Source: SLTechnology News&Howtos (Servers), updated 2025-01-19.
Shulou (Shulou.com) 05/31 Report
Many newcomers are unclear about how to analyse Windows system logs. To help with that, this article explains the topic in detail; anyone who needs it can follow along and should come away with something useful.
I. Protection of Windows log files
Log files are important enough that their protection cannot be ignored; otherwise an intruder can simply clear them and erase the record of what happened.
1. Modify the log file storage directory
The default location of the Windows log files is "%SystemRoot%\system32\config". By editing the registry we can change that storage directory and so make the logs harder to find.
Click "Start → Run", type "Regedit" in the dialog box and press Enter to open the Registry Editor. Expand "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog"; the Application, Security and System subkeys beneath it correspond to the application log, the security log and the system log respectively.
Taking the application log as an example, the author moves it to the "D:\CCE" directory. Select the Application subkey (shown in the figure) and find the File value in the right-hand pane; its data is the path of the application log file, "%SystemRoot%\system32\config\AppEvent.Evt". Change it to "D:\CCE\AppEvent.Evt". Then create a new "CCE" directory on drive D, copy "AppEvent.Evt" into it and restart the system; the application log is now stored in the new directory. The other log types are moved in the same way, just under their own subkeys. You can also create a deeply nested directory chain for the new log files, such as D:\01\02\03\04\05\06\07; the naming principle is "the more inconspicuous, the better".
2. Set file access permissions
Even after the storage directory has been moved, the log can still be cleared. The next step prevents this by restricting the access permissions on the log file, which works as long as the Windows system uses the NTFS file system.
Right-click the CCE directory on drive D, select Properties and switch to the Security tab. First uncheck the option "Allow inheritable permissions from the parent to propagate to this object". Then select the "Everyone" account in the account list and give it only "Read" permission. Next click the "Add" button, add the "System" account to the account list and grant it every permission except "Full Control" and "Modify". Finally click "OK". Now, when a user tries to clear the Windows log, an error dialog appears instead.
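The two steps above, relocating a classic log file through its registry File value and then locking down the new directory's NTFS ACL, can be scripted. The following PowerShell is an added example and is not code from the original article. It assumes an elevated PowerShell session on an NTFS volume, takes the log name and target directory as parameters, and mirrors the article's ACL exactly (Everyone: Read; the writer account: everything except Full Control and Modify, i.e. no Delete). The function names are the author's own choices. Note that on Windows Vista and later the classic logs live in %SystemRoot%\System32\winevt\Logs as .evtx files and the Windows Event Log service runs as NT AUTHORITY\LOCAL SERVICE rather than SYSTEM, so that account must be passed as a writer there or the service loses the ability to append.

```powershell
# Added example (not from the original article): move a classic Windows event
# log via the registry File value and restrict the new directory's ACL.
# Assumptions: elevated PowerShell, NTFS volume, reboot afterwards (the new
# File path only takes effect when the service restarts, as the article notes).

function Get-EventLogFilePath {
    param([Parameter(Mandatory)][ValidateSet('Application','Security','System')][string]$LogName)
    # Services\EventLog\<log>\File is the path the Event Log service writes to.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    (Get-ItemProperty -Path $key -Name File).File
}

function Move-EventLogFile {
    param(
        [Parameter(Mandatory)][ValidateSet('Application','Security','System')][string]$LogName,
        [Parameter(Mandatory)][string]$TargetDirectory
    )
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    $current = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $key -Name File).File)
    $newPath = Join-Path $TargetDirectory (Split-Path $current -Leaf)

    New-Item -ItemType Directory -Path $TargetDirectory -Force | Out-Null
    # Copy the existing log so its history survives, as the article does by hand.
    Copy-Item -Path $current -Destination $newPath -Force
    # Point the service at the new file; effective after the next restart.
    Set-ItemProperty -Path $key -Name File -Value $newPath
    $newPath
}

function Protect-EventLogDirectory {
    param(
        [Parameter(Mandatory)][string]$Directory,
        # Accounts that must still be able to append to the log. The article
        # uses System; add 'NT AUTHORITY\LOCAL SERVICE' on Vista and later.
        [string[]]$WriterAccounts = @('NT AUTHORITY\SYSTEM')
    )
    $acl = Get-Acl -Path $Directory
    # Same effect as unchecking "allow inheritable permissions to propagate":
    # stop inheriting and discard the inherited entries ($false = do not copy).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any remaining explicit entries so only the rules below apply.
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    # Everyone: read only.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'Everyone', 'Read', $inherit, $prop, 'Allow'))
    # Writers: everything except Full Control and Modify, which means read,
    # execute, list and write but not Delete, so the log cannot be removed.
    foreach ($account in $WriterAccounts) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $account, 'ReadAndExecute, Write', $inherit, $prop, 'Allow'))
    }
    Set-Acl -Path $Directory -AclObject $acl
}

# Usage (elevated), following the article's Application-log example:
#   Get-EventLogFilePath -LogName Application
#   Move-EventLogFile -LogName Application -TargetDirectory 'D:\CCE'
#   Protect-EventLogDirectory -Directory 'D:\CCE'
#   Restart-Computer
```

Before applying the ACL, check which account the Event Log service actually runs as (`(Get-CimInstance Win32_Service -Filter "Name='EventLog'").StartName`) and pass it in `-WriterAccounts`; a writer that can no longer open the file for append silently stops the logging the whole exercise is meant to protect. Also keep in mind that an administrator can still take ownership and rewrite the ACL, so this is a hardening measure against casual log clearing rather than a guarantee.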
II. Windows log example analysis
The Windows log records a great many events, and to make them easier to manage each type of event is assigned a unique number, its event ID.
1. Checking the startup and shutdown records
In Windows, the computer's startup and shutdown history can be read from the System log in Event Viewer, because the event log service starts and stops together with the computer and leaves a record each time. Two event IDs matter here: 6005 and 6006. Event 6005 means the event log service was started; if an event with ID 6005 appears in Event Viewer, Windows started normally that day. Event 6006 means the event log service was stopped; if no event with ID 6006 appears for a given day, the computer did not shut down normally that day, either because of a system problem or because the power was cut without a proper shutdown.
2. View DHCP configuration warning messages
In larger networks the DHCP server is normally used to hand out IP address configuration to clients. If a client cannot find a DHCP server, it automatically configures itself with a private address, and an event with ID 1007 is written to the Windows log. If the user finds an event with this number in the log, the machine could not obtain its configuration from the DHCP server, and it is necessary to check whether the fault lies with the machine's own network connection or with the DHCP server.
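The two checks in this section (startup/shutdown via 6005 and 6006, and DHCP fallback via 1007) are the kind of thing worth automating. The PowerShell below is an added example, not code from the original article. It pulls the three IDs from the System log with Get-WinEvent (Windows Vista and later), then builds a per-day summary with the article's rules: a day with 6005 but no 6006 is flagged as having no clean shutdown, and 1007 events are counted. The summary function takes any objects with TimeCreated and Id properties, so it is also run here against a constructed sample that stands in for live log entries; the function names and the sample timestamps are the author's own.

```powershell
# Added example (not from the original article): summarise 6005/6006 (event log
# service started/stopped) and 1007 (DHCP fallback) events per day.
# Assumptions: Get-WinEvent available (Vista+); reading the System log may need
# elevation on some hosts. The summary works on any objects with TimeCreated/Id.

function Get-LogServiceEvents {
    param([int]$Days = 7)
    # Filtering by Id only keeps this independent of provider names, which
    # differ between Windows versions (the article names only the IDs).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 6005, 6006, 1007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
}

function Get-DailyLogSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        ForEach-Object {
            $ids     = @($_.Group.Id)
            $started = $ids -contains 6005   # log service started: normal boot that day
            $stopped = $ids -contains 6006   # log service stopped: normal shutdown that day
            # The article's rule: a start without a matching stop means the
            # machine did not go down cleanly (crash or power cut).
            $verdict = if ($started -and -not $stopped) { 'no clean shutdown recorded' } else { 'ok' }
            [pscustomobject]@{
                Date           = $_.Name
                Started        = $started
                StoppedCleanly = $stopped
                DhcpFallbacks  = @($ids | Where-Object { $_ -eq 1007 }).Count
                Verdict        = $verdict
            }
        }
}

# Constructed sample events standing in for live log entries (not real data).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 08:01:12'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 17:30:45'; Id = 6006 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-05 07:58:03'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-05 07:58:40'; Id = 1007 }
    # No 6006 on 2024-03-05: the power was cut, so the service never stopped cleanly.
)
Get-DailyLogSummary -Events $sample | Format-Table -AutoSize

# Against the live log for the last week:
#   Get-DailyLogSummary -Events (Get-LogServiceEvents -Days 7)
```

On the sample, 2024-03-04 reports "ok" and 2024-03-05 reports "no clean shutdown recorded" with one DHCP fallback. Two caveats when reading the live output: a machine that is still running, or that was shut down after midnight, also shows a day with 6005 and no 6006, so compare with the following day before concluding anything, and the more direct indicator of an unclean shutdown is event ID 6008 ("The previous system shutdown was unexpected"), which can be added to the Id list in the filter.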