During the course of installing and maintaining Microsoft's Windows 2000, you may often find yourself wandering through the Event Viewer, looking for errors or some hint to help you understand a problem. The Event Viewer is a very useful tool for security checking too, but it isn't the only place to find helpful information. In fact, much more detailed information can often be found in log files in your %systemroot%\Debug directory.
If you browse to this directory, you will likely find a number of files that can provide security-related information, but your list will vary depending on what services you've installed. Some popular files are listed below:
Netsetup.log shows what happened whenever you try to join domains.
Userenv.log shows user profile and Group Policy information.
PASSWD.log shows information about local accounts. This file can be interesting because it often shows automated changes to system accounts.
ipsecpa.log shows information about IPSec activity. Related key negotiation information can also be found in Oakley.log.
Depending on what you have installed, you may also see several log files related to Active Directory. You may also have a number of these files but they may be empty, with a file size of zero bytes. If you are using a service heavily and still have a file size of zero bytes, you may need to enable debugging. You may have to search for individual instructions on how
Navigate to the HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent key and then create a key called Oakley. Inside that key, create an entry named EnableLogging and give it a REG_DWORD value of 1. You'll need to restart your IPSec service (or simply reboot) for this to take effect.
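The following is an added example, not part of the original article: it inventories a Debug directory (the live one, or a copy collected from a host) for the log files named above and flags the zero-byte ones, which is the cue the article gives for enabling debugging. The function names and the choice of Python are assumptions made for this illustration.

```python
import os
import sys
from datetime import datetime, timezone

# Log names and what they record, as listed in the article.
DEBUG_LOGS = {
    "Netsetup.log": "domain join attempts",
    "Userenv.log": "user profile and Group Policy information",
    "PASSWD.log": "local account changes",
    "ipsecpa.log": "IPSec activity",
    "Oakley.log": "IPSec key negotiation",
}

def audit_debug_dir(debug_dir):
    """Return {log name: (status, size, mtime)} for the article's logs.

    status is 'missing', 'empty' (zero bytes, so debugging is probably
    not enabled for that service) or 'populated'.
    """
    # Windows file names are case-insensitive; match that on any platform.
    present = {name.lower(): name for name in os.listdir(debug_dir)}
    report = {}
    for log in DEBUG_LOGS:
        actual = present.get(log.lower())
        if actual is None:
            report[log] = ("missing", 0, None)
            continue
        st = os.stat(os.path.join(debug_dir, actual))
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
        status = "populated" if st.st_size > 0 else "empty"
        report[log] = (status, st.st_size, mtime)
    return report

def needs_debugging_enabled(report):
    """Names of logs that exist but are zero bytes, sorted."""
    return sorted(n for n, (status, _, _) in report.items() if status == "empty")

if __name__ == "__main__":
    # Pass a collected copy as argv[1], or run on the host itself,
    # where the directory is %systemroot%\Debug.
    root = os.environ.get("SystemRoot", "")
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(root, "Debug")
    if os.path.isdir(target):
        report = audit_debug_dir(target)
        for name, (status, size, mtime) in report.items():
            print(f"{name:14} {status:10} {size:>10} {mtime or '-'}  {DEBUG_LOGS[name]}")
        print("Zero-byte logs:", needs_debugging_enabled(report) or "none")
```

An Oakley.log reported as empty or missing on a host that uses IPSec heavily points at the EnableLogging registry value described above.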
Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.
This was first published in June 2002