Hi, I have both systems configured so that the event logger logs everything that is sent to it. Both systems have the logs set to overwrite. The NT security log is 4 Megabytes and is currently holding almost 8 months of log entries. The 2K system security log is 10 Megabytes and normally holds about 2 1/2 months of log entries, but right now it has about a week.

The NT has my company's default install, which includes Novell, and I have not made significant changes to it. The Windows 2K system I installed and proceeded to shut off almost every service known to Microsoft. The only open TCP port on the system is the UNIX line printer port, 515. The only open UDP ports are those opened by the anti-virus software. All of the above ports are blocked by the W2K IPSEC packet filter. The 2K is an IBM NetVista 800MHz Pentium III with about 180 out of 256 Megabytes of RAM in use, but I don't know what the memory usage was when Word was indexing forever. The NT has 144 Megabytes of RAM, and right now about half is in use. The system is a 200 MHz Pentium Compaq Deskpro.

Just checked arp and it again failed to log the process termination. Looking back through the event log, I find several instances between May 31 and Dec 23 where arp logged termination correctly. Starting on Dec 31 it failed to log termination of arp commands.

I did find that I have a much more frequent event showing a process being created, but with no corresponding termination event being logged. I normally use a Cygwin bash shell to run command line programs. It creates a subshell which then executes the command line. The creation of this subshell creates a new process event message. This is then followed by the execution of the command and the new process event message for that command. When that command completes, there is usually a process termination event message logged. What is not logged is the termination of the subshell. This is the same on NT and 2K.

In UNIX the subshell and executed command would have the same process ID, but in Windows they each get their own process ID. Monitoring a command with Filemon from Winternals shows that the subshell has filesystem activity after the execution of the command. Strace for NT also shows the command starting before the subshell terminates. The one curiosity I noticed in the trace was when the subshell exits, its exit status is 131072 (0x10000). All other programs I have previously traced have had single digit return values. Adding "exit(131072);" to a "Hello World" program resulted in an exit status of 12 and the process termination was logged.

Thinking that possibly the problem may be in the bash shell, I tried running "arp -a" from a DOS command window. It logs the process creation, but not the termination. Rebooting the NT has "fixed" arp, but rasusers and the bash subshell still are not logging process termination. Looking back through the commands that had been started on the system between Dec 23 and Dec 31 was not productive.

As usual, I find a new quirk in Microsoft's operating systems and it leads me to a whole new set of questions with no easy answers.

TGIF & B Cing U
Buck

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
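The check Buck is doing by eye above, written out as an added example that is not from the post or from any tool it mentions: pair NT/2000 security-log events 592 (new process created) and 593 (process exited) by PID and report creations that never got an exit record. The records are constructed, the field names are an assumption, and the matching allows for PID reuse, which an exported log will contain.

```python
"""Correlate process-creation (592) and process-exit (593) audit events by PID."""

# Constructed sample records (not real log exports). Field names are assumed.
# PID 100/102: bash subshells with no exit logged; PID 103 is reused before
# the earlier rasusers instance ever logs an exit.
SAMPLE_EVENTS = [
    {"time": "2003-01-03 09:00:01", "id": 592, "pid": 100, "image": r"C:\cygwin\bin\bash.exe"},
    {"time": "2003-01-03 09:00:01", "id": 592, "pid": 101, "image": r"C:\WINNT\system32\arp.exe"},
    {"time": "2003-01-03 09:00:02", "id": 593, "pid": 101, "image": r"C:\WINNT\system32\arp.exe"},
    {"time": "2003-01-03 09:05:10", "id": 592, "pid": 102, "image": r"C:\cygwin\bin\bash.exe"},
    {"time": "2003-01-03 09:05:10", "id": 592, "pid": 103, "image": r"C:\WINNT\system32\rasusers.exe"},
    {"time": "2003-01-03 09:40:00", "id": 592, "pid": 103, "image": r"C:\WINNT\notepad.exe"},
    {"time": "2003-01-03 09:41:30", "id": 593, "pid": 103, "image": r"C:\WINNT\notepad.exe"},
]


def unmatched_creations(events):
    """Return the 592 records that never received a matching 593 for the same PID.

    A 593 closes the most recent open creation of that PID. If a PID shows up in a
    new 592 while an earlier creation is still open, the earlier one is reported
    as an orphan: the kernel reused the PID, so the old process must have exited
    without the audit subsystem writing a 593.
    """
    open_by_pid = {}   # pid -> creation record still waiting for its 593
    orphans = []
    # Stable sort keeps the on-disk order for records within the same second.
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 592:
            if ev["pid"] in open_by_pid:
                orphans.append(open_by_pid[ev["pid"]])
            open_by_pid[ev["pid"]] = ev
        elif ev["id"] == 593:
            open_by_pid.pop(ev["pid"], None)
    orphans.extend(open_by_pid.values())   # still open at end of log
    return orphans


def orphans_by_image(events):
    """Count unmatched creations per executable name, e.g. {'bash.exe': 2}."""
    counts = {}
    for ev in unmatched_creations(events):
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in unmatched_creations(SAMPLE_EVENTS):
        print(f'{ev["time"]} pid={ev["pid"]} {ev["image"]} : no 593 logged')
    print(orphans_by_image(SAMPLE_EVENTS))
```

Run against a log exported over a long window, the per-image counts make it easy to see whether the gap is confined to the bash subshell and a few commands, as described above, or whether 593 stopped being written for everything after a certain date.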
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:48:42 PST