Windows 2000 system logs in detail, and how they are deleted

  
Windows 2000 log files usually include the application log, security log, system log, DNS server log, FTP log, WWW log and so on; which ones exist depends on the services the server is running. When you probe a server with a scanner such as Streamer, for example an IPC probe, the user name, time and so on used by the probe are written to the security log almost at once. After an FTP probe, the FTP log immediately records the IP address, the time, and the user names and passwords that were tried. Even an upload with Streamer requires the msvcp60.dll dynamic link library; if the server does not have this file, that too is recorded in the log. This is why you should not probe domestic hosts: it is easy for them to write down your IP and find you, as long as they want to!

There is also the Scheduler log, another important log. You should know that the frequently used srv.exe is started by this service, and the log records everything the Scheduler service does, such as starting and stopping the service.

Default locations of the log files:

Application log, security log, system log and DNS log: %systemroot%\system32\config, with a default file size of 512KB (an administrator may change this default).
Security log file: %systemroot%\system32\config\SecEvent.EVT
System log file: %systemroot%\system32\config\SysEvent.EVT
Application log file: %systemroot%\system32\config\AppEvent.EVT
Internet Information Services FTP log: %systemroot%\system32\logfiles\msftpsvc1, one log file per day by default
Internet Information Services WWW log: %systemroot%\system32\logfiles\w3svc1, one log file per day by default
Scheduler service log: %systemroot%\schedlgu.txt

The locations of the application log, security log, system log and DNS server log are stored in the registry under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog

Some administrators relocate these logs. There are many subkeys under Eventlog, and the directory of each of the above logs can be found there. The Scheduler service log location is in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

FTP and WWW log details: by default, the FTP log and the WWW log each produce one log file per day containing all of that day's records. The file name is usually ex(year)(month)(day); for example, ex001023 is the log generated on October 23, 2000. It can be opened directly with Notepad, as in the following example:
#Software: Microsoft Internet Information Services 5.0 (Microsoft IIS 5.0)
#Version: 1.0 (version 1.0)
#Date: 2000-10-23 0315 (date and time the service started)
#Fields: time c-ip cs-method cs-uri-stem sc-status
0315 127.0.0.1 [1]USER administator 331 (a user at IP address 127.0.0.1 tried to log in with the user name administator)
0318 127.0.0.1 [1]PASS – 530 (login failed)
032:04 127.0.0.1 [1]USER nt 331 (a user at IP address 127.0.0.1 tried to log in with the user name nt)
032:06 127.0.0.1 [1]PASS – 530 (login failed)
032:09 127.0.0.1 [1]USER cyz 331 (a user at IP address 127.0.0.1 tried to log in with the user name cyz)
0322 127.0.0.1 [1]PASS – 530 (login failed)
0322 127.0.0.1 [1]USER administrator 331 (a user at IP address 127.0.0.1 tried to log in with the user name administrator)
0324 127.0.0.1 [1]PASS – 230 (login succeeded)
0321 127.0.0.1 [1]MKD nt 550 (creating a directory failed)
0325 127.0.0.1 [1]QUIT – 550 (exited the FTP program)

From the log it can be seen that the user at IP address 127.0.0.1 kept trying to log in to the system, changing the user name and password four times. The administrator can immediately learn the intruder's time, IP address and the user names that were probed. In the example above the intruder finally got in with the administrator user name, so the administrator should consider changing that account's password or renaming the administrator user.

WWW log: the WWW service works the same way as the FTP service. Its log is also generated in the %systemroot%\System32\LogFiles\W3SVC1 directory, one log file per day by default. The following is a typical WWW log file:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:091
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-10-23 03:091 192.168.1.26 - 192.168.1.37 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2000-10-23 03:094 192.168.1.26 - 192.168.1.37 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)

Analyzing the sixth line shows that on October 23, 2000, a user at IP address 192.168.1.26 accessed the page iisstart.asp through port 80 of the machine 192.168.1.37, with a browser identifying itself as compatible;+MSIE+5.0;+Windows+98;+DigExt. An experienced administrator can combine the security log, FTP log and WWW log to determine the intruder's IP address and the time of the intrusion. Even if you delete the FTP and WWW logs, the system log and security log still record the attempts, although they show only your machine name rather than your IP. For the probes above, the system log produces the following record: at a glance, on October 23, 2000 at 16:17 the system warned of certain events; double-clicking the first one opens its properties. The properties record the reason for the warning: someone tried to log in with the user name administator and an error occurred, and the source is the FTP service. The security log records the same events at the same time, and two kinds of icon appear there: a key (indicating success) and a lock (indicating that the user was stopped while doing something). Four consecutive lock icons indicate four failures. The event types are account logon and logon/logoff failure, the date is October 18, 2000 and the time is 1002. This deserves careful observation.
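As an added example (not code from the original article), the following Python script parses IIS 5.0 W3C extended log entries like those shown above, using the #Fields header so the same parser handles both the FTP and the WWW layouts, and flags a client that repeatedly fails the PASS command (status 530) and then succeeds (230), which is exactly the pattern the administrator is asked to spot by eye. The sample log, including its times and IP addresses, is constructed for the example.

```python
from collections import defaultdict

# Constructed FTP log modelled on the article's excerpt; times and IPs are made up.
SAMPLE_FTP_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:15:20
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15:20 127.0.0.1 [1]USER administator 331
03:18:10 127.0.0.1 [1]PASS - 530
03:20:04 127.0.0.1 [1]USER nt 331
03:20:06 127.0.0.1 [1]PASS - 530
03:20:09 127.0.0.1 [1]USER cyz 331
03:22:00 127.0.0.1 [1]PASS - 530
03:22:30 127.0.0.1 [1]USER administrator 331
03:24:00 127.0.0.1 [1]PASS - 230
03:24:30 127.0.0.1 [1]MKD nt 550
03:25:00 127.0.0.1 [1]QUIT - 550
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields header.
    Works for both the FTP (MSFTPSVC) and the WWW (W3SVC) layouts shown in the article."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_password_guessing(text, threshold=3):
    """Map client IP -> (number of PASS failures, user name of the first successful
    login or None) for every client whose 530 count reaches the threshold."""
    fails = defaultdict(int)
    last_user, success_user = {}, {}
    for e in parse_w3c(text):
        ip = e["c-ip"]
        method = e["cs-method"].split("]")[-1].upper()  # drop the IIS "[n]" session id
        if method == "USER":
            last_user[ip] = e["cs-uri-stem"]
        elif method == "PASS":
            if e["sc-status"] == "530":
                fails[ip] += 1
            elif e["sc-status"] == "230":
                success_user.setdefault(ip, last_user.get(ip))
    return {ip: (n, success_user.get(ip)) for ip, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (n, user) in find_password_guessing(SAMPLE_FTP_LOG).items():
        print(f"{ip}: {n} failed PASS attempts, then logged in as {user!r}")
```

Pointing the same function at a real exYYMMDD.log from %systemroot%\system32\logfiles\msftpsvc1 gives the administrator the list of probing hosts and which account they eventually got into.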
Double-click the first failure audit event to get a detailed description of it: we learn that a workstation called CYZ tried to log in to the machine with the user name administator but failed because the user name was unknown or the password was wrong (in fact the password was wrong). There is also the DNS server log, which is less important and is skipped here.

Knowing the details of the Windows 2000 logs, we next need to learn how these logs are deleted. From the above we know that log files are usually protected by a service running in the background. For the system log, security log and application log, that service is a key Windows 2000 process which, together with the registry, is started when Windows 2000 boots to protect these files, so they are hard to delete; the FTP log, WWW log and Schedlgu log, by contrast, can be deleted easily. The intruder first obtains the Administrator password or that of a member of the Administrators group, then Telnets to the remote host and first tries to delete the Scheduler log:
D:\SERVER>del schedlgu.txt
D:\SERVER\SchedLgU.Txt
The process cannot access the file because it is being used by another process.

As said above, there is a service protecting it in the background, so the service has to be stopped first!
D:\SERVER>net stop "task scheduler"
The following services are dependent on the Task Scheduler service. Stopping the Task Scheduler service will also stop these services.

   Remote Storage Engine

Do you want to continue this operation? (Y/N) [N]: y
The Remote Storage Engine service is stopping....
The Remote Storage Engine service was stopped successfully.
The Task Scheduler service is stopping.
The Task Scheduler service was stopped successfully.

OK, the service is stopped, and the services that depend on it are stopped too. Try deleting again!
D:\SERVER>del schedlgu.txt
D:\SERVER>

No response? Success! Next come the FTP log and the WWW log. The principle is the same: stop the related service first, then delete the log!
D:\SERVER\system32\LogFiles\MSFTPSVC1>del ex*.log
D:\SERVER\system32\LogFiles\MSFTPSVC1>

The above operation deleted the FTP log successfully! Now on to the WWW log!
D:\SERVER\system32\LogFiles\W3SVC1>del ex*.log
D:\SERVER\system32\LogFiles\W3SVC1>

OK! Congratulations, the simple logs have been deleted successfully. Now for the hard ones, the security log and the system log. The service guarding these logs is Event Log; try to stop it!
D:\SERVER\system32\LogFiles\W3SVC1>net stop eventlog
This service cannot accept the requested "pause" or "stop" operation.

No way; it is a key service. Without third-party tools there is no way at all to delete the security log and system log from the command line! So the only remaining method is simple but painfully slow: open "Event Viewer" under "Administrative Tools" in the "Control Panel" (Windows 98 does not have it; one of the benefits of using Win2k). The "Action" menu has an item called "Connect to another computer"; enter the IP of the remote computer, then light a cigarette and wait tens of minutes, enduring torture like a crash. Select the remote computer's security log, right-click it and choose Properties, click the "Clear Log" button in the properties, OK! The security log is cleared! Clearing the system log takes the same pains.

In summary, without third-party tools the FTP, WWW and Schedlgu logs can be cleared quickly and smoothly, while the system log and security log are strictly guarded by Windows 2000 and can only be opened with the Event Viewer; because that is a graphical interface, and the network is slow, they can still be cleared if you have the money and the time. That covers the Windows 2000 log files and the way they are deleted, but it requires being an Administrator. Note that you must log on as an administrator or a member of the Administrators group to open the security log. This applies to Windows 2000 Professional computers and to Windows 2000 Server computers running as stand-alone or member servers.