Day-Two Understanding Event Logs overview lab

Objective: 

Windows event logs are records of system, application, and security events on a machine[1]. In this lab, learners will explore the built-in Windows event logs (System, Application, Security) and practice filtering them to find specific events. They will learn that System logs track OS-level events, Application logs record software-related events, and the Security log contains audit records such as login attempts[2].

Challenge Description

A user reports repeated login failures and unusual application errors on a Windows 10 workstation. Use Event Viewer or PowerShell to inspect the logs for recent login events and application errors. Identify any failed login attempts (e.g. Event ID 4625) and note which user or service generated them.

Tools: Windows Event Viewer.

Step-by-step Instructions:

Step 1 - Simulate The Login Failure

Goal: Create Security log entries for failed logins by user Nasri.

  1. On your Windows 10 VM (WIN10-VM), press Ctrl+Alt+Del → choose Switch User or Other User.

  2. Enter:

    Username: TALOSEC\nasri
    Password: (enter an incorrect password several times)

    Try entering the wrong password 3–5 times to generate multiple failed logon events.

  3. After several failed attempts, stop trying to log in.

Step 2 - Open Event Viewer and Explore Logs

1. Open Event Viewer on the Windows server: Press Win+R, type eventvwr.msc, and press Enter. In the left pane, expand Windows Logs.

2. Browse Basic Logs: Click System, Application, and Security in turn. Observe each log’s entries. Note that System events come from OS components (e.g., drivers, services), Application events come from programs, and Security events show audit records (logons, policy changes, etc.)[2].

3. Filter for Failed Logons: With the Security log selected, click Filter Current Log… in the right pane. In the filter window, enter 4634 in Event ID. Click OK. This shows only failed logon attempts.

4. Review Filtered Event: In the results pane, click the newest Event ID 4634 entry. In the bottom pane, note details like Account Name, Logon Type, IP Address, etc. A sample filtered event might look like the following:
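The challenge description also allows PowerShell instead of Event Viewer. The script below is an added example, not part of the original lab: it queries the Security log for Event ID 4625 (the failed-logon ID named in the challenge description; by contrast, 4634 records an account logoff) and pulls the same fields you would read in the bottom pane of Event Viewer (Account Name, Logon Type, IP Address), then groups them by account so you can see which user or service generated the failures. It assumes the TALOSEC domain and the nasri account from Step 1; the one-hour window is an arbitrary choice.

```powershell
# Added example (not part of the original lab): list recent failed logons (Event ID 4625)
# from the Security log and summarise who generated them.
# Run from an elevated PowerShell session; reading the Security log needs administrator rights.
# Assumptions: domain TALOSEC and account nasri as in Step 1; the 1-hour window is arbitrary.

$since = (Get-Date).AddHours(-1)

# FilterHashtable is evaluated by the event log service, so it is far faster than
# piping every Security event through Where-Object.
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent throws if no events match; treat that as "none"

if (-not $failed) {
    Write-Host "No Event ID 4625 entries in the Security log since $since"
    return
}

# Each 4625 event stores its fields as <Data Name="..."> elements under EventData.
# Convert the event to XML and index those elements by name so the output reads
# like the Details pane in Event Viewer.
$rows = foreach ($e in $failed) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        TargetUser  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"  # e.g. TALOSEC\nasri
        LogonType   = $data['LogonType']        # 2 = interactive (console), 3 = network, 10 = RDP
        Status      = $data['Status']           # 0xC000006D = unknown user name or bad password
        SubStatus   = $data['SubStatus']        # 0xC000006A = bad password, 0xC0000064 = no such user
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']        # '-' or 127.0.0.1 for console logons
        Process     = $data['ProcessName']      # the process that submitted the credentials
    }
}

# Newest first, one line per failed attempt
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Which account generated the failures? (answers question 6 directly)
$rows | Group-Object TargetUser |
    Select-Object Count, @{ Name = 'Account'; Expression = { $_.Name } } |
    Sort-Object Count -Descending
```

A burst of 4625 entries for one account within a few seconds, all with SubStatus 0xC000006A and the same Process and Workstation, matches the wrong-password attempts from Step 1; the same ID appearing for many different accounts from one SourceIP, or with LogonType 3 from a remote host, is the pattern worth escalating in a real investigation.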

Questions

  1. How do System, Application, and Security logs differ from each other?

  2. What did you learn about using Event Viewer to filter or search for specific events?

  3. What challenges did you face when trying to locate specific events in the logs?

  4. How can event logs help detect unauthorized or suspicious activity on a system?

  5. What Event ID indicates a failed login attempt, and what information does it provide about the user or source?

  6. Based on your analysis, which user or service generated the failed login attempts in this challenge?
