
Thread: Event Viewer

  1. Senior Member Devilsbane
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #1

    Default Event Viewer

    Sorry about all of the questions. I have always been one to know the exact limits of things and I appreciate all the answers I have gotten so far.

    Let's say that I am a rogue employee, and I have been doing some things that I shouldn't be. HR has approached you and told you that they need to know every time that I logged in. Your job as a systems admin is to find out all of the times I logged in and give that information to HR. Where do you look for this?

    You could look at the logs on my workstation, but being that I am up to no good (and somewhat intelligent) I might have logged into other machines to do my dirty work.

    You could check the DC's event viewer, but the company might have 6 or 7 of them and to check each one individually could be time consuming.

    So where do you look?

    (This scenario is loosely based off a Transcender question I got last night. I don't know that knowing this will be essential for me to pass the test, but it could be very good knowledge to have in a real environment.)

    Thanks for all the replies, both this question and my numerous others!

  3. Senior Member sidsanders
    Join Date
    Nov 2008
    Posts
    214

    Certifications
    cne, mcse, scna, scsa, a+, net+, sec+
    #2
    if you don't have a product that does log consolidation on windows, you could script something (powershell, vbs, etc) or do it the manual way.

    manual way: if you know the id to look for you can filter for that to get things to go faster.

  4. Senior Member Devilsbane
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #3
    So without resorting to 3rd party tools, I'll be stuck sifting through various event logs?

  5. Senior Member sidsanders
    Join Date
    Nov 2008
    Posts
    214

    Certifications
    cne, mcse, scna, scsa, a+, net+, sec+
    #4
    depends on your point of view. you can try and automate the task...

    a few items to show how you can do this via scripts... tons more out there.
    Ezine 173 - PowerShell for Event Viewer | get-EventLog -logname
    ScriptingAnswers.com Forums: Script tp check Event Viewer for Certain Error

    i'm used to wmi so i would hit the vbs route first. still adjusting to pshell myself.

    a point to take away from this is if you aren't sure what info to look for in the logs, automation, log consolidation, etc won't help much. if you do, automating a search of remote servers' logs isn't impossible to complete, and you can do it so that it is reusable in the future: search for different items, or build your own custom "alert/warning" process.

  6. BOBBY_TABLES RobertKaucher
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #5
    Quote Originally Posted by Devilsbane:
        So without resorting to 3rd party tools, I'll be stuck sifting through various event logs?

    In a real environment you would certainly use PowerShell or VBS for this. But I think the important thing to know is that without auditing being enabled you'd be unable to find this information. So from the perspective of Windows Administrative Theory you need to know the following, in order of importance:

    1. What are the security requirements in my environment?
    2. How do I enable auditing?
    3. How do I view these event logs?
    4. What information can they give me?
    5. How can I quickly and efficiently extract the information I need to present it to those who require it? This is where scripting comes in!

    This is a perfect lab scenario.
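The scripted approach that sidsanders and RobertKaucher point to, as an added example that is not part of the thread and not code from either poster: a PowerShell script that walks every domain controller, pulls the Security-log events that record a domain account's logons, and writes them to a CSV for HR. It assumes success auditing for logon events is enabled on the DCs (RobertKaucher's point 2), that the account running it has rights to read the Security log remotely, and that the RSAT ActiveDirectory module is available for DC discovery; the account name, date range and output path are parameters you supply. Event ID 4768 (Kerberos TGT requested) is what a domain logon from any workstation leaves on a DC, so querying the DCs for it covers logons on machines you never looked at; 4624 on a DC only records logons to that DC itself.

```powershell
<#
  Added example, not from the thread. Collect one user's domain logons from all DCs.
  Assumes: "Audit Logon" / "Audit Kerberos Authentication Service" success auditing is on,
  the caller can read the Security log on each DC, and RSAT's ActiveDirectory module is present.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,      # account HR asked about (assumed input)
    [datetime] $Start = (Get-Date).AddDays(-30),          # how far back to look
    [string[]] $DomainControllers,                         # optional; discovered if omitted
    [string]   $OutFile = ".\$SamAccountName-logons.csv"   # report for HR
)

# Discover every DC in the domain unless a list was supplied.
if (-not $DomainControllers) {
    $DomainControllers = (Get-ADDomainController -Filter *).HostName
}

# 4768: Kerberos TGT issued (a workstation logon seen from the DC's side).
# 4624: an account logged on to the DC itself (interactive, RDP or network).
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4768
    StartTime = $Start
}

$results = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Read the named EventData fields from the event XML instead of parsing the message text.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
                [pscustomobject]@{
                    DomainController = $dc
                    Time             = $_.TimeCreated
                    EventId          = $_.Id
                    User             = $data['TargetUserName']
                    Domain           = $data['TargetDomainName']
                    LogonType        = $data['LogonType']        # 4624 only: 2 interactive, 3 network, 10 RDP
                    SourceHost       = $data['WorkstationName']  # 4624 only
                    SourceIp         = $data['IpAddress']
                }
            }
    } catch {
        # Get-WinEvent throws when a DC has no matching events, as well as on access/RPC errors;
        # record the DC so the report shows which logs were actually covered.
        Write-Warning "${dc}: $($_.Exception.Message)"
    }
}

$report = $results |
    Where-Object { $_.User -eq $SamAccountName } |
    Sort-Object Time

$report | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} logon events for {1} across {2} DCs written to {3}" -f
    @($report).Count, $SamAccountName, $DomainControllers.Count, $OutFile)
```

Run it as `.\Get-UserLogons.ps1 -SamAccountName jdoe` (a filename chosen here for illustration). Filtering on the user name happens after the events are pulled because FilterHashtable only accepts event-data keys on newer PowerShell versions; if the DCs are busy, narrowing `$Start` is the quickest way to cut the transfer. Warnings about a DC are as important as the rows: a DC that could not be read is a gap in the answer you give HR, which is the point sidsanders makes about knowing what to look for before automating.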