0
Event log/Event viewer<br />Understanding Event log for a more secured environment.<br />
Overview<br />Introducing… the Event Log<br />Why Monitor Logs<br />Enabling Event Logging<br />Different Event Logs<br />
Introducing…Event Log<br />Centralized log service to allow applications and the operating system to report events that ha...
Why Should We Monitor Logs...<br />Organizations are obligated by regulations to gather and audit systems activity logs.<b...
Audit and analysis
Archiving</li></ul>The event log should also enable the organization to implement internal security policies.<br />Each po...
Each event category is controlled by Audit Policies:<br /><ul><li>	Account management (group and account events)
   Account logon events (for domain accounts)
   Logon events (local machine events)
	Object access (user accessing an object such as file, 	folder, printer)
	Policy change (changes in the audit, user rights and 	trust policies)
	Process tracking (detailed tracking information)
	System events (events that affect the system 	security or log) </li></li></ul><li>   Possible issues:<br /><ul><li>Volume...
Lack of security policies to help and identify events and processes to be audited (e.g. Messenger)
The event logs are just a portion of the “chain of evidence”.
Logs are a “detective” measure and are not an IPS (Intrusion prevention system) on their own.</li></li></ul><li>Different ...
Event Viewer/ Event logs<br />
Event Properties …<br />
 Application  Log<br />The application log file contains events that are logged by the applications used on a computer sys...
 System Log<br />The system log file contains events that are logged by the operating system components. These events are ...
Security Log<br />Events  related to resource use, such as creating, opening, or deleting files or other objects.<br />Rec...
 Setup Log<br />Each execution of Setup creates log files with a new time stamped log folder.<br />Gives information about...
Events<br />Information event<br />Success event<br />Failure event<br />Warning event<br />Error event<br />
Managing Event logs in C#<br />Class EventLog <br />Class EventLogEntries<br />Class EventLogEntryCollection<br />Class Ev...
EventLog:<br />Static Members:							CreateEventSource();					Source Exists();						Exists();							Delete();							Delete...
CreateEventSource()<br />It creates a new log<br />The log that you specified in a call to this method not exist then Syst...
Overloads of CreateEventSource()<br />CreateEventSource(SourceName,LogName);<br />CreateEventSource(SourceName,LogName,<br...
SourceExist()<br />It will check Whether specified source exist or not<br />bool SourceExist(string SourceName);				 Check...
Exists():-<br />It will Check whether Specified Log is Exist or not<br />public static bool Exists( string logName )<br />...
Delete():-<br />Removes EventLog from Local/Specified computer<br />public static void Delete( string logName )<br />publi...
Upcoming SlideShare
Loading in...5
×

Eventlog

350

Published on

Will give clear discription of Event log and applying to your code

By
Shashikanth

Published in: Education, Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
350
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Eventlog"

