
Windows NT/2000 Event Logs

Windows NT/2000 Event Logs (PDF, 2.15MB)
Published: 21 Apr, 2002
Created by:
William Mendez

The daily tasks of every security or network administrator include reviewing the content of log files for suspicious entries indicating that a potential attack has occurred or is in progress. Working with logs is a very time-consuming and cumbersome task. Several servers generate log files every day with hundreds of entries to search through, but the network administrator seldom has enough time to properly review and interpret them. The goal of this paper is to address this issue by automating the process of gathering and filtering log files and notifying the administrator when relevant events are found, while keeping the implementation cost very low. It is also important to mention that this paper focuses only on a Microsoft-based environment running Windows NT 4.0 and Windows 2000 (or either one independently), and on a single log type, the 'Security Log'. This paper will help one to completely automate the process of gathering, filtering, and alerting when relevant events are found, using inexpensive tools and resources already available. The goal is to prevent potential attacks or misuse by making it easy and cost-effective to gather and review event logs. It is not an attempt to teach one how to read the logs, nor what each type of event represents.
