This step-by-step article describes how to use the Performance Logs and Alerts service to create counter logs and alerts to monitor unauthorized attempts to access your computer in Microsoft Windows 2000 Server.
You can configure counter logs in the Performance Logs and Alerts service to monitor the number of failed logon attempts and the number of failed attempts to access files on your computer. When you regularly examine counter logs, you may be able to detect some types of security violations before they succeed. You can also configure alerts to send a message and notify you if a potential security violation occurs. Alerts are critical security controls that help you perform real-time monitoring.
Note: To perform the procedures that are described in this article, you must log on as Administrator or as a member of the Administrators group.
Configure Alerts to Monitor Unauthorized File Access and Logon Attempts
Click Start, point to Programs, point to Administrative Tools, and then click Performance Logs and Alerts.
In the console tree, expand Performance Logs and Alerts, and then click Alerts.
Right-click an empty area of the right pane, and then click New Alert Settings From.
In the Open box, click the .htm file that you created and saved earlier, and then click Open.
Click OK if you receive the message that you are creating an alert from a counter log.
In the Name box, type a name for the alert, and then click OK.
Click the General tab, and then configure the following settings for each counter that is listed in the Counters box:
In the Alert when the value is box, click Over.
In the Limit box, type the number of errors that can occur before an alert is generated.
Click the Action tab, and then specify the action that you want to occur when an alert is triggered:
If you want the Performance Logs and Alerts service to create an entry in the Application log of Event Viewer when an alert occurs, click to select the Log an entry in the application event log check box.
If you want the Performance Logs and Alerts service to trigger the Messenger service to send a message, click to select the Send a network message to check box, and then type the Internet Protocol (IP) address or name of the computer on which the alert message should appear.
To start a counter log when an alert occurs, click to select the Start performance data log check box, and then specify the counter log that you want to run.
To run a command or program when an alert occurs, click to select the Run this program check box, and then type the file path and name of the program or command that you want to run, or click Browse to locate the file.
When an alert occurs, the service creates a process and runs the specified command file. The service also copies any command-line arguments you define to the command line that is used to run the file. Click Command Line Arguments, and then click to select the appropriate check boxes to include the arguments that you want when the program is run.
Click the Schedule tab, specify the start and stop times for the scan, and then click OK.
Important: The counter does not monitor failed interactive logons at the console or through Remote Desktop Protocol (RDP). Instead, the counter only monitors server message block (SMB) communications logons (for example, when a user tries to open a file on the server but they lack permissions to the share). The Server object in Performance Monitor refers only to shares.
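
The same test that the General tab configures (Over, with a Limit for each counter) can also be applied when you review a counter log that was saved in CSV format. The following Python code is an added example, not part of the original article. It assumes the log holds the Server object's Errors Logon and Errors Access Permissions counters; the computer name FILESRV01, the sample values, and the limits are constructed for illustration.

```python
import csv
import io

# Constructed sample: a counter log saved as CSV. Host, times and values are made up.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\FILESRV01\Server\Errors Logon","\\FILESRV01\Server\Errors Access Permissions"
"03/04/2002 09:00:00.000","2","0"
"03/04/2002 09:05:00.000","3","1"
"03/04/2002 09:10:00.000"," ","1"
"03/04/2002 09:15:00.000","41","1"
"03/04/2002 09:20:00.000","97","6"
'''

# Hypothetical limits, playing the role of the Limit box for each counter.
LIMITS = {r"Server\Errors Logon": 25, r"Server\Errors Access Permissions": 5}


def counter_name(path):
    # Drop the leading computer name so limits match logs from any server.
    parts = path.lstrip("\\").split("\\", 1)
    return parts[1] if len(parts) == 2 else path


def find_breaches(log_text, limits):
    """Return (time, counter, value, limit) for every sample that is over its limit."""
    rows = csv.reader(io.StringIO(log_text))
    header = next(rows)
    names = [counter_name(p) for p in header[1:]]
    breaches = []
    for row in rows:
        if not row:
            continue
        stamp = row[0]
        for name, raw in zip(names, row[1:]):
            if name not in limits:
                continue
            try:
                value = float(raw)
            except ValueError:
                continue  # blank field: no sample was collected at this interval
            if value > limits[name]:  # "Over": a value equal to the limit does not alert
                breaches.append((stamp, name, value, limits[name]))
    return breaches


if __name__ == "__main__":
    for stamp, name, value, limit in find_breaches(SAMPLE_LOG, LIMITS):
        print(f"{stamp}  {name} = {value:g} (limit {limit})")
```

As the Important note above states, these counters reflect only SMB access to shares, so a clean result here says nothing about interactive or RDP logon failures.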