[ISN] REVIEW: "Windows NT Event Logging", James D. Murray

From: mea culpa (jerichoat_private)
Date: Thu Jan 14 1999 - 13:14:35 PST


    Forwarded From: seceduat_private
    Forwarded From: "Rob Slade" <rsladeat_private>
    
    BKWNTEVT.RVW   981101
    
    "Windows NT Event Logging", James D. Murray, 1998, 1-56592-514-9,
    U$32.95/C$48.95
    %A   James D. Murray
    %C   103 Morris Street, Suite A, Sebastopol, CA   95472
    %D   1998
    %G   1-56592-514-9
    %I   O'Reilly & Associates, Inc.
    %O   U$32.95/C$48.95 707-829-0515 fax: 707-829-0104 nutsat_private
    %P   316 p. + CD-ROM
    %T   "Windows NT Event Logging"
    
    I have a SCSI drive.  For some reason this fact generates an event every
    time I start my NT machine.  Event logging and auditing play a role at
    least as central to data security as does encryption.  At one time I
    worked for an outfit whose product was the basis of a theft retrieval
    system.  Obviously our data did not age well, so event traps were written
    to alert the system administrator as soon, and in as many different ways,
    as possible.  At the moment I am reviewing a product that is failing in a
    very consistent manner.  Unfortunately, I can't get enough information
    about the manner, because I haven't yet found an event log that gets
    written in regard to this problem.
    
    Administrators of mini and larger machines, and of course all security
    mavens, will be well familiar with the concept of event logging, although
    many desktop users and support people will be new to the idea.  Murray has
    written a valuable, though not easy, book to cover the issue. 
    
    Chapter one explains what event logging is, and how it is used in
    troubleshooting, resource tracking, and security.  It also provides
    details of the WinNT event logs, and their use.  The event logging service
    and its functions are treated in chapter two.  Event Viewer operation is
    detailed in chapter three, complete with a list of annoyances and
    limitations.  Chapter four goes into considerable detail regarding
    security auditing, and discusses the famous (or infamous) C-2 security
    standards. 
    
    Chapter five provides programmers with details of the Event Logging API
    (Application Programming Interface).  Event logs themselves do not hold
    messages as such, and so message files must be created, as is outlined in
    chapter six.  You may wish to access the event logs outside of the
    standard Event Viewer application, so chapter seven provides sample code
    to indicate how this is done.  Reporting events is covered for a variety
    of languages in chapter eight. 
    
    The appendices contain much useful information.  A has a list of resources
    for further information.  A number of them are quite generic, but there is
    a compendium of useful titles of interest in the Microsoft Knowledge Base. 
    Event logging under Windows for Workgroups is covered in B.  WinNT
    security events are detailed in C.  D provides a description of the DumpEl
    utility.  Kernel mode logging is described in E. 
    
    Although I had many reasons to be personally interested in the topic, I
    must say that I found the book very heavy going.  In addition the
    structure, while not disorganized, sometimes seems to lack focus, and the
    reader needs to go to a number of chapters to find information on a single
    topic.  Whatever its minor faults, however, this work contains significant
    data and advice on a very important topic for programmers, support people,
    administrators, and, yes, even users. 
    
    (Besides, how can I resist a book illustrated with a Castor canadensis on
    the cover?)
    
    copyright Robert M. Slade, 1998 BKWNTEVT.RVW 981101
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:15:46 PDT