To Windows 2000, an event is any occurrence that's potentially noteworthy—to you, to other users, to the operating system, or to an application. Event Viewer is the operating system's means of telling you about these events. It functions as a combination report card and status report by storing lists of events in log files that you can review, archive, or transfer to a database or spreadsheet for analysis.
Windows 2000 recognizes three broad categories of events: system events, security events, and application events. Events of each type are recorded in separate log files.
System events are generated by Windows 2000 itself and by installed components, such as services and devices. They are recorded in a file called the system log. Windows 2000 classifies system events according to their severity as either errors, warnings, or information events, as follows:
Security events are generated by Windows 2000 when an activity you choose to audit succeeds (a success audit) or fails (a failure audit). Security events are recorded in a file called the security log. They include file-related events, such as attempts to access files or change permissions (NTFS volumes only), and other security-related events, such as logon/logoff events and changes to security policies. By default, Windows 2000 auditing is turned off, so you will likely see no events in the security log. To enable event auditing, open Local Security Policy from Administrative Tools in Control Panel. In the left pane, open Local Policies and select Audit Policy. In the right pane, right-click each event type you want to audit, and then select Success, Failure, or both Success and Failure in the ensuing dialog box.
Application events are generated by applications and are recorded in a file called the application log. The application developer determines which events to monitor, and how those events will be recorded in the application log. Windows 2000 Backup, for example, records an application event whenever you erase a tape or run a backup.
The importance of a Windows 2000 log depends on your situation. If you work in a security-conscious environment, or one in which users freely access resources on each other's machines, you'll find the event logs useful in helping you keep track of who, what, when, and where. If you don't care about such details, the security log will probably be of little interest to you, but the system log can still be helpful in diagnosing performance problems and hardware errors, and the application log can give you insight into how certain applications are working. Only applications designed to record their "thoughts" in the application log will appear there, but those that are so designed provide an obvious benefit—to you, your technical support person, and even the developer—for identifying and resolving problems that may arise.
If your computer is set up to share files or a printer with other users, checking the system log for print jobs and the security log for logon/logoff access will give you a feel for how and when your computer's resources are being used. Although the information might simply make you feel more in control of your system, you might also find patterns that help you determine better ways to manage it.
You can easily see what a log looks like even if you never before thought of monitoring your system. To view a log, open Event Viewer:
Figure 32-1 shows Event Viewer's System Log.
NOTE
To view audit events, you must be logged on as a member of the Administrators group.
Figure 32-1. The System Log records events generated by the operating system itself and its installed components.
Each event occupies one line in the details pane (the right pane). In addition to the Date, Time, and Computer columns, each event also includes the following categories of information (you might have to scroll the display to see all the columns):
Error. Indicates an error event, such as a loss of data or functionality.
Warning. Indicates a warning event, such as a nearly full disk.
Information. Indicates an information event, such as someone using a printer attached to your computer.
Success Audit. Indicates a success audit event, such as someone successfully logging on to the system.
Failure Audit. Indicates a failure audit event, such as an unsuccessful attempt to log on to the system.
TIP
Sorting Entries in Event Viewer
To sort entries in Event Viewer, click the heading of the column on which you want to sort. Each time you click, the arrow in the heading switches between pointing up (ascending order) and pointing down (descending order).
To get a closer look at an event in the Event Viewer window, select the event you want to see. Then use one of these methods to open the Event Properties dialog box:
All methods lead to a dialog box similar to the one shown in Figure 32-2.
Figure 32-2. An event's properties dialog box provides details about the event.
The Event Properties dialog box provides a verbal description of the event in the Description box, along with the same summary information that appeared in the Event Viewer log. For some events, additional information is available in the Data area. This information might be useful to programmers or support technicians who are familiar with the product that generated the event.
If you want to view details for other events, you can do so without first returning to the main window: click the arrow buttons to display the event above or below the currently displayed event. When you've finished viewing event details, click OK to return to Event Viewer's main window.
As you can see from even a cursory look at your system log, events can pile up quickly, obscuring those of a particular type (such as print jobs) or those that occurred at a particular date and time (such as repeated, failed logon attempts). You can use Event Viewer to pinpoint clusters of events, or those that occur cyclically, by filtering the log to display only the events that interest you:
In a few seconds, a list of events matching your specifications appears on the screen. Figure 32-4, for example, shows the results of filtering a system log to include only error events.
Figure 32-4. Filtering lets you focus your attention on the events that matter.
To restore all the events to your Event Viewer window, open the View menu and choose All Records.
The Find command on the View menu provides another way to search a log. Find is exactly what you need when you want to find a single needle in an event haystack. When you choose Find, a dialog box similar to the one shown in Figure 32-5 appears.
Much of this dialog box is similar to the Filter dialog box, but some elements are different:
By default, the system, security, and application logs each hold 512 KB of information. If the log becomes full, another default tells Windows 2000 to begin overwriting the oldest information, but only if it is at least seven days old. (If the log becomes full before seven days have passed, new events aren't recorded.) To adjust either or both of these default settings:
The log's properties dialog box appears, as shown in Figure 32-6.
NOTE
If you specify a size smaller than the current size of the log, you must clear the log before the new size takes effect. This extra step prevents you from destroying existing records by inadvertently making the log too small to hold all of the currently recorded events.
NOTE
If the system stops recording events because the log is full, a warning message appears on the screen.
To restore a log's default properties, redisplay its properties dialog box. Then click Restore Defaults.
You can clear a log by clicking Clear Log in the log's properties dialog box. (See Figure 32-6.) Alternatively, select the log in the console tree, and then choose Clear All Events from the Action menu.
To archive a log, select it in the console tree, and then choose Save Log File As from the Action menu. Event Viewer saves the log as an .evt file, which you can subsequently reopen in Event Viewer. The .evt file includes the binary data as well as the text associated with each event.
Alternatively, you can export a log to a text file that you can subsequently read in another application, such as a spreadsheet. An exported log includes the text associated with events, but not the binary data. To export a log, select it in the console tree, choose Export List from the Action menu, and then choose a file format. Your options include comma-delimited and tab-delimited formats in either Unicode or ANSI character encoding. All major spreadsheet programs can read exported logs in any of these formats, but if your Windows installation uses a non-Latin alphabet, you might need to pick one of the Unicode options.
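Once a log has been exported as a tab-delimited text file, the same kind of sifting the Filter dialog box does by hand can be automated: the script below, an added example rather than anything from the book or from Event Viewer itself, reads such an export, filters it by type, source or event ID, and flags clusters of repeated failure audits of the sort the filtering discussion mentions. The column order and the sample rows are assumptions constructed for the example; check the header row of a real export before relying on it.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a tab-delimited Export List file. The column order is an
# assumption modelled on the Event Viewer display; check a real export's header.
SAMPLE_EXPORT = """Type\tDate\tTime\tSource\tCategory\tEvent\tUser\tComputer
Failure Audit\t3/4/2001\t8:01:10 AM\tSecurity\tLogon/Logoff\t529\tSYSTEM\tWS1
Failure Audit\t3/4/2001\t8:01:14 AM\tSecurity\tLogon/Logoff\t529\tSYSTEM\tWS1
Success Audit\t3/4/2001\t8:02:00 AM\tSecurity\tLogon/Logoff\t528\tjane\tWS1
Failure Audit\t3/4/2001\t8:01:20 AM\tSecurity\tLogon/Logoff\t529\tSYSTEM\tWS1
Failure Audit\t3/4/2001\t9:30:00 AM\tSecurity\tLogon/Logoff\t529\tSYSTEM\tWS1
Error\t3/4/2001\t8:05:00 AM\tDisk\tNone\t7\tN/A\tWS1
"""
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # adjust to the locale of the export

def parse_export(text):
    """Read an exported log into dicts, adding a 'when' datetime per row."""
    rows = []
    for row in csv.DictReader(text.splitlines(), delimiter="\t"):
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"], DATE_FORMAT)
        rows.append(row)
    return rows

def filter_events(rows, types=None, source=None, event_id=None):
    """Mimic the Filter dialog: keep rows that match every criterion given."""
    return [r for r in rows
            if (types is None or r["Type"] in types)
            and (source is None or r["Source"] == source)
            and (event_id is None or r["Event"] == str(event_id))]

def failure_bursts(rows, window=timedelta(minutes=5), threshold=3):
    """Report runs of at least 'threshold' Failure Audit events for the same
    computer and event ID whose first and last entries lie within 'window'."""
    by_key = defaultdict(list)
    for r in filter_events(rows, types={"Failure Audit"}):
        by_key[(r["Computer"], r["Event"])].append(r["when"])
    bursts = []
    for (computer, event), times in by_key.items():
        times.sort()
        start = 0
        for i in range(1, len(times) + 1):
            # A run closes when the window is exceeded or the input ends.
            if i == len(times) or times[i] - times[start] > window:
                if i - start >= threshold:
                    bursts.append({"computer": computer, "event": event, "count": i - start,
                                   "first": times[start], "last": times[i - 1]})
                start = i
    return bursts
```

With the sample above, the three failure audits within ten seconds are reported as one burst, while the lone entry at 9:30 is not.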
To reopen an archived log, open the Action menu, and then choose New Log View. The archived log appears as a new subentry in the Event Viewer console tree.