Introduction


Event logs provide a standard way for the operating system, services, and applications to record important actions (e.g., an application failure), report status messages, keep track of security events, and log boot-up messages. In this way, event logs are similar to syslog on the Unix and Linux platforms. They can be an extremely useful resource when you need to troubleshoot specific issues and are often the first place I look when trying to diagnose a problem. As a proactive measure, scan the event logs on your servers frequently to identify any problems that are logged but may not have resulted in a failure caught by your monitoring software.

Using a Graphical User Interface

There are two graphical tools that you should be familiar with for querying and viewing event log messages. Event Viewer (eventvwr.msc) has been around since the days of Windows NT and is provided out of the box under Administrative Tools. It is a simple MMC snap-in that lets you view and filter messages in the available event logs. You can also view the event logs on a remote server with it, but depending on the log size on the remote server and your network connection, this can be a painfully slow process.

As part of the Windows Server 2003 Resource Kit, Microsoft made the Event Comb utility (eventcombmt.exe) publicly available. Event Comb is a powerful utility that lets you search the event logs across multiple servers at once. With it, you can restrict your search by event ID, source, type, log, and event description. Event Comb is multithreaded, so it can run against multiple servers simultaneously and you can configure the number of threads that can run at once.

Using a Command-Line Interface

The event log command-line tools available for Windows 2000 have limited functionality. In Windows Server 2003, three new tools were added that provide many more features for searching and creating events and configuring event triggers. Table 8-1 lists command-line tools used in this chapter.

Table 8-1. Command-line tools used in this chapter

Tool             Windows Server 2003            Windows 2000                  Recipes
---------------  -----------------------------  ----------------------------  ---------------
elogdmp          N/A                            Windows 2000 Resource Kit     8.9, 8.10
eventcreate      %SystemRoot%\System32          N/A                           8.1
eventquery.vbs   %SystemRoot%\System32          N/A                           8.2, 8.9, 8.10
eventtriggers    %SystemRoot%\System32          N/A                           8.13
logevent         N/A                            Windows 2000 Resource Kit     8.1
psloglist        Sysinternals                   Sysinternals                  8.2
reg              %SystemRoot%\System32          Windows 2000 Support Tools    8.3, 8.5, 8.6
wmic             %SystemRoot%\System32\wbem     N/A                           8.7, 8.11


Using VBScript

There are two WMI classes that I use throughout this chapter. The Win32_NTLogEvent class represents individual event log messages and Win32_NTEventlogFile represents the underlying file that contains event log messages. These two classes provide most of the functionality you'll need to retrieve, search, and configure event logs, except for one thing. Neither class supports the ability to create event log messages. In Recipe 8.1, I show how to do this using the Windows Scripting Host LogEvent method.
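The following script is an added example, not code from the book or from any of its recipes. It ties the three pieces of this paragraph together: it queries Win32_NTLogEvent for recent Error events in one log (the proactive scan recommended in the introduction), reads Win32_NTEventlogFile to report how close each log is to its size cap, and, because neither WMI class can write events, records a summary entry through the WScript.Shell LogEvent method. The server name, the log to scan, and the 24-hour look-back window are assumptions set as constants at the top.

```vbscript
' Added example; not code from the book. Scans one event log for recent
' Error events with Win32_NTLogEvent, reports each log file's size and cap
' with Win32_NTEventlogFile, then records a summary event with
' WScript.Shell.LogEvent (WMI itself cannot create events).
Option Explicit

Const SERVER     = "."        ' "." = local machine; a hostname scans that server instead (assumption)
Const LOG_NAME   = "System"   ' log to scan (assumption)
Const HOURS_BACK = 24         ' look-back window in hours (assumption)
Const EVENT_INFO = 4          ' LogEvent type codes: 0 success, 1 error, 2 warning, 4 information

Dim objWMI, objDT, objShell, objEvent, objLog
Dim colEvents, colLogs, strQuery, strCutoff, strMsg, intCount

' The (Security) privilege is only needed when LOG_NAME is "Security";
' requesting it is harmless for the other logs.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
                       & SERVER & "\root\cimv2")

' Win32_NTLogEvent.TimeWritten is a CIM_DATETIME string, so the cutoff must
' be expressed in that format. SWbemDateTime does the conversion.
Set objDT = CreateObject("WbemScripting.SWbemDateTime")
objDT.SetVarDate DateAdd("h", -HOURS_BACK, Now), True
strCutoff = objDT.Value

strQuery = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '" & LOG_NAME & "'" _
         & " AND Type = 'Error' AND TimeWritten >= '" & strCutoff & "'"
Set colEvents = objWMI.ExecQuery(strQuery)

intCount = 0
For Each objEvent In colEvents
    intCount = intCount + 1
    objDT.Value = objEvent.TimeWritten          ' convert back to a readable local time
    WScript.Echo objDT.GetVarDate(True) & "  " & objEvent.SourceName _
               & "  ID " & objEvent.EventCode
    ' Message is Null when the source's message DLL is not registered locally.
    If Not IsNull(objEvent.Message) Then
        WScript.Echo "    " & Replace(Trim(objEvent.Message), vbCrLf, " ")
    End If
Next
WScript.Echo intCount & " Error event(s) in " & LOG_NAME & " during the last " _
           & HOURS_BACK & " hour(s)"

' A log that has reached MaxFileSize with an overwrite policy silently loses
' its oldest records, so report size against cap for every log on the server.
Set colLogs = objWMI.ExecQuery("SELECT * FROM Win32_NTEventlogFile")
For Each objLog In colLogs
    WScript.Echo objLog.LogfileName & ": " & objLog.NumberOfRecords & " records, " _
               & objLog.FileSize & " of " & objLog.MaxFileSize & " bytes, policy " _
               & objLog.OverwritePolicy
Next

' Neither WMI class can create events; WScript.Shell.LogEvent writes an
' entry to the Application log under the source "WSH".
Set objShell = CreateObject("WScript.Shell")
strMsg = "Event log scan: " & intCount & " Error event(s) in " & LOG_NAME _
       & " on " & SERVER & " in the last " & HOURS_BACK & " hour(s)"
If Not objShell.LogEvent(EVENT_INFO, strMsg) Then
    WScript.Echo "Failed to write summary event"
End If
```

Run it with cscript so the output goes to the console rather than to a series of message boxes. The cutoff is built with SWbemDateTime instead of a hand-formatted string because the CIM_DATETIME layout includes a UTC offset field that is easy to get wrong; the same object is reused to turn each event's TimeWritten back into a local date for display.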



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net