The purpose of logging is to record the status of an operation generated by the system or an application. Along with many scripts and applications, Windows 2000/XP/2003 has a built-in method to log events and errors. Managing event logs across an enterprise can become an involved process. Third-party utilities such as Dorian Software's Event Archiver allow you to read, write, modify, and archive event logs and entries. Although these utilities are available at a modest price, this chapter will show you how to access and control the event log through simple scripts, for free.
Logs provide a good method of recording events, but they are only as good as the time and frequency with which you check them. Alerting is the method of notifying a user when an event occurs. In this chapter, you will learn the various methods to create alerts to keep you informed of the many events that occur in your environment.
Windows 2000/XP/2003 includes a built-in event-logging system known as the event log. Before an interaction with the event log is performed, a request is sent to the Service Control Manager (SCM). SCM is controlled by %WINDIR% \System32\SERVICES.EXE. When the system first boots up, the event log service is started and the event log files are opened. Once the service receives the request, it processes it by storing or modifying an event in the proper event log.
The event log is divided into three categories:
Application Log (AppEvent.Evt) ”Stores application and system events, such as application errors
Security Log (SecEvent.Evt) ”Stores audited security events, such as clearing the event log
System Log (SysEvent.Evt) ”Stores operating-system- related events, such as creating a new user
These logs are stored in a proprietary binary format and reside in the %WINDIR% \System32\Config directory. Although all users can view the application and system logs, only administrators can view and clear the security event log.
Note | The event log files cannot merely be copied and opened on another system. When the system opens the event logs, it modifies the file headers and doesn't reset the header until the file is closed. To copy the event log, use the Save Log As option from the File menu of the Event Viewer. |
The Event Viewer is a built-in Windows 2000/XP/2003 tool to easily view the three separate event log files (see Figure 12.1). The Event Viewer executable (EVENTVWR.EXE) resides in the %WINDIR% \System32 directory. To start the Event Viewer, open Administrative Tools and run the Event Viewer. From within the Event Viewer, you can view, delete, archive, or import an entire event log or entry. The most common use of the event log is to troubleshoot system errors, such as service failures.
Note | The executable called EVENTVWR.EXE is actually just a pointer to the MMC snap-in EVENTVWR.MSC. |
Event log entries consist of an event ID that categorizes the type of event, and an event description that is the actual error or event text. The event type specifies the following classification of recorded events:
Error ”Indicates critical errors and corruption of data
Failure Audit ”Combined with auditing, indicates a failed security event, such as a bad password
Information ”Indicates a successful operation, such as a successful driver load
Success Audit ”Combined with auditing, indicates a successful security event, such as a successful logon
Warning ”Indicates a non-critical warning, such as a failed attempt to obtain a browse list
Other items logged with each event are:
Computer ”The name of the target computer
Date ”Date the event was written
Source Type ”The source of the event
Time ”Time the event was written
User Name ”The currently logged-on user
The event log is a logging system that stores critical and important system and application events. The original intent of this log system was only for the system and applications to write events. Some systems might be set up to overwrite events or to crash the system when the event log is full. Storing routine messages like "Logon script completed successfully" might overwrite critical events or cause a system to crash because the event log is full.
Logging provides a method to record events, and alerting provides a method to send event messages to users. A common method of sending messages over a network is to use Network Basic Input Output System (NetBIOS). NetBIOS is a non-routable interface that allows various types of computers to communicate over the local area network (LAN). NetBIOS was created by IBM and Sytek during the mid-1980s and has since become an industry standard for network communication. Microsoft Windows currently implements NetBIOS on the following protocols: NetBIOS Enhanced User Interface (NetBEUI), Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), and Transmission Control Protocol/Internet Protocol (TCP/IP).
Note | A common use of NetBIOS is the Network Neighborhood. |
NetBIOS contains two modes of communication: session or datagram. Session mode establishes a reliable channel between two systems, and uses error checking to ensure proper data transfer. Datagram mode is a one-way communication method that transmits small messages without error checking. This type of communication is commonly referred to as connectionless communication. A datagram is a container used to transmit data across a network.
Note | The term datagram is interchangeable with the term packet . |
Windows includes the ability to send command-line messages to other users or computers through NetBIOS using a utility called NET.EXE. These messages are sent in datagrams to other NetBIOS computer or user names. NetBIOS messages have a restricted size of 128 characters , whereas NetBIOS names are restricted to 15 characters (with a 16th hidden character used by the operating system).
Tip | Windows 2000/XP/2003 monitors these messages through the Messenger Service. If the system experiences errors while transmitting or receiving NetBIOS messages, you should first check the Messenger Service. |
MAPI (Messaging Application Program Interface) is an interface that provides a standard method for applications to send email. MAPI includes a standard set of functions, such as logging on, creating new messages, and reading messages, that developers can call directly in their applications using C or C++. MAPI is a built-in part of Windows 2000/XP/2003. Simple MAPI is a slimmed-down version of MAPI that can be accessed using C, C++, Visual Basic, or Visual Basic for Applications (VBA).