Windows NT Event Logging

Event logging is a facility used by computer systems to record the occurrence of significant events. An "event" is any change that occurs in a system -- for example, a user logon, an addition to a file, or a change to a user's privileges. Because a computer system may experience hundreds or thousands of events each second, it is important to distinguish which events require the immediate attention of a system administrator, which should be recorded as entries in the system's event log for later analysis, and which can be safely ignored.Event logs provide a centralized collection point for all kinds of error reports, system alerts, diagnostic messages, and status messages generated by a system. This book describes the characteristics of these messages, why they are important, and how you can access them and act upon them. Event logs are particularly important to system security and problem troubleshooting. Windows NT systems generate three distinct types of event logs:

• Security log. Stores reports of security-related events -- for example, a user has written to a file or there has been a change in a user's privileges.
• System log. Stores reports generated by system components, including drivers and services -- for example, a device failed, a driver failed to load, or a memory allocation or I/O error occurred.
• Application log. Stores reports on all other events -- for example, an internal application error (such as a failure to allocate memory) occurred, or a file download aborted.

This book is aimed at several specific audiences:For system administrators, event logging is a tool for analyzing system and user activities and performance and for troubleshooting system problems. For this audience, the book explains how to view and maintain the event logs via the system's Event Viewer and how to interpret the results.For programmers, event logging helps in diagnosing system or network problems. For this audience, the book describes the event logging API (Application Programming Interface) and the internals of the system's message files. It also provides instructions for and examples of accessing (reading, backing up, clearing, monitoring, and writing to) the event logs from C, Visual Basic 5, Perl 5 for Win32, Visual J++, and a C++ class for MFC (Microsoft Foundation Classes).For security administrators, event logging is an important tool in auditing security-related events and tracking down the source of security breaches. For this audience, the book provides help in specifying the events to be audited and in analyzing auditing results; it also discusses the security auditing requirements imposed on a C2-level secure system (one approved by the U.S. government's National Computer Security Center).The book comes with a CD-ROM containing examples from the book and many contributed event logging and auditing software packages. A brief table of contents follows:Preface 1. About Event Logging2. The Event Logging Service3. Even Viewer4. Windows NT Security Auditing5. The Event Logging API6. Message Files7. Accessing the Event Logs8. Reporting EventsA. References and ResourcesB. Event Logging under Windows for WorkgroupsC. NT Security Auditing EventsD. DumpEl: Event Logging Dump UtilityE. Kernel-mode Event LoggingF. What's on the CD-ROM?