Hi, my name is Avril Salter and welcome to this short video. Today what we are going to take a look at is log files and how I can filter those log files and create custom views that will make it easier for my administrator to look for specific events. What I want to do today is to actually look for a specific event. What I have done is I have set up this folder called Avril_Secrets, and every time someone opens that folder or attempts to access that folder it will create a security event.
To see what is happening in our security log we are going to come here and go into our Event Viewer, and if we scroll down we can see the different logs and of course we are looking at the security log. That is the one I am going to give an example of how we can filter. You can see that its size is set up to 40 MB, and over here you can see that I am archiving this log when it is full to make sure none of my events are overwritten, so I won’t lose anything.
Let’s click on that and take a look at the contents of my security log file. Here you can see I have got many events going into here; you can see some logons and some logoffs, some file shares. Here you can see some file system entries, and it is the file system entries that I want to search on and capture. Now, to do that I am going to come over here into Custom Views and I am going to right click and select Create Custom View. You can see here that I can select the time, so I could be filtering my log for just the last hour, the last 12 hours, or the last 24 hours. Here we are going to select in this example 24 hours, and I am going to select the Event level Information; if you want more detail then you would also select Verbose.
On the Event logs I can actually search on multiple logs; here I am just looking at my security log so I select that. Here I can select Event sources. I am simply going to say All in this example. Here, if I want, I can select the Event ID or I can go into the Task category. So here I happen to know the Event ID is 4663 for the file system, and here I can then go on to select keywords. Now, in this case I have got it set to select both Audit Success and Audit Failure, but I just want to see who is successfully accessing this file, so I am going to select Audit Success. Down here I can look for a specific User or a specific Computer. In this case I am just going to leave it as the default, which means it would generate all events that occurred from all users and all computers that were accessing this file system.
I click OK, and I now need to give it a name. I also have an option here to create a new folder, so I could keep this in the Custom Views folder or I can actually create a new folder. I am going to call this Avril Custom views. Click OK. Click OK. Now here you can see that I have now created a new folder called Avril Custom views, and in there is a custom view called Event_4663_log. If you look over here on the right, you can see that this folder now contains all the events that are accessing the file system. The problem is that I still do not know which of these events were specific to the Avril_Secrets folder. What I need to do is export this custom log and do a search on it.
To do that I am going to select Actions and then Save All Events in Custom View. I am going to save it and I am going to call it Event_4663_log. Notice here that I have got different formats that I can save this event file in, so I could continue to save it in .evtx, which means I could display it in the Event Viewer. I have an option for .xml, an option for .txt, and also an option for .csv. .csv would save it into an Excel spreadsheet. In this example I am going to save it as a text file, and the reason I am going to do that is because I want to open it up in Notepad. I have now saved my event log file, and I can now come in and you can see that it has created this text document here. Now I am going to open Notepad and open the text file which was created. I have quite an extensive log file, lots of different events.
Now I can actually search on Avril_Secrets. You can see I am now able to successfully find the specific events where people have been accessing the Avril_Secrets folder. I brought this up in Notepad; of course you could have brought that up in a tool, and you could have automated those searches. So, if I wanted to search on that folder on a regular basis I could use my tool to display that information, rather than actually going through and filtering it and then searching for it in Notepad.
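The automated version of what the video does by hand, as an added example that is not part of the original video: the same filter as the custom view (Security log, Event ID 4663, Audit Success, last 24 hours) expressed as a Get-WinEvent filter, followed by the Avril_Secrets search done on the event's named fields rather than on exported text. It assumes an elevated PowerShell session (reading the Security log needs administrator rights), that auditing on the folder is already producing 4663 events as the video describes, and an output path of my choosing; the folder's full path is not shown in the video, so the match is on the folder name only.

```powershell
# Added example, not from the video: reproduce the Event Viewer custom view
# (Security log, Event ID 4663, Audit Success, last 24 hours) with Get-WinEvent
# and automate the Notepad search for the Avril_Secrets folder.
# Assumptions: run from an elevated PowerShell (the Security log needs admin
# rights), and auditing on the folder is already generating 4663 events.

$FolderName = 'Avril_Secrets'            # folder name from the video; full path is not shown there
$Since      = (Get-Date).AddHours(-24)    # same time window as the custom view

# 0x20000000000000 is the Audit Success keyword bit; Event Viewer writes it into
# the custom view XML as band(Keywords,9007199254740992). Audit Failure is
# 0x10000000000000.
$AuditSuccess = 0x20000000000000

# The hashtable filter is the scripted equivalent of the Create Custom View dialog.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $Since
    Keywords  = $AuditSuccess
} -ErrorAction SilentlyContinue          # Get-WinEvent raises an error when nothing matches

# Pull the named fields (ObjectName, SubjectUserName, ...) out of each event's
# XML instead of text-searching the rendered message.
$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Match the folder itself and anything underneath it.
    if ($data['ObjectName'] -like "*\$FolderName*") {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object     = $data['ObjectName']
            AccessMask = $data['AccessMask']      # e.g. 0x1 = ReadData / ListDirectory
            Process    = $data['ProcessName']
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# The same data the video exported by hand, as .csv; assumed output path.
$hits | Export-Csv -Path "$env:USERPROFILE\Event_4663_$FolderName.csv" -NoTypeInformation
```

Run it as a scheduled task and the "search on that folder on a regular basis" the video mentions becomes a report you receive rather than a Notepad search you perform. The XML tab of the custom view in Event Viewer shows the same EventID and Keywords conditions as an XPath query, which Get-WinEvent also accepts through -FilterXml if you would rather paste that query in than build the hashtable.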
I hope you found this video to be useful. Just to summarize, my security log and other log files have a tremendous amount of data in them. I can create filters and custom views in Event Viewer that help me filter down to the actual audit events that I am looking for. But sometimes it is still not enough, so in that case I have to export that information. I can export it, in my example, to a text file that I can search. In other cases you might want to pull it out in other formats that you input into a tool and automate some of those searches. Thank you for joining me, and I look forward to you joining me on the next video.