Event Logs Tasks

These tasks assume that you already have Event Viewer open.

Configure an Event Log

To configure the size and retention settings of an event log, do the following:

Right-click on an event log → Properties

The maximum log size can range between 64 KB and 4 GB (512 KB is the default). Monitor your logs, and if they grow too quickly, increase the maximum log size so events don't get lost. You can configure retention settings in one of three modes:

Overwrite events as needed

This is the default setting and means that circular logging is configured. Once the log becomes full, old events are deleted to make room for new ones. This setting can result in loss of important information and should be changed as soon as your server becomes operational on the network.

Overwrite events older than seven days

This is another form of circular logging. You can select this option if you know that your maximum log size is large enough to prevent your log from getting full, and if you regularly archive your log at the end of each logging interval and then clear the log to free up space for the next interval.

Do not overwrite events

Use this setting if you have adequate disk space for the event log and when security and system functionality is a priority for your enterprise and you need to keep a long-life paper trail. You must monitor and archive the log periodically and manually clear the events before the log becomes full. Otherwise, if the log becomes full, WS2003 stops writing new events to the log.

If you have configured auditing on your system and security is a concern, you can configure your system to shut down when the Security log becomes full. Set the retention setting on the log to "Do not overwrite events," then use Registry Editor to create (or set, if it already exists) the REG_DWORD value CrashOnAuditFail with a value of 1 under:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

and reboot your machine (use caution when editing the registry!). If the Security log fills up, the system will display a message saying "Audit failed" and will stop responding. To recover from this, reboot and log on as Administrator, open Event Viewer, archive the Security log if desired, and then clear it.

If you want your system to still be configured to stop when the log becomes full again, you need to recreate the CrashOnAuditFail registry key at this point.
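The following PowerShell script is an added example, not code from the book. It reads the size and retention settings of the Application, Security and System logs from the registry values `MaxSize` and `Retention` under `HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log>`, which are the values the Properties dialog described above writes, decodes `Retention` into the three modes listed above, flags circular logging on the Security log, and reports the current `CrashOnAuditFail` setting. The function names and the report layout are my own; the value names and their meanings are the documented ones.

```powershell
# Added example (not from the book): audit classic event log size/retention
# settings and the CrashOnAuditFail value. Read-only; nothing is changed.

function ConvertTo-UInt32 {
    param([int]$Value)
    # REG_DWORD values come back as signed Int32, so 0xFFFFFFFF arrives as -1
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

function Get-RetentionMode {
    param([uint32]$Retention)
    # Retention is stored in seconds: 0 = overwrite as needed,
    # 0xFFFFFFFF = never overwrite, anything else = overwrite older than N seconds
    if ($Retention -eq 0)                  { return 'Overwrite events as needed' }
    if ($Retention -eq [uint32]::MaxValue) { return 'Do not overwrite events' }
    return ('Overwrite events older than {0} days' -f [int]($Retention / 86400))
}

function Get-EventLogSettings {
    param([string[]]$LogName = @('Application', 'Security', 'System'))
    foreach ($log in $LogName) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
        $p = Get-ItemProperty -Path $key
        # Absent values mean the defaults: 512 KB maximum, overwrite as needed
        $maxSize   = if ($null -eq $p.MaxSize)   { 512KB } else { ConvertTo-UInt32 $p.MaxSize }
        $retention = if ($null -eq $p.Retention) { 0 }     else { ConvertTo-UInt32 $p.Retention }
        $mode = Get-RetentionMode $retention
        # Circular logging on the Security log silently discards audit records
        $risk = if ($log -eq 'Security' -and $retention -eq 0) { 'circular logging on Security log' } else { '' }
        New-Object PSObject -Property @{
            Log       = $log
            MaxSizeKB = [int]($maxSize / 1KB)
            Retention = $mode
            Risk      = $risk
        }
    }
}

function Get-CrashOnAuditFail {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = if ($null -eq $lsa.CrashOnAuditFail) { 0 } else { [int]$lsa.CrashOnAuditFail }
    switch ($v) {
        0       { 'CrashOnAuditFail = 0: system keeps running when the Security log is full' }
        1       { 'CrashOnAuditFail = 1: system halts when the Security log is full' }
        2       { 'CrashOnAuditFail = 2: system already halted once; set it back to 1 to re-arm it' }
        default { "CrashOnAuditFail = $v (unexpected value)" }
    }
}

Get-EventLogSettings | Format-Table Log, MaxSizeKB, Retention, Risk -AutoSize
Get-CrashOnAuditFail
```

Run it from an elevated PowerShell prompt; the Eventlog keys are readable by ordinary users, but the Lsa key may not be. A `CrashOnAuditFail` of 2 is what you will see after the "Audit failed" halt described above, which is why the value has to be set back to 1 to re-arm the behaviour.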

View an Event Log

Select an event log in the console tree to display a list of events in the details pane. Recent events are listed at the top by default, but you can sort by type, date, and other attributes by clicking on the heading of each column in the details pane. Sorting by type lets you check for critical (error) events quickly; sorting by source helps you troubleshoot problems associated with specific services or devices; sorting by event ID helps you isolate specific conditions and system activities that cause problems. These methods help you quickly determine the frequency and severity of a problem. Use the up or down arrows to scroll through events, and the copy button beside them to copy the details of the event to the clipboard so you can paste it into a document or email message. Note the event ID if you need to contact a Microsoft support technician. Double-click on a particular event in the details pane to display more information about the event.

To filter out unwanted events so you can focus on the problem at hand:

Right-click on an event log → Properties → Filter

Note that the filter disappears when you connect to a different computer.
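As an added example (not from the book), the script below does from PowerShell what sorting and filtering the details pane is used for above: it pulls only Error and Warning events from a chosen log for the last N hours and counts them per type, source and event ID, so frequency and severity are visible together. It uses the `Get-EventLog` cmdlet, which reads the classic logs; the parameter names and output columns are my own choices.

```powershell
# Added example (not from the book): frequency/severity summary of recent
# Error and Warning events, grouped by EntryType, Source and EventID.
param(
    [string]$LogName = 'System',
    [string[]]$EntryType = @('Error', 'Warning'),  # use FailureAudit for the Security log
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Get-EventLog writes a "No matches found" error when the filter matches nothing;
# treat that as an empty result rather than a failure
$entries = @(Get-EventLog -LogName $LogName -EntryType $EntryType -After $since -ErrorAction SilentlyContinue)

if ($entries.Count -eq 0) {
    "No $($EntryType -join '/') events in $LogName since $since"
    return
}

$entries |
    Group-Object EntryType, Source, EventID |
    Sort-Object Count -Descending |
    ForEach-Object {
        $byTime = $_.Group | Sort-Object TimeGenerated
        $first  = $byTime[0]
        $last   = $byTime[-1]
        New-Object PSObject -Property @{
            Count   = $_.Count
            Type    = $first.EntryType
            Source  = $first.Source
            EventID = $first.EventID
            First   = $first.TimeGenerated
            Latest  = $last.TimeGenerated
            # first line of the message is usually enough to recognise the condition
            Message = ($first.Message -split "`n")[0].Trim()
        }
    } |
    Format-Table Count, Type, Source, EventID, First, Latest, Message -AutoSize
```

Save it as a `.ps1` file and run it with `-LogName Security -EntryType FailureAudit` to get the equivalent view of failed audits; reading the Security log requires administrative rights. Unlike the Event Viewer filter, the parameters apply to whichever computer you point the script at, so it does not "disappear" when you connect elsewhere.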

Archive an Event Log

Right-click on an event log → Save Log File As → specify filename and file type

Event logs are located in %SystemRoot%\System32\config. They can be archived (saved) in one of three formats:

Log-file format (.evt file)

Can be opened and viewed again only in Event Viewer

Comma-delimited text file (.csv file)

Can be imported into a spreadsheet or database

Text file (.txt file)

Can be cut and pasted into a Word file or other application

Use the .evt format if you want to keep the binary information recorded in events, as this information is discarded with the other formats. Once a log has been archived, you can view it again by:

Right-click on Event Viewer node → Open Log File → select an archived log file → specify the type of log → specify a display name if desired → Open
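The script below is an added example, not code from the book, of the "archive, then clear" routine that the retention settings above depend on. It exports a log to a date-stamped comma-delimited file (the .csv format above, so, like Event Viewer's own CSV export, it keeps the text fields but not the binary data of each event), verifies the export by re-reading it before touching the log, and clears the log only when the `-ClearAfterArchive` switch is given. `C:\EventLogArchive` is an assumed location; `Clear-EventLog` needs PowerShell 2.0 or later and administrative rights.

```powershell
# Added example (not from the book): archive a classic event log to CSV,
# verify the archive, and only then clear the log.
param(
    [string]$LogName = 'Security',
    [string]$ArchiveDir = 'C:\EventLogArchive',  # assumed location, change to suit
    [switch]$ClearAfterArchive
)

if (-not (Test-Path $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

# One file per computer, log and timestamp, so archives from many servers can share a folder
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path $ArchiveDir ('{0}-{1}-{2}.csv' -f $env:COMPUTERNAME, $LogName, $stamp)

$entries = @(Get-EventLog -LogName $LogName)
if ($entries.Count -eq 0) {
    "Nothing to archive in $LogName"
    return
}

$entries |
    Select-Object TimeGenerated, EntryType, Source, EventID, UserName, MachineName, Message |
    Export-Csv -Path $file -NoTypeInformation

# Verify before clearing: messages contain embedded newlines, so count records by
# re-importing the CSV rather than counting lines in the file
$rows = @(Import-Csv -Path $file).Count
if ($rows -ne $entries.Count) {
    throw "Archive $file holds $rows records but $($entries.Count) events were read; $LogName NOT cleared"
}
"Archived $rows events from $LogName to $file"

if ($ClearAfterArchive) {
    Clear-EventLog -LogName $LogName
    "$LogName cleared"
}
```

Events written between the read and the clear are not in the archive and are lost when the log is cleared; the manual procedure above has the same window, which is why the clear should follow the export immediately. Keep the .evt archive from Event Viewer as well if you need the binary event data later.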



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch