Windows NT includes a native facility for the central storage and retrieval of event reporting information. This article explains how this tool works and where the information in it comes from.
Making Sense of NT Events
Windows NT includes a native facility for the central storage and retrieval of event reporting information. This article explains how this tool works and where the information in it comes from.
An event is any type of detectable change that occurs
within a system. A process starts or stops, a file opens
or closes, a print job is paused or deleted. These are
all examples of routine system events that may be reported.
Exceptions and abnormal behavior are also causes of events.
An event is considered significant if its occurrence is
of interest to a system or security administrator.
When a process running on a Windows NT system detects
a significant event, it may collect information on this
event and report its occurrence to the event logging service.
This service is a central collection and distribution
point for all reported system event information. This
service itself doesn’t monitor the NT system and
its processes for reportable events. Instead, the event
logging service only logs (or persistently stores) events
reported it by other processes running on the local system.
Event reporting occurs behind the scenes and goes unnoticed
by system users and administrators. It’s only when
there’s a hint of a problem with the operation of
the system that the event logs become the focal point
of attention.
Event Viewer
Event Viewer is a standard NT tool for discovering and
diagnosing problems on NT systems. It's a client application
that views event logs recorded on both the local and remote
NT systems.
You’ll find Event Viewer tucked away under Start
| Administrative Tools (Common). Because it’s fairly
out of sight, administrators often forget about it when
diagnosing a system problem. If you use Event Viewer a
lot, I suggest you add a desktop shortcut to EVENTVWR.EXE
on your task bar or start it automatically by adding it
to your Startup folder.
Figure 1 shows the main window of Event Viewer displaying
the system log on my NT server. Each row in the list is
a single event report. Each column is a specific piece
of information that describes the event.
 |
| Figure 1. Event Viewer displaying
the system log. |
Each event log entry begins with an icon indicating the
event type. The type may indicate the severity of the
event (error, warning, or informational) or if an audited
security event was successful or not. Each entry also
contains a timestamp indicating when it was written to
the log file. A process reporting an event must identify
itself using an event source name registered to use the
specific event log. The optional category name allows
an event source to group its events into logical categories.
Each event reported is identified by an event ID unique
to each event source. The user column indicates the user
that reported the event based on the SID of the user account
under which the process reporting the event was running.
The final column contains the name of the computer where
the event log resides. It’s also possible to drill
down into any event report and see an additional plain-English
event description and any associated binary data (Figure
2).
 |
| Figure 2.
Event Viewer displaying event detail information. |
Event Viewer contains an assortment of other features
that let you search, filter, clear, and save an event
log as a backup file. However, there’s no feature
that alerts an administrator that a specific event has
just occurred. (You have to use a third-party product
for that capability. More on that shortly.) Only through
the diligent browsing of the event logs will an administrator
become aware of significant events.
Event Log Files
Event Viewer views and maintains three event logs: the
security log, the system log, and the application log.
There is no provision for the support of additional logs.
The security log records the activity users, printers,
and registry keys flagged for auditing by the system administrator.
Security applications developed by third-party vendors
also report events to this log. Only user accounts belonging
to the Administrators group have permission to view, backup,
and clear the security log.
Kernel-mode device drivers and low-level user-mode services
use the system log for reporting events. These types of
processes typically lack a user interface and are unable
to interact with the desktop. The system event log is
therefore its primary means of communicating error and
informational messages.
The application log is used to store event information
reported by high-level, user-mode processes. You probably
won’t find many different messages in this log, since
most applications report error events using message boxes.
However, the application log makes a good alternative
to writing error events to a log file. Moreover, on a
single-user workstation, the application log makes a great
place to write time-stamped application debugging information.
The information found in each event log is stored in
a separate .EVT file in the %SystemRoot%\SYSTEM32\CONFIG
subdirectory of each NT machine. Each event report is
written as a separate record to one of these log files.
The EVENTLOGRECORD data type definition found in WINNT.H
defines the format of an event log file record. (See Figure
2 for an example of event details.)
The Event Logging Service
Local and remote processes don’t access the event
log files directly. Instead, they must make requests of
the event logging service to read from and write to the
event logs. User-mode processes use the event logging
API (implemented in ADVAPI32.DLL) to report events, query
information in the event logs, and monitor the event logs
for any changes. Kernel-mode processes must communicate
with the event logging service via NT’s I/O Manager
and through the use of I/O Error Log Packets.
The event logging service is one of the many services
controlled by the NT Service Control Manager (SCM). The
SCM runs under the context of the System Account and provides
the System security privilege to the event logs. The SCM
is also a Remote Procedure Call (RPC) server that allows
the event logging service on the local system to communicate
with the event logging service running on remote NT systems.
Applications, such as Event Viewer, may view and back
up the event logs of remote NT systems using the event
logging API.
All configuration information for the event logs and
the event logging service is stored in the registry under
the HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Services\EventLog key. Three additional
subkeys store the configurations for each event log, including
the location of the event log file, maximum allowed log
file size, the retention (event wrapping) policy setting,
and the listing of event sources registered to report
to the log. Many of these settings are changeable using
Event Viewer.
The ancestor of Event Viewer and the event logging service
is the NetWatcher utility included with Windows for Workgroups.
NetWatcher is used to monitor, control, and audit the
activity of network hosts connected to a Windows for Workgroups
server. The occurrence of up to 10 predefined events may
be monitored and written to the AUDIT.LOG file by NetWatcher.
The utility—similar in appearance to Event Viewer—is
used to view the log file.
The modern version of NetWatcher, NetWatch, is available
for both Windows 95 and NT and is distributed in the Windows
NT Resource Kit—although it doesn’t include
an event logging facility. An Event Viewer client application
that allows the event logs of remote Windows NT systems
to be viewed from a Windows 95 system is included with
the Windows NT 4.0 Server Tools. You can find the server
tools distributed on the Windows NT Server CD-ROM and
the TechNet Client Utilities CD-ROM. Unfortunately, neither
Windows 95 nor 98 have any native event logging facility.
Security Auditing
The NT security auditing facility is disabled by default.
This explains why the security log on your NT system is
currently blank. If you clear the security log, a single
event is written to the log indicating that it was cleared,
but that’s all. How an administrator enables security
auditing depends on the type of events that the system’s
security policy requires to be audited. The User Manager
enables the auditing of user and system events (logon/logoff,
system restart and shutdown, changes to security policy,
etc.). Windows NT Explorer controls the auditing of files
and folders on NTFS volumes. And the Print Manager is
used to enable the auditing of printer and pint spooler
events.
But which events should be audited? Is there any harm
in auditing all events that occur? Is it necessary to
audit any events at all?
The bottom line: The more
security-critical a system is, the greater the security
auditing should be. An isolated single-user workstation
may need little or no auditing, a file server moderate
auditing, and NT systems acting as routers, gateways,
and authentication servers the most auditing of all. The
greater the chance of a system being misused or even coming
under direct attack, the greater the need for security
auditing.
At minimum, you need to log all successful and unsuccessful
logon/logoff attempts made by users on the local system
and from remote systems, including NULL session logons.
Failed file and object access events are rare, but often
significant. Tracking changes made to the system’s
security policy configuration and auditing policy should
also be enabled.
| 10
Things You Should Know About Event Logging |
- By default, the event logging service
is configured to start automatically
when the system boots. Once started,
you can’t pause or stop the event
logging service, although it may be
configured for manual startup or be
disabled on system boot-up using the
Services applet in Control Panel.
- Selecting the "Overwrite Events
Older than N Days" event log
wrapping option will degrade system
performance as the event logging service
searches the log files for older events
to overwrite. The system will experience
severe performance degradation whenever
many events are reported in a very
short period.
- The event log files are theoretically
limited to 4G in size. The actual
limit is equal to the amount of free
space on the volume where the log
files are stored. The practical limit
is the size at which the files become
too large for the event logging service
to efficiently handle (about 300M).
The size of each event log is configurable
using Event Viewer.
- The event logging service is susceptible
to denial of service attacks by flooding
it with too many event reports. (This
flooding could occur during deliberate
hacker attacks launched to disable
a system. Sometimes it’s accidental
and caused by a software bug.) System
performance will degrade as the service
attempts to log every event report
sent to it. Such attacks also threaten
to use up all the free space on the
volume if the event logs aren’t
configured to a reasonable maximum
size. Microsoft Knowledge Base article
Q164938 indicates that very heavy
event reporting activity can cause
the service to hang.
- The user names displayed by Event
Viewer in the event logs are read
directly from the SAM database. If
you remove a user account from the
local system, the user name will disappear
from the account's event reports in
the event logs. Therefore, if you
archive your event log files, back
them up before removing any user accounts.
- The event log files are opened by
the event logging service when it’s
started at system boot-up. They’re
not shared for writing, and the security
event log file also isn’t shared
for reading.
- Event reports are localized to the
default language used by an NT system
by storing event messages in a set
of resource-only DLLs called message
files. Event Viewer will read event
category names and event descriptions
from a message file based on the locale
of the system.
- Event description information may
appear to be missing from event logs
of a remote system if an event source
isn’t registered on the local
system. The local event logging service
uses the local registry to find an
event source’s message files.
If an event source that has reported
events in the remote system’s
logs isn’t deployed on the local
system, then you won’t be able
to find the source’s message
files, and its event reports won’t
contain an event description.
- You can’t restore a backup
of an event log file made by Event
Viewer into the event logs. When an
event log is cleared, the information
is permanently removed from the log.
A new, blank event log 64K in size
is created in its place in an attempt
to reduce physical fragmentation of
the log file and overwrite any previous
event log records on disk.
- You may wonder what secrets are
contained within the operation and
source code of Event Viewer. Well,
you may be disappointed, but Event
Viewer has no special knowledge or
privileges, and must access the event
logs using the event logging API,
just like any other application. On
the upside, you can fire up your favorite
Win32 solution development platform
and write your own bigger, better,
and more useful event log viewing
application.
—James D. Murray
|
|
|
From the Third Party
Both Event Viewer and the event logging service is often
the object of scorn and ridicule. Administrators puzzled
and panicked by abnormal system behavior are often frustrated
by cryptic event logging messages that neither tell exactly
what the problem is nor what a possible solution may be,
or what’s worse: an impaired system with no mention
of any problems appearing in the event logs at all.
However, you can’t blame Event Viewer. Would you
criticize Microsoft Word just because you were using it
to view a document whose contents were sparse or unhelpful?
Word didn’t create the contents of the document;
it’s just displaying the information that the document
contains. The same is true for Event Viewer; it only displays
the information that other processes have reported to
the event logs.
Many system administrators feel that the NT event logging
service falls far short of the features they really need
to monitor and troubleshoot both stand-alone NT workstations
and a network filled with NT hosts. That’s led third-party
companies to pick up the slack by creating utilities to
augment the capabilities of NT’s event logging service—or
replace it entirely.