Monitoring System Activities with Event Viewer


To Windows 2000, an event is any occurrence that's potentially noteworthy—to you, to other users, to the operating system, or to an application. Event Viewer is the operating system's means of telling you about these events. It functions as a combination report card and status report by storing lists of events in log files that you can review, archive, or transfer to a database or spreadsheet for analysis.

Windows 2000 recognizes three broad categories of events: system events, security events, and application events. Events of each type are recorded in separate log files.

System events are generated by Windows 2000 itself and by installed components, such as services and devices. They are recorded in a file called the system log. Windows 2000 classifies system events according to their severity as either errors, warnings, or information events, as follows:

  • Errors are system events that represent possible loss of data or functionality. Examples of errors include events related to network contention or a malfunctioning network card, and loss of functionality caused by a device or service that doesn't load at startup.
  • Warnings are system events that represent less significant or less immediate problems than errors. Examples of warning events include a nearly full disk, a timeout by the network redirector, and data errors on a backup tape.
  • Information events are all other system events that Windows 2000 logs. Examples of information events include someone using a printer connected to your computer, or the successful loading of a database program.

Security events are generated by Windows 2000 when an activity you choose to audit succeeds (a success audit) or fails (a failure audit). Security events are recorded in a file called the security log. They include file-related events, such as attempts to access files or change permissions (NTFS volumes only), and other security-related events, such as logon/logoff events and changes to security policies. By default, Windows 2000 auditing is turned off, so you will likely see no events in the security log. To enable event auditing, open Local Security Policy from Administrative Tools in Control Panel. In the left pane, open Local Policies and select Audit Policy. In the right pane, right-click each event type you want to audit, and then select Success, Failure, or both Success and Failure in the ensuing dialog box.

Application events are generated by applications and are recorded in a file called the application log. The application developer determines which events to monitor, and how those events will be recorded in the application log. Windows 2000 Backup, for example, records an application event whenever you erase a tape or run a backup.

The importance of a Windows 2000 log depends on your situation. If you work in a security-conscious environment, or one in which users freely access resources on each other's machines, you'll find the event logs useful in helping you keep track of who, what, when, and where. If you don't care about such details, the security log will probably be of little interest to you, but the system log can still be helpful in diagnosing performance problems and hardware errors, and the application log can give you insight into how certain applications are working. Only applications designed to record their "thoughts" in the application log will appear there, but those that are so designed provide an obvious benefit—to you, your technical support person, and even the developer—for identifying and resolving problems that may arise.

If your computer is set up to share files or a printer with other users, checking the system log for print jobs and the security log for logon/logoff access will give you a feel for how and when your computer's resources are being used. Although the information might simply make you feel more in control of your system, you might also find patterns that help you determine better ways to manage it.

Viewing a Log

You can easily see what a log looks like even if you never before thought of monitoring your system. To view a log, open Event Viewer:

  1. Open the Start menu and choose Settings, Control Panel.
  2. In Control Panel, open Administrative Tools.
  3. In Administrative Tools, open Event Viewer.
  4. Select a log to view.

Figure 32-1 shows Event Viewer's System Log.

NOTE
To view audit events, you must be logged on as a member of the Administrators group.


Figure 32-1. The System Log records events generated by the operating system itself and its installed components.

Each event occupies one line in the details pane (the right pane). In addition to the Date, Time, and Computer columns, each event also includes the following categories of information (you might have to scroll the display to see all the columns):

  • The Type column at the far left of each line identifies the event type. You might see any of the following icons in an event log:
    • Error icon: indicates an error event, such as a loss of data or functionality
    • Warning icon: indicates a warning event, such as a nearly full disk
    • Information icon: indicates an information event, such as someone using a printer attached to your computer
    • Success audit icon: indicates a success audit event, such as someone successfully logging on to the system
    • Failure audit icon: indicates a failure audit event, such as an unsuccessful attempt to log on to the system

  • The Source column shows the name of the application software or system component that logged the event.
  • The Category column tells you how the event is classified by the source. Although many events simply have None in this column, categories can be descriptive. The security log, for example, shows categories such as Logon/Logoff and Object Access (for file and folder access).
  • The Event column shows the number used to identify each particular type of event. This number is associated with a text description that appears when you view an event's details.
  • The User column identifies the user account involved in generating the event. Many events, particularly system events, aren't generated by a particular user, so these events show N/A in the User column.

TIP
Sorting Entries in Event Viewer

To sort entries in Event Viewer, click the heading of the column on which you want to sort. Each time you click, an arrow in the heading will switch from pointing up to indicate ascending order, to pointing down for descending order.

Examining Event Details

To get a closer look at an event in the Event Viewer window, select the event you want to see. Then use one of these methods to open the Event Properties dialog box:

  • Double-click the event.
  • Select the event and press Enter.
  • Right-click the event and choose Properties from the shortcut menu.

All methods lead to a dialog box similar to the one shown in Figure 32-2.


Figure 32-2. An event's properties dialog box provides details about the event.

The Event Properties dialog box provides a verbal description of the event in the Description box, along with the same summary information that appeared in the Event Viewer log. For some events, additional information is available in the Data area. This information might be useful to programmers or support technicians who are familiar with the product that generated the event.

If you want to view details for other events, you can do so without first returning to the main window: click the arrow buttons to display the event above or below the currently displayed event. When you've finished viewing event details, click OK to return to Event Viewer's main window.

Filtering Events

As you can see from even a cursory look at your system log, events can pile up quickly, obscuring those of a particular type (such as print jobs) or those that occurred at a particular date and time (such as repeated, failed logon attempts). You can use Event Viewer to pinpoint clusters of events, or those that occur cyclically, by filtering the log to display only the events that interest you:

  1. In the Event Viewer window, select the log you want to filter—system, security, or application.
  2. Choose Filter from the View menu. The Filter tab of the log's properties dialog box appears, as shown in Figure 32-3.

     Figure 32-3. You can filter a log to show only particular events.

  3. Choose any combination of the following filtering criteria:
    • Under Event Types, specify the types of events you want to include.
    • Select a source program and a category from the Event Source and Category lists.
    • In the next fields of the dialog box, type an Event ID, a User account name, and a Computer name, if you want to refine your filter request further.
    • In the From and To boxes, specify the range of dates and times you want to include.
  4. Click OK to activate the filter.

In a few seconds, a list of events matching your specifications appears on the screen. Figure 32-4, for example, shows the results of filtering a system log to include only error events.


Figure 32-4. Filtering lets you focus your attention on the events that matter.

To restore all the events to your Event Viewer window, open the View menu and choose All Records.

Searching for an Event

The Find command on the View menu provides another way to search a log. Find is exactly what you need when you want to find a single needle in an event haystack. When you choose Find, a dialog box similar to the one shown in Figure 32-5 appears.

Figure 32-5. Use Find to locate particular events without filtering the log.

Much of this dialog box is similar to the Filter dialog box, but some elements are different:

  • The Description box allows you to type a portion of the text description you see when you view the event details. If you specify text here, you can zero in on exactly the event or events you seek. However, the Find command doesn't search for binary data; you can't type a set of hexadecimal numbers and expect Find to show you the event that produced those numbers in the Data area of the Event Properties dialog box.
  • The Search Direction buttons let you specify the direction of the search. Select Down to search through the event log from the current position to the end, or select Up to search from the current position back to the beginning. When Find reaches the end of the log, it asks if you want to continue searching from the other end.
  • The Find Next button is the Find command's version of OK, meaning "go and do it." Click the Find Next button repeatedly to search until you find the matching event you want.

Managing Logs

By default, the system, security, and application logs each hold 512 KB of information. If the log becomes full, another default tells Windows 2000 to begin overwriting the oldest information, but only if it is at least seven days old. (If the log becomes full before seven days have passed, new events aren't recorded.) To adjust either or both of these default settings:

  1. Right-click the log in the console tree and choose Properties from the shortcut menu.
  2. The log's properties dialog box appears, as shown in Figure 32-6.

     Figure 32-6. A log's properties dialog box specifies such information as the capacity of the log.

  3. Under Log Size, choose the option you want to use when the log reaches its maximum size:
    • If you select Overwrite Events As Needed, all events are recorded, but old events might be discarded before you have a chance to review them.
    • The second option ensures that events aren't deleted until a certain time has elapsed (you can specify 1 through 365 days). This is a good choice if you archive logs on a regular schedule. If the log reaches its maximum size before the specified time has passed, however, the system stops recording events until you clear the log or the requisite time has passed so that old events can be overwritten.
    • The last option, which requires you to clear the log manually, means that when the log is full, the system stops recording events until you clear the log.

NOTE
If you specify a size smaller than the current size of the log, you must clear the log before the new size takes effect. This extra step prevents you from destroying existing records by inadvertently making the log too small to hold all of the currently recorded events.

NOTE
If the system stops recording events because the log is full, a warning message appears on the screen.

Restoring the Default Settings

To restore a log's default properties, redisplay its properties dialog box. Then click Restore Defaults.

Clearing and Archiving Logs

You can clear a log by clicking Clear Log in the log's properties dialog box. (See Figure 32-6.) Alternatively, select the log in the console tree, and then choose Clear All Events from the Action menu.

To archive a log, select it in the console tree, and then choose Save Log File As from the Action menu. Event Viewer saves the log as an .evt file, which you can subsequently reopen in Event Viewer. The .evt file includes the binary data as well as the text associated with each event.

Alternatively, you can export a log to a text file that you can subsequently read in another application, such as a spreadsheet. An exported log includes the text associated with events, but not the binary data. To export a log, select it in the console tree, choose Export List from the Action menu, and then choose a file format. Your options include comma-delimited and tab-delimited formats in Unicode and ANSI character systems. All major spreadsheet programs can read archived logs in any of these formats, but if your Windows installation uses a non-Latin alphabet, you might need to pick one of the Unicode options.
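As an added example (not from the book), the following Python script reads a tab-delimited Export List file of the kind described above, applies the same sort of criteria the Filter tab offers, and flags the clusters of failure audits (repeated failed logon attempts) mentioned under Filtering Events. The column order Type, Date, Time, Source, Category, Event, User, Computer is assumed from the columns described earlier, and the sample rows and event numbers are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed column order of an Export List file: the columns described in the text, in display order.
FIELDS = ["type", "date", "time", "source", "category", "event", "user", "computer"]
# Constructed sample of a tab-delimited security-log export; event numbers are sample values.
SAMPLE_EXPORT = (
    "Failure Audit\t3/14/2000\t9:02:11 AM\tSecurity\tLogon/Logoff\t529\tN/A\tWS01\n"
    "Success Audit\t3/14/2000\t9:03:40 AM\tSecurity\tLogon/Logoff\t528\tjsmith\tWS01\n"
    "Failure Audit\t3/14/2000\t9:04:02 AM\tSecurity\tLogon/Logoff\t529\tN/A\tWS01\n"
    "Information\t3/14/2000\t9:04:10 AM\tPrint\tNone\t10\tjsmith\tWS01\n"
    "Failure Audit\t3/14/2000\t9:04:31 AM\tSecurity\tLogon/Logoff\t529\tN/A\tWS01\n"
    "Failure Audit\t3/14/2000\t2:30:00 PM\tSecurity\tLogon/Logoff\t529\tN/A\tWS01\n"
)

def parse_export(text, delimiter="\t"):
    """Parse an exported list into dicts, combining Date and Time into a datetime 'when'."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=delimiter):
        if len(rec) != len(FIELDS):
            continue  # blank or malformed line
        row = dict(zip(FIELDS, rec))
        row["when"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %I:%M:%S %p")
        rows.append(row)
    return rows

def filter_events(rows, types=None, category=None, start=None, end=None):
    """Apply the criteria the Filter tab offers: event type, category and a From/To range."""
    return [r for r in rows
            if (not types or r["type"] in types)
            and (not category or r["category"] == category)
            and (start is None or r["when"] >= start)
            and (end is None or r["when"] <= end)]

def failure_clusters(rows, window=timedelta(minutes=5), threshold=3):
    """Report computers with >= threshold failure audits in any sliding window as (host, n, first, last)."""
    by_host = {}
    for r in sorted(filter_events(rows, types={"Failure Audit"}), key=lambda r: r["when"]):
        by_host.setdefault(r["computer"], []).append(r["when"])
    clusters = []
    for host, times in by_host.items():
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1  # slide the window start forward
            if hi - lo + 1 >= threshold:
                clusters.append((host, hi - lo + 1, times[lo], t))
                break  # one report per computer
    return clusters
```

For a comma-delimited export, pass `delimiter=","` to `parse_export`; the date and time format must match the exporting system's locale.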

Reopening an Archived Log

To reopen an archived log, open the Action menu, and then choose New Log View. The archived log appears as a new subentry in the Event Viewer console tree.

Running Microsoft Windows 2000 Professional
ISBN: 1572318384
Year: 2000
Pages: 317