How should you view your events?
By Adrian Grigorof, B.Sc., MCSE
There are many ways and tools for viewing the Windows event logs. The most common one used for accessing the event logs is, of course, the Microsoft Event Viewer. It is quick, it is free and it has some filtering capabilities. However, seeing what events have been recorded is just one step. More important is to understand which events matter and what you should do about them.
First, all "Errors", "Warnings" and "Audit Failures" are important from the start. With just a few exceptions, they indicate a problem with the system or with one of the applications running on it, or that the security of the system is affected.
As with most free tools, you get what you pay for, so the free Event Viewer may not be the right tool for every situation. From our experience, you should use Event Viewer for a quick view of the current events on the systems that you troubleshoot. It can also be used for some raw monitoring, that is, a network administrator connecting daily to each system that has to be monitored and checking each log for errors, warnings or audit failures. This is time consuming, and though the tool is free, the network administrator is not. Time that could otherwise be used for more urgent tasks is spent on the "not urgent" but still important monitoring.
Some other tools from Microsoft can be configured to query the logs for specific events (EventCombMT or eventquery.vbs, for example), but again, one needs to know what to look for, and it requires scripting experience. A large and dynamic network is hard to monitor using this type of scriptable tool. For those inclined to spend time tweaking such tools, they may still be useful query utilities. Some of these tools only work on certain versions of Windows (e.g. only on XP or 2003).
The tools mentioned above only provide a way of accessing your existing event logs. They will not "touch" your audit policies, so if your system is not configured to record logon failures, for example, Event Viewer will not show anything, nor will it notify you about this. Also, without some (not negligible) effort to script it, these tools will not send any type of notification when certain events are recorded. They also lack any type of statistical reporting (e.g. account lockouts for yesterday). Even if you have just one server, it is not a trivial task to compile this type of report. In most cases, administrators are not even looking for this type of activity unless something has already happened and the server has been compromised.
The next type of tools are the ones that you have to pay for. There are quite a few products that claim to perform most of the Windows event log-related tasks. Not many of them have specialized event viewers. The one we want to present is the GFI LANGuard S.E.L.M. Event Viewer. It comes as part of LANGuard S.E.L.M. (Security Event Log Monitor), a product that monitors the Windows security event logs. The interface is similar to the MS Event Viewer in order to avoid the need to learn a new type of interface (see Fig. 1). While the MS Event Viewer connects to the native Windows event logs, the GFI LANGuard Event Viewer connects to the LANGuard database. The database contains the events recorded by LANGuard SELM from all the agents, so from the start it offers a centralized view of all the events from these agents. Even if an agent is located over a slow network link, performance is not affected, as the viewer accesses the LANGuard SELM database and not the remote server.

Fig. 1 - LANGuard S.E.L.M. Event Viewer - Main view
The main view presents a list of the security events organized according to their importance. The "importance" is a criterion defined by GFI based on feedback from senior Windows administrators, and it can be customized using the LANGuard SELM configuration interface. The view also presents the number of events in each category (as opposed to the size of the event log file in MS Event Viewer).
Clicking on one of the security categories in the left panel provides a list of the events that fall under that category (see Fig. 2).

Fig 2. - Medium security events category
These events can be further filtered based on their sub-category (e.g. Account logon events). See Fig. 3:

Fig. 3 - Accounts logon sub-category
Under each sub-category, the events can be filtered again. For example, Fig. 4 shows the "Failed account logon events for today" subcategory.

Fig. 4 - Failed account logon events for today
Each event listed in the right panel provides detailed information about the event, as well as links to the GFI knowledge base and www.eventid.net.
For example, in the High security events category, Account logon events, General account logon events, there are two events listed:

Fig 5 - General account logon events
By accessing the details of the events on the right panel, one can get the following:

Fig. 6 - Event details
For this particular example, the full description is:
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 6/9/2005
Time: 7:15:54 PM
User: NT AUTHORITY\SYSTEM
Computer: LEIBNIZ
Description:
Event Origin Details:
S.E.L.M. Event ID: 1118360980_000000000000003
User SID: S-1-5-18
Rule Name: Account Used for Logon - 680 - Outside NOT - Medium - Win2k/Win2003 Srv
In Work Hours: No
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrator
Source Workstation: LEIBNIZ
Error Code: N/A
More Information:
Possible causes of this event are:
(1) Windows XP attempting a limited logon for each account displayed on the Welcome screen, to determine whether to prompt the user for a password.
(2) Auto-logon being enabled after the password was changed, so that XP falls back to a logon prompt.
Common Kerberos 5 Hex Error Codes Legend:
0x6 - (KDC_ERR_C_PRINCIPAL_UNKNOWN) "Client not found in Kerberos database"
0x7 - (KDC_ERR_S_PRINCIPAL_UNKNOWN) "Server not found in Kerberos database". This generally indicates that a service principal name (SPN) has not been registered for the service.
0x9 - (KDC_ERR_NULL_KEY) "The client or server has a null key"
0xE - (KDC_ERR_ETYPE_NOSUPP) "KDC has no support for the encryption type"
0x12 - (KDC_ERR_CLIENT_REVOKED) "Client's credentials have been revoked": the account is locked out, disabled or expired, or the logon was attempted outside the permitted logon hours.
0x17 - (KDC_ERR_KEY_EXPIRED) "Password has expired"
0x18 - (KDC_ERR_PREAUTH_FAILED) "Pre-authentication information was invalid": in practice, a wrong password.
0x19 - (KDC_ERR_PREAUTH_REQUIRED) "Additional pre-authentication required"
0x20 - (KRB_AP_ERR_TKT_EXPIRED) "Ticket has expired"
0x21 - (KRB_AP_ERR_TKT_NYV) "Ticket not yet valid"
0x22 - (KRB_AP_ERR_REPEAT) "Request is a replay". Someone is trying to play back a Kerberos client's response; you are possibly being attacked.
0x25 - (KRB_AP_ERR_SKEW) "Clock skew too great". Kerberos is time-critical; make sure all clocks are synchronized.
0x26 - (KRB_AP_ERR_BADADDR) "Incorrect net address"
0x29 - (KRB_AP_ERR_MODIFIED) "Message stream modified"
0x3C - (KRB_ERR_GENERIC) "Generic error"
GFI Knowledge Base article:
http://kbase.gfi.com/showarticle.asp?id=KBID001739
More information regarding this event might be documented at :
http://www.eventid.net/display.asp?eventid=680&source=Security
The reason why this event is considered "High security" is that it was recorded outside the regular working hours (configurable through the LANGuard SELM interface). Note that event 680 is logged by the NTLM authentication package (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 above), so a failed 680 carries an NTSTATUS value in its Error Code field, e.g. 0xC000006A (wrong password) or 0xC0000234 (account locked out); the Kerberos legend applies to the Kerberos account logon events (672-677), not to 680.
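As an added example (not code from the article or from GFI's product), the following Python script parses 680 records in the text layout shown above, decodes the NTSTATUS error code of failures, applies an out-of-hours rule like the one that escalated this event, and produces the kind of "failed account logon events for today" report that, as noted earlier, is hard to get out of Event Viewer without scripting. The sample records, the Monday-to-Friday 08:00-18:00 work-hours window, the workstation names PASCAL and EULER and the accounts other than administrator are constructed for the example.

```python
"""Parse and triage Windows event 680 (NTLM account logon) records.

Added example, not code from the article or from GFI LANGuard S.E.L.M.
The text layout mirrors the event description shown above; the sample
records, the 08:00-18:00 work-hours window and the severity rule are
constructed here for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# NTSTATUS values that event 680 carries in its Error Code field. These are
# not Kerberos codes: the Kerberos legend applies to events 672-677.
NTSTATUS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC000006F": "logon outside permitted hours",
    "0xC0000070": "workstation restriction",
    "0xC0000071": "password expired",
    "0xC0000193": "account expired",
}

# Assumed working hours: Monday to Friday, 08:00 to 18:00 local time.
WORK_START, WORK_END = time(8, 0), time(18, 0)


def make_680(event_type, date, clock, account, workstation, code="N/A"):
    """Build one 680 record in the 'Field: value' layout shown above."""
    return (
        f"Event Type: {event_type}\nEvent Source: Security\n"
        f"Event Category: Account Logon\nEvent ID: 680\n"
        f"Date: {date}\nTime: {clock}\nUser: NT AUTHORITY\\SYSTEM\n"
        f"Computer: LEIBNIZ\n"
        f"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        f"Logon account: {account}\nSource Workstation: {workstation}\n"
        f"Error Code: {code}"
    )


# Constructed sample: the article's out-of-hours success, a burst of wrong
# passwords that ends in a lockout, a guess at a non-existent account, and
# one ordinary in-hours logon.
SAMPLE_EVENTS = [
    make_680("Success Audit", "6/9/2005", "7:15:54 PM", "administrator", "LEIBNIZ"),
    make_680("Failure Audit", "6/10/2005", "2:03:10 AM", "administrator", "PASCAL", "0xC000006A"),
    make_680("Failure Audit", "6/10/2005", "2:03:15 AM", "administrator", "PASCAL", "0xC000006A"),
    make_680("Failure Audit", "6/10/2005", "2:03:21 AM", "administrator", "PASCAL", "0xC000006A"),
    make_680("Failure Audit", "6/10/2005", "2:03:30 AM", "administrator", "PASCAL", "0xC0000234"),
    make_680("Failure Audit", "6/10/2005", "9:30:00 AM", "backup", "EULER", "0xC0000064"),
    make_680("Success Audit", "6/10/2005", "10:00:00 AM", "jsmith", "EULER"),
]


def parse_event(text):
    """Split 'Field: value' lines into a dict and add a parsed timestamp."""
    ev = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            ev[key.strip()] = value.strip()
    ev["when"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return ev


def in_work_hours(when):
    return when.weekday() < 5 and WORK_START <= when.time() < WORK_END


def classify(ev):
    """Severity rule: every failure is reported with its decoded reason; a
    success is escalated only when it happened outside work hours."""
    if ev["Event Type"] == "Failure Audit":
        code = ev.get("Error Code", "N/A")
        return "failure", NTSTATUS.get(code, f"unknown status {code}")
    if not in_work_hours(ev["when"]):
        return "high", "successful logon outside work hours"
    return "low", "successful logon during work hours"


def load_events(records=SAMPLE_EVENTS):
    return [parse_event(r) for r in records]


def failed_logons_for_day(events, day):
    """Per-account, per-reason counts of 680 failures on a 'm/d/Y' date: the
    'Failed account logon events for today' view as a report."""
    target = datetime.strptime(day, "%m/%d/%Y").date()
    report = defaultdict(Counter)
    for ev in events:
        if ev["Event Type"] == "Failure Audit" and ev["when"].date() == target:
            report[ev["Logon account"]][classify(ev)[1]] += 1
    return {acct: dict(reasons) for acct, reasons in report.items()}


def severity_counts(events):
    """Number of events per severity, like the category counts in Fig. 1."""
    return dict(Counter(classify(ev)[0] for ev in events))


if __name__ == "__main__":
    events = load_events()
    print("Severity counts:", severity_counts(events))
    print("Failed logons on 6/10/2005:", failed_logons_for_day(events, "6/10/2005"))
    for ev in events:
        sev, why = classify(ev)
        print(f"{ev['when']:%Y-%m-%d %H:%M} {ev['Logon account']:<14} "
              f"from {ev['Source Workstation']:<8} {sev:<8} {why}")
```

Run as is, the article's own 680 record (Thursday 6/9/2005 at 19:15) comes out as "high" for the same reason the product gave, and the 6/10/2005 report shows three wrong passwords for administrator from PASCAL followed by a lockout, which is the pattern worth alerting on rather than reading through one failure at a time in Event Viewer.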
Each sub-category can be further filtered using various criteria:

Fig. 7 - Filtering criteria