  1. 1. Event log/Event viewer<br />Understanding Event log for a more secured environment.<br />
  2. 2. Overview<br />Introducing… the Event Log<br />Why Monitor Logs<br />Enabling Event Logging<br />Different Event Logs<br />
  3. 3. Introducing…Event Log<br />Centralized log service to allow applications and the operating system to report events that have taken place.<br />Introduced with Windows NT 4 (1993).<br />Main Windows <br />Logs Application (example: Database message)<br />System (example: driver failure)<br />Security (example: Logon attempt, file access)<br />A Windows 2003 domain controller will also include<br />Directory Service (example: Active Directory connection problem)<br />File Replication (example: domain controller information updates)<br />DNS<br />Vista has introduced a lot of changes<br />
  4. 4. Why Should We Monitor Logs...<br />Organizations are obligated by regulations to gather and audit systems activity logs.<br />To comply with the regulations organizations require the following forms of log monitoring<br /><ul><li>Real-time monitoring
  5. 5. Audit and analysis
  6. 6. Archiving</li></ul>The event log should also enable the organization to implement internal security policies.<br />Each policy can be set to audit success events only, failure events only, success/failure events, or no auditing at all.<br />
  7. 7. Each event category is controlled by Audit Policies:<br /><ul><li> Account management (group and account events)
  8. 8. Account logon events (for domain accounts)
  9. 9. Logon events (local machine events)
  10. 10. Object access (user accessing an object such as file, folder, printer)
  11. 11. Policy change (changes in the audit, user rights and trust policies)
  12. 12. Process tracking (detailed tracking information)
  13. 13. System events (events that affect the system security or log) </li></li></ul><li> Possible issues:<br /><ul><li>Volume of events (can reach several million events a day from a busy server).
  14. 14. Lack of security policies to help and identify events and processes to be audited (e.g. Messenger)
  15. 15. The event logs are just a portion of the “chain of evidence”.
  16. 16. Logs are a “detective” measure and are not an IPS (Intrusion prevention system) on their own.</li></li></ul><li>Different Event Logs<br />Application log<br />System log<br />Security log<br />Setup log<br />Custom Logs<br />
  17. 17. Event Viewer/ Event logs<br />
  18. 18. Event Properties …<br />
  19. 19. Application Log<br />The application log file contains events that are logged by the applications used on a computer system. <br />Events that are written to the application log are determined by the developers of the software program, not the operating system.<br />Unfortunately not all applications are programmed to write logs. <br />Examples:<br />failure of MS SQL to access a database.<br />when your virus scanner encounters a problem, it could bring this to your attention through the application log.<br />
  20. 20. System Log<br />The system log file contains events that are logged by the operating system components. These events are often predetermined by the operating system itself. <br />System log files may contain information about device changes, device drivers, system changes, events, operations and more.<br />Example:<br />Failure of a service to start at boot up.<br />
  21. 21. Security Log<br />Events related to resource use, such as creating, opening, or deleting files or other objects.<br />Records events you've set for auditing with local or global group policies.<br />It is used to bring valid and invalid logon attempts to your attention. <br />We need to have an account with administrative privileges to enable, use and specify which events are logged in the security log.<br />
  22. 22. Setup Log<br />Each execution of Setup creates log files with a new time stamped log folder.<br />Gives information about the successful or unsuccessful execution of any setup files.<br />
  23. 23. Events<br />Information event<br />Success event<br />Failure event<br />Warning event<br />Error event<br />
  24. 24. Managing Event logs in C#<br />Class EventLog <br />Class EventLogEntries<br />Class EventLogEntryCollection<br />Class EventSourceCreationData<br />
  25. 25. EventLog:<br />Static Members: CreateEventSource(); Source Exists(); Exists(); Delete(); DeleteEventSource(); GetEventLogs(); LogNameFromSourceName(); WriteEntry();<br />
  26. 26. CreateEventSource()<br />It creates a new log<br />The log that you specified in a call to this method not exist then System Creates a custom log and Register your application as Source<br />The Source register your application with Event log as a valid Source of Entries<br />You can only use Source to write one Log at a time<br />Source can be any string but must be distinct on computer <br />
  27. 27. Overloads of CreateEventSource()<br />CreateEventSource(SourceName,LogName);<br />CreateEventSource(SourceName,LogName,<br />MachineName);<br />CreateEventSource(EventSourceCreationData obj);<br />
  28. 28. SourceExist()<br />It will check Whether specified source exist or not<br />bool SourceExist(string SourceName); Check Whether specified source exist or not in <br /> Current machine<br />Bool SourceExist(SourceName,MachineName); Check Whether specified source exist or not in specified machine.<br />
  29. 29. Exists():-<br />It will Check whether Specified Log is Exist or not<br />public static bool Exists( string logName )<br />Checks on local Computer<br />public static bool Exists( string logName, string machineName ) Checks on Specified Computer.<br />
  30. 30. Delete():-<br />Removes EventLog from Local/Specified computer<br />public static void Delete( string logName )<br />public static void Delete( string logName, string machineName )<br />
  31. 31. DeleteEventSource():-<br />Removes the event source registration from the event log of the local/Specified computer.<br />public static void DeleteEventSource( string source )<br />public static void DeleteEventSource( string source, string machineName )<br />
  32. 32. GetEventLogs():-<br />Searches for all event logs on the local/Specified computer and creates an array of EventLog objects that contain the list.<br />public staticEventLog[] GetEventLogs()<br />public static EventLog[] GetEventLogs( <br />string machineName )<br />
  33. 33. LogNameFromSourceName():-<br />Gets the name of the log to which the specified source is registered on specified computer<br />public static string LogNameFromSourceName( <br />string Source, string machineName )<br />
  34. 34. WriteEntry():-<br />Writes a new record in the specified log where the Source was registered <br />Entry may consist of:-<br /> Message text to the event log.<br /> EnentLogEntryType<br /> EventId<br /> Category<br /> rawData(byte[])<br />
  35. 35. Overloads of WriteEntry():-<br />public static void WriteEntry( string source, string message )<br />public static void WriteEntry( string source, string message, EventLogEntryType type )<br />public static void WriteEntry( string source, string message, EventLogEntryType type, int eventID )<br />public static void WriteEntry( string source, string message, EventLogEntryType type, int eventID, short category )<br />
  36. 36. Properties:-<br />Log:- Gets or sets the name of the log to read from or write to.<br />LogDisplayName:- Gets the event log's friendly name.<br />MachineName :-Gets or sets the name of the computer on which to read or write events.<br />Source :-Gets or sets the source name to register and use when writing to the event log.<br />Entries :-Gets the contents of the event log.<br />
  37. 37. Constructor:-<br />EventLog():-Initializes a new instance of the EventLog class. Does not associate the instance with any log.<br />EventLog(String LogName):- Initializes a new instance of the EventLog class. Associates the instance with a log on the local computer.<br />EventLog(String Logname, String machine):- Initializes a new instance of the EventLog class. Associates the instance with a log on the specified computer.<br />EventLog(String log, String computer, String source):- Initializes a new instance of the EventLog class. Associates the instance with a log on the specified computer and creates or assigns the specified source to the EventLog.<br />
  38. 38. Non Static Members:-<br />Programmatic Explanation..<br />
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×