[ISN] REVIEW: "Windows NT Event Logging", James D. Murray

From: mea culpa <jericho_at_dimensional.com>
Date: Thu 14 Jan 1999 - 15:14:35 CST
Forwarded From: secedu@all.net
Forwarded From: "Rob Slade" <rslade@sprint.ca>

BKWNTEVT.RVW   981101

"Windows NT Event Logging", James D. Murray, 1998, 1-56592-514-9,
U$32.95/C$48.95
%A   James D. Murray
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   1998
%G   1-56592-514-9
%I   O'Reilly & Associates, Inc.
%O   U$32.95/C$48.95 707-829-0515 fax: 707-829-0104 nuts@ora.com
%P   316 p. + CD-ROM
%T   "Windows NT Event Logging"

I have a SCSI drive.  For some reason this fact generates an event every
time I start my NT machine.  Event logging and auditing plays a role at
least as central to data security as does encryption.  At one time I
worked for an outfit whose product was the basis of a theft retrieval
system.  Obviously our data did not age well, so event traps were written
to alert the system administrator as soon, and in as many different ways,
as possible.  At the moment I am reviewing a product that is failing in a
very consistent manner.  Unfortunately, I can't get enough information
about the manner, because I haven't yet found an event log that gets
written in regard to this problem. 

Administrators of mini and larger machines, and of course all security
mavens, will be well familiar with the concept of event logging, although
many desktop users and support people will be new to the idea.  Murray has
written a valuable, though not easy, book to cover the issue. 

Chapter one explains what event logging is, and how it is used in
troubleshooting, resource tracking, and security.  It also provides
details of the WinNT event logs, and their use.  The event logging service
and its functions are treated in chapter two.  Event Viewer operation is
detailed in chapter three, complete with a list of annoyances and
limitations.  Chapter four goes into considerable detail regarding
security auditing, and discusses the famous (or infamous) C-2 security
standards. 

Chapter five provides programmers with details of the Event Logging API
(Application Programming Interface).  Event logs themselves do not hold
messages as such, and so message files must be created, as is outlined in
chapter six.  You may wish to access the event logs outside of the
standard Event Viewer application, so chapter seven provides sample code
to indicate how this is done.  Reporting events is covered for a variety
of languages in chapter eight. 

The appendices contain much useful information.  A has a list of resources
for further information.  A number of them are quite generic, but there is
a compendium of useful titles of interest in the Microsoft Knowledge Base. 
Event logging under Windows for Workgroups is covered in B.  WinNT
security events are detailed in C.  D provides a description of the DumpEl
utility.  Kernel mode logging is described in E. 

Although I had many reasons to be personally interested in the topic, I
must say that I found the book very heavy going.  In addition the
structure, while not disorganized, sometimes seems to lack focus, and the
reader needs to go to a number of chapters to find information on a single
topic.  Whatever its minor faults, however, this work contains significant
data and advice on a very important topic for programmers, support people,
administrators, and, yes, even users. 

(Besides, how can I resist a book illustrated with a Castor canadensis on
the cover?)

copyright Robert M. Slade, 1998 BKWNTEVT.RVW 981101

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 16:59:40 1999