Using the Event Logs


Objective:

Monitor and analyze events. Tools might include Event Viewer and System Monitor.

The Event Viewer in Windows Server 2003, shown in Figure 16.3, is available in the Computer Management MMC or as a standalone MMC snap-in. This Windows Server 2003 utility records information about various system occurrences. The Event Viewer is not only the first place to look when you're having problems; you should also review it regularly to monitor normal server operations and events.

Figure 16.3. The Windows Server 2003 Event Viewer.


The Event Viewer is used to view event log files that are updated by the operating system and various services and applications running on your server. Typically, events are written to the logs for any significant occurrence that a user or administrator should be aware of. Reading the contents of these log files can assist you in determining the status of your server and as a first step in diagnosing problems.

As in previous versions of Windows, all servers have the following three log files: System, Security, and Application. Although these three logs have been carried over from previous versions of Windows, the Event Viewer has been expanded to allow other components or third-party applications to use it as the global location for log files. The logs that appear in your installation of Windows Server 2003 vary depending on the components installed. For example, the Domain Name Service maintains its own log in the Event Viewer. All Windows Server 2003 systems have at the very least the following three logs:

  • System log This file records events related to system operation, most often associated with device drivers and services such as DHCP and WINS. Most of the information here relates to the stopping and starting of services or the failure of a system component.

  • Application log This file records events related to applications, programs, and utilities, usually not native Windows Server 2003 components. Examples are database programs, email servers, and print messages. The information that is recorded here is determined by the application developer, and it usually consists of informational messages, errors, or warnings. This log is also used to store the alerts generated by the Performance Logs and Alerts tool.

  • Security log This file records events related to security and auditing. Typical events include valid or invalid logon attempts and the accessing of resources such as the opening, reading, or deleting of a file or folder. The types of events recorded in this log can be configured via the audit policy. In previous versions of Windows, the security log would not record any information until an audit policy was enabled. In Windows 2003, security logging is enabled by default.

If the DNS service is installed on your server, the DNS log is also available. It records events related to the operation of the DNS service. If you're having name-resolution problems on your network, this is the first place to look.

In addition, Active Directory domain controllers have the following logs:

  • Directory Service log This file records events related to the operation of the Active Directory service. Typical events in this log are related to communication between domain controllers and Global Catalog servers.

  • File Replication Service log This file records events related to replication of SYSVOL and of DFS trees, as well as events from any other application that uses FRS.

Understanding the Event Logs

As mentioned earlier, event logs can be very useful, not only for monitoring server operations but also as a first step in diagnosing a problem. It is helpful to become familiar with the normal events that occur on a daily basis because some errors normally reoccur and are not an indication of a problem.

The event logs contain five main types of events that range from informational messages that do not require any action to serious events, such as hardware or service failures, that require your immediate attention. As shown in Figure 16.4, each type of event is visually cued by an icon. This allows you to quickly recognize events that require your attention.

Figure 16.4. The Windows Server 2003 Event Viewer, showing the icons for various types of events.


The five types of events and their related icons are as follows:

  • Error events These are displayed as an X in a red circle. An error event is usually serious and can lead to data loss or a loss of functionality. Typical examples of error events are services that have stopped or failed to load on system startup and disk read or write failures.

  • Warning events These are displayed as an exclamation point on a yellow triangle. A warning event is usually not critical but indicates that you might have to take action in the future. Typical examples of warning events are low disk space conditions or failures in synchronization of the time service.

  • Information events These are displayed as a lowercase i on a bubble. Most information events are just to let you know that a task has been completed successfully. For example, when a service is started, it might write an information event to the log. Although the majority of informational events are benign, if you have Alert Logging turned on, that service writes an information message to the log when an alert has been triggered, which is a condition that requires follow-up.

  • Success audits These are displayed as a key icon. Successfully logging on to the server or accessing an audited resource are examples of things that would generate a success audit event.

  • Failure audits These are displayed as a padlock icon. If a user tries and fails to log on to a server or access an audited resource that he or she has not been granted access to, a failure audit event is generated.

Each entry in the event log, regardless of type, contains the following information:

  • A description of the event (usually, but not always)

  • The date and time that the event was logged

  • The type of event (one of the five types we discussed earlier)

  • The source of the event, usually the service, component, or application that posted the event to the log

  • The username, either the user ID of the logged-on user for a security event or the process name for system events

  • The name of the server where the event occurred

  • The category of the event, which is typically used only in the Security log for events such as logon/logoff, object access, and policy changes

  • The event ID, a number that identifies the event type and can be used to aid in troubleshooting server problems

As shown in Figure 16.5, some events provide a URL that you can click. This URL links you to the Microsoft website. If there is more information available for your event, it is displayed. If you don't understand an error message and there is no URL, write down the event ID. The event ID can be used to perform a search using the Microsoft Knowledge Base at http://support.microsoft.com. The articles in the Knowledge Base can sometimes be useful in figuring out a problem, or they can at least give you more information to work with.

Figure 16.5. Log entries aren't always as clear as this one, so you will sometimes be able to click a URL for more information.


EventID.net

EventID.net is a third-party website that collects definitions for most of the common events. Basic searches and information are free. This site also provides troubleshooting information and extra documentation for subscribers. This is a good reference if you can't locate any useful information on an event in the Microsoft Knowledge Base. The site is accessible at www.eventid.net.


Working with the Event Logs

Although the System and Application logs can be viewed by anyone, the Security log is restricted to administrators. To open and view an event log, perform the procedure outlined in Step by Step 16.2.

Step by Step

16.2 Opening the Event Viewer and viewing the System log

1. Click Start, All Programs, Administrative Tools, Event Viewer.

2. In the left pane of the Event Viewer MMC, click the entry for the System log.

3. Find an event with a source of EventLog and an Event ID of 6005. Double-click the entry to open it.

As you can see in Figure 16.6, an event is written to the System log when the event log service is started. The event log service is started every time the server is started, so that gives you a good starting point when you want to look for errors that have occurred since the last system restart.

Figure 16.6. A System log event is recorded every time the server is started.


Viewing Logs on Another Computer

You can view the log files from a remote system on your network using the Connect to Another Computer command from the Event Viewer menu. This feature simplifies administrative tasks by allowing you to diagnose a system remotely via Event Viewer rather than requiring you to sit at that computer's keyboard. You must be a member of the Administrators group on the remote computer to view its event logs.

To open and view an event log on a remote computer, perform the procedure outlined in Step by Step 16.3.

Step by Step

16.3 Opening the Event Viewer on a remote computer

1. From the Start menu, click Start, All Programs, Administrative Tools, Event Viewer.

2. In the left pane of the Event Viewer MMC, right-click the Event Viewer (Local) entry. Select Connect to Another Computer from the pop-up menu.

3. From the Select Computer dialog box shown in Figure 16.7, you can either enter the name of the remote computer (without the leading \\) or click the Browse button to locate it on your network if you're not sure of the computer name. Click the Browse button to continue.

Figure 16.7. Remember to enter the computer name without the leading backslashes.

4. From the next Select Computer dialog box, click the Advanced button.

5. From the Select Computer dialog box, click the Locations button to select the domain to browse. Then click the Find Now button to search for computers.

6. Select a computer and then click OK twice to connect.

Configuring Log Properties

When you open a log in the Event Viewer, a snapshot of the log is displayed. Any new information that is written to the log as you are viewing it is not displayed until you click the Refresh icon on the toolbar. When you switch between logs, the view is refreshed automatically.

Several configuration settings determine how much information can be stored in the event logs and how long the information is retained before it is overwritten. You can change the event log retention options through the Event Log Properties dialog box, shown in Figure 16.8, accessed from the Log menu. Each log file has its own size and day limit settings.

Figure 16.8. Changing the event log retention settings.


In addition to the setting for log size, three additional settings determine the retention properties of the logs:

  • Overwrite Events As Needed When the log is full, new events overwrite the oldest events.

  • Overwrite Events Older Than X Days This prevents the information in the logs from being overwritten until the specified time has elapsed. If the log becomes full, no events are recorded until there are events older than the specified period.

  • Do Not Overwrite Events This option prevents the logs from ever being overwritten, even if they become full. It should be used only if you clear or archive the logs on a regular basis. This option is typically used for the Security logs on highly secure networks, where access records must be maintained indefinitely. If you choose it, also increase the maximum size of the log file so that the server does not stop functioning when a log that is set never to overwrite older events reaches its maximum size.

Caution: Be Careful When Setting Retention Time

If you are not careful when configuring your event log retention settings, you could configure your logs so that important events are missed. For example, if you set the overwrite period too short, or turn on Overwrite Events As Needed with too small a log size, events will be overwritten as the log fills up. In addition, if you set the log size too small and then turn on Do Not Overwrite Events, no events will be logged after the log fills up.


The default settings for the logs restrict each log file to a maximum of 16,384KB. When the fixed file size is reached, the oldest events are overwritten by new events, as needed. If you need to retain events for longer time periods, you should increase the file size and the retention time.

To configure the retention settings for an event log, perform the procedure outlined in Step by Step 16.4.

Step by Step

16.4 Configuring the event log retention settings

1. From the Start menu, click Start, All Programs, Administrative Tools, Event Viewer.

2. In the left pane of the Event Viewer MMC, right-click the desired event log. From the pop-up menu, select Properties.

3. From the Application Log Properties dialog box shown in Figure 16.8, you can adjust the log size, set the retention time, or clear the log manually. After making the desired changes, click the OK button to save.

Exam Alert: Event Log Defaults

The event logs in Windows 2000 defaulted to 512KB and would overwrite events older than 7 days. The Windows Server 2003 defaults, however, are a much more practical 16,384KB and overwrite events only as needed. The change in size is a significant difference, and it's something you might see on the exam.


Clearing and Saving Logs

In addition to the retention settings, the Event Log Properties dialog box has an option to clear the log files. This option allows you to clear all entries from the selected log file. The option is also available from the pop-up menu when you right-click a log file in the Event Viewer MMC.

To clear a log file from the Event Viewer MMC, perform the steps outlined in Step by Step 16.5.

Step by Step

16.5 Clearing an event log

1. From the Start menu, click Start, All Programs, Administrative Tools, Event Viewer.

2. In the left pane of the Event Viewer MMC, right-click the desired event log. From the pop-up menu, select Clear All Events.

3. After you elect to clear events, a confirmation dialog box appears asking whether you want to save the log before it is cleared. Click Yes to keep a copy.

4. From the Save Log As dialog box, specify a name and location for the saved log, and then click the Save button.

As part of your regular maintenance, even if you have the logs set to overwrite as needed, you can manually archive them without clearing them. You can save the logs by right-clicking a log file entry in Event Viewer and selecting Save Log File As. You can save logs to an event file (.evt) or in a format that can be used with other applications (.txt). You can load the EVT file type into another Event Viewer. The log's TXT file can be saved in either standard monospace-columned or comma-delimited format. These formats can be used in common word processing or spreadsheet programs.

Log Viewing Options

The default view of the Event Viewer is to display the newest entry at the top. A handy feature of the Windows Server 2003 Event Viewer is its capability to sort the logs based on the columns displayed in the utility. For example, to sort the logs based on event ID, click the Event column heading, and the information is sorted in either ascending or descending order, depending on whether you click the column heading once or twice (see Figure 16.9).

Figure 16.9. Click one of the column headings to sort the event files.


Filtering Events

By default, the Event Viewer shows the entire contents of the log file. This can be quite overwhelming, especially on a busy server, because a lot of informational messages are usually irrelevant when you are searching for the cause of a problem.

In these situations, you can use the Filter command from the View menu to quickly locate events of a certain type or pertaining to a particular source, category, user, computer, event ID, or date range. For example, you might want to see how many warnings have been recorded.

To filter a log file from the Event Viewer MMC, perform the steps outlined in Step by Step 16.6.

Step by Step

16.6 Filtering an event log

1. From the Start menu, click Start, All Programs, Administrative Tools, Event Viewer.

2. In the left pane of the Event Viewer MMC, right-click the desired event log. From the system menu, select View, Filter.

3. After you select Filter, the Properties dialog box shown in Figure 16.10 appears.

Figure 16.10. Select the desired filtering options, and then click OK.

4. From the Event Log Properties dialog box shown in Figure 16.10, deselect all the event types, except for Warning, and then click OK. The results after filtering are shown in Figure 16.11.

Figure 16.11. The log file after filtering.

5. To return to the default view that shows all events, from the system menu select View, All Records.

The filtering options are very flexible; you can select either one or multiple filters to display only those entries that apply to the area you are working on.

The available filters are as follows:

  • Event Types This allows you to filter based on the type of events. For example, you might want to just see events that relate to a problem, such as warnings or errors. If you're working with Security logs, you would be more interested in success or failure audits, such as multiple failed logons, which might indicate an intrusion attempt.

  • Event Source This option allows you to filter events from a specific source, such as a driver, system component, or service.

  • Category This option allows you to filter events from a specific category. This filter is mostly useful with the Security log because it uses the category field more than the other logs do. This allows you to quickly filter the user logon type events from resource access and system events. Typical categories for the Security log are Account Logon, Logon/Logoff, System Event, and Policy Change.

  • Event ID Filters the log to display only a single event ID.

  • User Filters the log to show events that are associated with a particular user. Not all events have a user entry.

  • Computer Filters the log to show events that are associated with a particular computer. Because the initial release of Windows Server 2003 lets you display the log from only one computer at a time, this option is not commonly used.

  • From and To Filters the log to show only events that are included in the specified time/date range.

New Log View

As discussed in the previous section, sometimes a specific view of the logs makes it easier for you to do your job. Microsoft has supplied an option for the Event Viewer named New Log View. Using this option, you can customize a view of any of the logs, including filtering, size, and so on. You can then save this view under another name. This allows you to customize your view of the event logs without affecting the default views or the logs themselves.

A new view can be added for any log by highlighting the log and then right-clicking it. From the pop-up menu, select New Log View. The new log entry will appear in Event Viewer and can be renamed and configured like any other log.

Finding Specific Events

There might be times when you must find a specific event, or series of events, that can't be easily grouped using filtering. For example, if you want to see how many and what types of disk errors have been occurring on your server, filtering might not find all the events you are searching for because of the specific nature of filters. In cases like these, it is useful to search the logs using the options available for filtering with the added ability to search using keywords.

To search the contents of the selected log for an event by keyword, use the Find command from the View menu. As you can see in the Find dialog box shown in Figure 16.12, the options are similar to those you used for filtering, with the addition of a search for specific keywords in the Description field. The Find command does not let you specify a date range, but it does let you search backward or forward through the log. It displays a single matching entry at a time; use the Find Next button to move to the next one.

Figure 16.12. Select the desired Find options, and then click Find Next.


To find a specific log entry, perform the procedure outlined in Step by Step 16.7.

Step by Step

16.7 Finding an event

1. From the Start menu, click Start, All Programs, Administrative Tools, Event Viewer.

2. In the left pane of the Event Viewer MMC, right-click the desired event log. From the system menu, select View, Find.

3. After you select Find, the Find dialog box shown in Figure 16.12 appears.

4. From the Find dialog box shown in Figure 16.12, deselect all the event types except for Failure Audit, and then click OK.

5. The first log entry that matches the Find criteria is highlighted. You can double-click the entry to display it, or you can click Find Next to move to the next matching entry.
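The following Python script is an added example, not code from the book: it applies the Filter criteria and the Find keyword search described above to a log that was saved in comma-delimited format with Save Log File As, and uses the EventLog 6005 entry from Step by Step 16.2 to narrow a search to events recorded since the last restart. It assumes the export columns are Date, Time, Type, Source, Category, Event, User, Computer, Description with US-style timestamps; the sample log lines are constructed for the demo.

```python
import csv
from collections import namedtuple
from datetime import datetime
from typing import Iterable, List

# Assumed column order of the export (it has no header row; verify against your own file).
COLUMNS = ("date", "time", "type", "source", "category", "event_id", "user", "computer")
TIMESTAMP_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumed US-locale date and time format

Event = namedtuple("Event", "logged type source category event_id user computer description")

# Constructed sample export for the demo; IDs and text are illustrative, not a real log.
SAMPLE_EXPORT = """\
5/12/2006,8:01:10 AM,Information,eventlog,None,6005,N/A,SRV01,The Event log service was started.
5/12/2006,8:03:44 AM,Error,Disk,None,7,N/A,SRV01,The device has a bad block.
5/12/2006,9:15:02 AM,Failure Audit,Security,Logon/Logoff,529,SYSTEM,SRV01,Logon Failure: Unknown user name or bad password.
5/12/2006,9:15:09 AM,Failure Audit,Security,Logon/Logoff,529,SYSTEM,SRV01,Logon Failure: Unknown user name or bad password.
5/12/2006,9:20:00 AM,Warning,W32Time,None,36,N/A,SRV01,The time service has not synchronized the system time.
5/13/2006,7:55:30 AM,Information,eventlog,None,6005,N/A,SRV01,The Event log service was started.
5/13/2006,8:10:12 AM,Error,Disk,None,11,N/A,SRV01,The driver detected a controller error.
"""

def parse_export(text: str) -> List[Event]:
    """Parse the comma-delimited text written by Save Log File As."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) <= len(COLUMNS):
            continue  # blank or truncated line
        f = dict(zip(COLUMNS, row))
        events.append(Event(
            logged=datetime.strptime(f["date"] + " " + f["time"], TIMESTAMP_FORMAT),
            type=f["type"], source=f["source"], category=f["category"],
            event_id=int(f["event_id"]), user=f["user"], computer=f["computer"],
            description=",".join(row[len(COLUMNS):])))  # a description may contain commas
    return events

def filter_events(events: Iterable[Event], types=None, source=None, category=None,
                  event_id=None, user=None, computer=None, start=None, end=None) -> List[Event]:
    """Apply the same criteria as the View, Filter dialog; None means 'any'."""
    def matches(e: Event) -> bool:
        return all((
            types is None or e.type in types,
            source is None or e.source.lower() == source.lower(),
            category is None or e.category == category,
            event_id is None or e.event_id == event_id,
            user is None or e.user == user,
            computer is None or e.computer == computer,
            start is None or e.logged >= start,
            end is None or e.logged <= end,
        ))
    return [e for e in events if matches(e)]

def find_events(events: Iterable[Event], keyword: str, **criteria) -> List[Event]:
    """Mirror View, Find: the Filter criteria (minus the date range) plus a
    case-insensitive keyword match against the Description field."""
    needle = keyword.lower()
    return [e for e in filter_events(events, **criteria) if needle in e.description.lower()]

def since_last_restart(events: Iterable[Event]) -> List[Event]:
    """Events from the most recent EventLog 6005 (event log service started) onward,
    which is everything recorded since the last system restart."""
    events = list(events)
    boots = [e.logged for e in events if e.source.lower() == "eventlog" and e.event_id == 6005]
    return [e for e in events if e.logged >= max(boots)] if boots else events

if __name__ == "__main__":
    log = parse_export(SAMPLE_EXPORT)
    print("failed logons:", len(filter_events(log, types={"Failure Audit"}, category="Logon/Logoff")))
    print("errors since restart:", [e.event_id for e in filter_events(since_last_restart(log), types={"Error"})])
```

Repeated Failure Audit entries with the same event ID in a short window are the "multiple failed logons" pattern the Event Types filter is meant to surface; combining it with a From/To range narrows the review to the period in question.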

Loading a Saved Event Log

In most high-security environments, archiving the Security log is required. This is so that a record is maintained of previous security and auditing events. In addition, there might be situations where you will archive other logs for error-tracking purposes. After a log is archived, it can be imported into the Event Viewer on any Windows 2000/2003/XP computer.

To load a saved log file, perform the procedure outlined in Step by Step 16.8.

Step by Step

16.8 Loading a saved event log

1. From the Start menu, click Start, All Programs, Administrative Tools, Event Viewer.

2. In the left pane of the Event Viewer MMC, right-click Event Viewer (Local). From the pop-up menu, select Open Log File.

3. In the Open dialog box shown in Figure 16.13, select the file to open. Saved event logs have the .evt filename extension.

Figure 16.13. Select the saved event log that you want to view. Make sure that you specify the log type.

4. Click Open to load the saved log file. As you can see in Figure 16.14, the saved file is added as an additional entry in the Event Viewer.

Figure 16.14. The log file is displayed as an additional entry. It does not replace the existing logs.


Third-Party Solutions

Event Viewer can record a significant amount of useful, if not vital, information, but extracting or even locating the data within the log files can be a daunting task. You may want to invest in an event-consolidation and event-reporting utility that can automatically and semi-intelligently scan Event Viewer. These tools look for patterns of failure, intrusion, or degradation of the system and then report the findings to you in a concise format.


Microsoft included a useful tool in the Windows 2000 Resource Kit, called dumpel.exe, which filters the event logs for specific events using a variety of search criteria. For some reason, it was left out of the Windows 2003 Resource Kit. However, it can still be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=c9c31b3d-c3a9-4a73-86a3-630a3c475c1a&DisplayLang=en.




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales
