
WINDOWS EVENT LOGS
Windows Event Logging
• Service started during boot to log warnings, exceptional conditions and other administrative messages
• An application or the operating system reports EVENTS to the event logging service
• The event logging service records EVENTS in log files

[Diagram: Application → (Report Event) → Event Logging Service → (Event Log Recorded) → Log File]


Event Logs
• The default Windows event log maximum file size is 20 MB; once a log reaches its maximum size, new events overwrite the oldest ones. This is the default behaviour on all Windows operating systems.
• Can be set to Overwrite as Needed or to Do Not Overwrite
• *If the log is set to Do Not Overwrite and the file reaches its maximum size, new events will NOT be recorded.
• Default storage location: %systemroot%\system32\config
• For best practice and Microsoft's recommended maximum event log size see:
  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349798(v=ws.10)
• Registry information: HKLM\SYSTEM\CurrentControlSet\Services\EventLog

Location of Event Log Files
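The size and retention settings on this slide can be checked from PowerShell. The following is an added example for Windows Vista and later, not part of the slides: it reads the registry key named above together with the live channel configuration, and flags any log in Do Not Overwrite mode, where new events are dropped once the file is full. The function names, the `-Fix` style remediation and the 64 MB figure are this example's own choices.

```powershell
# Added example (not from the slides). Audit classic event log size/retention settings.
# Registry values under the key named on the slide (one subkey per log):
#   MaxSize   - maximum file size in bytes
#   Retention - 0 = overwrite as needed, 0xFFFFFFFF = do not overwrite,
#               other = overwrite only events older than N seconds (legacy setting)
#   File      - path of the .evtx (.evt on XP) file
function Get-EventLogRetention {
    param([string[]]$LogName = @('Application', 'System', 'Security'))

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    foreach ($name in $LogName) {
        $reg  = Get-ItemProperty -Path (Join-Path $base $name) -ErrorAction SilentlyContinue
        $live = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue   # live channel config

        if ($null -eq $reg.Retention) {
            $mode = 'NotSet'
        } else {
            # REG_DWORD comes back as a signed Int32, so 0xFFFFFFFF reads as -1.
            $ret = [int64]$reg.Retention
            if ($ret -lt 0) { $ret += 4294967296 }
            $mode = switch ($ret) {
                0          { 'OverwriteAsNeeded' }
                4294967295 { 'DoNotOverwrite' }
                default    { "OverwriteOlderThan$($ret)s" }
            }
        }

        [pscustomobject]@{
            Log          = $name
            File         = $reg.File
            MaxSizeMB    = [math]::Round($reg.MaxSize / 1MB, 1)
            RegistryMode = $mode
            LiveMode     = $live.LogMode          # Circular, AutoBackup or Retain
            RecordCount  = $live.RecordCount
            IsFull       = $live.IsLogFull
            # Retain (do not overwrite) is the case the slide warns about: once full,
            # new events are NOT recorded.
            AtRisk       = ($mode -eq 'DoNotOverwrite' -or $live.LogMode -eq 'Retain')
        }
    }
}

# Remediation: raise the cap and switch to "overwrite as needed". wevtutil is the
# supported tool from Vista onward and needs an elevated prompt. 64 MB is this
# example's own choice, not a Microsoft recommendation.
function Set-EventLogOverwriteAsNeeded {
    param([string]$LogName, [int]$MaxSizeMB = 64)
    $bytes = $MaxSizeMB * 1MB
    wevtutil sl $LogName "/ms:$bytes" /rt:false
}

Get-EventLogRetention | Format-Table -AutoSize
# Get-EventLogRetention | Where-Object AtRisk | ForEach-Object { Set-EventLogOverwriteAsNeeded $_.Log }
```

Reading the settings works for a standard user on most logs; changing them, and reading the Security log, needs an elevated session.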

Event Sources
• Application – name of the software logging events
• Operating System – name of the device drivers logging events
Registry Information…
• Properties for Event Logging…
• Services.exe
• Why not stop the process…
• It can’t be stopped, at least NOT with ‘Task Manager’
Default Event Logs…
• Application Log…
  • Event types…
• System Log…
  • Event types…
  • Preset OS events…
• Security Log…
  • Event types
  • Preset security events where the success or failure is reported
Security - Event Logging
• The Local Security Authority Subsystem Service (LSASS) runs at startup, and log events are recorded based on the ‘Audit Policy’
• The Security Reference Monitor (SRM), which monitors objects, also reports to LSASS
• Windows 2000/XP: NO LSASS logging by default
• Later OS versions (from Windows Server 2003): logging active
• LSASS has a preset number of events that can be logged
• SRM, the security of objects (files, folders, printers etc.), is not part of this presentation
Security Event Log – Audit Policy
• Preset number of events
• Success and/or Failure of an event generates a log entry
• Settings > Control Panel > Administrative Tools > Local Security Policy, or run the program ‘gpedit.msc’
• Must have an Administrators account
Security Event Log Auditing
• Each preset event can be set to success and/or failure
• A log entry is generated for Success and/or Failure of the event
• The log file, which is a binary file, contains a hash function
• If the hash function is incorrect the log file will not open
• This can happen where there’s a ‘hard’ shutdown – ‘Pull the Plug’
• To correct this problem, load the image as a Virtual Machine and shut down normally
Setting LSASS log events…
• Set Success/Failure
  • A/C logon – local and remote
  • A/C Management – create or modify
  • Logon Events – local events
  • System Events – restart and shutdown
• Use ‘Event Viewer’ or ‘Log Parser’ to view the log events
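On Vista and later, `auditpol.exe` is the command-line counterpart of the Local Security Policy / gpedit.msc settings described on the last three slides. The following is an added example, not from the slides: the first function reads the current policy in CSV form and shows the subcategories behind the slide's account logon, account management, logon and system events; the second enables success and failure auditing for the matching legacy categories; the third checks the result. The subcategory selection and the function names are this example's own.

```powershell
# Added example (not from the slides). Requires Windows Vista/Server 2008 or later
# and an elevated prompt (the slide's "Administrators account" requirement).

# Subcategories chosen here to match the slide's four groups (this example's own selection).
$Watched = @(
    'Credential Validation',       # A/C logon (local and remote)
    'User Account Management',     # A/C management: create or modify
    'Logon', 'Logoff',             # logon events
    'Security State Change'        # system events: startup (4608) and shutdown (4609)
)

function Get-AuditSetting {
    # "/r" makes auditpol emit CSV with a header row, which ConvertFrom-Csv understands;
    # blank lines are dropped so the header is always the first row parsed.
    auditpol /get /category:* /r |
        Where-Object { $_ } |
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory -in $Watched } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Enable-SuccessFailureAuditing {
    # Category names are the legacy ones the slide uses; auditpol prints
    # "The command was successfully executed." for each, or an error.
    foreach ($cat in 'Account Logon', 'Account Management', 'Logon/Logoff', 'System') {
        auditpol /set /category:"$cat" /success:enable /failure:enable
    }
}

function Test-AuditCoverage {
    # Returns $true only when every watched subcategory records both success and failure.
    $missing = Get-AuditSetting | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
    if ($missing) { $missing | Format-Table -AutoSize | Out-String | Write-Warning }
    return -not [bool]$missing
}

Get-AuditSetting | Format-Table -AutoSize
# Enable-SuccessFailureAuditing; Test-AuditCoverage
```

Subcategory names are localized, so the `$Watched` list as written matches English systems only.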
‘Event Viewer’ Properties & Filtering…
• Events are identified by their ‘Event ID’
• Properties….
• Filtering…

Some Event IDs…
• Event ID 529 – Logon Failure
• Event ID 528 – Logon Success
• Event ID 551 – User Initiated Shutdown
• What about the URL…
• More event IDs
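The logon-failure events listed above can be pulled with `Get-WinEvent` and grouped by account and source, which is the usual first detection check on a Security log. The following is an added example, not from the slides. Vista and later renumbered the security events (528 became 4624 and 529 became 4625), so the filter includes both the slide's legacy ID and its modern equivalent; the 24-hour window, the threshold of 5 failures, the positional field indexes assumed for legacy 529 records, and the function name are this example's own choices.

```powershell
# Added example (not from the slides). Summarise failed logons from the Security log.
# Reading the Security log needs an Administrators account (or "Event Log Readers").
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 5,          # flag accounts with this many failures or more (example's choice)
        [string]$Path                 # optional archived .evtx/.evt file instead of the live log
    )

    # 529 = legacy (2000/XP/2003) logon failure as on the slide; 4625 = the same event on Vista+.
    $filter = @{ Id = 529, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        # Vista+ events carry named EventData fields. Legacy 529 records have unnamed,
        # positional fields; the 529 message template lists user name first and
        # workstation sixth, which is the assumption behind the fallbacks below.
        foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        $account     = if ($data.TargetUserName)  { $data.TargetUserName }  else { $_.Properties[0].Value }
        $workstation = if ($data.WorkstationName) { $data.WorkstationName } else { $_.Properties[5].Value }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            Account     = $account
            Workstation = $workstation
            SourceIp    = $data.IpAddress     # present on 4625 only
            Status      = $data.Status        # NTSTATUS code, e.g. 0xC000006D = bad user name or password
        }
    } |
    Group-Object Account, Workstation |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account     = $_.Group[0].Account
            Workstation = $_.Group[0].Workstation
            Failures    = $_.Count
            FirstSeen   = $sorted[0].Time
            LastSeen    = $sorted[-1].Time
            Flag        = ($_.Count -ge $Threshold)   # repeated failures worth a closer look
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary | Format-Table -AutoSize
# Archived log copied from another host (see the Archived Event Logs slide):
# Get-FailedLogonSummary -Path 'C:\archive\Security.evtx' -Hours 720
```

`Get-WinEvent` exists only on Vista and later, so the legacy-ID branch applies to `.evt` files read with `-Path`, not to a live XP log.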
Archived Event Logs
• Created by the user
• Can be saved in different formats:
  • EVT(X) – Event Log (XP uses EVT only)
  • TXT – Tab delimited
  • CSV – Comma delimited
• The built-in Event Viewer will only read EVT(X) files
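Saving a log in the three formats listed above, then reading the EVTX copy back with `Get-WinEvent -Path`, looks like this in PowerShell on Vista and later. This is an added example, not from the slides; the output folder, the 1000-event cap on the text exports, the hash manifest and the function names are this example's own choices. `wevtutil epl` needs an elevated prompt for the Security log.

```powershell
# Added example (not from the slides). Archive a log three ways and verify the native copy.
function Export-EventLogArchive {
    param(
        [string]$LogName = 'System',
        [string]$OutDir  = (Join-Path $env:TEMP 'evtlog-archive'),   # example's own choice
        [int]$MaxEvents  = 1000                                       # applies to CSV/TXT only
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $evtx  = Join-Path $OutDir "$LogName-$stamp.evtx"
    $csv   = Join-Path $OutDir "$LogName-$stamp.csv"
    $txt   = Join-Path $OutDir "$LogName-$stamp.txt"

    # 1. EVTX: native copy of the whole channel, the only format Event Viewer reads back.
    wevtutil epl $LogName $evtx

    # 2. CSV and 3. tab-delimited TXT: flattened and human-readable, but they keep only
    #    the columns selected here and at most $MaxEvents records.
    $rows = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
    $rows | Export-Csv -Path $csv -NoTypeInformation
    $rows | Export-Csv -Path $txt -NoTypeInformation -Delimiter "`t"

    # Hash manifest so a later reader can show the archived files are unchanged (chain of custody).
    Get-FileHash -Algorithm SHA256 -Path $evtx, $csv, $txt |
        Select-Object Hash, Path |
        Export-Csv -Path (Join-Path $OutDir "$LogName-$stamp.sha256.csv") -NoTypeInformation

    [pscustomobject]@{ Evtx = $evtx; Csv = $csv; Txt = $txt }
}

function Test-EventLogArchive {
    param([string]$EvtxPath)
    # Get-WinEvent reads .evtx and legacy .evt files directly; a truncated or
    # otherwise unreadable file raises an error here instead of silently returning nothing.
    $sample = Get-WinEvent -Path $EvtxPath -MaxEvents 5 -ErrorAction Stop
    $sample | Select-Object TimeCreated, Id, ProviderName
}

$files = Export-EventLogArchive -LogName 'System'
Test-EventLogArchive -EvtxPath $files.Evtx
```

Keep the EVTX copy as the evidence file: the CSV and TXT exports are convenient for review but drop the structured event data that the native format preserves.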


Event Logs
There are some notable differences in event logging between Windows XP and Windows Vista+, for example:
• Storage location
• Log file structure and file extension
• The number of log files
The Event Log Viewer provides enhanced functionality in comparison to that supplied with XP, including the ability to log events remotely!


Event Logs
QUESTIONS???
