An event is any significant occurrence in the system (or in an application) that requires notification. Some critical events are noted in on-screen messages. An event that does not require immediate attention is noted in an audit entry in an event log file. An audit entry shows the activity that occurred, the user who performed the action, and the date and time of the activity. You can audit both successful and failed attempts. The audit trail can show who actually performed actions on the network and who tried to perform actions that are not permitted.
You can use the information in an event log to troubleshoot various hardware and software problems, and to monitor the ASU server for security events. You can view an event log by using the following:
The Windows-based Event Viewer graphical user interface
The Tru64 UNIX elfread command
This chapter describes how to monitor and view events by using the Event Viewer. See elfread(8) for information on the elfread command.
This chapter discusses the following topics:
The ASU server records events and entries in the following types of logs:
The system log contains events logged by ASU server system components. For example, the failure of an ASU service to start when the ASU starts is recorded in the system log. The types of events that are logged by system components are determined by the ASU server.
The security log contains valid and invalid logon attempts and events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you use User Manager for Domains to enable logon and logoff auditing, attempts to log on to the system are recorded in the security log.
The application log contains events logged by applications. For example, a database program might record a file error in the application log. Application developers decide which events to log.
System and application logs can be viewed by all users; security logs can be viewed only by system administrators.
6.2 Enabling Auditing
Event logging starts automatically when the ASU server starts; however, events are not audited by default. Administrators can use the User Manager for Domains to specify an Audit policy. The Audit policy determines the amount and type of events that are logged. Because the event logs are limited in size, carefully select the events to be audited and consider the amount of disk space you are willing to devote to the logs. The maximum size of the security log is defined in Event Viewer.
When you audit a file or folder, an entry is written to the Security log whenever the file or folder is accessed in a certain way. You determine which files and folders to audit, whose actions to audit, and exactly which types of actions are audited.
To audit a file or folder, use User Manager for Domains and enable auditing of File and Object Access, then use Explorer to specify which files to audit and which type of file access events to audit.
Table 6-1 describes the directory and file actions that you can audit.
Table 6-1: Auditing Directories and Files
Auditing Directories | Auditing Files |
Displaying names of files in the directory | Displaying file data |
Displaying directory attributes | Displaying file attributes |
Changing directory attributes | Displaying file owner and permissions |
Creating subdirectories and files | Changing the file |
Going to the directory's subdirectories | Changing file attributes |
Displaying the directory's owner and permissions | Running the file |
Deleting the directory | Deleting the file |
Changing directory permissions | Changing file permissions |
Changing directory ownership | Changing file ownership |
Logging stops when an event log becomes full and cannot overwrite itself either because you set it for manual clearing or because the first event in the log is not old enough. When a log is full, you can free the log by clearing it.
Use the Log Settings command on the Log menu to define logging parameters for each type of log. You can set the maximum size of the log and specify whether the events are overwritten or stored for a certain period of time. Although you can increase (to the capacity of the disk and memory) or decrease the maximum log size, each log file has an initial maximum size of 512 KBytes. Before decreasing a log's size, you must clear the log.
The Event Log Wrapping option lets you define how events are retained in the log selected in the Change Settings For dialog box. (The default logging policy is to overwrite logs older than seven days.) You can customize this option for different logs.
Table 6-2 describes event logging options.
Table 6-2: Event Logging Options
Use | To |
Overwrite Events As Needed | Have new events continue to be written when the log is full. Each new event replaces the oldest event in the log. This option is a good choice for low-maintenance systems. |
Overwrite Events Older Than [ ] days | Retain the log for the number of days you specify before overwriting events. This option is the best choice if you want to save log files weekly. This strategy minimizes the chance of losing important log entries and at the same time keeps log sizes reasonable. |
Do Not Overwrite Events | Clear the log manually rather than automatically. Select this option only if you cannot afford to miss an event, for example, for the security log at a site where security is extremely important. |
See To Manage the Audit Policy in User Manager for Domains Help for information on how to set the Audit policy.
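As an added illustration (not code from the ASU product or this manual), the following Python model shows what each Table 6-2 option does once a log is full: why logging stops under Overwrite Events Older Than [ ] days until the oldest entry has aged out, why Do Not Overwrite Events loses everything until Clear All Events, and how clearing frees the log. EventLog, Event, simulate and the event-count capacity are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The three Event Log Wrapping options from Table 6-2.
OVERWRITE_AS_NEEDED = "Overwrite Events As Needed"
OVERWRITE_OLDER_THAN = "Overwrite Events Older Than [ ] days"
DO_NOT_OVERWRITE = "Do Not Overwrite Events"

@dataclass
class Event:
    when: datetime
    text: str

class EventLog:
    """Model of a fixed-size log with a wrapping policy (not the ASU code itself)."""

    def __init__(self, capacity, policy, days=7):
        self.capacity = capacity  # number of events stands in for the size in KB
        self.policy = policy
        self.days = days          # used only by OVERWRITE_OLDER_THAN
        self.events = []          # oldest first
        self.dropped = []         # events lost while logging was stopped

    def record(self, event):
        """Return True if the event was written, False if logging has stopped."""
        if len(self.events) < self.capacity:
            self.events.append(event)
            return True
        if self.policy == OVERWRITE_AS_NEEDED:
            can_overwrite = True
        elif self.policy == OVERWRITE_OLDER_THAN:
            # Only the oldest event can be replaced, and only once it is old enough.
            can_overwrite = event.when - self.events[0].when > timedelta(days=self.days)
        else:  # DO_NOT_OVERWRITE: nothing more is written until the log is cleared
            can_overwrite = False
        if not can_overwrite:
            self.dropped.append(event)
            return False
        self.events.pop(0)
        self.events.append(event)
        return True

    def clear(self):
        """Clear All Events on the Log menu: frees the log so logging resumes."""
        self.events = []

def simulate(policy, capacity=3, days=7, clear_on_day=None):
    """Log one event per day for ten days; return (kept, dropped) event texts."""
    log = EventLog(capacity, policy, days)
    start = datetime(2024, 1, 1)  # constructed start date
    for day in range(10):
        if day == clear_on_day:
            log.clear()
        log.record(Event(start + timedelta(days=day), f"event{day}"))
    return [e.text for e in log.events], [e.text for e in log.dropped]
```

With a capacity of three events and a seven-day threshold, Overwrite Events Older Than drops events 3 through 7 and only resumes on day 8, when the oldest entry is finally older than seven days.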
6.4 Interpreting Events
Event logs consist of a header, a description of the event (based on the event type), and optionally additional data. Most security log entries consist of the header and a description.
The Event Viewer displays events from each log separately. Each line shows information about one event, including date, time, source, category, Event ID, user account, and computer name.
6.4.1 Event Header
Table 6-3 describes the contents of an event header.
Field | Displays |
Date | The date the event occurred. |
Time | The time the event occurred. |
User | The username of the user on whose behalf the event occurred. If the event is not logged by a user, then the Security ID of the logging entity is displayed. |
Computer | The name of the computer on which the event occurred. |
Event ID | A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event log service is started. The first line of the description of such an event is "The Event log service was started." The Event ID and the Source can be used by product support representatives to troubleshoot system problems. |
Source | The software module that logged the event, which can be either an application name or a component of the system or of a large application, such as a service name. |
Type | A classification of the event severity: Error, Information, or Warning in the system and application logs; Success Audit or Failure Audit in the security log. In the Event Viewer's normal list view, these are represented by symbols. |
Category | A classification of the event by the event source. This information is used primarily in the security log. For example, for security audits, this corresponds to one of the event types for which success or failure auditing can be enabled in the User Manager for Domains Audit Policy dialog box. |
The format and contents of the event description vary, depending on the event type. The description is often the most useful information, indicating what happened or the significance of the event.
Table 6-4 describes types of events.
Table 6-4: Event Types
Event Type | Indicates |
Error | Significant problems, such as a loss of data or loss of functions. For example, an Error event might be logged if an ASU service was not started when the ASU server started. |
Warning | Events that are not necessarily significant but that indicate possible future problems. For example, a Warning event might be logged that the ASU server is low on key resources. |
Information | Infrequent significant events that describe successful operations of major ASU server services. For example, when an ASU service starts successfully, it might log an Information event. |
Success Audit | Audited security access attempts that were successful. For example, a user's successful attempt to log on to the system might be logged as a Success Audit event. |
Failure Audit | Audited security access attempts that failed. For example, if a user tried to access a network drive and failed, the attempt might be logged as a Failure Audit event. |
The optional data field, if used, contains binary data which can be displayed in bytes or words. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by someone who is familiar with the source application.
6.5 Using the Event Viewer
You determine which event log to view by switching between the system, security, and application logs. You also can use the Event Viewer to view logs on other computers.
6.5.1 Selecting a Log
Although the system log of the local computer appears the first time you start the Event Viewer, you can choose to view the security or application log. Use the Log menu to select a log for viewing.
6.5.2 Selecting a Computer
When you first start the Event Viewer, the events for the local computer appear.
To view events for another computer, click Select Computer on the Log menu. (It can be a Windows NT Workstation, an ASU server, a Windows NT server, or a LAN Manager 2.x server.)
If the computer you select is across a link with slow transmission rates, select Low Speed Connection. If this option is selected, the ASU server does not list all of the computers in the default domain, thereby minimizing network traffic across the link. (If slow transmission rates are normal, click Low Speed Connection on the Options menu.)
If you select a LAN Manager 2.x server for viewing, the Event Viewer can display its error (system) log and its audit (security) log.
See Select Computer in Event Viewer Help for information on how to select a computer for event viewing.
6.5.3 Refreshing the View
When you first open a log file, the Event Viewer displays the current information for that log. This information is not updated automatically. To see the latest events and to remove overwritten entries, choose the Refresh command.
See Refresh in Event Viewer Help for more information.
6.5.4 Changing the Font
You can change the font used in the Event Viewer. Changing this font affects only the display of the list of events in the main Event Viewer window.
See Changing the Font Selection in Event Viewer Help for more information.
6.5.5 Saving Log Files
You can save an event log in log-file format so that you can reopen it later in the Event Viewer. The log can also be saved in text format or comma-delimited text format so that you can use the information in other applications.
For example, you can save security logs so that you can monitor security events over a period of time. You can also save application logs so that you can track the Warning and Error events that occur for specific applications.
When you save a log file, the entire log is saved, regardless of any filtering options specified in the Event Viewer. If you changed the sort order in the Event Viewer, event records are saved exactly as displayed if you save the log in a text or comma-delimited text file.
A log file can be saved in the following formats:
Log file format, which enables you to view the information again in the Event Viewer.
Text file format, which enables you to use the information in an application, such as a word processor or electronic mail.
Comma-delimited text file format, which enables you to use the information in an application, such as a spreadsheet or a flat-file database.
The binary event data is saved if you save a log in log file format but it is discarded if you save the log in text file format or in comma-delimited text file format. The event description is saved in all saved logs.
When you save a sorted log, the sort order affects the order in which event records are saved in a text file format or comma-delimited text file format. However, sort order does not affect the order of event records in a log saved in log file format. In either case, the sequence of data within each individual event record is recorded in the following order:
Date (depends on the sort order specified on the View menu)
Time
Source
Type
Category
Event
User
Computer
Description
Saving a log file has no effect on the current contents of the active log. To clear the original log, you must select Clear All Events on the Log menu. To remove a saved log file, delete the file as you would other kinds of files.
You can view a saved file in the Event Viewer only if the log was saved in event log-file format. You cannot click the Refresh or Clear All Events commands to update the display or to clear a saved log.
Note
If you do not specify the correct log type (application, security, or system), the Description displayed for the saved log in the Event Detail dialog box will not be correct.
6.5.6 Viewing Specific Logged Events
After you select a log to view in the Event Viewer, you can do the following:
View descriptions and additional details that the event source logs.
Sort events from oldest to newest or from newest to oldest.
Filter events so that only events with specific characteristics are displayed.
Search for events based on specific characteristics or event descriptions.
6.5.6.1 Viewing Details About Events
For many events, you can view more information than is displayed in Event Viewer by double-clicking the event.
The Event Detail dialog box shows a text description of the selected event and any available binary data for the selected event. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by someone who is familiar with the source application. Not all events generate such data.
6.5.6.2 Sorting Events
By default, the Event Viewer lists events by date and time of occurrence from the newest to the oldest. To change the order from oldest to newest, click Oldest First on the View menu. If the Save Settings On Exit command on the Options menu is checked when you quit, the current sort order is used the next time you start the Event Viewer.
When a log is saved, the sort order affects the order in which event records are saved in a text format or comma-delimited text format file; sort order does not affect the order of event records saved in log file format.
6.5.6.3 Filtering Events
By default, the Event Viewer lists all events recorded in the selected log. To view a subset of events that have specific characteristics, click Filter Events on the View menu. When filtering is on, a check mark appears by the Filter command on the View menu and (Filtered) appears on the title bar. If Save Settings On Exit on the Options menu is checked when you quit the Event Viewer, the filters remain in effect the next time you start the Event Viewer.
Filtering has no effect on the actual contents of the log: it changes only the view. All events are logged continuously whether the filter is active or not. If you save a log from a filtered view, all records are saved even if you select a text format or comma-delimited text format file.
Table 6-5 describes the options available in the Filter dialog box.
Table 6-5: Event Filters
Filter | Filters |
View From | Events after a specific date and time. By default, this is the date of the first event in the log file. |
View Through | Events up to and including a specific date and time. By default, this is the date of the last event in the log file. |
Information | Infrequent significant events that describe successful operations of major server services. For example, when a service starts successfully, it may log an Information event. |
Warning | Events that are not necessarily significant but that indicate possible future problems. For example, a Warning event may be logged when the server is low on key resources. |
Error | Significant problems, such as a loss of data or loss of functions. For example, an Error event may be logged if an ASU service was not started when the ASU server started. |
Success Audit | Audited security access attempts that were successful. For example, a user's successful attempt to log on to the system may be logged as a Success Audit event. |
Failure Audit | Audited security access attempts that failed. For example, if a user tried to access a network drive and failed, the attempt may be logged as a Failure Audit event. |
Source | A source for logging events, such as an application, a system component, or a service. |
Category | A classification of events defined by the source. For example, the security event categories are Logon and Logoff, Policy Change, Privilege Use, System Event, Object Access, Detailed Tracking, and Account Management. |
User | A specific user that matches an actual user name. This field is not case-sensitive. |
Computer | A specific computer that matches an actual computer name. This field is not case-sensitive. |
Event ID | A specific number that corresponds to an actual event. |
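As an added example that is not part of the manual, this Python code reads a log saved in comma-delimited text format (field order from section 6.5.5, which discards binary data but keeps the description) and applies the Table 6-5 filter options offline, for instance to count Failure Audit events per user. The sample export, its quoted-CSV layout and the MM/DD/YY date format are assumptions; parse_export, filter_events and failure_audits_by_user are names chosen here.

```python
import csv
from datetime import datetime

# Field order of a log saved in comma-delimited text format (section 6.5.5).
FIELDS = "Date Time Source Type Category Event User Computer Description".split()
FMT = "%m/%d/%y %H:%M:%S"  # assumed date/time format; the manual does not state one

# Constructed sample export, not real data; the quoted-CSV layout is also an assumption.
SAMPLE_EXPORT = r"""
"03/04/98","09:15:02","Security","Failure Audit","Logon and Logoff","529","alice","ASU1","Logon Failure: unknown user name or bad password"
"03/04/98","09:15:40","Security","Failure Audit","Logon and Logoff","529","ALICE","ASU1","Logon Failure: unknown user name or bad password"
"03/04/98","09:16:05","Security","Success Audit","Logon and Logoff","528","alice","ASU1","Successful Logon"
"03/05/98","11:02:11","Security","Failure Audit","Object Access","560","bob","ASU1","Object Open, Object Name: C:\payroll\salary.xls, Accesses: READ_DATA"
"03/05/98","11:30:00","EventLog","Information","None","6005","N/A","ASU1","The Event log service was started."
"""

def parse_export(text):
    """Parse a comma-delimited export into dicts keyed by FIELDS plus a datetime."""
    rows = []
    for values in csv.reader(text.splitlines()):
        if len(values) != len(FIELDS):
            continue  # blank line or truncated record
        row = dict(zip(FIELDS, values))  # commas inside a quoted Description survive
        row["When"] = datetime.strptime(row["Date"] + " " + row["Time"], FMT)
        rows.append(row)
    return rows

def filter_events(rows, view_from=None, view_through=None, types=None, **exact):
    """Apply the Table 6-5 options; User and Computer match case-insensitively."""
    lo = datetime.strptime(view_from, FMT) if view_from else None
    hi = datetime.strptime(view_through, FMT) if view_through else None
    out = []
    for r in rows:
        if (lo and r["When"] < lo) or (hi and r["When"] > hi):
            continue
        if types and r["Type"] not in types:
            continue
        ok = True
        for field, want in exact.items():  # Source, Category, User, Computer, Event
            have, want = r[field], str(want)
            if field in ("User", "Computer"):
                have, want = have.lower(), want.lower()
            ok = ok and have == want
        if ok:
            out.append(r)
    return out

def failure_audits_by_user(rows):
    """Count Failure Audit events per user: a quick view of who is being denied."""
    counts = {}
    for r in filter_events(rows, types={"Failure Audit"}):
        counts[r["User"].lower()] = counts.get(r["User"].lower(), 0) + 1
    return counts
```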
To search for events that match a specific type, source, or category, click Find in the View menu. Searches can be useful when you are viewing large logs. For example, you can search for all Warning events related to a specific application or search for all Error events from all sources.
Your choices in the Find dialog box are in effect throughout the current session. If Save Settings On Exit on the Event Viewer Options menu is checked when you quit, the current filter settings are available the next time you start the Event Viewer.
6.6 Troubleshooting Using Event Logs
Careful monitoring of event logs can help you to predict and identify the sources of problems. Logs also can confirm problems with application software. If an application crashes, an application event log can provide a record of activity leading up to the event.
The following are guidelines for using event logs to identify problems:
Save logs in log format. The binary data associated with an event is discarded if you save data in text or comma-delimited format.
If a particular event seems related to system problems, try searching the event log to find other instances of the same event or to judge the frequency of an error.
Note Event IDs. These numbers match a text description in a source message file. This number can be used by product-support representatives to understand what occurred in the system.