LOG ANALYSIS ON WINDOWS EVENT LOG FILES
ASSIGNMENT SUBMITTED BY- Sreeja Swaminathan Puthan
REG NO -RA1512023010015
BRANCH&SPECIFICATION - II M.TECH ISCF
Log Analysis:
Log files are used to maintain a record of activities, e.g. activities of the operating
system, certain applications, etc.
Log files come in various formats; in general these formats can be divided into the following
categories:
• Binary formats
• Text-based formats
• In-database
Event Viewer:
On Windows the event logs can be managed with "Event Viewer" (eventvwr.msc) or the
"Windows Events Command Line Utility" (wevtutil.exe). Event Viewer can present the
EVTX files in both a "general view" (also called the formatted view) and a "details view" (which has both
a "friendly view" and an "XML view"). Note that the formatted view can hide significant event
data that is stored in the event record and is only visible in the details view.
If you export an event log from Event Viewer, additional "display information" can be
exported. This display information is stored in a corresponding file named:
LocaleMetaData\%FILENAME%_%LCID%.MTA
where LCID is the "locale identifier".
To view the Windows Setup event logs
1. Start the Event Viewer, expand the Windows Logs node, and then click System.
2. In the Actions pane, click Open Saved Log and then locate the Setup.etl file. By
default, this file is available in the %WINDIR%\Panther directory.
3. The log file contents appear in the Event Viewer.
Fig-1: Using Open Saved Log in Event Viewer to display the saved log file for analysis
To Export the log to a file
From the command line, use the Wevtutil or Tracerpt commands to save the log to an .xml
or text file. For information about how to use these tools, see the command-line Help. The
following commands show examples of how to use the tools:
tracerpt /l C:\windows\panther\setup.etl
Fig-2: Dumping the contents shown in Event Viewer into summary.txt using tracerpt
Fig-3: Summary.txt path and file opened
Fig-4: For convenience the file is analyzed using Notepad++
LOG ANALYSIS USING LOG PARSER LIZARD AND LOG PARSER 2.2
Download and install Log Parser Lizard and Log Parser 2.2 from
https://www.microsoft.com/en-us/download/details.aspx?id=2465
Fig-5: Querying for event types from System
Fig-6: Displaying the result table for event type from System
ERROR EVENTS:
The figure below shows the list of error events that occurred, as seen in Event Viewer.
Fig-5: Query to display all error-type events from System
Fig-6: Displaying the error event log from System
Fig-7: Query to display Event ID 10010 from System
Fig-8: Displaying the result for Event ID 10010
The DCOM Event ID 10010 error is usually caused by incorrect permissions.
The following steps resolve DCOM 10010:
1. In the %windir%\registration folder, make sure that the Everyone group has Read
permissions.
2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control
permissions.
3. In the %windir%\registration folder, make sure that the Administrators group has Full
Control permissions.
4. In the advanced security properties of the .clb files in the %windir%\registration folder,
make sure that the "Allow inheritable auditing entries from the parent to propagate to this
object and all objects. Include these with entries explicitly defined here" option is selected.
5. Make sure that the Everyone group has one of the following permissions:
• Traverse permissions ("List Folder Contents") on all parent directories, including
%systemdrive%, %windir%, and %windir%\registration
• The Bypass traverse checking user right
To assign the Bypass traverse checking user right to the Everyone group, follow these steps:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Expand Computer Configuration, expand Windows Settings, expand Security Settings,
expand Local Policies, and then expand User Rights Assignment.
3. Right-click Bypass traverse checking, and then click Properties.
4. Click Add User or Group.
5. Type Everyone, and then click OK.
Fig 9: Time generated when the DCOM error occurred in the System log
Event ID 1001, BugCheck
The system reboots itself and shows a blue screen because of a kernel crash in Windows.
• We can change some settings so that the system shows the error message instead of rebooting.
• Right-click the My Computer icon on the desktop and choose Properties. On the
Advanced tab, click Startup and Recovery. In that dialog, uncheck "Automatically
reboot".
• Make sure you check "Write an event to the system log" and "Send an
administrative alert".
• In the Write Debugging Information section, choose "Complete Memory Dump" from the
drop-down list. The dump file path is then: %SystemRoot%\MEMORY.DMP
Fig 10- Event id 17, source BTHUSB
The local Bluetooth adapter has failed in an undetermined manner and will not be used. The
driver has been unloaded.
Fig 11- Event ID 2505, Server error
The server could not bind to the transport \Device\<device name> because another computer
on the network has the same name. The server could not start.
Fig 12- Event ID 6008, an EventLog error
This is logged when the previous shutdown of the machine was unexpected.
Fig 13- Error from Service Control Manager, Event ID 7023.
Service Control Manager (SCM) stops services and driver services. It also reports when
services terminate unexpectedly or fail to restart after it takes corrective action.
Fig 13-The system detected an address conflict for IP address 192.168.1.10 with the system
having network hardware address E0-2C-B2-F2-50-CA. Network operations on this system
may be disrupted as a result.
Fig 14- Service Control Manager service logon failure. The SSDP Discovery service failed to
start due to the following error: %%1069
When a service does not start because of a logon failure, or when you uninstall Windows
XP Service Pack 3 from your computer, you may receive either of the following error
messages in the System event log after you restart the computer.
This behavior can occur if you configure the service to log on to a user account and
any of the following conditions are true:
• The right to log on as a service is revoked for the specified user account.
• The password is changed on the user account that the service uses to log on.
• The password data in the registry is damaged.
Warning events:
Fig 15- Obtaining all the warning events from System using Event Viewer
Fig 16- Querying for warning events using Log Parser Lizard
Fig 17- Displaying 10 warning events from System for Event ID 1
This problem seems to be logged when a VMware product (such as VMware Workstation or
VMware Server) is installed on a host inside a network that already has a DHCP server
configured. In most cases you can safely stop the VMware DHCP service and use your own
DHCP service.
Fig 18- Event ID 1014, source Microsoft-Windows-DNS-Client
Causes reported for this warning:
• TCP/IP offload is enabled for a network adapter.
• TCP/IPv6 is enabled and your ISP does not yet support TCP/IPv6.
• The spanning tree "portfast" setting is not enabled on your server's switch ports.
• The router and PC are communicating on a different channel or standard.
Method one: Disable RSS, Autotuning, and Taskoffload
1. Run the following command in an elevated command prompt in Windows 7:
netsh interface tcp set global rss=disabled
netsh interface tcp set global autotuninglevel=disabled
netsh int ip set global taskoffload=disabled
2. Disable the Scalable Networking Pack (SNP) in Windows 7 by changing the registry
settings as follows:
Perform a full-system backup before you disable the SNP.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
EnableTCPChimney=dword:00000000
EnableTCPA=dword:00000000
EnableRSS=dword:00000000
If the registry keys do not exist, create them, and then assign the previous values.
Method two: Disable TCP/IPv6
To disable TCP/IPv6
1. Click Start, click Control Panel, click Network and Internet, and then click
View network status and tasks.
2. In the left pane, click Manage Network Connections.
3. Right-click Local Area Connection, and then click Properties.
4. In the pop-up box, clear the Internet Protocol Version 6 (TCP/IPv6) check box.
5. Click OK, and then restart your computer.
To re-enable TCP/IPv6
1. Follow steps 1 through 3 in the previous procedure.
2. In the pop-up box, select the Internet Protocol Version 6 (TCP/IPv6) check box.
3. Click OK, and then restart your computer.
Method three: Enable the spanning tree portfast setting in your router
This action varies depending on your infrastructure router. Consult your manufacturer for
further details.
Method four: Set your router and PC to communicate on the same channel and standard manually
1. Go to your router admin page, which should be 192.168.1.1 (confirm with the
router manufacturer).
2. Navigate to the Wi-Fi settings and choose a channel that complies with your location,
for example 11. Save.
3. Choose the standard to broadcast the Wi-Fi signal as G only, not abgn, bgn or gn (if your router is N
capable and any PC in your home/office is only G ready). Save.
4. Go to your PC's Network and Sharing Center (Windows 7), click Change Adapter
Settings, select your Wi-Fi adapter, right-click and choose Properties.
5. In the pop-up window select Configure, in the next window click the Advanced tab, browse the
settings there and choose the same channel you chose on your router (for example 11) and the same
standard, G, not abgn, bgn or gn. Save and exit.
Fig 19- An error was detected on device \Device\Harddisk1\DR2 during a paging operation.
Fig 20- Event ID 4229, warning from source Tcpip
When TCP/IP detects high memory utilization, it terminates some existing system connections
to keep the system stable.
Fig 21- Warning event, Event ID 1073, source User32
This warning is logged when a user's attempt to shut down or restart the computer has
failed. The issue occurs because the ExitWindowsEx function does not handle the
EWX_LOGOFF flag correctly.
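As an added closing example (my code, not part of the assignment), the following Python script does offline what the Log Parser queries in the figures above do interactively, over a System log exported with `wevtutil qe System /f:xml`: it counts records per event type, groups one type by source and Event ID, attaches the explanations given above for the error and warning IDs discussed, and pulls the records logged around a given ID. The sample export is constructed, and keying the notes by Event ID alone is an assumption; confirm the source column before trusting a note.

```python
"""Offline triage of a Windows System log exported as XML.
`wevtutil qe System /f:xml` prints one <Event> per record with no root element;
parse_export() wraps the stream. SAMPLE_EXPORT is constructed, not a real capture."""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
# Numeric <Level> values as Event Viewer labels them.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}

# Explanations for the System-log IDs walked through in the assignment.
# Assumption: keyed by Event ID alone. IDs are only unique per provider, so
# confirm the provider (the "Source" column) before trusting a note.
KNOWN_IDS = {
    10010: "DCOM server did not register; usually permissions on %windir%\\registration",
    1001: "BugCheck: the system rebooted after a kernel crash (blue screen)",
    17: "BTHUSB: the local Bluetooth adapter failed and its driver was unloaded",
    2505: "Server could not bind to its transport: another computer has the same name",
    6008: "The previous shutdown was unexpected",
    7023: "Service Control Manager: a service terminated with an error",
    1014: "DNS Client: name resolution timed out (offload, IPv6, portfast suspects)",
    4229: "Tcpip: connections closed under high memory utilization",
    1073: "User32: a shutdown or restart attempt failed",
}

@dataclass(frozen=True)
class Event:
    record_id: int
    time_created: str
    provider: str
    event_id: int
    level: int
    computer: str

def parse_export(xml_text):
    """Parse the concatenated <Event> stream that wevtutil writes with /f:xml."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        s = ev.find("e:System", NS)
        events.append(Event(
            record_id=int(s.findtext("e:EventRecordID", namespaces=NS)),
            time_created=s.find("e:TimeCreated", NS).get("SystemTime"),
            provider=s.find("e:Provider", NS).get("Name"),
            event_id=int(s.findtext("e:EventID", namespaces=NS)),
            level=int(s.findtext("e:Level", namespaces=NS)),
            computer=s.findtext("e:Computer", namespaces=NS),
        ))
    return events

def count_by_level(events):
    """Totals per event type, like the group-by-event-type query in Fig-5/6."""
    return Counter(LEVEL_NAMES.get(e.level, str(e.level)) for e in events)

def count_by_id(events, level):
    """Which (provider, Event ID) pairs dominate one level, e.g. level 2 = Error."""
    return Counter((e.provider, e.event_id) for e in events if e.level == level)

def triage(events, level):
    """Rows (record, provider, id, note) for one level, with the notes above."""
    rows = []
    for e in sorted(events, key=lambda e: e.record_id):
        if e.level != level:
            continue
        note = KNOWN_IDS.get(e.event_id, "not covered here; read the details view")
        rows.append((e.record_id, e.provider, e.event_id, note))
    return rows

def context_around(events, event_id, n=3):
    """Records logged just before and after each occurrence of event_id.
    A 6008 (unexpected shutdown) is normally accompanied by the BugCheck 1001
    record once the crash dump is processed, so its neighbours usually explain it."""
    ordered = sorted(events, key=lambda e: e.record_id)
    ctx = {}
    for i, e in enumerate(ordered):
        if e.event_id == event_id:
            ctx[e.record_id] = ordered[max(0, i - n):i] + ordered[i + 1:i + 1 + n]
    return ctx

def _ev(record, when, provider, event_id, level):
    """Build one constructed <Event> in the shape wevtutil exports."""
    return (f"<Event xmlns='{EVT_NS}'><System><Provider Name='{provider}'/>"
            f"<EventID>{event_id}</EventID><Level>{level}</Level>"
            f"<TimeCreated SystemTime='{when}'/><EventRecordID>{record}</EventRecordID>"
            f"<Channel>System</Channel><Computer>LAB-PC</Computer></System></Event>")

# Constructed sample: seven System-log records spanning the IDs discussed above.
SAMPLE_EXPORT = "\n".join([
    _ev(101, "2016-03-01T08:00:01Z", "Microsoft-Windows-DistributedCOM", 10010, 2),
    _ev(102, "2016-03-01T08:00:05Z", "Service Control Manager", 7036, 4),
    _ev(103, "2016-03-01T08:10:00Z", "Tcpip", 4229, 3),
    _ev(104, "2016-03-01T09:00:00Z", "BugCheck", 1001, 2),
    _ev(105, "2016-03-01T09:00:02Z", "EventLog", 6008, 2),
    _ev(106, "2016-03-01T09:00:30Z", "Service Control Manager", 7023, 2),
    _ev(107, "2016-03-01T09:05:00Z", "Microsoft-Windows-DNS-Client", 1014, 3),
])
```

Running `triage(parse_export(SAMPLE_EXPORT), 2)` lists the four error records with their notes; replace SAMPLE_EXPORT with the text of a real wevtutil export to run it against your own log.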

More Related Content

What's hot

SysInfoTools Exchange to Lotus Notes Converter
SysInfoTools Exchange to Lotus Notes ConverterSysInfoTools Exchange to Lotus Notes Converter
SysInfoTools Exchange to Lotus Notes ConverterSysInfoTools Software
 
Toyotaotcvimgtssoftwareoverview 160525025652
Toyotaotcvimgtssoftwareoverview 160525025652Toyotaotcvimgtssoftwareoverview 160525025652
Toyotaotcvimgtssoftwareoverview 160525025652Chatchai Nuanhing
 
Windows Firewall & Its Configuration
Windows Firewall & Its ConfigurationWindows Firewall & Its Configuration
Windows Firewall & Its ConfigurationSoban Ahmad
 
manual vvtk camera_st7501
manual vvtk camera_st7501manual vvtk camera_st7501
manual vvtk camera_st7501TSOLUTIONS
 
GeoVision : Video Management Solutions : Open Windows Firewall to allow Webca...
GeoVision : Video Management Solutions : Open Windows Firewall to allow Webca...GeoVision : Video Management Solutions : Open Windows Firewall to allow Webca...
GeoVision : Video Management Solutions : Open Windows Firewall to allow Webca...TSOLUTIONS
 
Installation & Initial Configuration
Installation & Initial ConfigurationInstallation & Initial Configuration
Installation & Initial ConfigurationSyAM Software
 
Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3ranjeetsg
 
To pass ite chapter 5 exam
To pass ite chapter 5 examTo pass ite chapter 5 exam
To pass ite chapter 5 examAhmed Abdullah
 
Look trough your windows 10 privacy settings
Look trough your windows 10 privacy settingsLook trough your windows 10 privacy settings
Look trough your windows 10 privacy settingsKlaus Drosch
 
Como usar Order Specific Files
Como usar Order Specific FilesComo usar Order Specific Files
Como usar Order Specific Filesfaqrelion
 
WSUS30SP2StepbyStep
WSUS30SP2StepbyStepWSUS30SP2StepbyStep
WSUS30SP2StepbyStepFahad Noaman
 

What's hot (17)

Windows firewall
 Windows firewall  Windows firewall
Windows firewall
 
SysInfoTools PST to NSF Converter
SysInfoTools PST to NSF ConverterSysInfoTools PST to NSF Converter
SysInfoTools PST to NSF Converter
 
SysInfoTools Exchange to Lotus Notes Converter
SysInfoTools Exchange to Lotus Notes ConverterSysInfoTools Exchange to Lotus Notes Converter
SysInfoTools Exchange to Lotus Notes Converter
 
SysInfoTools Add Outlook PST
SysInfoTools Add Outlook PSTSysInfoTools Add Outlook PST
SysInfoTools Add Outlook PST
 
Pws altboot
Pws altbootPws altboot
Pws altboot
 
Toyotaotcvimgtssoftwareoverview 160525025652
Toyotaotcvimgtssoftwareoverview 160525025652Toyotaotcvimgtssoftwareoverview 160525025652
Toyotaotcvimgtssoftwareoverview 160525025652
 
Windows Firewall & Its Configuration
Windows Firewall & Its ConfigurationWindows Firewall & Its Configuration
Windows Firewall & Its Configuration
 
Project Pt1
Project Pt1Project Pt1
Project Pt1
 
manual vvtk camera_st7501
manual vvtk camera_st7501manual vvtk camera_st7501
manual vvtk camera_st7501
 
GeoVision : Video Management Solutions : Open Windows Firewall to allow Webca...
GeoVision : Video Management Solutions : Open Windows Firewall to allow Webca...GeoVision : Video Management Solutions : Open Windows Firewall to allow Webca...
GeoVision : Video Management Solutions : Open Windows Firewall to allow Webca...
 
Installation & Initial Configuration
Installation & Initial ConfigurationInstallation & Initial Configuration
Installation & Initial Configuration
 
TekSMTP Manual
TekSMTP ManualTekSMTP Manual
TekSMTP Manual
 
Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3
 
To pass ite chapter 5 exam
To pass ite chapter 5 examTo pass ite chapter 5 exam
To pass ite chapter 5 exam
 
Look trough your windows 10 privacy settings
Look trough your windows 10 privacy settingsLook trough your windows 10 privacy settings
Look trough your windows 10 privacy settings
 
Como usar Order Specific Files
Como usar Order Specific FilesComo usar Order Specific Files
Como usar Order Specific Files
 
WSUS30SP2StepbyStep
WSUS30SP2StepbyStepWSUS30SP2StepbyStep
WSUS30SP2StepbyStep
 

Viewers also liked

Die Energiewende – Traum oder Trauma für die IT-Stromversorgung?
Die Energiewende – Traum oder Trauma für die IT-Stromversorgung?Die Energiewende – Traum oder Trauma für die IT-Stromversorgung?
Die Energiewende – Traum oder Trauma für die IT-Stromversorgung?Thomas-Krenn.AG
 
Root-Server absichern - Webinar-Präsentation
Root-Server absichern - Webinar-PräsentationRoot-Server absichern - Webinar-Präsentation
Root-Server absichern - Webinar-PräsentationThomas-Krenn.AG
 
Пример индивидуального проекта
Пример индивидуального проектаПример индивидуального проекта
Пример индивидуального проектаЮлия Середина
 
Scaffolding thinking through design
Scaffolding thinking through designScaffolding thinking through design
Scaffolding thinking through designLeslie Eaves
 
Peligros en las redes sociales
Peligros en las redes socialesPeligros en las redes sociales
Peligros en las redes socialesJuancho Serra
 
середовища передачі даних
середовища передачі данихсередовища передачі даних
середовища передачі данихToaderi Kelbea
 
Normas de etiqueta en internet
Normas de etiqueta en internetNormas de etiqueta en internet
Normas de etiqueta en internetnataliatdc
 
ADEKOYA OLUMAYOWA OLUFEMI CV
ADEKOYA OLUMAYOWA OLUFEMI CVADEKOYA OLUMAYOWA OLUFEMI CV
ADEKOYA OLUMAYOWA OLUFEMI CVadekoya olumayowa
 

Viewers also liked (13)

Die Energiewende – Traum oder Trauma für die IT-Stromversorgung?
Die Energiewende – Traum oder Trauma für die IT-Stromversorgung?Die Energiewende – Traum oder Trauma für die IT-Stromversorgung?
Die Energiewende – Traum oder Trauma für die IT-Stromversorgung?
 
Root-Server absichern - Webinar-Präsentation
Root-Server absichern - Webinar-PräsentationRoot-Server absichern - Webinar-Präsentation
Root-Server absichern - Webinar-Präsentation
 
Пример индивидуального проекта
Пример индивидуального проектаПример индивидуального проекта
Пример индивидуального проекта
 
Scaffolding thinking through design
Scaffolding thinking through designScaffolding thinking through design
Scaffolding thinking through design
 
Peligros en las redes sociales
Peligros en las redes socialesPeligros en las redes sociales
Peligros en las redes sociales
 
середовища передачі даних
середовища передачі данихсередовища передачі даних
середовища передачі даних
 
Caballos finos presentacion
Caballos finos presentacionCaballos finos presentacion
Caballos finos presentacion
 
4497.full
4497.full4497.full
4497.full
 
After
AfterAfter
After
 
Violencia de genero
Violencia de generoViolencia de genero
Violencia de genero
 
Normas de etiqueta en internet
Normas de etiqueta en internetNormas de etiqueta en internet
Normas de etiqueta en internet
 
ADEKOYA OLUMAYOWA OLUFEMI CV
ADEKOYA OLUMAYOWA OLUFEMI CVADEKOYA OLUMAYOWA OLUFEMI CV
ADEKOYA OLUMAYOWA OLUFEMI CV
 
Virus
VirusVirus
Virus
 

Similar to Merged document

Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federpfederpmatc
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyMichael Gough
 
3 App Compat Win7
3 App Compat Win73 App Compat Win7
3 App Compat Win7llangit
 
Monitoring of computers
Monitoring of computers Monitoring of computers
Monitoring of computers carlosrudy_45
 
VMS Troubleshooting Guide
VMS Troubleshooting GuideVMS Troubleshooting Guide
VMS Troubleshooting GuideMichael Dotson
 
Network Administration
Network AdministrationNetwork Administration
Network Administrationbutest
 
Manual BASE Insight Lite Edition (En)
Manual BASE Insight Lite Edition (En)Manual BASE Insight Lite Edition (En)
Manual BASE Insight Lite Edition (En)BeAnywhere
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Smart Printing Technical Presentation
Smart Printing Technical PresentationSmart Printing Technical Presentation
Smart Printing Technical PresentationJohnTileyITQ
 
Server-410_RatanMohapatra
Server-410_RatanMohapatraServer-410_RatanMohapatra
Server-410_RatanMohapatraRatan Mohapatra
 
Windows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningWindows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningAcend Corporate Learning
 
Forti gate troubleshooting_guide_v0.10
Forti gate troubleshooting_guide_v0.10Forti gate troubleshooting_guide_v0.10
Forti gate troubleshooting_guide_v0.10Phong Nguyễn
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xAbdelilah CHARBOUB
 
SOP - 2013 Server Build
SOP - 2013 Server BuildSOP - 2013 Server Build
SOP - 2013 Server BuildRobert Jones
 
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...Protect724manoj
 
Operating System & Utility Programme
Operating System & Utility ProgrammeOperating System & Utility Programme
Operating System & Utility Programmebbp2067
 

Similar to Merged document (20)

Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
 
Handson1 6 federp
Handson1 6 federpHandson1 6 federp
Handson1 6 federp
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
 
3 App Compat Win7
3 App Compat Win73 App Compat Win7
3 App Compat Win7
 
Monitoring of computers
Monitoring of computers Monitoring of computers
Monitoring of computers
 
PRTG
PRTGPRTG
PRTG
 
VMS Troubleshooting Guide
VMS Troubleshooting GuideVMS Troubleshooting Guide
VMS Troubleshooting Guide
 
Network Administration
Network AdministrationNetwork Administration
Network Administration
 
Manual BASE Insight Lite Edition (En)
Manual BASE Insight Lite Edition (En)Manual BASE Insight Lite Edition (En)
Manual BASE Insight Lite Edition (En)
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Smart Printing Technical Presentation
Smart Printing Technical PresentationSmart Printing Technical Presentation
Smart Printing Technical Presentation
 
Server-410_RatanMohapatra
Server-410_RatanMohapatraServer-410_RatanMohapatra
Server-410_RatanMohapatra
 
Windows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate LearningWindows 7 Seminar - Acend Corporate Learning
Windows 7 Seminar - Acend Corporate Learning
 
John
JohnJohn
John
 
Forti gate troubleshooting_guide_v0.10
Forti gate troubleshooting_guide_v0.10Forti gate troubleshooting_guide_v0.10
Forti gate troubleshooting_guide_v0.10
 
Aruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guideAruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guide
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183x
 
SOP - 2013 Server Build
SOP - 2013 Server BuildSOP - 2013 Server Build
SOP - 2013 Server Build
 
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...
 
Operating System & Utility Programme
Operating System & Utility ProgrammeOperating System & Utility Programme
Operating System & Utility Programme
 

Recently uploaded

S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxSCMS School of Architecture
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityMorshed Ahmed Rahath
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Servicemeghakumariji156
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 
Moment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilMoment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilVinayVitekari
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"mphochane1998
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
Introduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfIntroduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfsumitt6_25730773
 
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptxrouholahahmadi9876
 
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...Amil baba
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxpritamlangde
 
Learn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksLearn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksMagic Marks
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdfAldoGarca30
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE  and Energy Efficient BUILDINGS ptxCOST-EFFETIVE  and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxJIT KUMAR GUPTA
 

Recently uploaded (20)

S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Moment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilMoment Distribution Method For Btech Civil
Moment Distribution Method For Btech Civil
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Introduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfIntroduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdf
 
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptx
 
Learn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksLearn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic Marks
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Fig-3: Summary.txt path and file opened

Fig-4: For convenience the file is analyzed using Notepad++
LOG ANALYSIS USING LOG PARSER LIZARD AND LOG PARSER 2.2

Download and install Log Parser Lizard and Log Parser 2.2 from
https://www.microsoft.com/en-us/download/details.aspx?id=2465

Fig-5: Querying for event types from System

Fig-6: Displaying the result table for event types from System

ERROR EVENTS:
The figures below show the list of error events that occurred in the event viewer.
Fig-5: Query to display all error event type logs from System

Fig-6: Displaying the error event log from System

Fig-7: Query to display Event ID 10010 from System
Fig-8: Displaying the result for Event ID 10010

DCOM Event ID 10010 errors are usually caused by incorrect permissions. The following steps help resolve DCOM 10010:
1. In the %windir%\registration folder, make sure that the Everyone group has Read permissions.
2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
3. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
4. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the option "Allow inheritable auditing entries from the parent to propagate to this object and all objects. Include these with entries explicitly defined here" is selected.
5. Make sure that the Everyone group has one of the following permissions:
 • Traverse permission ("List Folder Contents") on all parent directories, including %systemdrive%, %windir%, and %windir%\registration
 • The Bypass traverse checking user right

To assign the Bypass traverse checking user right to the Everyone group, follow these steps:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
3. Right-click Bypass traverse checking, and then click Properties.
4. Click Add User or Group.
5. Type Everyone and click OK.

Fig 9: Time generated when the DCOM error occurred in the system
Event ID 1001, BugCheck:
The system reboots itself, showing a BLUE SCREEN, because of a KERNEL CRASH in Windows. Some settings can be changed so that the system shows the error message instead:
 • Right-click the My Computer icon on the desktop and choose Properties. On the Advanced tab, click Startup and Recovery. In that dialog, uncheck "Automatically reboot".
 • Make sure "Write an event to the system log" and "Send an administrative alert" are checked.
 • In the Write Debugging Information section, choose "Complete Memory Dump" from the drop-down list. The dump file path is then %SystemRoot%\MEMORY.DMP.

Fig 10: Event ID 17, source BTHUSB
The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
Fig 11: Event ID 2505, server error display
The server could not bind to the transport \Device\<device name> because another computer on the network has the same name. The server could not start.

Fig 12: Event ID 6008, an event log error
This occurs because the device was previously shut down unexpectedly.

Fig 13: Error from the Service Control Manager, Event ID 7023
The Service Control Manager (SCM) stops services and driver services. It also reports when services terminate unexpectedly or fail to restart after it takes corrective action.
Fig 13: The system detected an address conflict for IP address 192.168.1.10 with the system having network hardware address E0-2C-B2-F2-50-CA. Network operations on this system may be disrupted as a result.

Fig 14: Service Control Manager failure logging on a service
The SSDP Discovery service failed to start due to the following error: %%1069
When a service does not start because of a logon failure, or when you uninstall Windows XP Service Pack 3 from your computer, you may receive either of the following error messages in the system event log after you restart the computer. This behavior can occur if you configure the service to log on to a user account and any of the following conditions are true:
 • The right to log on as a service is revoked for the specified user account.
 • The password is changed on the user account that the service uses to log on.
 • The password data in the registry is damaged.
WARNING EVENTS:

Fig 15: Obtaining all the warning events from System using Event Viewer

Fig 16: Querying for warning events using Log Parser Lizard

Fig 17: Displaying 10 warning events from System for Event ID 1
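As an added example that is not part of this assignment, the following Python script serves both the error-event queries (Fig-5 to Fig-8) and the warning-event queries (Fig 15 to Fig 17): it reads a System log exported to CSV with Log Parser 2.2, reproduces the query filters in code, and ranks the error and warning Event IDs with the explanations given in these slides. The export command shape in the header comment is an assumption, and the sample rows are constructed, not taken from a real machine.

```python
# Added example (not the assignment's own code): triage a System log that Log Parser 2.2
# exported to CSV, assumed with a query of the shape
#   LogParser "SELECT TimeGenerated,EventID,EventTypeName,SourceName,Message FROM System" -i:EVT -o:CSV
# EventTypeName values follow Log Parser's EVT input format. Sample rows below are constructed.
import csv, io
from collections import Counter
# Event IDs discussed in this analysis, with the explanation the slides give them.
KNOWN_EVENTS = {
    10010: "DCOM error, usually incorrect permissions on %windir%\\registration",
    1001: "BugCheck: kernel crash, system rebooted",
    6008: "Previous shutdown of the device was unexpected",
    7023: "Service Control Manager: service terminated unexpectedly",
    1014: "DNS Client warning (offload, IPv6, portfast or Wi-Fi channel causes)",
    4229: "Tcpip terminated connections under high memory utilization",
    1073: "User32: user's shutdown/restart attempt failed",
}

SAMPLE_CSV = """TimeGenerated,EventID,EventTypeName,SourceName,Message
2016-03-01 08:02:11,6008,Error event,EventLog,The previous system shutdown was unexpected.
2016-03-01 08:02:40,10010,Error event,DCOM,The server did not register with DCOM within the required timeout.
2016-03-01 08:03:05,7023,Error event,Service Control Manager,The SSDP Discovery service terminated with error %%1069
2016-03-01 08:04:19,1014,Warning event,Microsoft-Windows-DNS-Client,Name resolution for a name timed out.
2016-03-01 08:06:12,7036,Information event,Service Control Manager,A service entered the running state.
2016-03-01 09:10:00,10010,Error event,DCOM,The server did not register with DCOM within the required timeout.
"""

def parse_events(text):
    """Parse Log Parser CSV output; EventID becomes an int so it can be compared."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["EventID"] = int(row["EventID"])
    return rows

def select(events, type_name=None, event_id=None):
    """The WHERE clause of the queries in the figures: filter by type and/or Event ID."""
    return [e for e in events
            if (type_name is None or e["EventTypeName"] == type_name)
            and (event_id is None or e["EventID"] == event_id)]

def triage(events):
    """Errors and warnings counted per (type, Event ID, source), most frequent first,
    each annotated with the slides' explanation or flagged as not covered."""
    counts = Counter((e["EventTypeName"], e["EventID"], e["SourceName"])
                     for e in events if e["EventTypeName"] in ("Error event", "Warning event"))
    return [(t, eid, src, n, KNOWN_EVENTS.get(eid, "not covered in this analysis"))
            for (t, eid, src), n in counts.most_common()]

if __name__ == "__main__":
    for row in triage(parse_events(SAMPLE_CSV)):
        print("%-14s %6d %-28s x%d  %s" % row)
```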
This problem seems to be logged when a VMware software solution (such as VMware Workstation or VMware Server) is installed on a host inside a network where a DHCP server is already configured. In most cases you can safely stop the VMware DHCP service and use your own DHCP service.

Fig 18: Event ID 1014, source Microsoft Windows DNS Client
Possible causes:
 • TCP/IP Offload is enabled for a network adapter
 • TCP/IP v6 is enabled and the ISP does not yet support TCP/IP v6
 • The spanning tree "portfast" setting is not enabled on the server's switch ports
 • Router and PC communicating on a different channel or standard

Method one: Disable RSS, Autotuning, and Taskoffload
1. Run the following commands in an elevated command prompt in Windows 7:
   netsh interface tcp set global rss=disabled
   netsh interface tcp set global autotuninglevel=disabled
   netsh int ip set global taskoffload=disabled
2. Disable the Scalable Networking Pack (SNP) in Windows 7 by changing the registry settings as follows. Perform a full-system backup before you disable the SNP.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   EnableTCPChimney=dword:00000000
   EnableTCPA=dword:00000000
   EnableRSS=dword:00000000
If the registry keys do not exist, create them, and then assign the previous values.

Method two: Disable TCP/IP v6
To disable TCP/IP v6:
1. Click Start, click Control Panel, click Network and Internet, and then click View network status and tasks.
2. In the left pane, click Manage Network Connections.
3. Right-click Local Area Connection, and then click Properties.
4. In the pop-up box, clear the Internet Protocol Version 6 (TCP/IPv6) check box.
5. Click OK, and then restart your computer.
To enable TCP/IP v6:
1. Follow steps 1 through 3 in the previous procedure.
2. In the pop-up box, select the Internet Protocol Version 6 (TCP/IPv6) check box.
3. Click OK, and then restart your computer.

Method three: Enable the spanning tree portfast setting in your router
This action varies depending on your infrastructure router. Consult your manufacturer for further details.

Method four: Set your router and PC to communicate on the same channel and standard manually
1. Go to your router admin page, which should be 192.168.1.1 (confirm with the router manufacturer).
2. Navigate to the Wi-Fi settings and choose a channel that complies with your location, for example 11. Save.
3. Choose the standard to broadcast the Wi-Fi signal as G only, not abgn, bgn or gn (if your router is N capable and any PC in your home/office is only G ready). Save.
4. Go to your PC's Network and Sharing Center (Windows 7), click Change Adapter Settings, select your Wi-Fi adapter, right-click and choose Properties.
5. In the pop-up window select Configure; in the next window click the Advanced tab, browse the settings there and choose the same channel you chose in your router (for example 11) and the same standard, G, not abgn, bgn or gn. Save and exit.

Fig 19: An error was detected on device \Device\Harddisk1\DR2 during a paging operation.

Fig 20: Event ID 4229, warning from source Tcpip
When TCP/IP detects high memory utilization, it terminates some existing system connections to maintain stability.

Fig 21: Warning event due to Event ID 1073 from source User32
This warning event occurred because the user's attempt to shut down or restart the computer failed. This issue occurs because the ExitWindowsEx function does not handle the EWX_LOGOFF flag correctly.