Sunday, July 6, 2008

Windows Vista New Event Viewer

Here's a good surprise: the Event Viewer has had a complete reengineering. The new Event Viewer:

• Can collect events from many systems to one system's log, allowing you to centralize event logs.

• Lets you easily tell it what to do if particular events occur, like telling it to send you an e-mail, run a program, reboot a system, or the like.

• Allows you to create custom queries so you can essentially tweak Event Viewer to show you just the things that you want to see.

• Reports its data in XML.

There are several ways to start Event Viewer:
• If you reenabled the Start Run… command as I suggested earlier in this chapter, just click Start/Run… and then fill in eventvwr and click OK.

• If you restored Administrative Tools to your Start menu, then just click Start --> Administrative Tools --> Event Viewer.

• Alternatively you'll need to do a little spelunking in Control Panel: click Start --> Control Panel --> System and Maintenance and, under "Administrative Tools," click "View event logs."

XML Format Comes to Event Viewer
Yes, I know, you've heard the abbreviation "XML" far too often, but here's a case where you'll like it. Let's take an example event, a simple security event that reports that the system's time was successfully changed.

Note at first that Event Viewer presents the event in a different format than the one that we've seen since NT 3.1. Notice that there's a button that's actually labeled "Copy" instead of hoping that you just somehow know that the button on the XP Event Viewer that looks like two pieces of paper means "click this and the relevant stuff from this event will be copied in ASCII text format to the Clipboard."

Custom Queries Let You Customize Event Viewer
It's always been possible to filter items in Event Viewer in a simple way by right-clicking in the Event Log, choosing New Log View, and then adjusting its filter properties. But Vista's Event Viewer takes it a bit further.

Like the old Event Viewer, you get a pane down the left-hand side listing the logs that you can peruse. But instead of the standard Application, System and Security, Vista's Event Viewer fine-tunes your events into dozens of smaller "sub-logs." You can see in its right-hand pane a summary of entries and, you'll note, there are more levels of event than Information, Warning, Error, Audit Success, and Audit Failure; now there's also Critical. But look in the upper left-hand corner and you'll notice a folder called "Custom Views" and, inside that, a folder named "Administrative Events."
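
As an added illustration (not from the book or this post), the PowerShell below shows the kind of structured XML query a custom view stores and how an event's XML can be flattened into named fields. The event IDs (4616 for a time change, 4740 for an account lockout), the function name ConvertFrom-EventXml and the sample event are assumptions made for the example, which also assumes a PowerShell version that provides Get-WinEvent.

```powershell
# Added example. Assumed event IDs: 4616 = system time changed, 4740 = account locked out.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4616 or EventID=4740)
        and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@

# Flatten one event's XML into an object with its System fields and named Data values.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = [xml]$Xml
    $sys = $doc.Event.System
    $data = @{}
    foreach ($d in $doc.GetElementsByTagName('Data')) {
        $name = $d.GetAttribute('Name')   # empty string when the attribute is absent
        if ($name) { $data[$name] = $d.InnerText }
    }
    New-Object psobject -Property @{
        EventId  = [int]$sys['EventID'].InnerText
        TimeUtc  = $sys['TimeCreated'].GetAttribute('SystemTime')
        Computer = $sys['Computer'].InnerText
        Data     = $data
    }
}

# Constructed sample event (not from a real log) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2008-07-06T10:15:00.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">WKSTN07</Data>
  </EventData>
</Event>
'@
$evt = ConvertFrom-EventXml $sample
'{0} {1} {2} locked out: {3}' -f $evt.TimeUtc, $evt.Computer, $evt.EventId, $evt.Data['TargetUserName']

# Live use, elevated prompt: Get-WinEvent -FilterXml $query | ForEach-Object { ConvertFrom-EventXml $_.ToXml() }
```

The same QueryList text can be pasted into the XML tab of the custom view filter dialog.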

Generating Actions from Events
XP and 2003 brought a really nice feature called "event triggers." The idea was that you could use a command-line tool called "eventtriggers.exe" to instruct the Event Log service that if a particular kind of event occurred then the Event Log service would start the application of your choosing. Not many people seemed to discover it, but I wrote about it in a few magazine articles and suggested that you could build a pretty neat system for alerting you to problems in the network. There were three ingredients:
• You'd need a cell phone that could receive text messages via e-mail. For example, my cell carrier is Verizon Wireless, and you can send an SMS text message to any Verizon cell phone by sending e-mail to

• You need a program that can send simple e-mails from the command line. There's a free one called "blat" at

• You need XP or 2003, as they support event triggers.

I put this all together by suggesting that if there were particular events that you were concerned about (say, an account lockout happened), then you could use eventtriggers.exe to tell the Event Log service, "if an account lockout happens, run such-and-such blat command line to send me an alert on my phone as a text message." It worked pretty nicely but was, admittedly, cumbersome. So the new "Attach task to event…" option is a real blessing.

Source of Information : Sybex Administering Windows Vista Security
