Using Event Viewer

Event Viewer is a utility designed to track events recorded in the application, security, and system logs. It enables you to gather information about software, hardware, and system problems and track Windows 2000 security events. When you start Windows 2000, the Event Log service starts automatically. Event Viewer takes the form of a Microsoft Management Console (MMC) snap-in. It is named Eventvwr.msc and can be found in the %SystemRoot%\System32 folder. When you launch Event Viewer from the Administrative Tools folder on the Programs menu, you see the Event Viewer console (Figure 33-1).

Figure 33-1. The Event Viewer console.

Event Log Files

Windows 2000 records events in three kinds of logs:

  • Application log Contains events logged by programs or applications. For example, a database program might log a file error in the program log. Application and program developers determine the events that are logged. All users can view this log.
  • Security log Records security events such as invalid and valid logon attempts and events related to resource use, such as creating, opening, or deleting files. The security log is turned off by default. The administrator can turn on the security log to record events by setting auditing attributes or events through the Group Policy feature in Windows 2000. For example, if you have enabled auditing for logging on, all attempts to log on to the system are recorded in the security log. An auditing policy can also be set in the registry to cause the system to halt when the security log becomes full. Only administrators can view this log. More information on setting auditing policy can be found in Chapter 10.
  • System log Contains events logged by the Windows 2000 system components. For example, the log records the failure of a system component that is meant to load during startup. The event types logged here are predetermined by Windows 2000. All users can view this log.

By default, each log file has a maximum size of 512 KB and logs are overwritten as necessary, provided that the events are older than seven days. You can change the size of each log file by selecting the log you want to modify and choosing Properties from the Action menu of Event Viewer. In the Maximum Log Size box in the General tab, specify the new log size in kilobytes. The maximum log size can be as large as the capacity of the hard disk and memory. You can also decrease the size of the log file, but you have to clear the log of events first.

Logging stops if the log file becomes full and cannot overwrite itself because the events in the log are not old enough or because you have the log set to be cleared manually. You can specify the event logging parameters for specific logs with the Event Log Wrapping options in the General tab of the Properties dialog box for each log. Choose Overwrite Events As Needed, Overwrite Events Older Than x Days, or Do Not Overwrite Events. (Event Log is also covered as part of day-to-day administration in Chapter 10.)

The Components of an Event

The two key components in the interpretation of an event are the event header and the event description. The event description is the most useful piece of information because it indicates the significance of the event.

The Event Header

Event headers are displayed in columns in the Event Viewer console (Figure 33-2).

Figure 33-2. Event headers in the Event Viewer console.

Event headers are broken down into the following components:

  • Type Lists the severity of the event. Events in the application and system logs are classified as Information, Warning, or Error. Events in the security log are classified as Success Audit or Failure Audit. Event Viewer represents these classifications as symbols in its normal list view. These symbols include the following:
    • Information Describes the successful operation of a service, driver, or application. For example, when the Event Log service is started successfully, it is recorded as an Information event.
    • Warning Indicates events that (although not necessarily significant) pose a possible future problem. For example, when the hard disk is at or near capacity, you are advised to delete some files.
    • Error Indicates that a significant problem has occurred, such as loss of functionality or loss of data. For example, if a service such as Net Logon fails to load, it is logged in Event Viewer as an error.
    • Failure Audit Lists a failed attempt to perform an audited security event. For example, if a user tries to log on and fails, that attempt is logged as a Failure Audit event.
    • Success Audit Lists a successful attempt to perform an audited security event. For example, when a user logs on successfully, it is logged as a Success Audit event.
  • Date Indicates the date the event occurred.
  • Time Indicates the (local) time the event occurred.
  • Source Lists the software that logged the event. The software can be a program name, a component of the system, or a component of a large program, such as a driver name.
  • Category Shows the way the event source classifies the event; primarily used in the security log. Security audits are one of the event types that are classified here.
  • Event Lists a number that identifies the particular event type. The name of the event type is usually contained in the first line of its associated description.
  • User Indicates the user name of the user for whom the event occurred. If a server process caused the event, the user name is the client ID. If impersonation is not taking place, the primary ID is displayed here. Impersonation occurs when one process is permitted to take on the security attributes of another process. The security log entry lists both the primary and the impersonation IDs when applicable.
  • Computer Specifies the name of the computer on which the event took place.

The Event Description

Double-clicking a specific event in Event Viewer displays a text description in the Event Detail tab of the Properties dialog box (Figure 33-3) that is often helpful in the analysis of the event. Binary data is also generated for some events and can be helpful in interpreting those events because it is generated by the program that originated the event records. If you retain event descriptions, save them as binary data files. Don't save event descriptions in text format or comma-delimited text format, because these formats discard binary data.

Figure 33-3. The Event Properties dialog box.

Archiving an Event Log

You can save an event log to a file by right-clicking the log name in Event Viewer and choosing Save Log File As from the shortcut menu. You can archive event logs in one of the following three formats:

  • Log format Allows you to view the log in Event Viewer. Its extension is .EVT.
  • Text format Lets you use the detail contained in this file in a program such as Microsoft Word. Its extension is .TXT.
  • Comma-delimited text format Enables you to use the data in a spreadsheet or flat-file database. Its extension is .CSV.

Archived logs save the event description in the following order: date, time, source, type, category, event, user, computer, description. The entire log file is saved, regardless of any filtering options you might have set. The information is saved sequentially, even if you have established a sort order for the events.

You can open an archived log file from the Action menu by pointing to New and then choosing Log View. In the Add Another Log View dialog box, select Saved (Opens A Previously Saved Log), and click Browse to search for the log name in the Open dialog box. You can open only an archived log file with the .EVT filename extension in Event Viewer. (Archived log files with .TXT and .CSV extensions can be opened in any word processing program.) The information displayed in an archived log cannot be updated by refreshing.

Viewing an Event Log on Another Computer

You can connect to another computer to view its event log by right-clicking Event Viewer (Local) at the top of the tree and choosing Connect To Another Computer. In the Select Computer dialog box (Figure 33-4), you can browse for or enter the name of the other computer whose event log you want to view.

Figure 33-4. The Select Computer dialog box.

Event Viewer enables you to view machines running Microsoft Windows NT Workstation or Windows 2000 Professional, a server or domain controller running Windows NT Server or Windows 2000 Server, or a server running LAN Manager 2.x. You can configure a low-speed connection for the remote machine you want to view. To do this, select the log you want to view from the console tree, choose Properties from the Action menu, and then select the Low Speed Connection option.

For more sophisticated monitoring and analysis of a large network of computers, consider using Microsoft Systems Management Server (SMS), or Microsoft Operations Manager (MOM), or both. Information on these products is available at and

Microsoft Windows 2000 Server Administrator's Companion
Microsoft Windows 2000 Server Administrators Companion
ISBN: 0735617856
EAN: 2147483647
Year: 2003
Pages: 320

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: