Event Logging and Viewing

from Chapter 3, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

Event logs provide historical information that can help you track down system and security problems. The event-logging service controls whether events are tracked on Windows 2000 systems. When this service is started, you can track user actions and system resource usage events with the following event logs:

  • Application Log Records events logged by applications, such as the failure of MS SQL to access a database.

  • Directory Service Records events logged by Active Directory and its related services.

  • DNS Server Records DNS queries, responses, and other DNS activities.

  • File Replication Service Records file replication activities on the system.

  • Security Log Records events you've set for auditing with local or global group policies.

    Note: Any user who needs access to the security log must be granted the user right to Manage Auditing and the Security Log. By default, members of the Administrators group have this user right. To learn how to assign user rights, see Chapter 7.

  • System Log Records events logged by the operating system or its components, such as the failure of a service to start at bootup.

Accessing and Using the Event Logs

You access the event logs by completing the following steps:

  1. In the Computer Management console, connect to the computer whose event logs you want to view or manage.

  2. Expand the System Tools node by clicking the plus sign (+) next to it and then double-click Event Viewer. You should now see a list of logs, as shown in Figure 3-8.

  3. Select the log you want to view.

Entries in the main panel of Event Viewer provide a quick overview of when, where, and how an event occurred. To obtain detailed information on an event, double-click its entry. The event type precedes the date and time of the event. Event types include

  • Information An informational event which is generally related to a successful action.

  • Success Audit An event related to the successful execution of an action.

  • Failure Audit An event related to the failed execution of an action.

    Figure 3-8: Event Viewer displays events for the selected log.

  • Warning A warning. Details for warnings are often useful in preventing future system problems.

  • Error An error, such as the failure of a service to start.

    Note: Warnings and errors are the two types of events that you'll want to examine closely. Whenever these types of events occur and you're unsure of the cause, double-click the entry to view the detailed event description.

In addition to type, date, and time, the summary and detailed event entries provide the following information:

  • Source The application, service, or component that logged the event.

  • Category The category of the event, which is sometimes used to further describe the related action.

  • Event An identifier for the specific event.

  • User The user account that was logged on when the event occurred.

  • Computer The name of the computer where the event occurred.

  • Description In the detailed entries, a text description of the event.

  • Data In the detailed entries, any data or error code output by the event.

Setting Event Log Options

Log options allow you to control the size of the event logs as well as how logging is handled. By default, event logs are set with a maximum file size of 512 KB. Then, when a log reaches this limit, events older than seven days are overwritten to prevent the log from exceeding the maximum file size.

To set the log options, complete the following steps:

  1. In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs.

  2. Right-click the event log whose properties you want to set and select Properties from the shortcut menu. This opens the dialog box shown in Figure 3-9.

  3. Enter a maximum size in the Maximum Log Size field. Make sure that the drive containing the operating system has enough free space for the maximum log size you select. Log files are stored in the %SystemRoot%\system32\config directory by default.

    Note: Throughout this book you'll see references to %SystemRoot%. This is an environment variable used by Windows 2000 to designate the base directory for the Windows 2000 operating system, such as C:\WIN2000. For more information on environment variables, see Chapter 9.

  4. Determine what happens when the maximum log size is reached. The options available are

    • Overwrite Events As Needed Events in the log are overwritten when the maximum file size is reached. Generally, this is the best option on a low priority system.

    • Overwrite Events Older Than . . . Days When the maximum file size is reached, events in the log are overwritten only if they are older than the setting you select. If the maximum size is reached and the events can't be overwritten, the system generates error messages telling you the event log is full.

    • Do Not Overwrite Events (Clear Log Manually) When the maximum file size is reached, the system generates error messages telling you the event log is full.

  5. Click OK when you're finished.

    Note: On critical systems where security and event logging is very important, you may want to use Overwrite Events Older Than . . . Days or Do Not Overwrite Events (Clear Log Manually). When you use these methods, you may want to archive and clear the log file periodically to prevent the system from generating error messages.

    Figure 3-9: You should configure log settings according to the level of auditing on the system.

Clearing the Event Logs

When an event log is full, you need to clear it. To do that, complete the following steps:

  1. In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs.

  2. Right-click the event log you want to clear and select Clear All Events from the shortcut menu.

  3. Choose Yes to save the log before clearing it. Choose No to continue without saving the log file.

Archiving the Event Logs

On key systems such as domain controllers and application servers, you'll want to keep several months' worth of logs. However, it usually isn't practical to set the maximum log size to accommodate this. Instead, you should periodically archive the event logs.

Archive Log Formats

Logs can be archived in three formats:

  • Event log format for access in Event Viewer

  • Tab-delimited text format, for access in text editors or word processors or import into spreadsheets and databases

  • Comma-delimited text format, for import into spreadsheets or databases

When you export log files to a comma-delimited file, each field in the event entry is separated by a comma. The event entries look like this:

9/7/99,9:43:24 PM,DNS,Information,None,2,N/A,ZETA,The DNS Server has started.
9/7/99,9:40:04 PM,DNS,Error,None,4015,N/A,ZETA,The DNS server has encountered a critical error from the Directory Service (DS). The data is the error code.

The format for the entries is as follows:

Date, Time, Source, Type, Category, Event, User, Computer, Description.
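Because Description is the last of the nine fields, an archive in this format can be read without a full CSV library: split each record on its first eight commas and keep the remainder, commas included, as the description. The following parser is an added example and is not code from the book; it embeds the two DNS records shown above plus one constructed Security log record (the Failure Audit line is a sample written for this example, not an export from the book) and pulls out the Error, Warning, and Failure Audit entries that the text recommends examining closely.

```python
"""Parse a Windows 2000 Event Viewer comma-delimited archive.

Field order in the export, as documented in the chapter:
Date, Time, Source, Type, Category, Event, User, Computer, Description.
Description is the last field, so each record is split on its first eight
commas only; any commas inside the description text survive intact.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable

FIELDS = ("date", "time", "source", "type", "category", "event",
          "user", "computer", "description")

# Event types the chapter says deserve a closer look.
REVIEW_TYPES = {"Error", "Warning", "Failure Audit"}

# Constructed sample: the first two lines are the DNS records from the
# chapter; the third is an invented Security log record used only to show
# that a comma inside the description is preserved.
SAMPLE_EXPORT = """\
9/7/99,9:43:24 PM,DNS,Information,None,2,N/A,ZETA,The DNS Server has started.
9/7/99,9:40:04 PM,DNS,Error,None,4015,N/A,ZETA,The DNS server has encountered a critical error from the Directory Service (DS). The data is the error code.
9/7/99,9:45:10 PM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,ZETA,Logon Failure: Reason: Unknown user name or bad password, Logon Type: 2
"""


@dataclass(frozen=True)
class EventRecord:
    date: str
    time: str
    source: str
    type: str
    category: str
    event: int
    user: str
    computer: str
    description: str


def parse_line(line: str) -> EventRecord:
    """Split one exported record into its nine fields."""
    parts = line.rstrip("\r\n").split(",", 8)
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    values = dict(zip(FIELDS, parts))
    values["event"] = int(values["event"])  # the Event column is an integer ID
    return EventRecord(**values)


def parse_export(lines: Iterable[str]) -> list[EventRecord]:
    """Parse every non-blank line of an export into EventRecord objects."""
    return [parse_line(ln) for ln in lines if ln.strip()]


def summarize_by_type(records: Iterable[EventRecord]) -> Counter:
    """Count records per event type (Information, Error, Failure Audit, ...)."""
    return Counter(r.type for r in records)


def needs_review(records: Iterable[EventRecord]) -> list[EventRecord]:
    """Return the records whose type the chapter says to examine closely."""
    return [r for r in records if r.type in REVIEW_TYPES]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT.splitlines())
    print(dict(summarize_by_type(recs)))
    for r in needs_review(recs):
        print(f"{r.date} {r.time} {r.source} {r.type} {r.event}: {r.description}")
```

The same split-on-eight-commas approach works for the tab-delimited format by changing the separator to a tab; only the field order matters, and the chapter gives that order explicitly.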

Creating Log Archives in the Event Viewer Format

To create a log archive in the Event Viewer file format, complete the following steps:

  1. In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs.

  2. Right-click the event log you want to archive and select Save Log File As from the shortcut menu.

  3. In the Save As dialog box, select a directory and a log filename.

  4. In the Save As Type dialog box, Event Log (*.evt) will be the default file type.

  5. Choose Save.

    Note: If you plan to archive logs regularly, you may want to create an archive directory. This way you can easily locate the log archives. You should also name the log file so that you can easily determine the log file type and the period of the archive. For example, if you're archiving the system log file for January 2000, you may want to use the filename System Log Jan. 2000.

Creating Log Archives In Other Formats

To create a tab- or comma-delimited log archive, follow these steps:

  1. In the Computer Management console, double-click on the Event Viewer entry. You should now see a list of event logs.

  2. Right-click on the event log you want to archive and select Save Log File As from the shortcut menu.

  3. In the Save As dialog box, select a directory and a log filename.

  4. Using the Save As Type drop-down list box, select the Text or CSV log file format.

  5. Choose Save.

Viewing Log Archives

You can view log archives in text format in any text editor or word processor. You should view log archives in the event log format in Event Viewer. You can view log archives in Event Viewer by completing the following steps:

  1. In the Computer Management console, right-click the Event Viewer entry. On the shortcut menu, select Open Log File. You should now see the Open dialog box shown in Figure 3-10.

  2. Select a directory and a log filename.

  3. Choose the log file type.

  4. Enter a display name for the log file.

  5. Click Open. The archived log is displayed as a separate view in Event Viewer. Select this view to display the saved events in the log.

from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.