System Daquan teaches you to analyze the Windows system log


First, the protection of Windows log files

Log files are so important to us that we cannot neglect protecting them, to prevent the case where certain "lawless elements" clear the log files.

1. Modify the log file storage directory

The default path of the Windows log files is “%systemroot%\system32\config”; we can modify the registry to change their storage directory and so strengthen protection of the logs.

Click “Start → Run”, type “Regedit” in the dialog box and press Enter to open the Registry Editor, then expand “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog”. The Application, Security and System sub-items under it correspond to the application log, security log and system log respectively.

The author takes the application log as an example and moves it to the directory “d:\cce”. Select the Application sub-item (as shown) and find the File key in the right-hand pane. Its value is the path of the application log file, “%SystemRoot%\system32\config\AppEvent.Evt”; change it to “d:\cce\AppEvent.Evt”. Then create the new directory “CCE” on the D drive, copy “AppEvent.Evt” into it, and restart the system; this completes the change of the application log file's storage directory. The paths of the other log types are changed the same way, only under their own sub-items. You can also create a series of deeply nested directories to hold the new log files, such as D:\01\02\03\04\05\06\07; the naming principle is “the less conspicuous, the better”.

2. Set file access permissions

After the log file storage directory has been moved, the log can still be emptied. The following prevents this by modifying the access rights of the log files; the premise is that the Windows system uses the NTFS file system.

Right-click the CCE directory on the D drive, select “Properties”, and switch to the “Security” tab. First clear the “Allow inheritable permissions from the parent to propagate to this object” check box. Then select the “Everyone” account in the account list and give it only the “Read” permission; next click the “Add” button to add the “System” account to the list and grant it all permissions except “Full Control” and “Modify”; finally click “OK”. After this, an error dialog appears when a user tries to clear the Windows log.

Second, Windows log instance analysis

A great many operational events are recorded in the Windows log. To make them easier for users to manage, each type of event is given a unique number, the event ID.

1. View normal switch history

On Windows systems we can view the computer's startup and shutdown records in the System log of Event Viewer, because the event log service starts and stops together with the computer and leaves a record in the log. Two event IDs are of interest here: 6006 and 6005. 6005 indicates that the event log service has been started; if event ID 6005 is found in Event Viewer, the Windows system was started normally that day. 6006 indicates that the event log service has been stopped; if no event ID 6006 is found in Event Viewer, the computer was not shut down normally that day, which may be due to a system fault or the power being cut directly without a proper shutdown operation.

2. View DHCP Configuration Warning Messages

In larger networks a DHCP server is used to assign IP address configuration to clients. If a client cannot find the DHCP server, it automatically falls back to an internal (self-assigned) IP address configuration and records an event with ID 1007 in the Windows log. If the user finds this event ID in the log, the machine could not obtain its configuration from the DHCP server, and it is necessary to check whether the machine itself or the DHCP server is at fault.
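The checks described in the two sections above, as an added PowerShell example that is not part of the original article: it reads the System log with the built-in Get-WinEvent cmdlet, pairs each 6005 start with the 6006 stop before it, and then looks for DHCP fallback events with ID 1007. It assumes it is run in an elevated PowerShell prompt on the machine whose log is being examined.

```powershell
# Added example, not from the original article: read the System log with the built-in
# Get-WinEvent cmdlet and flag the two cases the text describes. Run from an elevated
# PowerShell prompt. On Windows Vista and later the logs are .evtx files under
# %SystemRoot%\System32\winevt\Logs, but the event IDs discussed here are unchanged.

# 6005 = event log service started (system boot), 6006 = event log service stopped (clean shutdown).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005, 6006 } -ErrorAction Stop |
    Sort-Object TimeCreated

$seenStop = $false   # no 6006 is known before the first record in the log
foreach ($e in $events) {
    switch ($e.Id) {
        6006 {
            $seenStop = $true
            "{0}  STOP   event log service stopped (clean shutdown)" -f $e.TimeCreated
        }
        6005 {
            if ($seenStop) {
                "{0}  START  preceded by a clean shutdown" -f $e.TimeCreated
            } else {
                "{0}  START  no 6006 before this start: unclean shutdown or power loss (or start of log)" -f $e.TimeCreated
            }
            $seenStop = $false
        }
    }
}

# 1007 = client fell back to an automatic (self-assigned) address because no DHCP server answered.
# Get-WinEvent throws when nothing matches, so "no events" is treated as the healthy case.
$dhcp = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1007 } -ErrorAction SilentlyContinue
if ($dhcp) {
    "DHCP fallback events (ID 1007) found: check the client's network adapter and the DHCP server"
    $dhcp | Select-Object TimeCreated, ProviderName, Message | Format-Table -Wrap
} else {
    "No DHCP fallback events (ID 1007) found in the System log"
}
```

The ProviderName column is shown for the 1007 events because other event sources can reuse the same numeric ID, so confirm the source is the DHCP client before drawing conclusions.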

Copyright © Windows knowledge All Rights Reserved