click Add, add the SYSTEM account to the list, grant it every permission except Full Control and Modify, and click OK. With these permissions in place, an attempt to clear the Windows log produces an error dialog. Note that this only raises the bar: a local administrator can still take ownership of the directory and restore the permissions, so logs that really matter should also be copied or forwarded to a separate machine.
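The two manual steps above (move the log file via the Registry, then lock down the new directory) can be done in one script. The following is an added example, not code from the original article; it assumes the classic .evt logs and Registry layout described above (Windows XP/2003 era), Windows PowerShell run from an elevated prompt, and defaults to the article's own values (the Application log and D:\CCE). The parameter names are chosen here.

```powershell
# Added example (not from the original article): relocate a classic .evt Windows event log
# and lock down the new directory, automating the two manual steps above.
# Assumptions: .evt logs under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog (XP/2003 era),
# Windows PowerShell, elevated prompt. $LogName/$NewDir default to the article's example.
param(
    [string]$LogName = 'Application',
    [string]$NewDir  = 'D:\CCE'
)

$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
$oldFile = (Get-ItemProperty -Path $key -Name File).File   # e.g. %SystemRoot%\system32\config\AppEvent.Evt
if (-not $oldFile) { throw "No File value found under $key" }
$oldPath = [Environment]::ExpandEnvironmentVariables($oldFile)
$newPath = Join-Path $NewDir (Split-Path $oldPath -Leaf)

# Step 1 of the article: create the directory and copy the current log file into it.
# The service keeps the original open, which blocks deletion but not reading/copying.
New-Object -TypeName System.IO.DirectoryInfo -ArgumentList $NewDir | Out-Null
New-Item -ItemType Directory -Path $NewDir -Force | Out-Null
Copy-Item -Path $oldPath -Destination $newPath -Force

# Point the File value at the new location, keeping its REG_EXPAND_SZ type.
Set-ItemProperty -Path $key -Name File -Value $newPath -Type ExpandString

# Step 2 of the article: stop inheriting permissions, then grant exactly
#   Everyone : Read
#   SYSTEM   : everything except Full Control and Modify, i.e. Read & Execute + Write (no Delete)
$acl = Get-Acl -Path $NewDir
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited ACEs
foreach ($rule in @($acl.Access)) {           # drop any explicit ACEs that were already there
    if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
}
$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none  = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$read  = [System.Security.AccessControl.FileSystemRights]::Read
$rxw   = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'

$everyoneRead = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @('Everyone', $read, $flags, $none, $allow)
$systemWrite  = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @('NT AUTHORITY\SYSTEM', $rxw, $flags, $none, $allow)
$acl.AddAccessRule($everyoneRead)
$acl.AddAccessRule($systemWrite)
Set-Acl -Path $NewDir -AclObject $acl

Write-Host "$LogName log now points at $newPath; restart Windows for the change to take effect."
```

Save it as, say, Move-EventLog.ps1 and run `.\Move-EventLog.ps1 -LogName Security -NewDir D:\CCE` once per log. On Windows Vista and later the logs are .evtx files under %SystemRoot%\System32\winevt\Logs and the supported way to move one is `wevtutil sl <LogName> /lf:<path>`; the ACL step applies unchanged.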
IV. Analyzing Windows log entries
Windows logs record a great many events. To make them manageable, each kind of event is given a unique number, the event ID.
1. Checking for normal startup and shutdown
The System log in Event Viewer shows when the computer was started and shut down, because the Event Log service starts and stops with the computer and writes a record each time. Two event IDs matter here: 6005 and 6006. Event ID 6005 means the Event Log service was started; if you find a 6005 event for a given day, Windows started normally that day. Event ID 6006 means the Event Log service was stopped; if no 6006 event is found for that day, the computer was not shut down properly, perhaps because of a system problem or because the power was cut before a normal shutdown could run. On the next boot after such a failure Windows also writes event ID 6008 ("The previous system shutdown was unexpected"), which is the quickest single event to look for.
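Checking one day at a time by eye does not scale, so here is the same 6005/6006 pairing done over a whole log. This is an added example, not code from the original article; Get-UncleanShutdowns is a name chosen here. It accepts any objects with EventID and TimeGenerated properties, which is what Get-EventLog returns in Windows PowerShell, and the sample records are constructed, not real log data (the 19th has a start but no stop).

```powershell
# Added example (not from the original article): find sessions that ended without a clean
# shutdown by pairing Event Log service start (6005) and stop (6006) records from the System log.
# Get-UncleanShutdowns is a name chosen here; input objects need EventID and TimeGenerated.
function Get-UncleanShutdowns {
    param([Parameter(Mandatory = $true)] [object[]]$Events)

    $relevant = $Events |
        Where-Object { $_.EventID -eq 6005 -or $_.EventID -eq 6006 } |
        Sort-Object TimeGenerated
    $sessionStart = $null
    foreach ($e in $relevant) {
        if ($e.EventID -eq 6005) {
            # A start with no stop since the previous start: that session never logged 6006,
            # so the machine crashed or lost power before a normal shutdown ran.
            if ($sessionStart -ne $null) {
                New-Object PSObject -Property @{
                    SessionStart = $sessionStart
                    NextBoot     = $e.TimeGenerated
                }
            }
            $sessionStart = $e.TimeGenerated
        }
        else {
            $sessionStart = $null   # 6006: a clean shutdown closes the session
        }
    }
    # The currently running session has a 6005 and no 6006 yet; it is not reported
    # because no later 6005 follows it.
}

# Constructed sample records (not real log data): the 19th has a start but no stop.
$sample = @(
    @{ TimeGenerated = [datetime]'2009-08-18 08:00'; EventID = 6005 },
    @{ TimeGenerated = [datetime]'2009-08-18 18:00'; EventID = 6006 },
    @{ TimeGenerated = [datetime]'2009-08-19 08:05'; EventID = 6005 },
    @{ TimeGenerated = [datetime]'2009-08-20 08:10'; EventID = 6005 }
) | ForEach-Object { New-Object PSObject -Property $_ }

Get-UncleanShutdowns -Events $sample | Format-Table SessionStart, NextBoot

# Against the live System log (the EventLog source writes 6005/6006):
# Get-UncleanShutdowns -Events (Get-EventLog -LogName System -Source EventLog) | Format-Table
```

Reading the System log does not require administrator rights, so this can run as an ordinary user; a session that appears in the output should have a matching 6008 event on the following boot.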
2. Checking for DHCP configuration warnings
In a large network the clients' IP addresses are usually assigned by DHCP servers. If a client cannot reach a DHCP server, Windows falls back to Automatic Private IP Addressing and gives the adapter a self-assigned address in the 169.254.0.0/16 range, and it writes an event with event ID 1007 to the log. If you find this event ID in the log, the machine was unable to get its configuration from the DHCP server; check whether the machine's network connection or the DHCP server itself is at fault.
Reprinted from the CSDN blog; please credit the source: http://blog.csdn.net/cnbird2008/archive/2009/08/20/4466825.aspx