One of the most important things in the security field is being able to act quickly when there is a problem. One of the easiest (and cheapest) things you can do to prepare yourself for an incident when using a Windows 2000 or later system is to customize your views in the Event Viewer
One of the easiest (and cheapest) things you can do to prepare yourself for an incident when using a Windows 2000 or later system is to customize your views in the Event Viewer application. Do this by opening the Event Viewer application and right-click on the Security Log. Select "New Log View".
This creates a second "view" of the same log. Now, right-click that log, which probably says "Security Log (2)" now, and select Filter from the View sub-menu. Next, select an appropriate Event Source, such as SAM, or NetLogon or RemoteAccess. You can also select a category, indicate whether you want to view failures or successes, etc.
Once you press "OK" or "Apply" you will see only the entries you selected in your filter. Last, rename this view to something a little more descriptive. Now repeat this process for whatever event sources you feel are appropriate to the security of your environment.
What this allows you to do is quickly sift through the mountain of information that is logged on heavily utilized production servers. When auditing is turned on, it can be almost impossible to find information quickly, but by configuring separate views, with different filters, with the click of a mouse, you can go right to the information you're looking for.
Also, you can open multiple instances of Event Viewer, so if you have a dedicated console used to monitor your Windows servers, you can leave several Event Viewers open, each displaying a different view, for even faster access.
About the author:
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
This was first published in March 2002