JSI Tip 6688. How do I use the Performance Logs and Alerts service to create counter logs and alerts to monitor unauthorized attempts to access Microsoft Windows 2000 Server?

Jerold Schulman

May 11, 2003


NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article 300504Q contains:

IN THIS TASK

  • SUMMARY

  • MORE INFORMATION

  • Configure a Counter Log to Monitor Unauthorized File Access and Logon Attempts

  • Configure Alerts to Monitor Unauthorized File Access and Logon Attempts

  • REFERENCES

SUMMARY

This step-by-step article describes how to use the Performance Logs and Alerts service to create counter logs and alerts to monitor unauthorized attempts to access your computer in Microsoft Windows 2000 Server.


MORE INFORMATION

You can configure counter logs in the Performance Logs and Alerts service to monitor the number of failed logon attempts and the number of failed attempts to access files on your computer. When you regularly examine counter logs, you may be able to detect some types of security violations before they succeed. You can also configure alerts to send a message and notify you if a potential security violation occurs. Alerts are critical security controls that help you perform real-time monitoring.

Note: To perform the procedures that are described in this article, you must log on as Administrator or as a member of the Administrators group.


Configure a Counter Log to Monitor Unauthorized File Access and Logon Attempts

  1. Click Start, point to Programs, point to Administrative Tools, and then click Performance Logs and Alerts.

  2. Expand Performance Logs and Alerts, and then click Counter Logs.

  3. Right-click an empty area of the right pane, and then click New Log Settings.

  4. In the Name box, type a name for the log, and then click OK.

  5. Click the General tab, click Add, and then click Use local computer counters.

  6. In the Performance object box, click Server, click Select counters from list, click Errors Access Permissions, and then click Add.

  7. Click Errors Granted Access, click Add, click Errors Logon, click Add, and then click Close.

  8. Click the Log Files tab, and then do the following:

    1. In the Location box, specify the location where you want to store the log files, for example, C:\PerfLogs.

    2. In the File name box, type the name that you want for the log file.

    3. Click to select the End file names with check box, and then click yyyymmdd.

    4. In the Log file type box, click Text File - CSV.

    5. Under Log file size, click Maximum limit.

  9. Click the Schedule tab, specify the start and stop times for the counter log, and then click OK.

  10. Right-click the log file that you just created, and then click Save Settings As.

  11. In the File name box, specify a name and location where you want to save the .htm file, and then click Save.


Configure Alerts to Monitor Unauthorized File Access and Logon Attempts

  1. Click Start, point to Programs, point to Administrative Tools, and then click Performance Logs and Alerts.

  2. In the console tree, expand Performance Logs and Alerts, and then click Alerts.

  3. Right-click an empty area of the right pane, and then click New Alert Settings From.

  4. In the Open box, click the .htm file that you created and saved earlier, and then click Open.

  5. Click OK if you receive the message that you are creating an alert from a counter log.

  6. In the Name box, type a name for the alert, and then click OK.

  7. Click the General tab, and then configure the following settings for each counter that is listed in the Counters box:

    1. In the Alert when the value is box, click Over.

    2. In the Limit box, type the number of errors that can occur before an alert is generated.

  8. Click the Action tab, and then specify the action that you want to occur when an alert is triggered:

    • If you want the Performance Logs and Alerts service to create an entry in the Application log of Event Viewer when an alert occurs, click to select the Log an entry in the application event log check box.

    • If you want the Performance Logs and Alerts service to trigger the Messenger service to send a message, click to select the Send a network message to check box, and then type the Internet Protocol (IP) address or name of the computer on which the alert message should appear.

    • To start a counter log when an alert occurs, click to select the Start performance data log check box, and then specify the counter log that you want to run.

    • To run a command or program when an alert occurs, click to select the Run this program check box, and then type the file path and name of the program or command that you want to run, or click Browse to locate the file. When an alert occurs, the service creates a process and runs the specified command file. The service also copies any command-line arguments you define to the command line that is used to run the file. Click Command Line Arguments, and then click to select the appropriate check boxes to include the arguments that you want when the program is run.

  9. Click the Schedule tab, specify the start and stop times for the scan, and then click OK.
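
An added example, not part of the Knowledge Base article: it reads a counter log saved as Text File - CSV by the first procedure and applies a per-counter limit, like the alert's Over/Limit setting, to the increase between consecutive samples. It assumes the Server error counters are cumulative totals; the server name SRV01, the header layout, the sample values and the limits are constructed for illustration.

```python
import csv
import io

# Constructed sample of a counter log saved as "Text File - CSV".
# Assumed layout: first column is the sample time, the rest are counter paths.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\SRV01\Server\Errors Access Permissions","\\SRV01\Server\Errors Granted Access","\\SRV01\Server\Errors Logon"
"05/11/2003 09:00:00.000","2","0","5"
"05/11/2003 09:00:15.000","2","0","5"
"05/11/2003 09:00:30.000","2","0","47"
"05/11/2003 09:00:45.000","9","1","112"
"05/11/2003 09:01:00.000","9","1","112"
'''

# Hypothetical limits: the largest increase tolerated between two samples.
LIMITS = {
    "Errors Access Permissions": 5,
    "Errors Granted Access": 5,
    "Errors Logon": 20,
}


def find_spikes(log_text, limits):
    """Return (timestamp, counter, increase) for each interval over its limit."""
    rows = list(csv.reader(io.StringIO(log_text)))
    header, samples = rows[0], rows[1:]
    # Column index -> counter name (last component of the counter path).
    columns = {i: path.rsplit("\\", 1)[-1] for i, path in enumerate(header) if i > 0}
    spikes = []
    previous = {}
    for row in samples:
        for i, name in columns.items():
            try:
                value = float(row[i])
            except (ValueError, IndexError):
                continue  # blank or missing sample: keep the last good value
            if name in previous:
                increase = value - previous[name]
                # A negative increase means the counter restarted; never flagged.
                if increase > limits.get(name, float("inf")):
                    spikes.append((row[0], name, int(increase)))
            previous[name] = value
    return spikes


if __name__ == "__main__":
    for when, counter, increase in find_spikes(SAMPLE_LOG, LIMITS):
        print(f"{when}  {counter}: +{increase} since previous sample")
```

Comparing increases rather than raw values shows when the failures occurred; a fixed limit on a cumulative counter stays exceeded after it is first crossed.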


REFERENCES

For more information about the Performance Logs and Alerts service, see Performance Logs and Alerts Help. To do this, follow these steps:

  1. Click Start, and then point to Programs.

  2. Point to Administrative Tools, and then click Performance.

  3. On the Action menu, click Help.



