Getting Started

The CyberSafe Log Analyst assists you in organizing and interpreting security event logs from Windows 2000, providing more effective, system-wide user activity analysis. There are three steps to analyzing user activity: saving event logs, analyzing event logs, and generating reports. This topic describes these steps in detail so you can begin to analyze activities immediately.

To save the local event log

This procedure automates the process of saving the event log from the computer where CLA is installed.

In the CyberSafe Log Analyst scope pane, right-click the CyberSafe Log Analyst node and choose Cut Live Local Event Log from the shortcut menu. The event log is saved in the Pending subdirectory of CLA (for example, c:\program files\cla\pending). It is also added to the Logs to be Analyzed node, so you can immediately analyze the event log.

To save the event log from other computers

This procedure saves the current "raw" event logs from other computers. These instructions detail a very simple, manual method of saving the event log so you can later analyze it.

  1. On the computer where you installed CLA, "share" the Pending subdirectory (for example, \cla\pending). When you save the event logs from other computers, you will save them into this shared directory, so the event log files will automatically be added to CLA.

  2. On the computer containing the event log you want to analyze, open the Windows 2000 Event Viewer (by choosing Start > Administrative Tools (Common) > Event Viewer).

  3. Choose Log > Security to view the current day's security event log.

  4. Choose Log > Save As to save the event log. Note that the file name must include the .evt file extension and that the file must be saved in the Pending subdirectory you shared in Step 1.
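Steps 1 through 4 leave a shared directory that other computers write into, and CLA only picks up files that meet the Step 4 rule (.evt extension). The following script, added here as an example and not part of CyberSafe Log Analyst, walks the Pending directory and checks each file before you run an analysis: it confirms the extension, reads the fixed 48-byte header of the Windows 2000 event log file format (the "LfLe" signature, version 1.1, record counters and flags; this layout is assumed from the NT event log format and is not described on this page), and reports the number of records found. File names and the sample headers it builds are constructed for the demonstration.

```python
import os
import struct
import tempfile

# Layout of the fixed 48-byte header at the start of a Windows 2000 .evt
# file (the NT event log ELF_LOGFILE_HEADER, little-endian). This layout
# is taken from the Windows event log file format, not from this page.
EVT_HEADER_FMT = "<I4s10I"
EVT_HEADER_SIZE = struct.calcsize(EVT_HEADER_FMT)  # 0x30
EVT_SIGNATURE = b"LfLe"
EVT_FLAG_DIRTY = 0x1  # set while the Event Log service has the file open


def inspect_evt(path):
    """Check one file in Pending; returns a dict and never raises on bad input."""
    result = {"file": os.path.basename(path), "ok": False,
              "records": 0, "reason": "", "warning": ""}
    # Step 4 of the procedure: CLA only picks up files with the .evt extension.
    if not path.lower().endswith(".evt"):
        result["reason"] = "file name lacks the .evt extension"
        return result
    with open(path, "rb") as fh:
        raw = fh.read(EVT_HEADER_SIZE)
    if len(raw) < EVT_HEADER_SIZE:
        result["reason"] = "shorter than an event log header"
        return result
    (size, sig, major, minor, _start, _end, current, oldest,
     _max_size, flags, _retention, end_size) = struct.unpack(EVT_HEADER_FMT, raw)
    if sig != EVT_SIGNATURE or size != EVT_HEADER_SIZE or end_size != EVT_HEADER_SIZE:
        result["reason"] = "not a Windows event log (bad header signature)"
        return result
    if (major, minor) != (1, 1):
        result["reason"] = "unsupported event log version %d.%d" % (major, minor)
        return result
    # CurrentRecordNumber is the next number to be assigned, so the
    # difference with OldestRecordNumber is the count of records on disk.
    result["records"] = max(0, current - oldest)
    if flags & EVT_FLAG_DIRTY:
        # A file copied from %SystemRoot%\system32\config while the service
        # held it open keeps this flag; Event Viewer's Save As writes a clean file.
        result["warning"] = "dirty flag set; re-save the log with Save As"
    result["ok"] = True
    return result


def scan_pending(pending_dir):
    """Inspect every file in the shared Pending directory (sorted by name)."""
    return [inspect_evt(os.path.join(pending_dir, name))
            for name in sorted(os.listdir(pending_dir))
            if os.path.isfile(os.path.join(pending_dir, name))]


def write_sample_header(path, oldest, current, flags=0):
    """Write a constructed .evt header (header only, no records) for the demo."""
    header = struct.pack(EVT_HEADER_FMT, EVT_HEADER_SIZE, EVT_SIGNATURE, 1, 1,
                         EVT_HEADER_SIZE, EVT_HEADER_SIZE, current, oldest,
                         512 * 1024, flags, 7 * 24 * 3600, EVT_HEADER_SIZE)
    with open(path, "wb") as fh:
        fh.write(header)


def demo():
    """Build a throwaway Pending directory with constructed files and scan it."""
    pending = tempfile.mkdtemp(prefix="cla-pending-")
    write_sample_header(os.path.join(pending, "server01-security.evt"), 1, 26)
    write_sample_header(os.path.join(pending, "server02-security.evt"), 1, 9,
                        flags=EVT_FLAG_DIRTY)
    with open(os.path.join(pending, "notes.txt"), "wb") as fh:
        fh.write(b"not a log")
    with open(os.path.join(pending, "junk.evt"), "wb") as fh:
        fh.write(b"\x00" * 64)
    return {r["file"]: r for r in scan_pending(pending)}


if __name__ == "__main__":
    for name, r in demo().items():
        print("%-24s %s %4d records %s" % (name, "OK " if r["ok"] else "BAD",
                                          r["records"], r["reason"] or r["warning"]))
```

Point scan_pending at the real share (for example, c:\program files\cla\pending) to list what will be analyzed. Because the Pending share receives files from other computers, limit write access on it to the accounts that actually save logs there; a file that fails the header check is worth a second look before it is fed to the analysis.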

To analyze event logs

In the CyberSafe Log Analyst scope pane, right-click the Logs to be Analyzed node and choose Analyze from the shortcut menu. The status of the analysis is displayed in the Description Bar (displayed above the results pane).

Note

If you have saved event logs directly into the Pending subdirectory of the CLA directory (for example, \cla\pending), they may not immediately appear in the Logs to be Analyzed node. To display these event logs, refresh the display by right-clicking the Logs to be Analyzed node and choosing Refresh from the shortcut menu.

To generate a report using a predefined template

  1. In the CyberSafe Log Analyst scope pane, select the Report Templates node.

  2. In the results pane, right-click the report template you want to use and choose Generate Report from the shortcut menu that appears. The Report Generator dialog box appears.

  3. Under Time Granularity, move the slider to select the granularity of the report: Minute, Hour, 2 Hours, Day, Week, Month, or All Data. The default is All Data.

  4. Under Examine Period, click the arrow and select the time period for this report: Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Week, Last Month, Custom Date Range, or Full Time Range. The default is Full Time Range.

  5. Do the following:

  1. When finished, click Close to exit the Report Generator dialog box.

Related topic

Applying effective audit policy