Introducing…Event Log<br />Centralized log service that allows applications and the operating system to report events that have taken place.<br />Introduced with Windows NT 4 (1993).<br />Main Windows Logs:<br />Application (example: database message)<br />System (example: driver failure)<br />Security (example: logon attempt, file access)<br />A Windows 2003 domain controller will also include:<br />Directory Service (example: Active Directory connection problem)<br />File Replication (example: domain controller information updates)<br />DNS<br />Vista has introduced a lot of changes.<br />
Why Should We Monitor Logs...<br />Organizations are obligated by regulations to gather and audit system activity logs.<br />To comply with the regulations, organizations require the following forms of log monitoring:<br /><ul><li>Real-time monitoring</li>
<li>Archiving</li></ul>The event log should also enable the organization to implement internal security policies.<br />Each policy can be set to audit success events only, failure events only, both success and failure events, or no auditing at all.<br />
Each event category is controlled by Audit Policies:<br /><ul><li>Account management (group and account events)</li>
<li>Object access (a user accessing an object such as a file, folder or printer)</li>
<li>Policy change (changes in the audit, user rights and trust policies)</li>
<li>Process tracking (detailed tracking information)</li>
<li>System events (events that affect the system security or the log)</li></ul>Possible issues:<br /><ul><li>Volume of events (can reach several million events a day from a busy server).</li>
<li>Lack of security policies to help identify the events and processes to be audited (e.g. Messenger).</li>
<li>The event logs are just a portion of the “chain of evidence”.</li>
<li>Logs are a “detective” measure and are not an IPS (intrusion prevention system) on their own.</li></ul>Different Event Logs<br />Application log<br />System log<br />Security log<br />Setup log<br />Custom Logs<br />
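The real-time monitoring and the success/failure auditing described above, as an added example that is not part of the original slides: a small watcher that subscribes to the local Security log and counts SuccessAudit and FailureAudit entries as they are written, printing the failures. It is Windows-only, uses the System.Diagnostics.EventLog API (a separate NuGet package on .NET Core and .NET 5+), and must run under an account allowed to read the Security log (Administrators or Event Log Readers).

```csharp
using System;
using System.Diagnostics;
using System.Threading;

// Added example, not from the original slides: a minimal real-time watcher for
// the Security log that counts audit entries by type and reports failures.
class SecurityAuditWatcher
{
    static int successAudits;
    static int failureAudits;

    static void Main()
    {
        using (var securityLog = new EventLog("Security"))
        {
            securityLog.EntryWritten += OnEntryWritten;
            // EntryWritten is raised only for logs on the local computer.
            securityLog.EnableRaisingEvents = true;

            Console.WriteLine("Watching the Security log. Press Enter to stop.");
            Console.ReadLine();
            securityLog.EnableRaisingEvents = false;
        }
        Console.WriteLine($"Success audits: {successAudits}, failure audits: {failureAudits}");
    }

    // Runs on a thread-pool thread, so the counters are updated with Interlocked.
    static void OnEntryWritten(object sender, EntryWrittenEventArgs e)
    {
        EventLogEntry entry = e.Entry;
        switch (entry.EntryType)
        {
            case EventLogEntryType.SuccessAudit:
                Interlocked.Increment(ref successAudits);
                break;
            case EventLogEntryType.FailureAudit:
                // A rejected logon or denied object access produces a FailureAudit
                // when the matching audit policy is set to "failure"; surface it at once.
                Interlocked.Increment(ref failureAudits);
                Console.WriteLine(
                    $"{entry.TimeGenerated:u} FAILURE id={entry.InstanceId} source={entry.Source} category={entry.Category}");
                break;
        }
    }
}
```

Two caveats matter on a busy server, which is the "volume of events" issue from the slide: the change notification behind EntryWritten is delivered at most about once every six seconds, so entries arrive in bursts rather than one at a time, and the watcher only observes what the audit policy actually records; it is a detective control and blocks nothing by itself.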
Application Log<br />The application log file contains events that are logged by the applications used on a computer system.<br />Events that are written to the application log are determined by the developers of the software program, not the operating system.<br />Unfortunately, not all applications are programmed to write logs.<br />Examples:<br />Failure of MS SQL to access a database.<br />When your virus scanner encounters a problem, it could bring this to your attention through the application log.<br />
System Log<br />The system log file contains events that are logged by operating system components. These events are often predetermined by the operating system itself.<br />System log files may contain information about device changes, device drivers, system changes, events, operations and more.<br />Example:<br />Failure of a service to start at boot-up.<br />
Security Log<br />Contains events related to resource use, such as creating, opening or deleting files or other objects.<br />Records the events you have set for auditing with local or global group policies.<br />It is used to bring valid and invalid logon attempts to your attention.<br />An account with administrative privileges is needed to enable, use and specify which events are logged in the security log.<br />
Setup Log<br />Each execution of Setup creates log files in a new time-stamped log folder.<br />Gives information about the successful or unsuccessful execution of any setup files.<br />
CreateEventSource()<br />It creates a new event source and, if necessary, a new log.<br />If the log that you specified in the call to this method does not exist, the system creates a custom log and registers your application as a source for it.<br />The source registers your application with the Event Log as a valid source of entries.<br />A source can write to only one log at a time.<br />The source name can be any string but must be unique on the computer.<br />
Overloads of CreateEventSource()<br />CreateEventSource(SourceName, LogName);<br />CreateEventSource(SourceName, LogName, MachineName);<br />CreateEventSource(EventSourceCreationData obj);<br />
SourceExists()<br />Checks whether the specified source exists or not.<br />public static bool SourceExists(string source); checks whether the specified source exists on the current machine.<br />public static bool SourceExists(string source, string machineName); checks whether the specified source exists on the specified machine.<br />
Exists():-<br />Checks whether the specified log exists or not.<br />public static bool Exists(string logName) checks on the local computer.<br />public static bool Exists(string logName, string machineName) checks on the specified computer.<br />
DeleteEventSource():-<br />Removes the event source registration from the event log of the local/specified computer.<br />public static void DeleteEventSource(string source)<br />public static void DeleteEventSource(string source, string machineName)<br />
GetEventLogs():-<br />Searches for all event logs on the local/specified computer and creates an array of EventLog objects that contains the list.<br />public static EventLog[] GetEventLogs()<br />public static EventLog[] GetEventLogs(string machineName)<br />
LogNameFromSourceName():-<br />Gets the name of the log to which the specified source is registered on the specified computer.<br />public static string LogNameFromSourceName(string source, string machineName)<br />
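The static source-management calls from the preceding slides (CreateEventSource, SourceExists, Exists, LogNameFromSourceName, DeleteEventSource) combined into one setup routine, as an added example that is not part of the original slides. The source name "PayrollService" and the custom log name "PayrollAudit" are assumed for illustration. CreateEventSource writes to the registry and therefore needs administrative rights, so this belongs in an installer or an elevated setup step, not in the application's normal run-time path.

```csharp
using System;
using System.Diagnostics;

// Added example, not from the original slides: register a hypothetical source in a
// custom log, verify that the source really maps to that log, and clean up again.
static class EventSourceSetup
{
    const string SourceName = "PayrollService";   // assumed; must be unique on the machine
    const string LogName = "PayrollAudit";        // assumed custom log name
    const string LocalMachine = ".";

    // Registers the source if needed and returns the log it is mapped to.
    public static string EnsureSource()
    {
        if (!EventLog.SourceExists(SourceName))
        {
            // The log does not exist yet, so the system creates it and registers the
            // source in it. EventSourceCreationData is the overload that also lets
            // you set MachineName or a message resource file later on.
            EventLog.CreateEventSource(new EventSourceCreationData(SourceName, LogName));
            Console.WriteLine($"Registered source {SourceName} in log {LogName}");
        }

        // A source belongs to exactly one log. If an earlier install mapped the same
        // source name to a different log (for example "Application"), entries would
        // silently land there instead, so check the mapping rather than assume it.
        string mappedLog = EventLog.LogNameFromSourceName(SourceName, LocalMachine);
        if (!string.Equals(mappedLog, LogName, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Source {SourceName} is registered to log '{mappedLog}', not '{LogName}'.");
        }

        if (!EventLog.Exists(LogName, LocalMachine))
        {
            throw new InvalidOperationException($"Log '{LogName}' is missing after registration.");
        }
        return mappedLog;
    }

    // Removes only the source registration; the custom log and its entries remain.
    public static void Uninstall()
    {
        if (EventLog.SourceExists(SourceName))
        {
            EventLog.DeleteEventSource(SourceName);
            Console.WriteLine($"Removed source {SourceName}");
        }
    }

    static void Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "--uninstall")
        {
            Uninstall();
            return;
        }
        Console.WriteLine($"Source {SourceName} is mapped to log: {EnsureSource()}");
    }
}
```

The mapping check is the part worth keeping: a source name that already exists is not an error for SourceExists, and remapping a source to a different log only takes effect after a restart, so verifying LogNameFromSourceName at install time is the cheapest way to make sure audit entries end up in the log your monitoring actually reads.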
WriteEntry():-<br />Writes a new record to the log in which the source was registered.<br />An entry may consist of:-<br />Message text for the event log<br />EventLogEntryType<br />EventId<br />Category<br />rawData (byte[])<br />
Properties:-<br />Log:- Gets or sets the name of the log to read from or write to.<br />LogDisplayName:- Gets the event log's friendly name.<br />MachineName:- Gets or sets the name of the computer on which to read or write events.<br />Source:- Gets or sets the source name to register and use when writing to the event log.<br />Entries:- Gets the contents of the event log.<br />
Constructor:-<br />EventLog():- Initializes a new instance of the EventLog class. Does not associate the instance with any log.<br />EventLog(string logName):- Initializes a new instance of the EventLog class. Associates the instance with a log on the local computer.<br />EventLog(string logName, string machineName):- Initializes a new instance of the EventLog class. Associates the instance with a log on the specified computer.<br />EventLog(string logName, string machineName, string source):- Initializes a new instance of the EventLog class. Associates the instance with a log on the specified computer and creates or assigns the specified source to the EventLog.<br />
Non Static Members:-<br />Programmatic Explanation..<br />
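The instance side of the class (the three-argument constructor, WriteEntry with all five parts of an entry, and the Entries, LogDisplayName and MachineName properties), as an added example that is not part of the original slides. It assumes the hypothetical source "PayrollService" is already registered in the custom log "PayrollAudit"; writing entries through a registered source does not require administrative rights, whereas an unregistered source would have to be created on the fly, which does.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text;

// Added example, not from the original slides: write entries through a registered
// source and read the newest records back from the same log.
class PayrollAuditLog
{
    const string LogName = "PayrollAudit";        // assumed custom log
    const string SourceName = "PayrollService";   // assumed, already registered
    const string LocalMachine = ".";

    // Event IDs and categories are application-defined; these values are constructed.
    const int EventIdAuthFailed = 4001;
    const short CategoryAuth = 2;

    static void Main()
    {
        // EventLog(log, machine, source): "." is the local computer.
        using (var log = new EventLog(LogName, LocalMachine, SourceName))
        {
            // Short form: message text only (Information type, event ID 0).
            log.WriteEntry("Payroll service started.");

            // Full form: message, entry type, event ID, category and raw binary data.
            byte[] rawData = Encoding.UTF8.GetBytes("user=jdoe;client=10.0.0.5"); // constructed sample
            log.WriteEntry("Authentication failed for user jdoe.",
                           EventLogEntryType.Warning, EventIdAuthFailed, CategoryAuth, rawData);

            Console.WriteLine($"Newest entries in '{log.LogDisplayName}' on {log.MachineName}:");
            foreach (EventLogEntry entry in NewestEntries(log, 5))
            {
                Console.WriteLine(
                    $"{entry.TimeGenerated:u} {entry.EntryType,-12} id={entry.InstanceId} cat={entry.Category} {entry.Message}");
            }
        }
    }

    // Entries is indexed oldest-first, so walk it from the end for the latest records.
    static IEnumerable<EventLogEntry> NewestEntries(EventLog log, int count)
    {
        EventLogEntryCollection entries = log.Entries;
        int first = Math.Max(0, entries.Count - count);
        for (int i = entries.Count - 1; i >= first; i--)
        {
            yield return entries[i];
        }
    }
}
```

The event ID and category are what a monitoring rule keys on, so choose them once and keep them stable; the free-text message is for humans, and the raw data field is where structured detail such as the client address belongs, where it cannot be confused with the message text.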