Table 3-31. Audit Policy Change Settings

Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Policy name: Audit Policy Change
Value: Success, Failure
Note If you are not in an Active Directory environment, you can enable auditing on an individual Windows
Server 2003 computer by using the Local Security Policy MMC snap-in available in the Administrative
Tools folder.
Using a Command-Line Interface
The following command uses the logparser.exe command-line utility to parse the Security log
for events relating to the Windows Firewall:
> LogParser "SELECT TimeGenerated, SourceName,
EventCategoryName, Message INTO report.txt FROM Security WHERE
EventID > 847 AND EventID < 862" -resolveSIDs:ON
Note Notice that logparser.exe doesn't support the "greater than or equal to" or "less than or equal to"
operators (<= and >=), so instead we're searching for event IDs that are greater than 847 and less than 862.
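As an added illustration (not from the book), the following Python reproduces the same selection over a constructed in-memory Security log: the strict comparisons EventID > 847 AND EventID < 862 are the inclusive window 848 through 861, and the selected rows are rendered as the same four columns the query writes to report.txt, plus a per-ID count that is handy when monitoring. The sample records and their messages are constructed placeholders, not real event text.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# "EventID > 847 AND EventID < 862" selects exactly 848..861 inclusive.
FIREWALL_MIN_ID = 848
FIREWALL_MAX_ID = 861


@dataclass(frozen=True)
class SecurityEvent:
    """One Security-log record, with the columns the LogParser query selects."""
    time_generated: str
    source_name: str
    event_category_name: str
    event_id: int
    message: str


# Constructed sample data; messages are placeholders, not actual Windows text.
SAMPLE_SECURITY_LOG = [
    SecurityEvent("2005-03-01 08:00:01", "Security", "Logon/Logoff", 528, "logon (placeholder)"),
    SecurityEvent("2005-03-01 08:00:05", "Security", "Policy Change", 847, "below window (placeholder)"),
    SecurityEvent("2005-03-01 08:00:09", "Security", "Policy Change", 848, "firewall event (placeholder)"),
    SecurityEvent("2005-03-01 08:01:12", "Security", "Policy Change", 861, "firewall event (placeholder)"),
    SecurityEvent("2005-03-01 08:01:30", "Security", "Policy Change", 861, "firewall event (placeholder)"),
    SecurityEvent("2005-03-01 08:02:00", "Security", "Policy Change", 862, "above window (placeholder)"),
]


def is_firewall_event(event_id: int) -> bool:
    """Same predicate as the WHERE clause, written with inclusive bounds."""
    return FIREWALL_MIN_ID <= event_id <= FIREWALL_MAX_ID


def select_firewall_events(events: Iterable[SecurityEvent]) -> List[SecurityEvent]:
    """Equivalent of the FROM Security WHERE ... part of the query."""
    return [e for e in events if is_firewall_event(e.event_id)]


def report_lines(events: Iterable[SecurityEvent]) -> List[str]:
    """Equivalent of SELECT TimeGenerated, SourceName, EventCategoryName, Message."""
    return [f"{e.time_generated}\t{e.source_name}\t{e.event_category_name}\t{e.message}"
            for e in events]


def count_by_event_id(events: Iterable[SecurityEvent]) -> Dict[int, int]:
    """Per-EventID tally; a quick way to spot an unexpected burst of one event."""
    return dict(Counter(e.event_id for e in events))


if __name__ == "__main__":
    selected = select_firewall_events(SAMPLE_SECURITY_LOG)
    with open("report.txt", "w", encoding="utf-8") as fh:  # mirrors INTO report.txt
        fh.write("\n".join(report_lines(selected)) + "\n")
    print(count_by_event_id(selected))
```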
How It Works
One of the greatest challenges of system administration is the maintenance and analysis of the
auditing data that is generated by a network or domain full of Windows computers. In the spirit
of the “tree falling in the forest” question, many administrators find themselves wondering if a
security breach or configuration error has actually taken place somewhere on their network
and they simply haven't spotted the event log entry that will alert them to it.
To help combat this, Microsoft has released a number of free utilities to help you to analyze
and monitor event log data. One of these tools, EventCombMT, has been around since the days
of Windows NT 4.0 and is used to collect Event Viewer entries from numerous computers into
a single location to allow you to monitor and view them more efficiently. EventCombMT is now
available within a larger bundle of free tools called the Account Lockout and Management
Tools, available for download from http://www.microsoft.com/downloads/details.aspx?
FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en .
Another free tool that hasn't received quite the same publicity as EventCombMT is the
Microsoft Log Parser. This was first released as a free Resource Kit utility with very little supporting
documentation, but it has developed a large grassroots following with strong Internet community
support. In a nutshell, the Microsoft Log Parser allows you to use a SQL-like query engine
to extract data from any number of common log file sources, including Windows event logs,