Eventlog

Event log/Event viewer: Understanding the Event log for a more secure environment.

Will give a clear description of the Event log and of applying it to your code. By Shashikanth

Transcript of Eventlog

Page 1: Eventlog

Event log/Event viewer: Understanding the Event log for a more secure environment.

Page 2: Eventlog

Overview
Introducing… the Event Log
Why Monitor Logs
Enabling Event Logging
Different Event Logs

Page 3: Eventlog

Introducing… the Event Log
Centralized log service that allows applications and the operating system to report events that have taken place.
Introduced with Windows NT 4 (1993).

Main Windows logs:
Application (example: database message)
System (example: driver failure)
Security (example: logon attempt, file access)

A Windows 2003 domain controller will also include:
Directory Service (example: Active Directory connection problem)
File Replication (example: domain controller information updates)
DNS

Vista has introduced a lot of changes.

Page 4: Eventlog

Why Should We Monitor Logs...
Organizations are obligated by regulations to gather and audit system activity logs.

To comply with the regulations, organizations require the following forms of log monitoring:
Real-time monitoring
Audit and analysis
Archiving

The event log should also enable the organization to implement internal security policies.

Each policy can be set to audit success events only, failure events only, both success and failure events, or no auditing at all.

Page 5: Eventlog

Each event category is controlled by Audit Policies:
Account management (group and account events)
Account logon events (for domain accounts)
Logon events (local machine events)
Object access (user accessing an object such as a file, folder or printer)
Policy change (changes in the audit, user rights and trust policies)
Process tracking (detailed tracking information)
System events (events that affect the system security or the log)

Page 6: Eventlog

Possible issues:

Volume of events (can reach several million events a day from a busy server).

Lack of security policies to help identify the events and processes to be audited (e.g. Messenger).

The event logs are just a portion of the “chain of evidence”.

Logs are a “detective” measure and are not an IPS (intrusion prevention system) on their own.

Page 7: Eventlog

Different Event Logs
Application log
System log
Security log
Setup log
Custom logs

Page 8: Eventlog

Event Viewer/ Event logs

Page 9: Eventlog

Event Properties …

Page 10: Eventlog

Application Log
The application log file contains events that are logged by the applications used on a computer system.

Events that are written to the application log are determined by the developers of the software program, not the operating system.

Unfortunately not all applications are programmed to write logs.

Examples:
Failure of MS SQL to access a database.
When your virus scanner encounters a problem, it could bring this to your attention through the application log.

Page 11: Eventlog

System Log
The system log file contains events that are logged by the operating system components. These events are often predetermined by the operating system itself.

System log files may contain information about device changes, device drivers, system changes, events, operations and more.

Example: Failure of a service to start at boot up.

Page 12: Eventlog

Security Log
Events related to resource use, such as creating, opening, or deleting files or other objects.

Records events you've set for auditing with local or global group policies.

It is used to bring valid and invalid logon attempts to your attention.

You need an account with administrative privileges to enable and use the security log and to specify which events are logged in it.

Page 13: Eventlog

Setup Log

Each execution of Setup creates log files in a new time-stamped log folder.

Gives information about the successful or unsuccessful execution of any setup files.

Page 14: Eventlog

Events
Information event
Success event
Failure event
Warning event
Error event

Page 15: Eventlog

Managing Event logs in C#

Class EventLog
Class EventLogEntry
Class EventLogEntryCollection
Class EventSourceCreationData

Page 16: Eventlog

EventLog: Static Members:
CreateEventSource();
SourceExists();
Exists();
Delete();
DeleteEventSource();
GetEventLogs();
LogNameFromSourceName();
WriteEntry();

Page 17: Eventlog

CreateEventSource()
It creates a new log. If the log that you specified in a call to this method does not exist, the system creates a custom log and registers your application as a source.

The source registers your application with the Event log as a valid source of entries.

You can only use a source to write to one log at a time.

A source can be any string but must be distinct on the computer.

Page 18: Eventlog

Overloads of CreateEventSource()

CreateEventSource(SourceName,LogName);

CreateEventSource(SourceName,LogName, MachineName);

CreateEventSource(EventSourceCreationData obj);

Page 19: Eventlog

SourceExists()
It will check whether the specified source exists or not.

bool SourceExists(string SourceName); Checks whether the specified source exists or not on the current machine.

bool SourceExists(string SourceName, string MachineName); Checks whether the specified source exists or not on the specified machine.

Page 20: Eventlog

Exists():- It will check whether the specified log exists or not.

public static bool Exists( string logName ) Checks on the local computer.

public static bool Exists( string logName, string machineName ) Checks on the specified computer.

Page 21: Eventlog

Delete():- Removes the event log from the local/specified computer.

public static void Delete( string logName )

public static void Delete( string logName, string machineName )

Page 22: Eventlog

DeleteEventSource():- Removes the event source registration from the event log of the local/specified computer.

public static void DeleteEventSource( string source )

public static void DeleteEventSource( string source, string machineName )

Page 23: Eventlog

GetEventLogs():- Searches for all event logs on the local/specified computer and creates an array of EventLog objects that contains the list.

public static EventLog[] GetEventLogs()
public static EventLog[] GetEventLogs( string machineName )

Page 24: Eventlog

LogNameFromSourceName():- Gets the name of the log to which the specified source is registered on the specified computer.

public static string LogNameFromSourceName( string source, string machineName )

Page 25: Eventlog

WriteEntry():- Writes a new record in the log where the specified source was registered. An entry may consist of:-
Message text to the event log.
EventLogEntryType
EventId
Category
rawData (byte[])

Page 26: Eventlog

Overloads of WriteEntry():-
public static void WriteEntry( string source, string message )
public static void WriteEntry( string source, string message, EventLogEntryType type )
public static void WriteEntry( string source, string message, EventLogEntryType type, int eventID )
public static void WriteEntry( string source, string message, EventLogEntryType type, int eventID, short category )
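The source registration and WriteEntry steps from the slides above, put together as an added example (not code from the original deck). The source name "MyAppSource" and log name "MyAppLog" are hypothetical.

```csharp
using System;
using System.Diagnostics;

// Added example, not from the original slides. Registers a source for a custom
// log and writes entries of different types to it. The source and log names
// are hypothetical.
class EventLogWriter
{
    const string Source  = "MyAppSource";   // hypothetical source name
    const string LogName = "MyAppLog";      // hypothetical custom log name

    static void Main()
    {
        // SourceExists searches every log, including Security; without
        // administrative rights it can throw SecurityException instead of
        // returning false. CreateEventSource also needs admin rights, so both
        // belong in an installer, not in the application's normal start-up.
        if (!EventLog.SourceExists(Source))
        {
            EventLog.CreateEventSource(Source, LogName);
            // A freshly registered source may not be usable immediately.
            Console.WriteLine("Source registered; run the application again to write entries.");
            return;
        }

        // A source is bound to exactly one log; verify the binding before
        // writing so entries do not silently land in the wrong log.
        string boundLog = EventLog.LogNameFromSourceName(Source, ".");
        if (!string.Equals(boundLog, LogName, StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine($"Source '{Source}' is bound to log '{boundLog}', not '{LogName}'.");
            return;
        }

        // Five-argument overload: source, message, type, event id, category.
        // Stable event ids let a monitoring tool filter on them later.
        EventLog.WriteEntry(Source, "Service started.",
                            EventLogEntryType.Information, 1000, 1);
        EventLog.WriteEntry(Source, "Configuration reload failed; using previous settings.",
                            EventLogEntryType.Warning, 1001, 1);
        EventLog.WriteEntry(Source, "Database connection lost.",
                            EventLogEntryType.Error, 1002, 2);
    }
}
```

Run it once elevated to register the source, then again to write; the entries then appear under the custom log in Event Viewer.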

Page 27: Eventlog

Properties:-
Log:- Gets or sets the name of the log to read from or write to.
LogDisplayName:- Gets the event log's friendly name.
MachineName:- Gets or sets the name of the computer on which to read or write events.
Source:- Gets or sets the source name to register and use when writing to the event log.
Entries:- Gets the contents of the event log.

Page 28: Eventlog

Constructor:-
EventLog():- Initializes a new instance of the EventLog class. Does not associate the instance with any log.

EventLog(String LogName):- Initializes a new instance of the EventLog class. Associates the instance with a log on the local computer.

EventLog(String Logname, String machine):- Initializes a new instance of the EventLog class. Associates the instance with a log on the specified computer.

EventLog(String log, String computer, String source):- Initializes a new instance of the EventLog class. Associates the instance with a log on the specified computer and creates or assigns the specified source to the EventLog.
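Using the EventLog(logName, machineName) constructor and the Entries, LogDisplayName and MachineName properties from the two slides above, as an added example (not code from the original deck): a small reader that summarises failure audits in the Security log. It assumes the log and machine names are passed on the command line and that the caller has administrative privileges.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;

// Added example, not from the original slides. Opens a log through the
// EventLog(logName, machineName) constructor and summarises the FailureAudit
// entries of the last 24 hours by event id. Reading the Security log requires
// administrative privileges; the log and machine names come from the command line.
class FailureAuditSummary
{
    static void Main(string[] args)
    {
        string logName = args.Length > 0 ? args[0] : "Security";
        string machine = args.Length > 1 ? args[1] : ".";   // "." means the local computer

        using (var log = new EventLog(logName, machine))
        {
            Console.WriteLine($"{log.LogDisplayName} on {log.MachineName}: {log.Entries.Count} entries");

            DateTime since = DateTime.Now.AddHours(-24);
            var countById  = new Dictionary<long, int>();
            var latestById = new Dictionary<long, EventLogEntry>();

            // Entries is ordered oldest to newest, so walk it backwards and stop
            // at the first entry outside the time window instead of reading
            // the whole log (which can hold millions of records).
            for (int i = log.Entries.Count - 1; i >= 0; i--)
            {
                EventLogEntry e = log.Entries[i];
                if (e.TimeGenerated < since) break;
                if (e.EntryType != EventLogEntryType.FailureAudit) continue;

                long id = e.InstanceId;
                countById[id] = countById.TryGetValue(id, out int n) ? n + 1 : 1;
                if (!latestById.ContainsKey(id)) latestById[id] = e;   // newest seen first
            }

            foreach (var pair in countById)
            {
                EventLogEntry latest = latestById[pair.Key];
                Console.WriteLine($"Event {pair.Key}: {pair.Value} failure audit(s), " +
                                  $"latest at {latest.TimeGenerated:u} from source {latest.Source}");
            }
        }
    }
}
```

A sudden rise in the count for one event id (for example repeated failed logons) is the kind of signal the "Why Monitor Logs" slide refers to; the same loop works against the Application or System log by passing a different log name.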

Page 29: Eventlog

Non Static Members:-

Programmatic Explanation..

Page 30: Eventlog