Best Practice Ezine #90 – Litmus Tests for Event Logs
This week I feature Litmus tests for event logs.
Guy’s Litmus Tests
My vision of a Litmus Test is of a simple question that instantly separates amateurs from professionals. Here are three examples of simple Litmus tests that will tell you about the abilities of a techie.
1) There is a problem with a server hanging. Professionals start by identifying then restarting the problem service. Amateurs solve the problem by rebooting the server and thus suffer unnecessary downtime.
2) Professionals always rename ‘Administrator’ to a name that blends with the other users. Amateurs leave the most powerful account open to hacking, because everyone knows that Windows systems have an account called Administrator.
3) People’s attitude to Organizational Units polarises them into professionals, who create OUs to manage their people and group policies, and amateurs, who create all their accounts in the default Users container.
Just as a blood test reveals all kinds of information about my health, so event logs reflect the wellbeing of a server. Consequently, whenever I visit a company as a consultant, it’s not long before I have a peek at their event logs. By launching the Event Viewer I can quickly run through my rich collection of Litmus tests and thus discover whether I am dealing with amateurs or professionals. My hidden agenda is this: if the company is run by amateurs then the problem may be simple, but if they are professionals, then they will already have tried all the obvious solutions.
Ever since I can remember, Windows Servers have had event logs which we can interrogate via the Event Viewer. Typical error messages would be ‘Win32Time’, ‘Backup failed’ or ‘Printer offline’. Back in NT days there were just three logs, but with each generation of Windows there seem to be more; for example, Server 2003 has a log for DNS and one for the File Replication Service. Even clients such as XP have the basic three logs: System, Security and Application.
What I want to do today is share my Event Log Litmus tests with you. I hope that one or two tests will give you ideas to amend the settings on your servers or XP machines.
LEM will alert you to problems such as a key application on a particular server becoming unavailable. It can also detect when services have stopped, or when there is a network latency problem. Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services or isolating the source of a malware attack.
Yet perhaps the killer reason why people use LEM is its compliance capability: with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can correlate data in different logs, then use its built-in logic to take corrective action, restart services, or thwart potential security breaches – give LEM a whirl.
Litmus Tests for Event Logs
Before we look at specifics, people’s attitude to event log entries alone labels them as Amateurs or Professionals – at least in my eyes.
Professionals:
a) Trace the error message in TechNet and, if that fails, enter the Event ID in their favourite search engine, confident that someone somewhere will have seen it before and have the answer.
Amateurs:
a) Cannot understand what the red dots in the log mean.
b) Always blame Microsoft.
Signs that you are a Professional (Any 5 of 7)
Characteristics of Amateurs (Any 3 of 4)
Off the wall idea
Mad Mick’s boss went on a course entitled ‘Motivate your workforce with performance related pay’. When he returned he put into practice a bonus system based on red dots in the event logs. His ‘off the wall’ idea was to start with a bank of $100 for each log. For every red dot, meaning error, he deducted $1; whatever was left the techies received as a monthly bonus.
At the end of the first month Mick just deleted the logs and claimed the bonus in full. Halfway through the next month, when the boss reviewed Mad Mick’s server, his best log showed a deficit of $594 and his worst a deficit of $3187. Shortly after, both the boss and Mick left that firm.
On a more realistic note, if you take the above challenge as a fun way of learning, then reducing the red dots will improve your knowledge of Windows Server 2003; moreover, as a direct result, your servers will run more smoothly and reliably. Alternatively, if you don’t have the time to check the logs yourself, this task could be a job for a student, or if the boss insists on sending his son or nephew to work with you over the summer, investigating the logs could keep them out of mischief.
Summary of Litmus tests
Basic Litmus tests: Size of the log file. Set to overwrite as needed. No backup errors. Check all five logs.
Advanced Litmus tests: Presence of Audit entries. Alerts. A VBScript that hunts for a specific event ID.
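The summary above can be turned into a single scripted pass over the logs. This PowerShell version is an added example, not from the ezine: it assumes Windows Vista/Server 2008 or later (for Get-WinEvent) and an elevated prompt, and the size threshold, 30-day window and sample event ID are illustrative defaults you would tune for your own servers.

```powershell
# Added example: the basic and advanced litmus tests as a PowerShell report.
# Assumptions (not from the article): Get-WinEvent is available, the shell is
# elevated, and the thresholds/event ID below are illustrative defaults.
function Test-EventLogLitmus {
    param(
        # The five logs the article names; DNS Server and FRS only exist on
        # servers holding those roles and are skipped when absent.
        [string[]] $Logs = @('System', 'Application', 'Security',
                             'DNS Server', 'File Replication Service'),
        [int] $MinSizeMB = 32,     # a smaller maximum size fails the size test
        [int] $Days = 30,          # how far back to count red dots
        [int] $EventId = 6008      # illustrative "specific event ID" to hunt for
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in $Logs) {
        $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        if (-not $cfg) { Write-Warning "Log '$log' not present on this host"; continue }

        # Red dots: Level 2 = Error. @() keeps a zero result countable.
        $errors = @(Get-WinEvent -FilterHashtable @{LogName = $log; Level = 2; StartTime = $since} `
                    -ErrorAction SilentlyContinue)
        # Backup failures: any error whose provider name mentions backup.
        $backupErrors = @($errors | Where-Object { $_.ProviderName -match 'backup' })
        # The "specific event ID" test the article does with a VBScript.
        $hits = @(Get-WinEvent -FilterHashtable @{LogName = $log; Id = $EventId; StartTime = $since} `
                  -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Log          = $cfg.LogName
            SizeMB       = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            SizeOK       = ($cfg.MaximumSizeInBytes -ge $MinSizeMB * 1MB)
            # 'Circular' is the modern name for "overwrite events as needed".
            OverwriteOK  = ($cfg.LogMode -eq 'Circular')
            RedDots      = $errors.Count
            BackupErrors = $backupErrors.Count
            EventIdHits  = $hits.Count
        }
    }
}

# Advanced test: are audit entries being written at all? A Security log with
# no audit-failure records usually means no audit policy is in force.
function Test-AuditPresent {
    $failure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
    $recent = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Keywords = $failure} `
              -MaxEvents 1 -ErrorAction SilentlyContinue
    return [bool] $recent
}

Test-EventLogLitmus | Format-Table -AutoSize
"Audit failures recorded: $(Test-AuditPresent)"
```

A row with SizeOK or OverwriteOK set to False, or a non-zero BackupErrors column, is the scripted equivalent of a failed litmus test.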