Logs and Logging
Enable DHCP Logging Windows
- Open DHCP console
- In the console tree, open the applicable DHCP server (on Windows Server 2008 R2 and later, expand the server and click either IPv4 or IPv6).
- On the Action menu, click Properties.
- On the General tab, select Enable DHCP audit logging, and then click OK.
Enable DNS Logging Windows
Enable DNS Request Logging for Windows 2003/2008.
- Open the Domain Name System Microsoft Management Console (DNS MMC) snap-in.
- Click Start, point to Programs, then Administrative Tools, and then click DNS.
- In the DNS console, right-click the server and select Properties.
- In the Properties window, select the Debug Logging tab, and then select the Log packets for debugging check box.
- Ensure that the Incoming, UDP, Queries/Transfers, and Request check boxes are selected.
- Click the OK button.
Enable Netlogon Debug Logging Windows
The version of Netlogon.dll that includes tracing is installed by default. To enable debug logging, set the debug flag you want in the registry and restart the service, using the following steps:
- Start the Regedt32 program.
- Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, delete the existing REG_SZ value named DBFlag, create a REG_DWORD value with the same name, and set it to the hexadecimal value 2080FFFF.
- At a command prompt, type net stop netlogon, and then type net start netlogon. This enables debug logging.
- To disable debug logging, change the DBFlag data value to 0x0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
- Quit Regedt32.
- Stop Net Logon, and then restart Net Logon.
- After you restart Net Logon, Net Logon-related activity may be logged to %windir%\debug\netlogon.log.
- The MaximumLogFileSize registry entry can be used to specify the maximum size of the Netlogon.log file. By default, this registry entry does not exist, and the default maximum size of the Netlogon.log file is 20 MB. When the file reaches 20 MB, it is renamed to Netlogon.bak, and a new Netlogon.log file is created. This registry entry has the following parameters:
- Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- Value Name: MaximumLogFileSize
- Value Type: REG_DWORD
- Value Data: <maximum log file size in bytes>
- On Windows Server 2003-based computers, you can use the following Group Policy to configure the log file size: \Computer Configuration\Administrative Templates\System\Net Logon\Maximum Log File Size
Note: As an alternate method, you can set DBFlag without editing the registry. Run the following from a command prompt: nltest /dbflag:0x2080ffff. Nltest is included in Windows Server 2008 and is also available in the Support Tools package on the installation media for Windows Server 2003, Windows XP, and Windows 2000.
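The Netlogon procedure above, scripted in PowerShell as an added example (this is not from the original page). It applies the registry changes the page describes (replacing a REG_SZ DBFlag with a REG_DWORD, setting MaximumLogFileSize) and restarts Net Logon. The 50 MB cap is an assumed value chosen for illustration; the page's default is 20 MB. Run it from an elevated prompt as a .ps1 file.

```powershell
# Added example: toggle Netlogon debug logging via the registry values the page
# describes, then restart the Net Logon service so the new DBFlag is read.
# Usage:  .\Set-NetlogonDebug.ps1            (enable, flag 0x2080FFFF)
#         .\Set-NetlogonDebug.ps1 -Disable   (set DBFlag back to 0x0)
# $MaxLogBytes (50 MB) is an assumed value; the built-in default is 20 MB.

param(
    [switch]$Disable,
    [uint32]$MaxLogBytes = 50MB
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 0x2080FFFF is the verbose flag set given on the page; 0x0 turns tracing off.
$flag = if ($Disable) { 0x0 } else { 0x2080FFFF }

# Older builds may carry DBFlag as REG_SZ. A REG_DWORD must replace it, so
# remove any existing value of either type before creating the typed one.
if (Get-ItemProperty -Path $key -Name DBFlag -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $key -Name DBFlag
}
New-ItemProperty -Path $key -Name DBFlag -PropertyType DWord -Value $flag | Out-Null

# Cap the log so %windir%\debug\netlogon.log rolls to netlogon.bak at this size
# instead of the 20 MB default. -Force overwrites an existing value.
New-ItemProperty -Path $key -Name MaximumLogFileSize -PropertyType DWord `
    -Value $MaxLogBytes -Force | Out-Null

# Net Logon only re-reads DBFlag on restart (nltest /dbflag would apply it live).
Restart-Service -Name Netlogon -Force

# Confirm what is now in effect and whether the log file has appeared.
$p = Get-ItemProperty -Path $key
'DBFlag = 0x{0:X8}; MaximumLogFileSize = {1} bytes' -f $p.DBFlag, $p.MaximumLogFileSize
if (-not $Disable) {
    Get-Item -Path "$env:windir\debug\netlogon.log" -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
```

The delete-then-create sequence matters: New-ItemProperty -Force on an existing REG_SZ DBFlag does not change its type, and Net Logon ignores a string-typed flag, so the value must be removed first.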
Security Event Log IDs (Windows 2000/2003 numbering; on Windows Vista/Server 2008 and later these IDs are offset by 4096, e.g. 529 becomes 4625 and 528/540 become 4624)
- 528 Successful Logon
- 529 Unknown user name or bad password
- 538 User Logoff
- 540 Successful Network Logon
- 560 Object Open
- 562 Handle Closed
- 567 Object Access Attempt -- a 567 event is logged only when the corresponding 560 (Object Open) event indicates success.
- 576 Special privileges assigned to new logon
- 680 Account used for logon by (NTLM authentication). Commonly seen when a client's Kerberos attempt fails and it falls back to NTLM, which then succeeds; usually IIS.
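The event IDs above put to use, as an added PowerShell example (not from the original page): it tallies the listed legacy Security event IDs for a recent window and flags accounts that show a burst of 529 (bad password) events followed by a 528/540 success, the brute-force-then-success pattern. It uses Get-EventLog, which reads the classic Security log on the Windows 2003/2008-era systems this page covers. $Hours and $Threshold are assumed tuning values, and the account-name parser assumes the classic "User Name:<tab>value" message layout.

```powershell
# Added example: summarise the legacy Security event IDs listed on this page and
# alert on accounts with many 529s followed by a later 528/540 success.
# Requires read access to the Security log (run elevated). Written to work on
# Windows PowerShell 2.0 as well as later versions.
# $Hours and $Threshold are assumed values; tune them to the environment.

param(
    [int]$Hours = 24,
    [int]$Threshold = 10
)

# ID -> meaning, taken from the list on this page (pre-Vista numbering).
$ids = @{
    528 = 'Successful Logon'
    529 = 'Unknown user name or bad password'
    538 = 'User Logoff'
    540 = 'Successful Network Logon'
    560 = 'Object Open'
    562 = 'Handle Closed'
    567 = 'Object Access Attempt'
    576 = 'Special privileges assigned to new logon'
    680 = 'Account used for logon by (NTLM)'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-EventLog -LogName Security -After $since |
    Where-Object { $ids.ContainsKey($_.EventID) }

# Count per event ID, with the page's description attached.
$events | Group-Object EventID | Sort-Object Name | ForEach-Object {
    New-Object PSObject -Property @{
        EventID = [int]$_.Name
        Meaning = $ids[[int]$_.Name]
        Count   = $_.Count
    }
} | Format-Table EventID, Count, Meaning -AutoSize

# Pull the account name out of the message body. Assumes the classic
# "User Name:<tab>value" layout used by the 528/529/540 messages.
function Get-UserName([string]$Message) {
    if ($Message -match 'User Name:\s+([^\r\n]+)') { return $Matches[1].Trim() }
    return '<unknown>'
}

# Brute-force-then-success: at least $Threshold 529s for an account, then a
# 528 or 540 for the same account after the last failure.
$byUser = $events |
    Where-Object { 528, 529, 540 -contains $_.EventID } |
    Group-Object { Get-UserName $_.Message }

foreach ($g in $byUser) {
    $fails = @($g.Group | Where-Object { $_.EventID -eq 529 })
    if ($fails.Count -lt $Threshold) { continue }
    $lastFail = ($fails | Sort-Object TimeGenerated -Descending | Select-Object -First 1).TimeGenerated
    $success  = $g.Group |
        Where-Object { $_.EventID -ne 529 -and $_.TimeGenerated -gt $lastFail } |
        Sort-Object TimeGenerated | Select-Object -First 1
    if ($success) {
        'ALERT: {0}: {1} bad-password events (529), then success (event {2}) at {3}' -f `
            $g.Name, $fails.Count, $success.EventID, $success.TimeGenerated
    }
}
```

Get-EventLog walks the whole log before -After filtering takes effect, so on a busy domain controller with a large Security log expect the query to take a while; narrow $Hours or add -Newest if it is too slow.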