W2K Server Resource Kit includes CyberSafe Log Analyst (CLA) which is a Microsoft Management Console (MMC) snap-in that lets you analyze the Security logs of the systems in your domain. CLA has prebuilt reports that provide useful views of security activity, but you can design custom reports. To install CLA, run \apps\loganalyst\setup.exe on the CD-ROM. This creates a shortcut in Administrative Tools.

Using CLA is a three-step process.

• Tell CLA which event logs to analyze. To test CLA, copy the local system's current event log by right-clicking Logs to be Analyzed and selecting Cut Live Local Event Log. To run reports on the merged activity of multiple systems, use Event Viewer to save each system's event log to an .evt file. After saving the logs, add them to CLA by selecting Add Event Log File from the Logs to be Analyzed context menu.
• To import selected logs into CLA's native format, select Analyze from the Logs to be Analyzed context menu.
• Select and generate the desired report from the Report Templates folder.

After the Resource Kits, the Admin Companions are next most useful books from Microsoft.