Windows System log File analysis

Log file, which records every detail of the Windows system and its various services running, and plays a very important role in enhancing Windows stability and security.
　　But many users do not pay attention to it protection, some "uninvited" very easy to empty the log file, to the system to bring serious security risks. First, what is the log file log file is a special file in Windows system, it records everything that happens in Windows system, such as the start, run, shutdown and other information of various system services. The Windows log includes applications, security, systems, and so on, where the path is "%systemroot%system32config", and the application log, security log, and system log correspond to the file name Appevent.evt, Secevent.evt and Sysevent.evt.
　　These files are protected by the event Log service and cannot be deleted, but can be emptied. Ii. How to view log files It is easy to view log files in a Windows system. Click "start → settings → control panel → admin tools → Event Viewer" to list the log types included in this machine in the left column of the Event Viewer window, such as application, security, system, and so on. It is also easy to view a log record by selecting a type of log in the left column. Like an application, and then list all the records for that type of log in the right column, double-click on one of the records, pop up the event Properties dialog box, display the details of the record, so we can get a good grasp of exactly what's going on in the system,
　　Whether it affects the normal operation of windows, and if there is a problem, find out immediately.
　　Third, the Windows log File Protection log file is so important to us, so we can not ignore the protection of it, prevent some "outlaws" to clean the log files empty.
　　1, modify log file storage directory Windows log file default path is "%systemroot%system32config", we can modify the registry to change its storage directory, to enhance the protection of the log. Click "Start → run", enter "Regedit" in the dialog box, eject Registry Editor after carriage return, expand "Hkey_local_machine/system/currentcontrolset/services/eventlog" in sequence,
　　The following application, security, and system several subkeys correspond to the application log, the safety log, and the systems log, respectively. Take the application log as an example and transfer it to the "D:cce" directory. Select the Application subkey (figure), and in the right column, locate the file key whose key value is the path to the application log file.%systemroot%system32configappevent.evt ", modify it to" d:cceappevent.evt ". Then in D disk New "CCE" directory, the "appevent.evt" copy to the directory, restart the system to complete the application log file storage directory changes.
　　Other types of log file paths are modified in the same way, and are only manipulated under different subkeys. 2.
　　Set file access permissions after modifying the storage directory of the log file, the log can still be emptied, and the following changes the log file access to prevent this from happening, provided that the Windows system is formatted with the NTFS file system. Right-click the CCE directory on the D disk, select Properties, and switch to the Security tab, first uncheck the "Allow inheritable permissions from parent to propagate to this object" option. Then select the "Everyone" account in the Account list box. Give it only read permission, then click the "Add" button, add the "System" account to the Account list box, give all the permissions except Full Control and modify, and then click OK.
　　This will eject the error dialog box when the user clears the Windows log.
　　Iv. Windows log Instance analysis a number of action events are recorded in the Windows log, and for the convenience of the user, each type of event is given a unique number, which is the event ID. 1. View the normal switch log on a Windows system, we can view the computer's open and shut down records through the Event Viewer's system log, because the log service will start or close with the computer and leave records in the log. Here we will introduce two event IDs "6006 and 6005". 6005 indicates that the event Log service was started, and if a day event ID number 6005 is found in Event Viewer, the Windows system is started correctly on that day.
　　6006 indicates that the event Log service has stopped, and if the event ID number 6006 is not found in Event Viewer, it means that the computer did not shut down properly on that day, either because of a system reason or because the power was cut off directly, resulting in the failure to perform a normal shutdown operation. 2. View DHCP configuration warning information in larger networks, the DHCP server is generally used to configure client IP address information, and if the client cannot find a DHCP server, it automatically configures the client with an internal IP address. And an event with an event ID number of 1007 is generated in the Windows log.
　　If the user discovers the number event in the log, the machine is unable to obtain information from the DHCP server to see if it is a machine network failure or a DHCP server problem.
　　V. Web log file AnalysisFor example, the following log records are analyzed: #Software: Microsoft Internet Information Services 6.0 #Version: 1.0 #Date: 2006-09-24 07:19:27 #F Ields:date time S-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username C-IP cs (User-Agent) sc-status Sc-su Bstatus sc-win32-status 2006-09-24 07:19:27 w3svc1 192.168.99.173 get/index.asp-80-192.168.99.236 Mozilla/4.0+ (Comp  ATIBLE;+MSIE+6.0;+WINDOWS+NT+5.1;+SV1) 0 0 2006-09-24 07:19:27 w3svc1 192.168.99.173 get/sxjyzx/sxjyzx/css.css-80 -192.168.99.236 mozilla/4.0+ (COMPATIBLE;+MSIE+6.0;+WINDOWS+NT+5.1;+SV1) 0 0 2006-09-24 07:19:27 w3svc1. 173 get/sxjyzx/sxjyzx/1.gif-80-192.168.99.236 mozilla/4.0+ (COMPATIBLE;+MSIE+6.0;+WINDOWS+NT+5.1;+SV1) 200 0 0 2006- 09-24 07:19:27 w3svc1 192.168.99.173 get/sxjyzx/sxjyzx/home_top_new2.jpg-80-192.168.99.236 mozilla/4.0+ (compatible; +MSIE+6.0;+WINDOWS+NT+5.1;+SV1) 0 0 2006-09-24 07:19:27 w3svc1 192.168.99.173 get/sxjyzx/sxjyzx/2.gif-80-192.16 8.99.236 mozilla/4.0+ (CompATIBLE;+MSIE+6.0;+WINDOWS+NT+5.1;+SV1) 200 0 0 Analysis: Date indicates the access date of the record, Time access times, S-sitename represents your virtual host.
　　S-IP service-side IP Cs-method to represent access methods, there are two common, one is get, is usually we open a URL to access the action, the second is post, the form of the action, Cs-uri-stem is to visit which file; Cs-uri-query refers to the access to the address of the accompanying parameters, such as the string id=12 after the ASP file, and so on, if no parameters are used-to represent; S-port Access Port Cs-username Visitor name C-ip Visitor IP cs (user-agent) Access source; Sc-status state, 200 for success, 403 for no permissions, 404 for no page, 500 for program error, byte size for Sc-substatus server delivery to client, byte size for Cs–win32-statu client to server 1**: Request received, continue processing 2**: Operation received, analyzed, accepted 3**: This request must be further processed 4**: The request contains an error syntax or cannot be completed 5**: The server failed to perform a fully valid request 100--the customer must continue to issue a request 10 1--customer requires the server to convert HTTP protocol version on request 200--transaction success 201--prompt to know new file URL 202--accept and process, but processing incomplete 203--return information is uncertain or incomplete 204--request received, but return information is empty 205-- The server completes the request and the user agent must reset the currently browsed files 206--server has completed some of the user's get requests 300--the requested resources can be obtained in multiple locations 301--Delete request data 302--found the request data at other addresses 303--advised customers to access other URL or access method 304--the client has executed a GET, but the file has not changed 305--the requested resource must obtain the code used in the previous version of HTTP from the address specified by the server, and no longer uses the 307--to declare the requested resource temporarily delete 400--error in the current version request, such as syntax error 401--request authorization failure 402--reserved valid Chargeto header response 403--request not allowed
　　404--did not find a file, query, or URL 405--the method defined by the user in the Request-line field does not allow 406--to request resources inaccessible according to accept sent by the user 407--is similar to 401, the user must first be authorized on the proxy server 408 --The client does not complete the request 409--the current resource state within the time specified by the user, the request cannot be completed 410--no longer has this resource on the server and no further reference address 411--server rejects a user-defined content-length attribute request 412--one or more requests Header field error in current request 413--requested resource is greater than server allowed size 414--requested resource URL is longer than server allowed length 415--request resource does not support request Project format 416--request contains range request header field, no range within current request resource range Indicates a value, and the request does not contain the If-range request header field 417--server does not meet the expected expectations specified by the request Expect header field, if it is a proxy server, it may be that the next level server does not meet the request 500--server generates internal error 501--server does not support requested function 502- -Server temporarily unavailable, sometimes to prevent system overload 503--server overload or suspend maintenance 504--Gateway overload, the server uses another gateway or service to respond to users, waiting time set value longer 505--server does not support or reject the HTTP version of FTP log points specified in the support request header Analysis of FTP logs and WWW logs by default, a log file is generated daily that contains all the records for that day, usually the name of ex (year) (month) (date). For example, ex040419, the April 19, 2004-generated log, can be opened directly with Notepad, common intrusion behavior of the log is generally the case: #Software: Microsoft Internet Information Services
　　5.0 (Microsoft IIS5.0) #Version: 1.0 (Version 1.0) #Date: 20040419 0315 (service start date) #Fields: Time CIP Csmethod Csuristem scstatus 0315 127.0.0.1 [1]user administator 331 (IP address 127.0.0.1 User name is administator attempt to log on) 0318 127.0.0.1 [1] pass–530 (Login failed) 032:04 127.0.0.1 [1]user NT 331 (user with IP address 127.0.0.1 User name NT attempting to log on) 032:06 127.0.0.1 [1]pass–530 (Login failed) 0 32:09 127.0.0.1 [1]user cyz 331 (user with IP address of 127.0.0.1 attempting to log on) Cyz 0322 [127.0.0.1 (Logon failed) 1]pass–530 0322 [127.0.0.1 R Administrator 331 (IP address is 127.0.0.1 user name is administrator attempting to log in) 0324 127.0.0.1 [1]pass–230 (login succeeded) 0321 127.0.0.1 [1]MKD NT 5
　　50 (new directory failed) 0325 127.0.0.1 [1]quit–550 (Exit FTP program) From the log can see that the IP address for 127.0.0.1 users have been trying to log on to the system, changed the username and password four times to succeed, the administrator immediately know that this IP has at least an intrusion attempt. His intrusion time, IP address, and the user name of the probe are clearly recorded in the log. If the previous intruder is eventually entered with the administrator username, consider whether the username is a password theft. or be taken advantage of by others. The next thing to think about is what's going on with the system.