In this lab, we’ll use filters to review Windows events and export events to text files for later analysis.
NOTE: Once the lab is ready, please wait 2 additional minutes before attempting to remote desktop to the Windows machine. Prior to that, the provided credentials will not work. This is because the Windows machine runs several preparation scripts once it starts.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Export all successful logon events to a text file named `logons.txt` on the server’s Desktop.
- Open Event Viewer and expand Windows Logs.
- Under Windows Logs, click on the Security which will populate the security events
- In the Actions area, select Filter Current Log.
- In the All Event IDs field, enter the Event ID
4624, then click OK. - In the Actions area, click on Save Filtered Log File As.
- Select Desktop for the location, for the file name type
logons.txt, and select Text for the Save as type. - Click the Save button.
- Open Event Viewer and expand Windows Logs.
- Export all events from the security log to a file named `security.txt` on the server’s Desktop.
- In the Action area, click Clear Filter to remove the filter from the previous section.
- Right click on Security under Windows Logs and select Save All Events As.
- Select Desktop for the location, for the file name type
security.txt, and select Text for the Save as type. - Click the Save button.
- In the Action area, click Clear Filter to remove the filter from the previous section.
