Event Management

Windows keeps event logs (the Application, Security, and System logs among others) that record what happens on the computer. Examples of such events include:

  • Device driver problems

  • Hardware errors

  • Logins and logouts

  • Reboots

  • Service startups and shutdowns

  • Creation of, and changes of, user accounts

  • Program errors

These events and more are kept in the event logs and are viewable with Event Viewer. Before getting to Event Viewer, let's look more closely at auditing, which also produces event log entries.
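The event classes listed above can also be pulled straight from the logs with PowerShell instead of browsing them in Event Viewer. The following is an added example, not code from the book; the event IDs and provider names are the standard ones Windows Vista and later write for each class, and the Security log can only be read from an elevated prompt.

```powershell
# Added example, not from the book: query the event classes listed above
# directly with PowerShell rather than browsing them in Event Viewer.
# The event IDs are the standard ones Windows Vista and later write for each
# class; the Security log is readable only from an elevated prompt.

function Get-RecentEventsByClass {
    param([int]$MaxEvents = 10)

    # One Get-WinEvent filter per event class from the list. Provider names
    # are included where an ID is also used by other sources in the same log.
    $classes = @(
        @{ Class = 'Logon';                Filter = @{ LogName = 'Security'; Id = 4624 } }
        @{ Class = 'Logoff';               Filter = @{ LogName = 'Security'; Id = 4634 } }
        @{ Class = 'User account created'; Filter = @{ LogName = 'Security'; Id = 4720 } }
        @{ Class = 'User account changed'; Filter = @{ LogName = 'Security'; Id = 4738 } }
        @{ Class = 'Service start/stop';   Filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } }
        @{ Class = 'Event Log service start/stop (reboot marker)'; Filter = @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006 } }
        @{ Class = 'Program error (crash)'; Filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } }
    )

    foreach ($c in $classes) {
        # -ErrorAction SilentlyContinue: Get-WinEvent throws when a filter matches no events,
        # which is normal on a freshly built machine (e.g. no account creations yet).
        Get-WinEvent -FilterHashtable $c.Filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Class   = $c.Class
                    Time    = $_.TimeCreated
                    Log     = $_.LogName
                    Id      = $_.Id
                    # The first line of the message is enough for a summary view
                    Summary = ($_.Message -split "`r?`n")[0]
                }
            }
    }
}

# Usage: the most recent 5 events of each class, newest first
Get-RecentEventsByClass -MaxEvents 5 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Device driver and hardware error events are deliberately left out of the table: their IDs vary by driver and by the WHEA error source, so there is no single filter that covers them the way 7036 covers service state changes. Add filters for the providers your hardware actually uses.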

Manage Auditing

Auditing lets you choose which categories of security-relevant activity (logons, privilege use, object access, policy changes, and so on) Windows records in the Security log, and whether to record successes, failures, or both.

Note

Microsoft uses the terms "event" and "audit" in the same context. Audit entries are simply event log entries: they are written to the Security log and are viewed with the same tools as any other event.

Turn on auditing

Follow these steps to turn on auditing:

  1. Go to Control Panel → System and Maintenance → Administrative Tools.

  2. Double-click 'Local Security Policy.' The 'Local Security Policy' window appears, as in Figure 15.

    Figure 15. The 'Local Security Policy' window is the path to many security policy functions including auditing

  3. Expand Local Policies and click 'Audit Policies.' The window should now look like Figure 16.

    Figure 16. Viewing and setting Audit Policies

  4. Double-click the Audit Policy you wish to change. For instance, you may wish to turn on auditing for privilege use. ...
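The same change can be made, and more importantly verified, from the command line. The block below is an added example and not code from the book; it uses auditpol.exe, which works on the per-subcategory audit settings that Vista introduced, and assumes an elevated PowerShell prompt. The category and subcategory names are the ones auditpol itself reports (list them with `auditpol /list /subcategory:*`).

```powershell
# Added example, not from the book: the same change as steps 1-4 above, made
# from an elevated PowerShell prompt with auditpol.exe, which manipulates the
# per-subcategory audit settings Vista introduced.

# 1. Save the current policy so the change can be undone exactly.
auditpol /backup /file:"$env:TEMP\auditpol-before.csv"

# 2. Show what 'Privilege Use' looks like before the change.
auditpol /get /category:"Privilege Use"

# 3. Turn on success and failure auditing for the whole category, which is
#    what step 4 in the GUI does...
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
#    ...or only the subcategory that carries the interesting events, which is
#    far quieter on a busy machine (uncomment to use instead of the line above):
# auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# 4. Verify in two ways: read the setting back, and look for the audit entry
#    that records the policy change itself (Security event 4719,
#    'System audit policy was changed').
auditpol /get /category:"Privilege Use"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 3 |
    Format-List TimeCreated, Id, Message

# 5. Once enabled, privilege use is recorded as Security events 4673
#    (a privileged service was called) and 4674 (an operation was attempted
#    on a privileged object). -ErrorAction SilentlyContinue covers the case
#    where nothing has been recorded yet.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } -AutoSize

# To roll back the whole policy to the saved baseline:
# auditpol /restore /file:"$env:TEMP\auditpol-before.csv"
```

Two caveats a practitioner should know. First, the 'Audit Policies' node in Local Security Policy sets the nine coarse categories, while Vista also has finer subcategories that are only visible through auditpol; if the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, the category settings made in the GUI are ignored in favor of the subcategory settings, so always confirm the effective policy with `auditpol /get /category:*` rather than trusting the GUI. Second, Privilege Use auditing is noisy: event 4674 in particular can flood the Security log on a busy system, so either enable only the 'Sensitive Privilege Use' subcategory or increase the Security log's maximum size before turning it on.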
