The Event Viewer in Windows Server 2003, shown in Figure 16.3, is available in the Computer Management MMC or as a standalone MMC snap-in. This utility records information about various system occurrences. The Event Viewer is not only the first place you should look when you're having problems; you should also review it regularly to monitor normal server operations and events.

Figure 16.3. The Windows Server 2003 Event Viewer.

The Event Viewer is used to view event log files that are updated by the operating system and by the services and applications running on your server. Typically, an event is written to a log for any significant occurrence that a user or administrator should be aware of. Reading the contents of these logs helps you determine the status of your server and is the first step in diagnosing problems. As in previous versions of Windows, all servers have three log files: System, Security, and Application. Although these three logs have been carried over from previous versions of Windows, the Event Viewer has been expanded so that other components and third-party applications can use it as the global location for their logs. The logs that appear in your installation of Windows Server 2003 therefore vary with the components installed; for example, the DNS service maintains its own log in the Event Viewer. All Windows Server 2003 systems have at the very least the following three logs:
If the DNS service is installed on your server, the DNS log is also available. It records events related to the operation of the DNS service. If you're having name-resolution problems on your network, this is the first place to look. In addition, Active Directory domain controllers have the following logs:
Understanding the Event Logs

As mentioned earlier, event logs are useful not only for monitoring server operations but also as a first step in diagnosing a problem. It helps to become familiar with the events that occur on a normal day, because some warnings and errors recur routinely and are not an indication of a problem; an entry that is new, or that appears far more often than usual, is what deserves attention. The event logs contain five main types of events, ranging from informational messages that require no action to serious events, such as hardware or service failures, that require your immediate attention. As shown in Figure 16.4, each type of event is marked by its own icon, so you can quickly recognize the events that need attention.

Figure 16.4. The Windows Server 2003 Event Viewer, showing the icons for various types of events.

The five types of events and their related icons are as follows:
Each entry in the event log, regardless of type, contains the following information:
As shown in Figure 16.5, some events provide a URL that you can click. This URL links you to the Microsoft website, where any additional information available for your event is displayed. If you don't understand an error message and there is no URL, write down the event ID and its source (event IDs are unique only within a source). The event ID can be used to search the Microsoft Knowledge Base at http://support.microsoft.com. The Knowledge Base articles can sometimes be useful in figuring out a problem, or they can at least give you more information to work with.

Figure 16.5. Log entries aren't always as clear as this one, so you will sometimes be able to click a URL for more information.
Working with the Event Logs

Although the System and Application logs can be viewed by any user, the Security log is restricted by default to administrators: reading or clearing it requires the Manage auditing and security log user right, which only the Administrators group holds by default. To open and view an event log, perform the procedure outlined in Step by Step 16.2.
As you can see in Figure 16.6, an event is written to the System log when the event log service is started (event ID 6005 from the eventlog source). The event log service starts every time the server starts, so this entry gives you a good starting point when you want to look for errors that have occurred since the last system restart.

Figure 16.6. A System log event is recorded every time the server is started.
Viewing Logs on Another Computer

You can view the log files from a remote system on your network using the Connect to Another Computer command from the Event Viewer menu. This feature simplifies administrative tasks by allowing you to diagnose a system remotely via Event Viewer rather than requiring you to sit at that computer's keyboard. You must be a member of the Administrators group on the remote computer to view its event logs. To open and view an event log on a remote computer, perform the procedure outlined in Step by Step 16.3.
Configuring Log Properties

When you open a log in the Event Viewer, a snapshot of the log is displayed. Any new information written to the log while you are viewing it is not displayed until you click the Refresh icon on the toolbar. When you switch between logs, the view is refreshed automatically. Several configuration settings determine how much information can be stored in the event logs and how long the information is retained before it is overwritten. You can change the event log retention options through the Event Log Properties dialog box, shown in Figure 16.8, which you open by right-clicking the log and choosing Properties (or from the Action menu). Each log file has its own size and day-limit settings.

Figure 16.8. Changing the event log retention settings.
In addition to the setting for log size, three additional settings determine the retention properties of the logs:
Caution: Be Careful When Setting Retention Time If you are not careful when configuring your event log retention settings, you could configure your logs so that important events are missed. For example, if you set the overwrite period too short, or turn on Overwrite Events as Needed with too small a log size, events are overwritten as the log fills up; a burst of routine events, or a flood of failed logons during a password-guessing attack, can push out the entries you needed before you ever read them. Conversely, if you set the log size too small and then turn on Do Not Overwrite Events, no further events are recorded after the log fills up until you clear or enlarge it. The default settings restrict each log file to a maximum of 16,384KB. When that size is reached, the oldest events are overwritten by new events as needed. If you need to retain events for longer periods, increase the file size and the retention time, or archive the logs regularly. To configure the retention settings for an event log, perform the procedure outlined in Step by Step 16.4.
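The following simulation is an added example, not code from the book: it models the three retention settings named in the Event Log Properties dialog on a deliberately undersized log, so you can see which entries each policy discards. The log holds a fixed number of entries rather than kilobytes, and "overwrite events older than N days" is simplified to one overwrite per write; the scenario (a failed logon, a burst of routine events, a second failed logon a week later) is constructed.

```python
"""Simulate the three event log retention settings on a log that is too small.

Added example, not code from the book. The log is modelled as a fixed number
of entries rather than kilobytes, and "overwrite events older than N days"
is simplified to one overwrite per write; the policy names follow the
Event Log Properties dialog.
"""

OVERWRITE_AS_NEEDED = "Overwrite events as needed"
OVERWRITE_OLDER_THAN = "Overwrite events older than N days"
DO_NOT_OVERWRITE = "Do not overwrite events"
POLICIES = (OVERWRITE_AS_NEEDED, OVERWRITE_OLDER_THAN, DO_NOT_OVERWRITE)


def write_events(events, capacity, policy, days=7):
    """Write (day, label) entries in order into a log holding `capacity` entries.

    Returns (retained, lost). With OVERWRITE_AS_NEEDED a full log discards its
    oldest entry for every new one; with OVERWRITE_OLDER_THAN it does so only
    when the oldest entry is more than `days` old and otherwise drops the new
    event; with DO_NOT_OVERWRITE every new event is dropped once the log is
    full, until the log is cleared or enlarged.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    log, lost = [], []
    for day, label in events:
        if len(log) < capacity:
            log.append((day, label))
            continue
        oldest_day = log[0][0]
        may_overwrite = (policy == OVERWRITE_AS_NEEDED or
                         (policy == OVERWRITE_OLDER_THAN and day - oldest_day > days))
        if may_overwrite:
            lost.append(log.pop(0))      # oldest entry silently overwritten
            log.append((day, label))
        else:
            lost.append((day, label))    # new event never makes it into the log
    return log, lost


def labels(entries):
    """Just the labels of a list of (day, label) entries, in log order."""
    return [label for _day, label in entries]


# Constructed scenario: one failed logon you care about, then a burst of ten
# routine informational events the same day, then a second failed logon a
# week and a day later. The log holds only five entries.
SCENARIO = ([(1, "failure audit 529 (bad password)")] +
            [(1, f"information {i}") for i in range(10)] +
            [(9, "failure audit 529 (bad password)")])
CAPACITY = 5

if __name__ == "__main__":
    for policy in POLICIES:
        kept, lost = write_events(SCENARIO, CAPACITY, policy)
        print(f"{policy}: kept {labels(kept)}; lost {len(lost)} entries")
```

Run as written, Overwrite events as needed keeps only the tail of the burst and the day-1 failed logon is gone; Do not overwrite events keeps the day-1 logon but then refuses everything afterwards, including the day-9 failed logon; Overwrite events older than 7 days behaves like Do not overwrite until the day-9 write, which then overwrites the day-1 logon. Whichever policy you choose, an undersized log loses something, which is why the size and a regular archive matter more than the overwrite mode.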
Exam Alert: Event Log Defaults The event logs in Windows 2000 defaulted to 512KB and would overwrite events older than 7 days. The Windows Server 2003 defaults, however, are a much more practical 16,384KB and overwrite events only as needed. The change in size is a significant difference, and it's something you might see on the exam.

Clearing and Saving Logs

In addition to the retention settings, the Event Log Properties dialog box has an option to clear the log file. This option removes all entries from the selected log. The option is also available from the pop-up menu when you right-click a log in the Event Viewer MMC. When you clear a log, Event Viewer first offers to save it; archive the Security log before clearing it, because the clearing is itself recorded as an audit event (event ID 517, "The audit log was cleared") and nothing else remains of the entries you removed. To clear a log file from the Event Viewer MMC, perform the steps outlined in Step by Step 16.5.
As part of your regular maintenance, even if you have the logs set to overwrite as needed, you can manually archive them without clearing them. You can save a log by right-clicking it in Event Viewer and selecting Save Log File As. You can save logs in the native event log format (.evt) or in a format that other applications can use: tab-delimited text (.txt) or comma-delimited text (.csv). An EVT file can be loaded into another Event Viewer; the text formats can be opened in common word processing or spreadsheet programs.

Log Viewing Options

The default view of the Event Viewer displays the newest entry at the top. A handy feature of the Windows Server 2003 Event Viewer is its capability to sort the log on any of the columns displayed in the utility. For example, to sort the log by event ID, click the Event column heading; the entries are sorted in ascending or descending order, depending on whether you click the column heading once or twice (see Figure 16.9).

Figure 16.9. Click one of the column headings to sort the event files.

Filtering Events

By default, the Event Viewer shows the entire contents of the log file. This can be quite overwhelming, especially on a busy server, because most informational messages are irrelevant when you are searching for the cause of a problem. In these situations, you can use the Filter command from the View menu to quickly locate events of a certain type or pertaining to a particular source, category, user, computer, event ID, or date range. For example, you might want to see how many warnings have been recorded. To filter a log file from the Event Viewer MMC, perform the steps outlined in Step by Step 16.6.
The filtering options are very flexible; you can select either one or multiple filters to display only those entries that apply to the area you are working on. The available filters are as follows:
New Log View

As discussed in the previous section, sometimes a specific view of the logs makes it easier for you to do your job. Microsoft has supplied an option for the Event Viewer named New Log View. Using this option, you can customize a view of any of the logs, including filtering, size, and so on, and save it under another name. This allows you to customize your view of the event logs without affecting the default views or the logs themselves. A new view can be added for any log by highlighting the log, right-clicking it, and selecting New Log View from the pop-up menu. The new entry appears in Event Viewer and can be renamed and configured like any other log.

Finding Specific Events

There might be times when you must find a specific event, or series of events, that can't easily be grouped using filtering. For example, if you want to see how many and what types of disk errors have been occurring on your server, filtering might not find all of them: a filter matches only on the fixed fields (type, source, category, event ID, user, computer, and date), not on the text of the description. In cases like these, you can search the log using the same criteria available for filtering plus keywords. To search through the selected log by keyword, use the Find command from the View menu. As you can see in the Find dialog box shown in Figure 16.12, you have options similar to those used for filtering, plus the option to search for specific keywords in the Description field. The Find command does not accept a date range; instead, it searches backward or forward through the log from the current position and stops at one matching entry at a time. Click Find Next to move to the next match.

Figure 16.12. Select the desired Find options, and then click Find Next.
To find a specific log entry, perform the procedure outlined in Step by Step 16.7.
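The filter and find operations described in the preceding two sections can also be applied offline to a log you have saved in comma-delimited format, which is useful when the server itself is unavailable or you are reviewing archives from several machines. The following script is an added example, not code from the book. It assumes the CSV export has no header row and that its column order matches the Event Viewer display (Type, Date, Time, Source, Category, Event ID, User, Computer, Description), and it assumes dates in the U.S. m/d/yyyy 12-hour form; the seven sample entries are constructed (their descriptions shortened), not taken from a real server. The event IDs themselves are real Windows Server 2003 IDs: 6005 is the eventlog service start, 51 and 7 are the disk warning and error, 529 and 528 are failed and successful logons, and 517 is the Security log being cleared.

```python
"""Filter and search a Windows Server 2003 event log that was saved as CSV.

Added example, not code from the book. Assumptions: the export has no header
row, its column order matches the Event Viewer display (Type, Date, Time,
Source, Category, Event ID, User, Computer, Description), and dates are in
the U.S. m/d/yyyy h:mm:ss AM/PM form used in the sample below.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export (seven entries); the descriptions are shortened.
SAMPLE_CSV = r"""Information,5/18/2005,8:02:11 AM,eventlog,None,6005,N/A,SRV01,The Event log service was started.
Information,5/18/2005,8:02:11 AM,eventlog,None,6009,N/A,SRV01,Microsoft (R) Windows (R) 5.02. 3790 Service Pack 1 Uniprocessor Free.
Warning,5/18/2005,8:05:40 AM,Disk,None,51,N/A,SRV01,An error was detected on device \Device\Harddisk0\D during a paging operation.
Error,5/18/2005,8:07:03 AM,Disk,None,7,N/A,SRV01,"The device, \Device\Harddisk0\D, has a bad block."
Failure Audit,5/18/2005,9:15:22 AM,Security,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV01,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3
Success Audit,5/18/2005,9:15:30 AM,Security,Logon/Logoff,528,CORP\jsmith,SRV01,Successful Logon: User Name: jsmith Domain: CORP Logon Type: 3
Success Audit,5/18/2005,9:40:00 AM,Security,System Event,517,CORP\jsmith,SRV01,The audit log was cleared Primary User Name: jsmith
"""

COLUMNS = ("type", "date", "time", "source", "category", "event_id",
           "user", "computer", "description")


def parse_when(date, time):
    """Turn the export's Date and Time columns into a datetime (assumed m/d/yyyy, 12-hour clock)."""
    return datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")


def parse_export(text):
    """Return the export as a list of dicts, in file order."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(COLUMNS):
            continue                                  # blank or truncated line
        rec = dict(zip(COLUMNS, row))
        # An unquoted description containing commas spills into extra
        # columns; glue them back together.
        rec["description"] = ",".join(row[len(COLUMNS) - 1:])
        rec["event_id"] = int(rec["event_id"])
        rec["timestamp"] = parse_when(rec["date"], rec["time"])
        events.append(rec)
    return events


def filter_events(events, types=None, source=None, event_id=None, user=None,
                  computer=None, start=None, end=None):
    """Mirror the View > Filter dialog: every criterion given must match (AND)."""
    out = []
    for ev in events:
        if types is not None and ev["type"] not in types:
            continue
        if source is not None and ev["source"].lower() != source.lower():
            continue
        if event_id is not None and ev["event_id"] != event_id:
            continue
        if user is not None and ev["user"].lower() != user.lower():
            continue
        if computer is not None and ev["computer"].lower() != computer.lower():
            continue
        if start is not None and ev["timestamp"] < start:
            continue
        if end is not None and ev["timestamp"] > end:
            continue
        out.append(ev)
    return out


def find_events(events, keyword, types=None, source=None):
    """Mirror View > Find: case-insensitive substring match on the description,
    optionally narrowed by type and source as the Find dialog allows."""
    kw = keyword.lower()
    return [ev for ev in filter_events(events, types=types, source=source)
            if kw in ev["description"].lower()]


def count_by_type(events):
    """How many Information/Warning/Error/Success Audit/Failure Audit entries."""
    return Counter(ev["type"] for ev in events)


if __name__ == "__main__":
    evs = parse_export(SAMPLE_CSV)
    print(count_by_type(evs))
    # Find catches both disk events (a Warning and an Error) by keyword,
    # which a type filter alone would split across two views.
    for ev in find_events(evs, "Harddisk0"):
        print(ev["type"], ev["event_id"], ev["description"])
```

Keyword search is what makes the disk example from the text work: the two disk events have different types and IDs, so no single filter selects exactly them, but both mention the same device path in the description. The same parser lets you check an archived Security log for event 517 to see whether, and by whom, the log was cleared.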
Loading a Saved Event Log

In most high-security environments, archiving the Security log is required so that a record is maintained of previous security and auditing events. In addition, there might be situations where you archive other logs for error-tracking purposes. After a log is archived in EVT format, it can be opened in the Event Viewer on any Windows 2000, Windows XP, or Windows Server 2003 computer. Note that event descriptions are rendered from the message files of the applications and services installed on the computer where you view the log, so an entry from a source that is not installed there shows its event ID and data but no readable description. To load a saved log file, perform the procedure outlined in Step by Step 16.8.
Microsoft included a useful command-line tool in the Windows 2000 Resource Kit, called dumpel.exe, which filters the event logs for specific events using a variety of search criteria and, being a command-line tool, can be run from a scheduled task to dump a log to a text file. It was not included in the Windows Server 2003 Resource Kit, but it can still be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=c9c31b3d-c3a9-4a73-86a3-630a3c475c1a&DisplayLang=en.