Beginners grasp the different types of Windows logs, how to generate security and system logging, and how the Microsoft Event Viewer displays these activities. Learners also manage and maintain logs by knowing where to find a log’s properties and checking the maximum log size and overflow conditions. This hands-on lab equips participants with two different techniques for researching logs: the GUI-based system and service manager, and PowerShell.
Before beginning the lab, learners should set aside a complete 45-minute block, as they cannot stop working mid-way and then return. Users familiar with Windows operating systems and their graphical and command-line interfaces have the preparation necessary to succeed in this log finder challenge. Learners work on a virtual machine provisioned with Windows Server 2016.
Windows event logs supply critical information about the system’s health, activities, and problems. Cyber Defense Analysts use the security event logs to detect unusual activity and to investigate potential security risks. Network Operations Specialists and System Administrators rely on PowerShell to configure and run fundamental management tasks, including retrieving event logs. Understanding how to generate system events and where to find them logged is a critical skill IT professionals need to have.
Understand the scenario:
For this lab scenario, you are responsible for a server that runs Windows Server 2016. You need to maintain the Event Viewer log files on the server. First, you check the maximum log file size. Next, you generate log file entries by performing common administrative tasks. Finally, you use Windows PowerShell to gather Event Viewer information.
Lab participants perform some everyday administrative tasks to create events. The first step in this module has the learner record the default maximum log size and the overflow behaviour in place (overwriting older events as needed). The system, security, and application logs share the same default configuration, which is helpful to know when maintaining and managing logs. Participants then create a new user, log in and log out as different users, assign a user to a group, and change the system time. These activities provide the data needed for the subsequent lab modules.
Search Event Viewer:
Trainees practice finding events in the Security and System event logs for the activities created in the previous sections. Participants also record and check the event ID. Event IDs identify different kinds of events, so the same event ID may appear many times, once for each repetition of the same activity on the machine. Knowing the event ID helps an administrator identify and fix issues or monitor the system for potential security threats. At the end of this exercise, learners see how log entries read, which provides another way to check their work.
Audit Event Viewer by Using Windows PowerShell:
This section instructs learners on executing PowerShell commands to display the properties of Windows logs and to view recent log entries. The user also practices listing error messages using the ‘-EntryType error’ parameter. Learners pick up PowerShell syntax and usage, as well as a different strategy for finding log information.
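Putting the three PowerShell steps of this section together, as an added example that is not part of the lab material: it assumes Windows PowerShell 5.1 on Windows Server 2016, an elevated session (reading the Security log requires administrator rights), and that the lab's administrative tasks were performed within the last hour; the Security event IDs it looks up are the standard Windows audit IDs for those tasks.

```powershell
# Added example, not part of the lab. Get-EventLog is the classic cmdlet available in
# Windows PowerShell 5.1 on Server 2016; it was removed from PowerShell 7, where
# Get-WinEvent (-ListLog / -FilterHashtable) is the replacement.

# 1. Log properties: maximum size in KB and what happens when the log fills up.
#    These are the same values the lab has you read from the log's Properties dialog.
Get-EventLog -List |
    Where-Object { $_.Log -in 'Application', 'Security', 'System' } |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays |
    Format-Table -AutoSize

# 2. The newest entries in the System log.
Get-EventLog -LogName System -Newest 10 |
    Select-Object TimeGenerated, EntryType, Source, EventID, Message |
    Format-Table -AutoSize -Wrap

# 3. Only error entries, as in the lab's '-EntryType error' step.
Get-EventLog -LogName System -EntryType Error -Newest 10 |
    Select-Object TimeGenerated, Source, EventID, Message |
    Format-List

# 4. Locate the Security events produced by the lab's administrative tasks.
#    Keys are the standard Windows Security audit event IDs for each activity.
$labEvents = @{
    4720 = 'User account created'
    4624 = 'Successful logon'
    4634 = 'Logoff'
    4732 = 'Member added to a security-enabled local group'
    4616 = 'System time changed'
}
# Assumption: the tasks were performed within the last hour.
$since = (Get-Date).AddHours(-1)
Get-EventLog -LogName Security -After $since |
    Where-Object { $labEvents.ContainsKey([int]$_.EventID) } |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated,
                  EventID,
                  @{ Name = 'Activity'; Expression = { $labEvents[[int]$_.EventID] } },
                  @{ Name = 'Summary';  Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If a task produced no matching row, check that the corresponding audit subcategory is enabled in the local security policy; the Security log records only what auditing is configured to capture.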
The learner who completes this lab comes away with essential skills in using the administrative tools GUI and in working with PowerShell commands to audit the Event Viewer. Above all, lab participants know how to generate, retrieve, and read Windows event logs and how to apply that information in their information technology roles.
Users wishing to advance their understanding of Windows security and logging should consider these other challenges:
- GUIDED CHALLENGE: Secure Information by Using Encryption
- ADVANCED CHALLENGE: Can You Configure Alerts and Archiving for Log Files in Linux?