The simplest way to attach a task to an event is to select the desired event
in Event Viewer and then click the Attach Task To This Event option in the task
pane, which starts the Create Basic Task wizard. The wizard asks you to name
the task and prompts you to define the program, email message, or display message
you desire when that event ID is logged. After you finish the wizard, you can
view the task, its properties, and its run history by opening the MMC Task Scheduler
snap-in found on the Start Menu under All Programs\Accessories\System Tools.
Often, though, you'll need to be a little more specific with your trigger criteria
than simply specifying an event ID. The good news is that any criteria you can
specify in a custom view filter you can also specify in an event trigger, including
advanced filters written in XML. The bad news is that you can't use Event Viewer
to create the trigger—you must use Task Scheduler instead. Open Task
Scheduler and click Create Task. On the General tab, specify the name and description
of the task as well as the account the task should execute under.
Then select the Triggers tab and click New. In the New Trigger dialog box, select
On an event from the Begin the task drop-down list. Select Custom
under Settings, and click New Event Filter. Now you're shown
the same dialog box as when you create a custom view in Event Viewer. You can
either use the Filter tab to specify the filter criteria or use the XML tab
to specify an advanced filter in XML syntax. After you finish the trigger criteria,
you can go to the Actions tab to specify one or more actions for Task Scheduler
to execute.
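The same trigger, built from the command line instead of the dialog boxes, as an added example that is not from the original article: the script below writes a Task Scheduler task definition whose event trigger carries a QueryList filter identical to what you would paste into the XML tab, and registers it with schtasks.exe. The filter matches on an event ID and on a data field, which a plain event-ID trigger cannot do. The task name, the script path in the action, and the choice of Security event 4625 (An account failed to log on) with its TargetUserName field are my assumptions for illustration; the script also assumes PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example, not from the original article. Registers an event-triggered
# task whose filter goes beyond a bare event ID, using the same <QueryList>
# XML that the Event Viewer / Task Scheduler "XML" filter tab accepts.
# Assumed names: $taskName, $scriptPath, and the 4625/TargetUserName filter.

# Security event 4625 (Vista/2008) = "An account failed to log on".
# Match the event ID *and* the TargetUserName data field.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)]]
      and
      *[EventData[Data[@Name='TargetUserName']='Administrator']]
    </Select>
  </Query>
</QueryList>
'@

$taskName   = 'Alert-FailedAdminLogon'             # assumed task name
$scriptPath = 'C:\Scripts\Notify-FailedLogon.ps1'  # assumed action script

# Task Scheduler stores the query inside <Subscription> as escaped text,
# which is how it appears when you export a task you built in the GUI.
$escapedQuery = [System.Security.SecurityElement]::Escape($query)

$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Run a script when an Administrator logon fails (event 4625).</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$escapedQuery</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <!-- S-1-5-18 = LocalSystem, which can read the Security log -->
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NonInteractive -ExecutionPolicy Bypass -File "$scriptPath"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# schtasks.exe reads the definition from disk; write it as UTF-16 to match
# the XML declaration above.
$xmlPath = Join-Path $env:TEMP "$taskName.xml"
$taskXml | Out-File -FilePath $xmlPath -Encoding Unicode

# /F replaces an existing task of the same name.
schtasks.exe /Create /TN $taskName /XML $xmlPath /F
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }

# Sanity check: export the task back and confirm the data-field filter survived.
schtasks.exe /Query /TN $taskName /XML | Select-String -Pattern 'TargetUserName'
```

Running the task as LocalSystem sidesteps the credential prompt you get when registering a task under a named account, and it is one of the few identities that can read the Security log without extra rights; if you use a service account instead, it needs the Manage auditing and security log privilege or membership in Event Log Readers.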
A final thing I like about Event Viewer is the revamped log retention policy
options you see when you open the properties of the Security log. The old Overwrite
events older than _ days has been replaced by Archive the log when full,
do not overwrite events, which for the first time exposes a feature that's
been around for a long time but was configurable only via the registry by using
the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\AutoBackupLogFiles
setting. If you select the Archive the log when full option, Windows
will automatically archive the full Security log as an Archive-Security-<timestamp>.evtx
file in C:\Windows\System32\winevt\Logs and start a fresh log.
A word of caution, though: Windows will keep logging and archiving
until the drive is full, so you need some kind of automated process for moving
the archived logs off the system. In the end, there's no good substitute for a real log management solution
from an ISV. "Event Response," November 2004, InstantDoc ID 44093, compares
three such tools. The Security Pro VIP article "Enterprise Event Logging for
SMBs," InstantDoc ID 95511, describes six enterprise log collection and management
tools.
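The retention change and the off-box sweep the caution above calls for, as an added example that is not from the original article: the script sets the Security log to Archive the log when full, do not overwrite events with wevtutil, shows the registry values the GUI option maps to, and moves finished archive files to a share so they cannot fill the system drive. The share path and the seven-day local retention window are my assumptions; the script assumes an elevated prompt and that the account running it can write to the share.

```powershell
# Added example, not from the original article. Configure "Archive the log
# when full, do not overwrite events" for the Security log, verify the
# registry values behind it, and sweep completed archives to a file share.
# Assumed: $archiveShare is a writable UNC path; $keepDays is site policy.

$archiveShare = '\\logserver\SecurityArchive'   # assumed destination
$keepDays     = 7                                # assumed local retention

# wevtutil sl = set log. /rt:true = "do not overwrite events" (retention),
# /ab:true = "archive the log when full" (AutoBackupLogFiles).
wevtutil.exe sl Security /rt:true /ab:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

# The GUI option writes these two values under the log's EventLog key;
# Retention 0xFFFFFFFF is the classic "never overwrite" setting.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$props = Get-ItemProperty -Path $key
'AutoBackupLogFiles = {0}'   -f $props.AutoBackupLogFiles
'Retention          = 0x{0:X8}' -f $props.Retention

# Move completed archives (Archive-Security-<timestamp>.evtx) to the share.
# The live Security.evtx is never touched; only finished archives qualify.
$logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
Get-ChildItem -Path $logDir -Filter 'Archive-Security-*.evtx' |
  Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$keepDays) } |
  ForEach-Object {
    # Copy, verify the size, then delete, so a failed copy never loses a log.
    $dest = Join-Path $archiveShare $_.Name
    Copy-Item -Path $_.FullName -Destination $dest
    if ((Get-Item -Path $dest).Length -eq $_.Length) {
      Remove-Item -Path $_.FullName
      "Moved $($_.Name)"
    } else {
      Write-Warning "Size mismatch copying $($_.Name); left in place"
    }
  }
```

Schedule the sweep as an ordinary daily task (or attach it to the event the Eventlog service writes when it archives a log) and point it at a share the server can only write to, not delete from, so a compromised host cannot erase the archives it has already shipped.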
Get Going
As you can see, a lot has changed and a lot has stayed the same in Windows auditing
and security logging, but in general, there are many improvements. The new more
granular audit policy will help you eliminate some but not all the noise that
Windows writes to the Security log. The automatic task execution capability
might help you automate responses or be alerted to important events when they
occur. And the custom filter views will certainly help administrators who don't
have a full-featured log management solution.
All the new event IDs and their changed formats will definitely mean a steep
learning curve and lots of report and alert criteria redesign before you can
start monitoring and analyzing Windows 2008 and Vista logs. Ultimately, though,
the new formats are an improvement, especially in the area of consistency.
One other major new feature associated with event logs in Windows 2008 and
Vista is the new event-forwarding capability, which for the first time allows
Windows systems to automatically send events to other servers on which you can
theoretically do centralized event management. But collecting logs from multiple
computers is a gargantuan task, and Windows 2008's HTTP-based (WS-Management) method for event
forwarding is only intended for small volumes of events defined with very specific
criteria. "Windows Eventing 6.0" describes Windows 2008 and Vista's centralized
event-collection capabilities.
Get to know the new event log in Windows 2008 as soon as possible so that your
security monitoring and compliance activities can continue unimpaired as you
start migrating to the new platform.