Introduction

Event logs provide a standard way for the operating system, services, and applications to record important actions (e.g., application failures), report status messages, keep track of security events, and log boot-up messages. In this way, event logs are similar to the syslog facility on UNIX and Linux platforms. They can be an extremely useful resource when you need to troubleshoot specific issues and are often the first place we look when trying to diagnose a problem. In fact, it is good to periodically check your event logs to find any application or system components that are failing without your knowledge.

In addition to the event logs, Windows XP also has several log files that you can use to monitor and troubleshoot specific problems. The last few recipes we cover in this chapter describe how to enable some of the more important log files and in what situations you might want to use them.

Using a Graphical User Interface

There are two graphical tools that you should be familiar with for querying and viewing event log messages. Event Viewer (eventvwr.msc) has been around since the early days of Windows NT and is provided out of the box under Administrative Tools. It is a simple MMC snap-in that lets you view and filter messages in the event logs. You can also view the event logs on a remote machine with it, but depending on the size of the logs on the remote system and the network connection in between, this can be a painfully slow process.

As part of the Windows Server 2003 Resource Kit, Microsoft made the Event Comb utility (eventcombmt.exe) publicly available. Event Comb is a powerful utility that lets you search the event logs across multiple systems at once. With it, you can restrict your search by event ID, source, type, log, and event description. Event Comb is multi-threaded, so it can run against multiple machines simultaneously and you can configure the number of threads that can run at once.

Using a Command-Line Interface

The event log command-line tools available for Windows 2000 are pretty limited in functionality. With Windows XP, three new tools were added to the default installation that provide many more features: searching for events (eventquery.vbs), creating events (eventcreate.exe), and configuring event triggers (eventtriggers.exe). You can see examples of these tools in action in Recipe 16.1, Recipe 16.2, and Recipe 16.13.

Using the Registry

Each event log is represented in the Registry with a subkey under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

The name of each subkey is the same as the name of the event log (e.g., Application). The values under this subkey control settings such as the maximum size of the event log (Recipe 16.5), retention policy (Recipe 16.6), event log file location, and access control restrictions (Recipe 16.8).

Using Group Policy

The Group Policy settings that you can configure for event logs are available in the following location:

\Computer Configuration\Windows Settings\Security Settings\Event Log

Here you can configure the same settings as we just described with the Registry.

Using Downloadable Software

There are two downloadable tools that we use in this chapter. The first one comes from Sysinternals (http://www.sysinternals.com) and is named psloglist.exe. It is a command-line tool that is part of the PS Toolset. It allows you to query and enumerate events in an event log locally or on a remote machine (see Recipe 16.2 for an example).

The second downloadable tool we use comes from the Microsoft download website (http://download.microsoft.com). The nlparse.exe utility is part of the Account Lockout and Management Tools. It allows you to extract certain events from a netlogon.log file (see Recipe 16.17 for more information).

Using VBScript

There are two WMI classes that we use throughout this chapter. The Win32_NTLogEvent class represents individual event log messages, and Win32_NTEventlogFile represents the underlying file that contains event log messages. These two classes provide most of the functionality you'll need to retrieve, search, and configure event logs, except for one thing: neither class supports the ability to create event log messages. In Recipe 16.1, we show how to do this using the Windows Scripting Host LogEvent method.
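The following script is an added example and is not one of the book's recipes. It shows the three operations described above in one place: inventorying log files with Win32_NTEventlogFile, searching one log with Win32_NTLogEvent, and creating an event with the WSH LogEvent method. It assumes the local machine (strComputer = ".") and that the caller has rights to read the logs.

```vbscript
' Added example (not from the Windows XP Cookbook): inventory the event log
' files with Win32_NTEventlogFile, list Error events from the Application log
' with Win32_NTLogEvent, then write a marker event with the WSH LogEvent
' method, which neither WMI class can do.
Option Explicit

Dim strComputer, objWMI, colFiles, objFile, colEvents, objEvent
Dim intShown, objShell, strQuery

strComputer = "."   ' assumption: local machine; a hostname works for remote queries

' The (Security) privilege is only needed if you later query the Security log.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' 1. Inventory: size, record count and retention policy of every log file.
Set colFiles = objWMI.ExecQuery("SELECT * FROM Win32_NTEventlogFile")
For Each objFile In colFiles
    WScript.Echo objFile.LogfileName & ": " & objFile.NumberOfRecords & " records, " _
        & objFile.FileSize & " of " & objFile.MaxFileSize & " bytes, " _
        & "overwrite policy = " & objFile.OverwritePolicy
Next

' 2. Search: Error events (EventType = 1) in the Application log. Always filter
'    on Logfile; an unfiltered Win32_NTLogEvent query walks every log and is slow.
strQuery = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Application' AND EventType=1"
Set colEvents = objWMI.ExecQuery(strQuery)
intShown = 0
For Each objEvent In colEvents
    ' Message can be Null for events whose message DLL is missing; & tolerates that.
    WScript.Echo objEvent.TimeGenerated & "  " & objEvent.SourceName _
        & "  ID " & objEvent.EventCode & vbCrLf & "    " & Left(objEvent.Message, 120)
    intShown = intShown + 1
    If intShown >= 10 Then Exit For   ' cap the output at ten events
Next

' 3. Create: write an Information event (type 4) to the Application log.
Set objShell = CreateObject("WScript.Shell")
objShell.LogEvent 4, "Event log inventory script completed on " & strComputer
```

Run it with cscript so the Echo output goes to the console rather than to message boxes.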

Windows XP Cookbook
ISBN: 0596007256
Year: 2006