Event Logs: Concepts



An event is a specific occurrence of an activity of the WS2003 operating system, an installed component, or an application. Events are generated automatically and are recorded in event logs, which can then be viewed and analyzed using the Event Viewer console in Administrative Tools. The key is to use Event Viewer to regularly monitor the event logs on your servers and deal with any situations that arise. You can use Event Viewer to search for or filter particular types of events if the log becomes excessively large. It's also important to configure the size limit and retention period for event logs as soon as you set up a new server. Logs can wrap (newer events start overwriting older ones) once they reach a certain size, but this may cause important information to be lost. It's better to configure a decent chunk of disk space for each log and then archive and clear logs regularly, so that your information is saved but disk space is freed up.
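The following script is an added example, not taken from the book: it reports the size limit and wrap policy of the three default logs, sets a size limit, and then archives each log before clearing it. It assumes Windows PowerShell 2.0 or later running elevated; the archive folder `D:\LogArchive` and the 64 MB limit are hypothetical values.

```powershell
# Added example (not from the book). Run elevated in Windows PowerShell 2.0 or later.
$Logs       = 'System', 'Application', 'Security'   # the three default logs
$ArchiveDir = 'D:\LogArchive'                       # hypothetical archive folder
$MaxSize    = 64MB                                  # assumed limit; must be divisible by 64KB

# 1. Report the current size limit and wrap policy of each default log.
Get-EventLog -List | Where-Object { $Logs -contains $_.Log } |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays,
        @{ Name = 'Records'; Expression = { $_.Entries.Count } } |
    Format-Table -AutoSize

# 2. Give each log a fixed amount of disk space. The overflow action is left
#    as reported above so that changing the wrap policy stays a deliberate choice.
Limit-EventLog -LogName $Logs -MaximumSize $MaxSize

# 3. Archive each log to a timestamped file, and clear it only if the backup succeeded.
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($name in $Logs) {
    # -EnableAllPrivileges is needed so the Security log can be backed up.
    $log  = Get-WmiObject -Class Win32_NTEventlogFile -EnableAllPrivileges `
                -Filter "LogfileName='$name'"
    $file = Join-Path $ArchiveDir ('{0}-{1}.evt' -f $name, $stamp)
    $rc   = $log.BackupEventlog($file).ReturnValue
    if ($rc -eq 0) {
        # Events written between the backup and the clear are not in the archive,
        # so run this at a quiet time.
        Clear-EventLog -LogName $name
        Write-Output "Archived $name to $file and cleared the log."
    } else {
        Write-Warning "Backup of $name failed (WMI return code $rc); log not cleared."
    }
}
```

An `OverflowAction` of `OverwriteAsNeeded` in the report means the log wraps as described above, so events older than the last archive run can be lost if the log fills before the next one.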

Default Logs

Three event logs are present on every WS2003 computer:

System log

This log contains events generated by activities of the operating system. Examples of system events include the activities of services such as the Net-Logon service, failures of drivers to initialize properly, changes in the role of a server from member server to domain controller, and so on. System events come in three flavors:

Information events

These events simply describe normal activities that have occurred, such as the successful startup of the Event Log service itself, the establishment of a remote access connection, a browser forcing an election on the network, and so on. Some information events also record failures of certain activities that have no real consequence on network operations.

Warning events

These events describe occurrences that may be problems, such as failure of dynamic registration of a DNS name due to DNS client misconfiguration, failure of the Windows Time Service to find a domain controller, space running low on a disk, a scope on a DHCP server being 100% leased, and so on. You might be able to get by for a while with a warning, but you should resolve the problem as soon as you can.

Error events

These events describe critical occurrences that could result in loss of data or other significant problems. Error events include the failure of a required service such as failure of a workstation to initialize, the refusal of a dynamic DNS update from a DNS server, the PDC emulator of the forest root domain not having its time synchronized with a member server or clocking device, failure of a device driver, and so on.

Application log

This log contains events generated by applications running on the computer. The vendor must specifically code its applications to generate these events. Application events are usually helpful only when you give the information to the vendor to help troubleshoot problems you are encountering. However, some WS2003 system events are also logged here, such as Dr. Watson events for application failures, security events related to Group Policy, violations of export cryptography restrictions for IPSec, IIS activities involving Active Server Pages (ASP) functionality, and so on. Application log events are also either information, warning, or error events.

Security log

This log contains events generated when auditing is configured on the computer (for more information, see Auditing earlier in this chapter). A security log event is one of the following:

Success events

These indicate that the audited action occurred successfully: for example, a user successfully logged on to the network, successfully accessed a file on a share, or successfully exercised a system right he possesses.

Failure events

These indicate that the audited action failed in its attempt: for example, a user tried to log on but failed because she entered a wrong password, tried to access a mapped drive but couldn't because of permission problems, tried to access a printer object in Active Directory but was refused, and so on.

Additional Logs

Depending on which optional WS2003 components are installed on your computer, other event logs may be displayed by Event Viewer:

Directory service log

This log records the activities of Active Directory and is present on WS2003 domain controllers. Events are either information, warning, or error type.

DNS server log

This log records the activities of a WS2003 DNS server. Events are either information, warning, or error type.

File Replication Service log

This log records the activities of the File Replication Service (FRS) on a WS2003 computer on which DFS is configured. Events are information, warning, or error type.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
EAN: 2147483647
Year: 2003
Pages: 415
Authors: Mitch Tulloch
