What Is the Event Log?


From the system administrator's point of view, the event log is little more than a list of messages posted by the system or by application software. This list of messages is organized into logical groups called log files (or logs). The collection of logs is referred to generally as the event log. The system administrator's window to the event log is the Event Viewer snap-in of the Microsoft Management Console (MMC), which is installed with Windows 2000. You can open the Event Viewer by clicking Start, pointing to Programs, pointing to Administrative Tools, and then choosing the Event Viewer option. You can also access the Event Viewer by choosing Computer Management in Administrative Tools. Figure 6-1 shows the Event Viewer snap-in in Computer Management.


Figure 6-1. The Event Viewer snap-in in Computer Management

In the Event Viewer node in the MMC, you see a set of logs. When you select a log, the right-hand pane displays the list of that log's events. Double-clicking on an event entry gives you detailed information about the event. I will discuss the information found in each event in a moment, but first we need to discuss the purpose of the different logs.

By default, your system's event log contains three logs: Application, System, and Security. Applications can add their own custom logs to the system; however, this is not typically necessary or common. If you decide to report to your own custom log file, you tell the Event Viewer snap-in about it by selecting the Event Viewer node in the left-hand pane and choosing Open Log File from the Action menu. This produces an Open dialog box that allows you to open a log file. You must report at least one event to a custom log before viewing the log with the Event Viewer snap-in.

Table 6-1 describes the three standard event logs. Since the subject of this book is writing server applications, the Application log will be of most interest to us.

Table 6-1. Standard event logs in Event Viewer

| Log Name | Description |
|---|---|
| Application | Contains events generated by application software and services |
| System | Contains events generated by device drivers and other operating system components |
| Security | Contains events generated by security audits |

Now let's take a moment to dissect a logged event entry. An event is a single entry in an event log and consists of the following information fields: event type, date and time generated, date and time written, event source, event category, event ID, user, and system. In addition to this information, each event can contain a detailed textual description and have binary data associated with it. The Event Viewer snap-in is capable of displaying most of this information. Table 6-2 offers a brief description of each field.

Most of the fields are self-explanatory, but the event source, event ID, event category, and event type deserve more explanation.

The event source represents the application, service, or system component that reported the event. Typically a one-to-one relationship exists between the reporting agent and event source. However, the code that is reporting the event decides which source it is reporting as, so a single application can report as multiple sources. Likewise, multiple applications can report as a single source. Windows does not restrict this reporting flexibility in any way.

The event ID is a source-defined value that identifies a certain type of event. Any event can be identified via a composite of the event's source and ID. For example, the Browser service defines event ID 8021 as "The browser was unable to retrieve a list of servers from the browser master <servername> on the network …" and event ID 8033 as "The browser has forced an election …."

The event category is an optional source-defined category for the event. Categories are useful for applications and system components that report many different types of events, because those events can then be broken down further into logical groups.

Table 6-2. Fields for an entry in an event log

| Field | Description |
|---|---|
| Event type | Identifies the type of event. The system defines five different event types, listed in Table 6-3. |
| Date and time generated | Identifies the time that the source wanted the event added to a log. |
| Date and time written | Identifies the time that the system recorded the entry in a log. |
| Event source | Identifies the component responsible for adding the event to a log. Usually the source is an application or a service. |
| Event category | Identifies a source-defined category for the event. |
| Event ID | Identifies a source-defined number that uniquely indicates the nature of the incident that caused an entry to be added to a log. |
| User | Identifies the user account context that generated the event entry. This value is a user's security identifier (SID). See Chapter 9 for more discussion on SIDs. |
| System | Identifies the machine on which the incident occurred. |

You must decide whether the event category is necessary or useful for your software. If an event source chooses to ignore categories, the Event Viewer snap-in will report no categories for events from that source.

The event type can be one of five system-defined event types shown in Table 6-3. The software that is reporting the event selects the event type.

Table 6-3. Event types

| Event Type | Description |
|---|---|
| EVENTLOG_INFORMATION_TYPE | Information events indicate a situation or an operation that occurred that is not problematic to the application or system—for example, the starting or stopping of a service application. |
| EVENTLOG_WARNING_TYPE | Warning events signify potential or future problem situations—for example, relatively low memory or disk space, which might become problematic if resources continue to be consumed. |
| EVENTLOG_ERROR_TYPE | Error events are logged when an application or a system component actually failed some part of its functionality—for example, an inability to write data to a disk, which resulted in data loss. |
| EVENTLOG_AUDIT_SUCCESS | Success audit events are logged by Windows security when an audited action is performed successfully. |
| EVENTLOG_AUDIT_FAILURE | Failure audit events are logged by Windows security when an audited action is attempted and fails. |
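To see how the fields of Table 6-2 and the types of Table 6-3 surface on a running system, here is an added example (not the book's code) that reads a classic log with the Windows PowerShell 5.1 Get-EventLog cmdlet, maps each record onto the fields named above, and counts events by the composite (source, ID) key that the text says identifies an event. The function names Get-EventSummary and Get-EventCounts are this example's own.

```powershell
# Added example (not from the book): map the event-record fields of Table 6-2
# onto the properties of System.Diagnostics.EventLogEntry as returned by the
# Windows PowerShell 5.1 Get-EventLog cmdlet, which reads only the classic
# logs (Application, System, Security and custom logs registered with them).

function Get-EventSummary {
    param(
        [string]$LogName = 'Application',
        # EntryType names correspond to the EVENTLOG_* constants of Table 6-3:
        # Information, Warning, Error, SuccessAudit, FailureAudit
        [string[]]$EntryType = @('Error', 'Warning'),
        [int]$Newest = 500
    )

    Get-EventLog -LogName $LogName -EntryType $EntryType -Newest $Newest |
        ForEach-Object {
            [pscustomobject]@{
                Generated = $_.TimeGenerated   # date and time generated
                Written   = $_.TimeWritten     # date and time written
                Type      = $_.EntryType       # event type
                Source    = $_.Source          # event source
                Category  = $_.CategoryNumber  # source-defined category (0 = none)
                EventID   = $_.EventID         # source-defined ID
                User      = $_.UserName        # resolved from the SID; may be empty
                Machine   = $_.MachineName     # the "system" field
                Message   = $_.Message         # textual description
                DataBytes = $_.Data.Length     # size of attached binary data
            }
        }
}

# An event is identified by the composite (source, ID), not by the ID alone,
# so group on both properties when counting which events recur.
function Get-EventCounts {
    param(
        [string]$LogName = 'Application',
        [string[]]$EntryType = @('Error', 'Warning')
    )

    Get-EventSummary -LogName $LogName -EntryType $EntryType |
        Group-Object -Property Source, EventID |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Errors and warnings that application software reported most often
Get-EventCounts | Format-Table -AutoSize

# Failed security audits (reading the Security log requires administrative rights)
Get-EventCounts -LogName 'Security' -EntryType 'FailureAudit' | Format-Table -AutoSize
```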

Programming Server-Side Applications for Microsoft Windows 2000
ISBN: 0735607532
Year: 2000