Using the Event Viewer


The Event Viewer is the next tool to use when debugging, problem-solving, or logging information to resolve a problem with a network server. The Event Viewer, shown in Figure 34.3, is a built-in Windows Server 2003 tool that is used for error analysis and diagnostics.

Figure 34.3. The Event Viewer in Windows Server 2003.


Microsoft defines an event as any significant occurrence in the operating system or an application that requires tracking of the information. An event is not always negative because a successful logon to the network, a successful transfer of messages, or replication of data can also generate an event in Windows. It is important to sift through the events to determine which are informational events and which are critical events that require attention.

When server failures occur, the Event Viewer is one of the first places to check for information. The Event Viewer can be used to monitor, track, view, and audit security of your server and network. It is used to track information of both hardware and software contained in your server. The information provided in the Event Viewer can be a good starting point to identify and track down a root cause to system errors.

Note

A Windows Server 2003 system has event logs for system, security, and applications. On a domain controller, the Event Viewer also includes directory services, domain name system (DNS), and File Replication Services (FRS) logs. Depending on other applications loaded or running on a server, additional event logs may be added to the managed logs of the Event Viewer utility.


You can access the Event Viewer through the Administrative Tools menu or by right-clicking the My Computer icon on the desktop and selecting Manage. You can also launch the Event Viewer by running the Microsoft Management Console (File, Run, mmc.exe) or through a command line by running eventvwr.msc.

Getting the Most out of the Event Viewer

As noted previously, events can range in importance from simple informational data to serious or catastrophic events such as transport protocol or major system failures. The primary types of events include success audit, failure audit, informational, warning, and error. An icon in Event Viewer identifies the severity of each type of event.

The console tree on the left pane of the Event Viewer window lists the logs available to view, and the details pane on the right side of the window displays the events. Click a log to view the events associated with it on the details pane. When you're viewing a log, the Event Viewer displays the current information for the log. While you view the log, the information is not updated unless you refresh the Event Viewer. If you switch to another log and then return to the previous log, the previous log is automatically updated.

Each log has common properties associated with its events:

  • Type This property defines the severity of the event. An icon appears next to each type of event. It helps to quickly identify whether the event is informational, a warning, or an error.

  • Date This property indicates the date that the event occurred. You can sort events by date by clicking the Date column. This information is particularly helpful in tracing back an incident that occurred in the past, such as a hardware upgrade before your server started experiencing problems.

  • Time This property indicates the time that the event occurred. It can be used the same as the date.

  • Source This property identifies the source of the event, which can be an application, remote access, a service, and so on. The source is very useful in determining what caused the event.

  • Category This property determines the category of an event. An example is the Security category, which includes Logon/Logoff, System, Object Access, and others.

  • Event Each event has an associated Event ID, which is a number generated by the source and is unique to each event. You can use the Event ID on the Microsoft Support Web site (http://www.microsoft.com/technet/) to find topics and solutions related to an event on your server.

  • User This property identifies the user that caused the event to occur. User does not necessarily mean the person logged on to the server. Examples of user events in the Security log are System, Local Service, Network Service, and so on.

  • Computer This property identifies the computer that caused the event to occur.

To view more comprehensive details of an event, click the log in the console tree and then double-click the event in the details pane (or select it and press Enter). The Event Viewer opens a property page showing the properties of the event, as shown in the sample in Figure 34.4. The top portion includes general information about the event, such as date, time, user, and source. The Description field gives a detailed description of the event and contains a URL to Microsoft. If you click the link, information relating to the event is sent to Microsoft over the Internet in the form of a query, which helps you get more detailed information. To view details about the previous or next event, click the up or down arrow. To copy the details of an event to the Clipboard, click the Document button. The bottom part of the property page shows additional data included with the event. The Data field displays this data in bytes (hexadecimal) or words format; bytes is the default, but you can switch to words by clicking the Words radio button.

Figure 34.4. Detailed event properties.


You can search for a specific event by highlighting the log and selecting View, Find. In the resulting dialog box, you can search based on user, computer, event source, information, success audit, or any property or value stored in the event log. It is particularly useful to search for specific events, states in time, or other information when you have a large log and need to narrow in on information about a specific event or point in time.

Viewing Logs on Remote Servers

Event Viewer enables you to connect to other computers on your network. To connect to another computer from the console tree, right-click Event Viewer (Local) and click Connect to Another Computer. Select Another Computer and then enter the name of the computer or browse to it and click OK. You must be logged in as an administrator or be a member of the Administrators group to view event logs on a remote computer. If the new computer requires a low-speed connection, right-click the log to be viewed and then click Properties. On the General tab, click Using a Low-Speed Connection.

Event Filtering

By default, the Event Viewer displays all events for a selected log. Filtering is very useful when it becomes necessary to narrow down the view. It is helpful to be able to filter the view so that the Event Viewer shows events that meet specific criteria. To use a filter, select the log to be filtered and then select View, Filter. This will result in the property page shown in Figure 34.5.

Figure 34.5. Filtering for Event Viewer events.


Tip

Event Comb (EventCombMT), located in the Windows Server 2003 Resource Kit, can assist you with the task of combing through multiple event logs on domain controllers. More specifically, you can check and diagnose replication by using the utility to search for particular EventIDs related to replication. Another similar tool that can be used in conjunction with EventCombMT is the Checkrepl.vbs script, which can monitor replication for a specific domain controller.


Events can be filtered based on different fields. It is possible to filter based on event source, category, and date range. If you suspect you have an application or service causing a server malfunction, it is helpful to filter based on event source. From the Event Source pull-down menu on the System Properties page, select the category or select All (default) to filter all event sources. To filter events based on date, specify the date range and then enter the From and To fields based on the date range you want to view information.

To return to the default view, click Restore Defaults and click OK. Choose View, All Records to remove the filter and view all events in the log.

Note

Filtering changes only the view and has nothing to do with the actual contents of the log. All events are continuously logged whether or not filtering is turned on. If a log file from a filtered view is archived, all records are saved, even if you select a text format or comma-delimited text format file.


Archiving Events

Occasionally, you need to archive an event log. Archiving a log copies the contents of the log to a file. Archiving is useful in creating benchmark records for the baseline of a server, or for storing a copy of the log that can be viewed or accessed elsewhere. When an event log is archived, it is saved in one of three forms:

  • Comma-delimited text file (.csv) This format allows the information to be used in a program such as Excel.

  • Text-file format (.txt) This format allows the information to be used in a program such as a word processing program.

  • Log file (.evt) This format allows the archived log to be viewed again in the Event Viewer.

The event description is saved in all archived logs. The sequence of data generated within each record is in this order: date, time, source, type, category, event, user, computer, and description. To archive, right-click the log to be archived and click Save Log File As. In the File Name field of the resulting property page, type in a name for the archived log file, choose a file type from the file format options of .csv, .txt, or .evt, and then click Save.

Note

You must be a member of the Backup Operators group at the minimum to archive an event log.


Logs archived in log-file format (.evt) can be reopened using the Event Viewer utility. Logs saved in log-file format retain the binary data for each event recorded. Event logs, by default, are stored on the server from which the Event Viewer utility is being run, but data can be archived to a remote server by simply providing a UNC path (such as \\servername\share\) when entering a filename.

Logs archived in comma-delimited (.csv) or text (.txt) format can be reopened in other programs such as Microsoft Word or Microsoft Excel. Logs archived in text or comma-delimited format do not retain the binary data.

Tip

By periodically archiving security logs to a central location on your network and then reviewing them against local security logs, you can see differences more clearly between logs that can help you proactively identify unauthorized activity on a server.
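An added example, not from the book, that ties together the View, Filter criteria, the field order of a .csv archive as stated above, and the Tip's comparison of a central archive against the local log: it parses constructed archive exports, filters them by source, type, Event ID and date range, and lists archived events the local log no longer holds. The sample records, the absence of a header row and the US-style date format are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed samples of Event Viewer .csv archives (not real server data).
# Field order follows the page: date, time, source, type, category, event,
# user, computer, description. Assumed: no header row, US-style dates/times.
CENTRAL_ARCHIVE = """\
3/14/2006,8:02:11 AM,Security,Success Audit,Logon/Logoff,528,DOMAIN\\jsmith,SRV01,Successful Logon
3/14/2006,8:05:47 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01,Logon Failure: Unknown user name or bad password
3/14/2006,9:30:00 AM,Service Control Manager,Information,None,7036,N/A,SRV01,The Print Spooler service entered the running state.
3/15/2006,1:12:09 AM,Security,Success Audit,Logon/Logoff,528,DOMAIN\\jsmith,SRV01,Successful Logon
3/15/2006,1:13:30 AM,Security,Success Audit,System Event,517,NT AUTHORITY\\SYSTEM,SRV01,The audit log was cleared
"""
# The local Security log as found later: only the clear event (517) and what
# followed it remain, so the earlier entries survive only in the central copy.
LOCAL_LOG = """\
3/15/2006,1:13:30 AM,Security,Success Audit,System Event,517,NT AUTHORITY\\SYSTEM,SRV01,The audit log was cleared
3/15/2006,7:58:02 AM,Security,Success Audit,Logon/Logoff,528,DOMAIN\\admin,SRV01,Successful Logon
"""

FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer", "description"]

def parse_archive(text):
    """Parse a .csv archive into dicts, adding a datetime for sorting and date filtering."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, row))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %I:%M:%S %p")
        rec["event"] = int(rec["event"])
        events.append(rec)
    return events

def filter_events(events, source=None, types=None, event_ids=None, since=None, until=None):
    """Mirror the View, Filter dialog: event source, type, Event ID and an inclusive date range."""
    return [e for e in events
            if (source is None or e["source"] == source)
            and (types is None or e["type"] in types)
            and (event_ids is None or e["event"] in event_ids)
            and (since is None or e["when"].date() >= since)
            and (until is None or e["when"].date() <= until)]

def missing_from_local(central, local):
    """Events in the central archive that the local log no longer contains."""
    key = lambda e: (e["when"], e["source"], e["event"], e["user"], e["computer"])
    present = {key(e) for e in local}
    return [e for e in central if key(e) not in present]

if __name__ == "__main__":
    central, local = parse_archive(CENTRAL_ARCHIVE), parse_archive(LOCAL_LOG)
    for e in filter_events(central, source="Security", types={"Failure Audit"}):
        print("failed audit:", e["when"], e["event"], e["description"])
    print(len(missing_from_local(central, local)), "archived events are missing from the local log")
```

Archived entries that are absent locally, combined with a Security event 517 (audit log cleared) on the server, are the kind of difference the Tip suggests looking for.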


Customizing the Event Log

Each event log has a property associated with it. This property can be used to customize each of the event logs. The property defines the general characteristics of the log in the Event Viewer, such as the appearance of the log in the Event Viewer, the log size, and what should happen when the maximum log size is reached.

To customize the event log, access the properties of the particular log by highlighting the log and selecting Action, Properties. Alternatively, you can right-click the log and select Properties to display the General tab of its property page, as shown in Figure 34.6.

Figure 34.6. Selecting properties for the event log.


The Log Size section specifies the maximum size of the log and the subsequent actions to be taken when the maximum log size limit is reached. The three options are

  • Overwrite Events as Needed

  • Overwrite Events Older Than X Days

  • Do Not Overwrite Events

If you select the Do Not Overwrite Events option, Windows Server 2003 stops logging events when the log fills up. Although Windows Server 2003 notifies you when the log is full, you will need to monitor and manually clear the log periodically so that new events can be tracked and stored in the log file. Log file sizes must be specified in multiples of 64KB. If a value is not a multiple of 64KB, the Event Viewer automatically sets the log file size to a multiple of 64KB.

When you need to clear the event log, for example, when the log is full, click Clear Log in the lower right of the property page. If you need to reset the logging information to defaults, click Restore Defaults to reset the log-tracking information.

If a remote server is being monitored and is connected using a low-speed connection, check the Using a Low-Speed Connection box. Using a low-speed connection prevents the Event Viewer from downloading all event data before it is requested. This feature is useful when you're working with logs on a remote server with a slow connection such as dial-up or over a slow WAN connection.

Understanding the Security Log

Logging an accurate and wide range of security events in the Event Viewer requires an understanding of auditing in Windows Server 2003. It is important to know that events are not audited by default. Through auditing, which is enabled in the local security policy for a local server, domain controller security policy for a domain controller machine, or an Active Directory (AD) Group Policy Object (GPO) for a domain, you can track Windows Server 2003 security events. It is possible to specify that an audit entry be written to the security event log whenever certain actions are carried out or an object (such as a file or printer) in AD is accessed. The audit entry shows the action carried out, the user responsible for the action, and the date and time of the action. Successful and failed attempts at actions can be audited so that the audit trail shows the user or users who performed certain actions on the network or user or users who attempted to perform certain actions that are not permitted.

Auditing System Events Through Group Policies

For a domain, the types of system events audited through Group Policies can be specified by navigating to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy in the Group Policy Object Editor and double-clicking an event category that needs to be changed in the details pane. If you're defining the audit policy settings for an event category for the first time, check the Define These Policy Settings box. Then do one or both of the following and click OK:

  • To audit successful attempts, check the Success box.

  • To audit unsuccessful attempts, check the Failure box.

The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled for a domain, it does not necessarily imply that auditing has been enabled for the domain controller because domain controllers do not inherit auditing policy locally. To enable auditing on domain controllers, use the domain controller security policy.

The following examples describe how to set up auditing for some objects on a domain, site, or organizational unit (OU) using the Group Policy Object Editor (Computer Configuration\Windows Settings\Security Settings):

  • Registry keys Highlight the Registry in the console pane, right-click Registry, and then click Add Key. Browse to locate the key you want to edit and click OK. To modify a Registry key that has already been added to a GPO, right-click the Registry key, click Properties, and click Edit Security.

  • System services Highlight the particular service you want. Right-click the service and select Properties. If it is not already selected, check the Define This Policy Setting box and then select the appropriate setting. Then click Edit Security.

  • Files or folders Right-click File System and then click Add File. Browse to the specific file and click OK. To modify auditing on a file or folder already in this GPO, in the details pane, right-click the file or folder and then click Edit Security.

If security logging is crucial in the organization, you can choose to shut down the server immediately if logging is unable to save a security event to the log file. This security policy can be located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Enabling this security setting causes the system to stop if a security audit cannot be logged.

A typical reason for an event failing to be logged is that the security audit log is full and the retention method specified in the log general properties is Do Not Overwrite Events. When this situation arises, the following stop error appears:

STOP: C0000244 {Audit Failed}. An attempt to generate a security audit failed. 


To bring the system back online after an automatic security event-induced shutdown, turn the server back on, log in as an administrator, and clear or archive the log.
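To make the interaction between the Log Size retention options and the shut-down-on-audit-failure setting concrete, here is an added model (not Windows code and not from the book) of the three retention options and the stop behaviour described above. The record-count limit in place of bytes, integer day numbers in place of timestamps, and rounding a requested size up to the next 64KB multiple are all assumptions of this model.

```python
# Model of the Log Size retention options and the crash-on-audit-fail setting.
# Assumed simplifications: the log holds a fixed number of records instead of
# bytes, and time is an integer day number.

STOP_C0000244 = "STOP: C0000244 {Audit Failed}. An attempt to generate a security audit failed."

class AuditFailed(RuntimeError):
    """Raised where Windows would halt with the STOP error quoted above."""

def adjusted_log_size_kb(requested_kb):
    """Sizes must be multiples of 64KB; rounding up to the next multiple is assumed here."""
    return max(64, -(-requested_kb // 64) * 64)

class SecurityLog:
    RETENTIONS = ("overwrite_as_needed", "overwrite_older_than", "do_not_overwrite")

    def __init__(self, max_records, retention, older_than_days=7, crash_on_audit_fail=False):
        if retention not in self.RETENTIONS:
            raise ValueError(retention)
        self.max_records = max_records
        self.retention = retention
        self.older_than_days = older_than_days
        self.crash_on_audit_fail = crash_on_audit_fail
        self.records = []  # (day, event_id), oldest first

    def _make_room(self, today):
        """Evict the oldest record if the retention option allows it."""
        if self.retention == "overwrite_as_needed":
            self.records.pop(0)
            return True
        if self.retention == "overwrite_older_than":
            if self.records and today - self.records[0][0] > self.older_than_days:
                self.records.pop(0)
                return True
        return False  # Do Not Overwrite, or the oldest record is still too recent

    def write(self, today, event_id):
        """Return True if the audit was stored and False if it was dropped; raise
        AuditFailed when the crash-on-audit-fail policy is on and it could not be logged."""
        if len(self.records) >= self.max_records and not self._make_room(today):
            if self.crash_on_audit_fail:
                raise AuditFailed(STOP_C0000244)
            return False
        self.records.append((today, event_id))
        return True

    def clear(self):
        """The recovery step after the shutdown: the administrator clears (or archives) the log."""
        self.records = []
```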

Note

In severe situations, an organization may choose to have servers automatically shut down when a security breach or event occurs. However, it is important to note that a server shutdown in the middle of the day can affect all users on the network who were connected to the shut-down server, so care must be taken in selecting the applicable security policy and automated process appropriate for the organization. Also, if the sole purpose of the attack is to deny service, it will be a success if the server shuts down automatically.





Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499
