Subject:
From: David Gillett <[log in to unmask]>
Reply To: PCSOFT - Personal Computer software discussion list <[log in to unmask]>
Date: Wed, 28 Feb 2007 00:45:22 -0800
  Actually, "logging" -- keeping a timestamped list of events (as in 
"Captain's Log, Stardate whatever") -- has very little to do with "login" -- 
authenticating yourself to the system as a user with specific 
authorizations.  Well, historically, when a new or transferred sailor joined 
a ship, their arrival and addition to the roster was recorded in the ship's 
log, so they were "logged aboard" or "logged on"....

  Anyway, the NT/2K/XP(/Vista, almost certainly) OS manages three databases 
of event records, the System Log, Application Log, and Security Log.  The 
System Log records things like reboots and services starting and stopping.  
The Application Log is available for applications to record items of 
interest, and a number of the utilities that come with the OS take advantage 
of that opportunity.  User logins are "security events", so they go in the 
Security Log.  All three can be reviewed using the "Event Manager" utility 
(which is reachable a couple of different ways under "Administrative 
Tools").

  So, if you go find the Event Manager and look in the Security Log, your 
next question is going to be "Why is it empty???"  The answer is simple:  
the default install configuration doesn't log security events.  Yes, you 
read that correctly.
  So if you want the system to record these events, you need to enable it 
first.  Except, of course, that that's not part of the Event Manager, and 
it's not called "Log Security Events".  You need to look in the 
Administrative Tools for the Local Security Policy stuff, and find the place 
to "Enable Auditing of Security Events", and turn that ON.
  That's necessary, but not sufficient.  Somewhere nearby is the list of 
*which* security events to "audit", and by default none are enabled.  There 
are half a dozen categories of events, and two checkboxes for each, one 
labelled "Successes" and one labeled "Failures".  (A login failure typically 
means someone entered an account that doesn't exist, or the wrong 
password...)
  A truly hardened Windows box should have all categories of Failures 
audited.  Some categories, like "Object Access", will generate huge numbers 
of useless Successes, but login events are probably only a handful a day, so 
enable auditing of Successes for that category, too.
  NOW every login and logoff will cause an entry in the Security Log 
recording the account, the activity attempted, and whether it succeeded or 
not.

  [This is the sort of feature that an administrator would typically enable 
for all of the machines in a company's NT or Active Directory domain.  
Microsoft doesn't expect the average home user to ever need to know about 
this stuff.]

David Gillett
CISSP CCNP MCSE CCSE
           ^^^^------ This one covers details like this.


On 27 Feb 2007 at 2:22, [log in to unmask] wrote:

> Since this pertains to Login Files, I have Win XP Home and am using Windows 
> as my firewall, where can I go to see the log on this.  I looked in Control 
> Panel under Security Center, but couldn't see where or how I could review the 
> Windows log.  Can anyone point me in the right direction?   Harriel
>  
> ---------------------------------------
> Hi David,
> 
> Thanks for the kind reply.  According to the logs, the attempted 
> outbound violations have stopped, at least for now.
> 
> I have scanned this computer with just about everything that I can find 
> and nothing shows up.  For a long time, someone in San Marcus, TX pinged 
> my computer a hundred times a day.  I finally reported it to the "abuse" 
> address for the ISP, but, as usual, never heard anything and I still, 
> occasionally, get pinged by the San Marcus address.
> 
> This is a dialup machine and a slow one at that; most of the time less 
> than 28.8.
> 
> Loy
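
The audit-policy procedure from David Gillett's message above, as an added PowerShell example that is not part of the original post. It assumes an elevated session on Windows Vista or later with English category names, where `auditpol.exe` and `Get-WinEvent` ship with the OS and logon records use event IDs 4624, 4625 and 4634; the failure threshold of 5 is an illustrative choice.

```powershell
# Added example. Assumes an elevated session on Windows Vista or later with
# English category names; auditpol.exe and Get-WinEvent ship with the OS.

# 1. Show the current policy per category before changing anything.
auditpol /get /category:*

# 2. Audit Failures in every category.
auditpol /set /category:* /failure:enable

# 3. Logon events are low volume, so audit Successes for them too.
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

# 4. Read back the last day of logon (4624), failed logon (4625) and
#    logoff (4634) records from the Security Log.
$outcome = @{ 4624 = 'logon ok'; 4625 = 'logon FAILED'; 4634 = 'logoff' }
$filter  = @{ LogName = 'Security'; Id = 4624, 4625, 4634
              StartTime = (Get-Date).AddDays(-1) }

$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event fields are named <Data> elements; index them by name.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Outcome   = $outcome[$_.Id]
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    }

$records | Sort-Object Time | Format-Table -AutoSize

# 5. Accounts with repeated failures in the window deserve a closer look.
#    The threshold (5) is an arbitrary value chosen for this example.
$records | Where-Object Outcome -eq 'logon FAILED' |
    Group-Object Account | Where-Object Count -ge 5 |
    Select-Object Count, Name
```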
