From: Gerry on
Peter

Why do you want "My Audits size in the Event Viewer is 14MB and the
Audits date back to Oct 2003"? My view is that event logs more than 14
days old are of little value. Errors should be eliminated if they are
repeating and logs without errors are of no interest to me after 14
days.

--


Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~



Peter Foldes wrote:
> Jose
>
>>> Do you have success audits enabled?
>
> It is enabled by default and it always was
>
>> Event Logs also do not accumulate forever, they wrap when they get
>> full. Full is defined in the Properties of the log and defaults to
>> 512KB and 7 days after that, then old things get overwritten
>
> Not so. By default the setting is {Overwrite events as needed } and
> the size before that happens is 100MB. Log size by default is 16384kb
> which can be adjusted up or down to your needs and that cancels out
> what you posted
> My Audits size in the Event Viewer is 14MB and the Audits date back
> to Oct 2003 without any being overwritten. The Log file on the latter
> is sitting at 2MB and also dates back to Oct 2003 without anything
> changed
> "Jose" <jose_ease(a)yahoo.com> wrote in message
> news:75323456-24af-4017-982b-f970bfce3bbc(a)f15g2000yqe.googlegroups.com...
> On Feb 13, 5:51 pm, "Gerry" <ge...(a)nospam.com> wrote:
>> Jose
>>
>> All Success Audit (lots of them), no failures here!
>>
>> --
>>
>> Gerry
>> ~~~~
>> FCA
>> Stourport, England
>> Enquire, plan and execute
>> ~~~~~~~~~~~~~~~~~~~
>>
>>
>>
>> Jose wrote:
>>> On Feb 13, 2:23 pm, JD <J...(a)example.invalid> wrote:
>>>> Jose wrote:
>>>>> On Feb 13, 9:51 am, "William B. Lurie"<billu...(a)nospam.net> wrote:
>>>>>> JD wrote:
>>>>>>> William B. Lurie wrote:
>>>>>>>> William B. Lurie wrote:
>>>>>>>>> William B. Lurie wrote:
>>>>>>>>>> VanguardLH wrote:
>>>>>>>>>>> William B. Lurie wrote:
>>
>>>>>>>>>>>> Gerry, I found that Norton System Works Premier, which
>>>>>>>>>>>> has a separate menu for such things, has a place where
>>>>>>>>>>>> I can choose "Turn off all automatic updates". I
>>>>>>>>>>>> did that several hours ago, and now the events have
>>>>>>>>>>>> trickled down to a very few.
>>
>>>>>>>>>>> But doesn't that also mean that you won't get signature
>>>>>>>>>>> and/or program updates for your Norton security program? You
>>>>>>>>>>> would end up with an out-of-date Norton product.
>>>>>>>>>> I turned off all *automatic* updates. I can still do
>>>>>>>>>> Live Update when I choose to do so.
>>>>>>>>> *************************************************
>>>>>>>>> And now, some evidence and a question.
>>>>>>>>> Overnight it did something every hour that
>>>>>>>>> prevented it from going to hibernate. Or even screen saver!
>>
>>>>>>>>> Here's the event log:
>>
>>>>>>>>> http://bellsouthpwp.net/b/i/billurie/events.evt
>>
>>>>>>>>> Can someone please tell me how to interpret what it shows?
>>>>>>>>> (By the way, I uploaded the file but my notepad can't read
>>>>>>>>> it; I hope somebody can!)
>>
>>>>>>>> Here is a screen shot of the events log.......maybe more
>>>>>>>> decipherable.......
>>
>>>>>>>> http://bellsouthpwp.net/b/i/billurie/events.jpg
>>
>>>>>>> Go back to the events log and double left mouse click on one of
>>>>>>> the errors. That will bring up the Event Properties. On the
>>>>>>> upper right side of that window will be an up and down arrow
>>>>>>> and two little pages. Left mouse click on the two pages. Then
>>>>>>> open Notepad and either hit Ctrl V or click on Edit and select
>>>>>>> Paste. Now you have a copy of the error properties and maybe
>>>>>>> you or someone here can tell you what is causing the error.
>>
>>>>>> Great instructions, JD, and here's one typical 'event'.
>>
>>>>>> Event Type: Failure Audit
>>>>>> Event Source: Security
>>>>>> Event Category: Policy Change
>>>>>> Event ID: 615
>>>>>> Date: 2/13/2010
>>>>>> Time: 6:38:44 AM
>>>>>> User: NT AUTHORITY\NETWORK SERVICE
>>>>>> Computer: COMPAQ-2006
>>>>>> Description:
>>>>>> IPSec Services: IPSec Services failed to get the complete
>>>>>> list of network interfaces on the machine. This can be a
>>>>>> potential security hazard to the machine since some of the
>>>>>> network interfaces may not get the protection as desired by the
>>>>>> applied IPSec filters. Please run IPSec monitor snap-in to
>>>>>> further diagnose the problem.
>>
>>>>>> That, of course, leads me to another place I've never been
>>>>>> before... IPSec monitor snap-in. And now.......??
>>
>>>>> Is there some reason you have your system configured to monitor
>>>>> and audit and log security policy settings and changes?
>>
>>>>> That is what puts things in the Security log. Such settings do not
>>>>> usually apply to "normal" home type users. Normally, this log is
>>>>> empty, or has one entry in it - "The audit log was cleared ".
>>
>>>>> I dare say you are seeing a self inflicted wound.
>>
>>>>> Unless you are in an environment where you need to be extensively
>>>>> auditing your Internet traffic, searching for network connectivity
>>>>> issues, etc. you do not need to be monitoring these events. This
>>>>> 615 probably occurred when you booted your system before the IPSec
>>>>> service started and was then followed by a successful 615.
>>
>>>>> If you don't know what these things mean or how to begin to
>>>>> interpret them you should turn them all off since they slow your
>>>>> system down with all the unnecessary activity logging. More
>>>>> logging is not always good logging unless you are troubleshooting
>>>>> a problem.
>>
>>>>> If you don't know how to use the security auditing and IPSec tools
>>>>> and don't need to know, turn off all that extra stuff you don't
>>>>> need and your system will thank you for it by rewarding you with
>>>>> better performance and fewer mysteries.
>>
>>>>> If you care to delve into all the settings, what they mean, how to
>>>>> interpret them, etc. you should take a class, read a book, do some
>>>>> Internet searching.
>>
>>>> Thanks for a non-response. Which book would you suggest he read? Or
>>>> how does he turn off the security log? Oh wait though, I have 2,012
>>>> events in my Security log and I've never turned it on. And not one
>>>> of those says "The audit log was cleared". I'm not being a smarty
>>>> pants, I'm just curious as to the explanation of your response.
>>
>>>> --
>>>> JD..
>>
>>> Yeah - maybe I was coming on too strong or rude. I now have a better
>>> Security Event Log message for the future.
>>
>>> Here is what I have seen...
>>
>>> Sometimes people wonder why the Security log is empty and think it
>>> is a problem that nothing is being logged. All the other logs have
>>> stuff and know I want some security on my system so they read some,
>>> poke around and end up turning on Security Auditing from Control
>>> Panel, Administrative Tools, Local Security Policy.
>>
>>> Everything for Security Auditing is turned off by default with "No
>>> Auditing", so sometimes the thought is that some kind of additional
>>> security auditing must be a good thing either because they are
>>> having some problem they can't figure out or maybe they are curious.
>>> Security is good, therefore I will put some security on everything!
>>
>>> The logging goes on unnoticed, they may resolve whatever the
>>> original problem was and sometime later they peek at the Security
>>> log and see all the failure messages and wonder what is wrong with
>>> their system. Failure messages must mean something is wrong!
>>
>>> Turn all that logging on and reboot your system and you will get a
>>> lot of failure events. Now folks think they have an issue and
>>> things are failing all over the place, but it is an understanding
>>> issue (usually) or they forgot they turned on the logging and never
>>> turned it off.
>>
>>> Event Logs also do not accumulate forever, they wrap when they get
>>> full. Full is defined in the Properties of the log and defaults to
>>> 512KB and 7 days after that, then old things get overwritten
>>> (luckily). The logs are usually in the c:\windows\system32\config
>>> folder where those registry files are. You know those files... the
>>> event logs are there too. Maybe yours wrapped or was never cleared -
>>> or both.
>>
>>> Excess logging slows things down (any logging slows things down).
>>> Maybe not much for this stuff, but if something has to read/write or
>>> to even check to see if it needs to or even consider it, it takes
>>> some CPU time that I would rather be spent someplace else. If you
>>> are "tuning up" a system for performance, you can turn all that
>>> extra junk off unless you need it to troubleshoot a problem. If you
>>> turn it on, turn it off when you are done if you remember.
>>
>>> There is a similar story with the Internet Explorer log - why is it
>>> always empty and is that my IE problem? An empty IE log can't be
>>> good if I'm having IE problems. I can tell you, mine is empty and it
>>> better stay that way.
>>
>>> You can buy books on Amazon that discuss Windows security,
>>> performance, forensic analysis, malware - there are even Dummies
>>> books for these things.
>>
>>> Like I mentioned before, no event in the Event Log should defy
>>> explanation. If you have things in your Security Event Log, most
>>> certainly they are there for a reason and should be explainable.
>>> Some people will say the security events can be ignored. Well, I
>>> want to explain them, then maybe I'll decide to ignore them.
>>
>>> I generally only have the one security event noting that my log was
>>> cleared and I don't even need to have that. I only keep it so I know
>>> my Security Event Log is working. Sometimes I use the Security
>>> logging for troubleshooting or understanding somebody else's
>>> problem, but generally not - it is extra I/O I don't need.
>>
>>> I sometimes keep an unused entry in my msconfig Startup tab and an
>>> unused non MS service - just so I know msconfig is working. Seeing
>>> those empty tabs is a little creepy.
>
> Good for you!
>
> Such was not the case for the OP.
>
> Do you have success audits enabled?
>
> If you don't know what they mean, post some up for interpretation if
> you want, or post some anyway so I can add them to my list if I don't
> have them already.
>
> I find them all annoying in day to day activities.

From: William B. Lurie on
Jose wrote:
> On Feb 13, 9:51 am, "William B. Lurie" <billu...(a)nospam.net> wrote:
>> JD wrote:
>>> William B. Lurie wrote:
>>>> William B. Lurie wrote:
>>>>> William B. Lurie wrote:
>>>>>> VanguardLH wrote:
>>>>>>> William B. Lurie wrote:
>>>>>>>> Gerry, I found that Norton System Works Premier, which
>>>>>>>> has a separate menu for such things, has a place where
>>>>>>>> I can choose "Turn off all automatic updates". I
>>>>>>>> did that several hours ago, and now the events have
>>>>>>>> trickled down to a very few.
>>>>>>> But doesn't that also mean that you won't get signature and/or program
>>>>>>> updates for your Norton security program? You would end up with an
>>>>>>> out-of-date Norton product.
>>>>>> I turned off all *automatic* updates. I can still do
>>>>>> Live Update when I choose to do so.
>>>>> *************************************************
>>>>> And now, some evidence and a question.
>>>>> Overnight it did something every hour that
>>>>> prevented it from going to hibernate. Or even screen saver!
>>>>> Here's the event log:
>>>>> http://bellsouthpwp.net/b/i/billurie/events.evt
>>>>> Can someone please tell me how to interpret what it shows?
>>>>> (By the way, I uploaded the file but my notepad can't read
>>>>> it; I hope somebody can!)
>>>> Here is a screen shot of the events log.......maybe more
>>>> decipherable.......
>>>> http://bellsouthpwp.net/b/i/billurie/events.jpg
>>> Go back to the events log and double left mouse click on one of the
>>> errors. That will bring up the Event Properties. On the upper right side
>>> of that window will be an up and down arrow and two little pages. Left
>>> mouse click on the two pages. Then open Notepad and either hit Ctrl V or
>>> click on Edit and select Paste. Now you have a copy of the error
>>> properties and maybe you or someone here can tell you what is causing
>>> the error.
>> Great instructions, JD, and here's one typical 'event'.
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Policy Change
>> Event ID: 615
>> Date: 2/13/2010
>> Time: 6:38:44 AM
>> User: NT AUTHORITY\NETWORK SERVICE
>> Computer: COMPAQ-2006
>> Description:
>> IPSec Services: IPSec Services failed to get the complete
>> list of network interfaces on the machine. This can be a potential
>> security hazard to the machine since some of the network interfaces
>> may not get the protection as desired by the applied IPSec filters.
>> Please run IPSec monitor snap-in to further diagnose the problem.
>>
>> That, of course, leads me to another place I've never been before...
>> IPSec monitor snap-in. And now.......??
>
> Is there some reason you have your system configured to monitor and
> audit and log security policy settings and changes?
>
> That is what puts things in the Security log. Such settings do not
> usually apply to "normal" home type users. Normally, this log is
> empty, or has one entry in it - "The audit log was cleared ".
>
> I dare say you are seeing a self inflicted wound.
>
> Unless you are in an environment where you need to be extensively
> auditing your Internet traffic, searching for network connectivity
> issues, etc. you do not need to be monitoring these events. This 615
> probably occurred when you booted your system before the IPSec service
> started and was then followed by a successful 615.
>
> If you don't know what these things mean or how to begin to interpret
> them you should turn them all off since they slow your system down
> with all the unnecessary activity logging. More logging is not always
> good logging unless you are troubleshooting a problem.
>
> If you don't know how to use the security auditing and IPSec tools and
> don't need to know, turn off all that extra stuff you don't need and
> your system will thank you for it by rewarding you with better
> performance and fewer mysteries.
>
> If you care to delve into all the settings, what they mean, how to
> interpret them, etc. you should take a class, read a book, do some
> Internet searching.
**************************************************************
I'd like to reopen this informative discussion, and add
the details of three *events* which seem to be applicable
to my system's failing to go to hibernate, and sometimes
not even to Screen Saver (!). Any explanations will be
appreciated.
**********************************************************
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 2/15/2010
Time: 6:06:25 AM
User: N/A
Computer: COMPAQ-2006
Description:
The following boot-start or system-start driver(s) failed to load:
ftsata2
KLIF

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
************************************************************
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 2/13/2010
Time: 6:38:44 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: COMPAQ-2006
Description:
IPSec Services: IPSec Services failed to get the complete
list of network interfaces on the machine. This can be a potential
security hazard to the machine since some of the network interfaces
may not get the protection as desired by the applied IPSec filters.
Please run IPSec monitor snap-in to further diagnose the problem.
*********************************************************************
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 2/15/2010
Time: 6:06:25 AM
User: N/A
Computer: COMPAQ-2006
Description:
The following boot-start or system-start driver(s) failed to load:
ftsata2
KLIF

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
******************************************************
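
As an added example, not part of any post in this thread: a Python parser for the Event Properties text pasted above that strips reply markers, collapses records pasted more than once, and lists the drivers named in a 7026 entry. The sample text is constructed from the events quoted in the thread (abbreviated), and the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the events quoted in this thread.
BAR = "*" * 40 + "\n"
REC_7026 = """Event Type: Error
Event Source: Service Control Manager
Event ID: 7026
Date: 2/15/2010
Time: 6:06:25 AM
Description:
The following boot-start or system-start driver(s) failed to load:
ftsata2
KLIF
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""
REC_615 = r"""> Event Type: Failure Audit
> Event Source: Security
> Event ID: 615
> Date: 2/13/2010
> Time: 6:38:44 AM
> User: NT AUTHORITY\NETWORK SERVICE
> Description:
> IPSec Services: IPSec Services failed to get the complete
> list of network interfaces on the machine.
"""
SAMPLE = BAR + REC_7026 + BAR + REC_615 + "> " + BAR + REC_7026 + BAR

FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time"
                   r"|User|Computer|Description):\s*(.*)$")
QUOTE = re.compile(r"^(?:\s*>)+\s?")    # Usenet reply markers
RULE = re.compile(r"^[*=~-]{5,}$")      # separator rows between pasted events

def parse_events(text):
    """Split pasted Event Properties text into one dict per event."""
    events, cur, in_desc = [], None, False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        m = FIELD.match(line)
        if RULE.match(line):
            cur, in_desc = None, False
        elif m and m.group(1) == "Event Type":    # a new record always starts here
            cur, in_desc = {"Event Type": m.group(2), "Description": []}, False
            events.append(cur)
        elif cur is None or not line:
            continue
        elif in_desc:                              # free text until the next record
            cur["Description"].append(line)
        elif m and m.group(1) != "Description":
            cur[m.group(1)] = m.group(2)
        elif m:
            in_desc = True
            cur["Description"] += [m.group(2)] if m.group(2) else []
    for e in events:
        e["Description"] = "\n".join(e["Description"])
        e["When"] = datetime.strptime(f'{e["Date"]} {e["Time"]}', "%m/%d/%Y %I:%M:%S %p")
    return events

def triage(events):
    """Drop repeated pastes, then count distinct events per (source, ID)."""
    unique = {(e["Event Source"], e["Event ID"], e["When"], e["Description"]): e for e in events}
    return list(unique.values()), Counter((s, int(i)) for s, i, _, _ in unique)

def failed_drivers(event):
    """Driver names listed in a Service Control Manager 7026 description."""
    lines = event["Description"].splitlines()[1:] if event["Event ID"] == "7026" else []
    return [l for l in lines if re.fullmatch(r"[\w.-]+", l)]
```

Run over the sample, `triage(parse_events(SAMPLE))` reduces the three pasted blocks to two distinct events, since the 7026 record appears twice with the same timestamp and text.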
From: JD on
William B. Lurie wrote:
> SNIP <
> **************************************************************
> I'd like to reopen this informative discussion, and add
> the details of three *events* which seem to be applicable
> to my system's failing to go to hibernate, and sometimes
> not even to Screen Saver (!). Any explanations will be
> appreciated.
> **********************************************************
> Event Type: Error
> Event Source: Service Control Manager
> Event Category: None
> Event ID: 7026
> Date: 2/15/2010
> Time: 6:06:25 AM
> User: N/A
> Computer: COMPAQ-2006
> Description:
> The following boot-start or system-start driver(s) failed to load:
> ftsata2
> KLIF
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> ************************************************************
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Policy Change
> Event ID: 615
> Date: 2/13/2010
> Time: 6:38:44 AM
> User: NT AUTHORITY\NETWORK SERVICE
> Computer: COMPAQ-2006
> Description:
> IPSec Services: IPSec Services failed to get the complete
> list of network interfaces on the machine. This can be a potential
> security hazard to the machine since some of the network interfaces
> may not get the protection as desired by the applied IPSec filters.
> Please run IPSec monitor snap-in to further diagnose the problem.
> *********************************************************************
> Event Type: Error
> Event Source: Service Control Manager
> Event Category: None
> Event ID: 7026
> Date: 2/15/2010
> Time: 6:06:25 AM
> User: N/A
> Computer: COMPAQ-2006
> Description:
> The following boot-start or system-start driver(s) failed to load:
> ftsata2
> KLIF
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> ******************************************************

Did you make any changes to your computer around the same time you
noticed your problems?

I went to http://www.ask.com and entered the two programs that are not
loading:

ftsata2

http://www.file.net/process/ftsata2.sys.html

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1266240824138+28353475&threadId=1163749

KLIF

http://www.file.net/process/klif.sys.html

Do you use any anti-malware or anti-spyware programs?

--
JD..
From: Jose on
On Feb 14, 7:03 am, "Gerry" <ge...(a)nospam.com> wrote:
> Jose
>
> >>Do you have success audits enabled?
>
> Obviously the answer is Yes; otherwise there would not be any reports!
> The computer has Windows XP Home Edition installed. I have never altered
> the default with regard to Auditing Entries. I realise as a result of
> Peter's response that I could and that the Security tabs can be
> displayed if a default is changed. http://www.dougknox.com/xp/tips/xp_security_tab.htm
>
> What is the point in investigating a Success Audit? An Audit Failure
> makes more sense because it is reporting some wrong. Understanding a
> Failure could pinpoint what is causing a problem. I have seen Failures
> in the past but not recently.
>

If I am not looking into a problem, I will turn all that stuff off.
It is extra I/O I don't need and would rather my CPU time be spent
doing things I want. I find no use for the constant logging of
routine events. I don't look at my Event Log unless I am suspicious
of a problem which is almost never - or trying to help someone else
with their problem which is often. My event logs are no longer
intellectually stimulating.

If other folks want to log all that stuff, more power to 'em. I just
chose not to! It is also possible that with my tinkering over the
years my XP has been installed, I changed some of the Event Log
settings so they may not match yours. Maybe we are not even talking
about the same things anymore.

Okay - I don't want to get bogged down with it and would rather move on.

The OP still doesn't seem to be able to hibernate reliably, his screen
saver doesn't work, he does not have SP3, has not said the hotfix to
fix hibernating for SP2 was installed, and has not described the SP3
anomalies.

I think I'll just watch that for a while!
From: William B. Lurie on
JD wrote:
> William B. Lurie wrote:
>> SNIP <
>> **************************************************************
>> I'd like to reopen this informative discussion, and add
>> the details of three *events* which seem to be applicable
>> to my system's failing to go to hibernate, and sometimes
>> not even to Screen Saver (!). Any explanations will be
>> appreciated.
>> **********************************************************
>> Event Type: Error
>> Event Source: Service Control Manager
>> Event Category: None
>> Event ID: 7026
>> Date: 2/15/2010
>> Time: 6:06:25 AM
>> User: N/A
>> Computer: COMPAQ-2006
>> Description:
>> The following boot-start or system-start driver(s) failed to load:
>> ftsata2
>> KLIF
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> ************************************************************
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Policy Change
>> Event ID: 615
>> Date: 2/13/2010
>> Time: 6:38:44 AM
>> User: NT AUTHORITY\NETWORK SERVICE
>> Computer: COMPAQ-2006
>> Description:
>> IPSec Services: IPSec Services failed to get the complete
>> list of network interfaces on the machine. This can be a potential
>> security hazard to the machine since some of the network interfaces
>> may not get the protection as desired by the applied IPSec filters.
>> Please run IPSec monitor snap-in to further diagnose the problem.
>> *********************************************************************
>> Event Type: Error
>> Event Source: Service Control Manager
>> Event Category: None
>> Event ID: 7026
>> Date: 2/15/2010
>> Time: 6:06:25 AM
>> User: N/A
>> Computer: COMPAQ-2006
>> Description:
>> The following boot-start or system-start driver(s) failed to load:
>> ftsata2
>> KLIF
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> ******************************************************
>
> Did you make any changes to your computer around the same time you
> noticed your problems?
>
> I went to http://www.ask.com and entered the two programs that are not
> loading:
>
> ftsata2
>
> http://www.file.net/process/ftsata2.sys.html
>
> http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1266240824138+28353475&threadId=1163749
>
>
> KLIF
>
> http://www.file.net/process/klif.sys.html
>
> Do you use any anti-malware or anti-spyware programs?
>
Yes, I have one anti-malware program installed but turned
it off two weeks ago when this ATI stuff started. msconfig has it not
loading on startup.