Chapter 12: Logging and Alerting

Previous page
Table of content
Next page

In Brief

The purpose of logging is to record the status of an operation generated by the system or an application. Along with many scripts and applications, Windows 2000/XP/2003 has a built-in method to log events and errors. Managing event logs across an enterprise can become an involved process. Third-party utilities such as Dorian Software's Event Archiver allow you to read, write, modify, and archive event logs and entries. Although these utilities are available at a modest price, this chapter will show you how to access and control the event log through simple scripts, for free.

Logs provide a good method of recording events, but they are only as good as the time and frequency with which you check them. Alerting is the method of notifying a user when an event occurs. In this chapter, you will learn the various methods to create alerts to keep you informed of the many events that occur in your environment.

Inside The Event Log

Windows 2000/XP/2003 includes a built-in event-logging system known as the event log. Before an interaction with the event log is performed, a request is sent to the Service Control Manager (SCM). SCM is controlled by %WINDIR% \System32\SERVICES.EXE. When the system first boots up, the event log service is started and the event log files are opened. Once the service receives the request, it processes it by storing or modifying an event in the proper event log.

Types of Logs

The event log is divided into three categories:

  • Application Log (AppEvent.Evt) ”Stores application and system events, such as application errors

  • Security Log (SecEvent.Evt) ”Stores audited security events, such as clearing the event log

  • System Log (SysEvent.Evt) ”Stores operating-system- related events, such as creating a new user

These logs are stored in a proprietary binary format and reside in the %WINDIR% \System32\Config directory. Although all users can view the application and system logs, only administrators can view and clear the security event log.

Note  

The event log files cannot merely be copied and opened on another system. When the system opens the event logs, it modifies the file headers and doesn't reset the header until the file is closed. To copy the event log, use the Save Log As option from the File menu of the Event Viewer.

The Event Viewer

The Event Viewer is a built-in Windows 2000/XP/2003 tool to easily view the three separate event log files (see Figure 12.1). The Event Viewer executable (EVENTVWR.EXE) resides in the %WINDIR% \System32 directory. To start the Event Viewer, open Administrative Tools and run the Event Viewer. From within the Event Viewer, you can view, delete, archive, or import an entire event log or entry. The most common use of the event log is to troubleshoot system errors, such as service failures.

click to expand
Figure 12.1: The Windows 2000 Event viewer.
Note  

The executable called EVENTVWR.EXE is actually just a pointer to the MMC snap-in EVENTVWR.MSC.

Event Log Entries

Event log entries consist of an event ID that categorizes the type of event, and an event description that is the actual error or event text. The event type specifies the following classification of recorded events:

  • Error ”Indicates critical errors and corruption of data

  • Failure Audit ”Combined with auditing, indicates a failed security event, such as a bad password

  • Information ”Indicates a successful operation, such as a successful driver load

  • Success Audit ”Combined with auditing, indicates a successful security event, such as a successful logon

  • Warning ”Indicates a non-critical warning, such as a failed attempt to obtain a browse list

Other items logged with each event are:

  • Computer ”The name of the target computer

  • Date ”Date the event was written

  • Source Type ”The source of the event

  • Time ”Time the event was written

  • User Name ”The currently logged-on user

Event Log Etiquette

The event log is a logging system that stores critical and important system and application events. The original intent of this log system was only for the system and applications to write events. Some systems might be set up to overwrite events or to crash the system when the event log is full. Storing routine messages like "Logon script completed successfully" might overwrite critical events or cause a system to crash because the event log is full.

Understanding NetBIOS

Logging provides a method to record events, and alerting provides a method to send event messages to users. A common method of sending messages over a network is to use Network Basic Input Output System (NetBIOS). NetBIOS is a non-routable interface that allows various types of computers to communicate over the local area network (LAN). NetBIOS was created by IBM and Sytek during the mid-1980s and has since become an industry standard for network communication. Microsoft Windows currently implements NetBIOS on the following protocols: NetBIOS Enhanced User Interface (NetBEUI), Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), and Transmission Control Protocol/Internet Protocol (TCP/IP).

Note  

A common use of NetBIOS is the Network Neighborhood.

NetBIOS Communication Modes

NetBIOS contains two modes of communication: session or datagram. Session mode establishes a reliable channel between two systems, and uses error checking to ensure proper data transfer. Datagram mode is a one-way communication method that transmits small messages without error checking. This type of communication is commonly referred to as connectionless communication. A datagram is a container used to transmit data across a network.

Note  

The term datagram is interchangeable with the term packet .

Windows includes the ability to send command-line messages to other users or computers through NetBIOS using a utility called NET.EXE. These messages are sent in datagrams to other NetBIOS computer or user names. NetBIOS messages have a restricted size of 128 characters , whereas NetBIOS names are restricted to 15 characters (with a 16th hidden character used by the operating system).

Tip  

Windows 2000/XP/2003 monitors these messages through the Messenger Service. If the system experiences errors while transmitting or receiving NetBIOS messages, you should first check the Messenger Service.

Understanding MAPI

MAPI (Messaging Application Program Interface) is an interface that provides a standard method for applications to send email. MAPI includes a standard set of functions, such as logging on, creating new messages, and reading messages, that developers can call directly in their applications using C or C++. MAPI is a built-in part of Windows 2000/XP/2003. Simple MAPI is a slimmed-down version of MAPI that can be accessed using C, C++, Visual Basic, or Visual Basic for Applications (VBA).



Previous page
Table of content
Next page
Windows Admin Scripting Little Black Book
Windows Admin Scripting Little Black Book (Little Black Books (Paraglyph Press))
ISBN: 1933097108
EAN: 2147483647
Year: 2004
Pages: 89
Authors: Jesse M. Torres
BUY ON AMAZON
Absolute Beginner[ap]s Guide to Project Management
Professional Java Native Interfaces with SWT/JFace (Programmer to Programmer)
Managing Enterprise Systems with the Windows Script Host
Making Sense of Change Management: A Complete Guide to the Models, Tools and Techniques of Organizational Change
VBScript in a Nutshell, 2nd Edition
Understanding Digital Signal Processing (2nd Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy