Keeping a close eye on a server's logs is one of the best ways to know when your network is under attack. Logs can show which ports are being opened, which files are being accessed, and which services are being run. Even more important, logs can show when someone has tried to log on with an incorrect password or access a resource. If your server or network is attacked, your log files are a good place to start investigating. Archive your logs on a regular basis so that the log files cannot be overwritten or erased by attackers who want to cover their tracks. If possible, configure your logs to automatically alert an IT staffer -- either by sending an email or generating a pager message -- if an attack is detected.
A computer running any version of Windows NT or later records events in three kinds of logs:
- Application log -- The Application log contains events logged by applications or programs. For example, a database program might record a file error in the Application log. Program developers decide which events to monitor.
- Security log -- The Security log records events such as valid and invalid logon attempts as well as events related to resource use such as creating, opening, or deleting files or other objects. An administrator can specify which events are recorded in the Security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the Security log. Monitoring logon attempts is a good way to detect attacks and suspicious activity. "Audit logon events" generates logon events on the local system on which the logon occurs, whereas "Audit account logon events" generates events when someone tries to authenticate with an account that is stored on the computer on which the logon event is recorded. You can configure this setting through Local Security Policy by clicking Start, Run and typing gpedit.msc.
- System log -- The System log contains events logged by system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined.
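As an added example that is not part of the original article, the following PowerShell script ties together the three recommendations above for the Security log: it counts recent failed logon attempts per account, archives the log so the entries survive if an attacker later clears it, and emails an administrator when any account crosses a threshold. It assumes Windows Vista / Server 2008 or later (where "An account failed to log on" is Event ID 4625), that failure auditing for logon events is enabled as described in the list above, and that it runs from an elevated prompt; the SMTP server, recipient addresses, threshold and archive directory are placeholders to replace with your own.

```powershell
# Added example, not from the original article. Reviews the Windows Security
# log for failed logons (Event ID 4625), archives the log, and alerts on abuse.
# Placeholders: -SmtpServer, -AlertTo, -AlertFrom, -ArchiveDir, -FailureThreshold.
# Prerequisite (check with: auditpol /get /category:"Logon/Logoff"):
#   failure auditing for "Logon" must be enabled or no 4625 events are written.
param(
    [int]    $LookbackMinutes  = 60,
    [int]    $FailureThreshold = 10,                   # failures per account before alerting
    [string] $ArchiveDir       = 'C:\LogArchive',      # placeholder: use a protected, separate volume
    [string] $SmtpServer       = 'smtp.example.invalid',
    [string] $AlertTo          = 'soc@example.invalid',
    [string] $AlertFrom        = 'winlog@example.invalid'
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Pull failed-logon events from the Security log. -FilterHashtable is applied
#    by the event log service itself, which is far faster than piping every
#    record through Where-Object.
$failed = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue)

# 2. Extract the account, source address and logon type from each record's
#    EventData block (TargetUserName, IpAddress and LogonType in a 4625 event).
$summary = foreach ($e in $failed) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $d['TargetUserName']
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']
    }
}
$byAccount = $summary | Group-Object Account | Sort-Object Count -Descending

# 3. Archive the live Security log to a timestamped .evtx file so the evidence
#    is preserved even if someone later clears the log on this host.
New-Item -ItemType Directory -Force -Path $ArchiveDir | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $ArchiveDir "Security-$env:COMPUTERNAME-$stamp.evtx"
wevtutil epl Security $archive

# 4. Alert when any single account exceeds the failure threshold.
$suspects = @($byAccount | Where-Object Count -ge $FailureThreshold)
if ($suspects.Count -gt 0) {
    $lines = foreach ($s in $suspects) {
        $srcs = ($s.Group.Source | Sort-Object -Unique) -join ', '
        '{0,-24} {1,4} failures from {2}' -f $s.Name, $s.Count, $srcs
    }
    $body = "Accounts over threshold ($FailureThreshold) in the last $LookbackMinutes min:`n" +
            ($lines -join "`n") + "`n`nArchived copy: $archive"
    Send-MailMessage -SmtpServer $SmtpServer -From $AlertFrom -To $AlertTo `
        -Subject "[$env:COMPUTERNAME] $($failed.Count) failed logons in last $LookbackMinutes min" `
        -Body $body
}

# Show the per-account summary for whoever runs the script interactively.
$byAccount | Select-Object Name, Count | Format-Table -AutoSize
```

Run it from Task Scheduler at the same interval as `-LookbackMinutes` so every window of the log is reviewed once, and keep `-ArchiveDir` on storage that the server's own administrators cannot silently modify (a write-only share or a log collector is the usual choice). On Windows NT, 2000 and XP the failed-logon event is 529 rather than 4625 and the log is read with Get-EventLog instead of Get-WinEvent, so the script needs adjusting there.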