Event Viewer

Sorry about all of the questions. I have always been one to know the exact limits of things and I appreciate all the answers I have gotten so far.

Lets say that I am a rogue employee, and I have been doing some things that I shouldn't be. HR has approached you and told you that they need to know every time that I logged in. Your job as a systems admin, is to find out all of the times I logged in and give that information to HR. Where do you look for this?

You could look at the logs on my workstation, but being that I am up to no good (and somewhat intelligent) I might have logged into other machines to do my dirty work.

You could check the DC's event viewer, but the company might have 6 or 7 of them and to check each one individually could be time consuming.

So where do you look?

(This scenario is loosly based off a Transcender question I got last night. I don't know that knowing this will be essential for me to pass the test, but it could be very good knowledge to have in a real enviornment.)

Thanks for all the replies, both this question and my numerous others!

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

sidsanders

if you dont have a product that does log consolidation on windows, you could script something (powershell, vbs, etc) or do it the manual way.

manual way:--> if you know the id to look for you can filter for that to get thinngs to go faster.

Devilsbane

So without resorting to 3rd party tools, I'll be stuck sifting through various event logs?

sidsanders

depends on your point of view. you can try and automate the task...

a few items to show how you can do this via scripts... tons more out there.
Ezine 173 - PowerShell for Event Viewer | get-EventLog -logname
ScriptingAnswers.com Forums: Script tp check Event Viewer for Certain Error

im used to wmi so i would hit the vbs route first. still adjusting to pshell myself.

a point to take away from this is if you arent sure what info to look for in the logs, automation, log consolidation, etc wont help much. if you do, automating a search of remote servers logs isnt impossible to complete and do it so that you can make reusable in the future --> search for diff items, or your own custom "alert/warning" process.

RobertKaucher

Devilsbane wrote: »

So without resorting to 3rd party tools, I'll be stuck sifting through various event logs?

In a real environment you would certainly use PowerShell of VBS for this. But I think the important thing to know is that without auditing being enabled you'd be unable to find this information. So from the perpective of Windows Administrative Theory you need to know the following in the order of importance:

1. What are the security requirements in my environment?
2. How do I enable auditing?
3. How do I view these event logs?
4. What information can they give me?
5.How can I quickly and efficiently extract the information I need to present it to those who require it? This is where scripting comes in!

This is a perfect lab scenario.