Event Viewer

Event Viewer allows you to monitor events in your system. It maintains logs about program, security, and system events on your computer. You can use Event Viewer to view and manage the event logs, gather information about hardware and software problems, and monitor Windows 2000 security events. The Event Log service starts automatically when you start Windows 2000. All users can view application and system logs.

To access Event Viewer, on the Start menu, click Programs, point to Administrative Tools, and then click Event Viewer.

Event logs consist of a header, a description of the event (based on the event type), and, optionally, additional data. Most Security log entries consist of the header and a description.

Event Viewer displays events from each log separately. Each line shows information about a single event, including date, time, source, event type, category, Event ID, user account, and computer name.

For more information about Event Viewer, see Windows 2000 Server Help.

Event Logs

You can use Event Viewer to view and manage the System, Application, and Security event logs.

System Log.    The System log records events logged by the Windows 2000 system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by Windows 2000.

Application Log.    The Application log records events logged by programs. For example, a database program might record a file error in the Application log. Program developers decide which events to monitor.

Security Log.    The Security log records security events, such as valid and invalid logon attempts, and events related to resource use, such as creating, opening, or deleting files or other objects. The Security log helps track changes to the security system and identify possible security breaches. For example, attempts to log on to the system might be recorded in the Security log, if logon and logoff auditing are enabled.

Note

You can view the Security log only if you are an administrator for a computer.

By default, security logging is turned off, but you can use Group Policy to enable security logging. To control the types of security events that are audited, in Group Policy, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy. To control the auditing of files and folders, display the properties of a file or folder. An administrator can also set auditing policies in the registry that cause the system to halt when the security log is full.

Event Descriptions

The format and contents of event descriptions vary, depending on the event type. The description indicates what happened or the significance of the event. Table 14.6 lists the five types of events recorded by the event logs.

Table 14.6 Event Types and Definitions

| Event Type | Definition |
| --- | --- |
| Error | A significant problem, such as loss of data or loss of functionality. |
| Warning | An event that might not be significant, but might indicate a future problem. |
| Information | An event that describes the successful operation of an application, driver, or service. |
| Success Audit | An audited security access attempt that succeeds. |
| Failure Audit | An audited security access attempt that fails. |

Viewing Events

After you select a log in Event Viewer, you can search, filter, sort, and view details about events.

Search for Events    Searches can be useful when you are viewing large logs. For example, you can search for all Warning events related to a specific application, or search for all Error events from all sources. To search for events that match a specific type, source, or category, on the View menu, click Find.

Filter Events    Event Viewer lists all events recorded in the selected log. However, you can filter events using specified criteria. Filtering the events that occur on your network can help you pinpoint the source of problems. All events are logged continually, whether the filter is active or not. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file. Filtering has no effect on the actual content of the log; it changes only the view.

Sort Events    By default, Event Viewer sorts events by date and time from the newest to the oldest. When a log is archived, the default sort order is saved. You can also sort events to assess their sequence, filter events for specific characteristics, and search for events based on specific criteria.

View Details About Events    The Event Properties dialog box shows a text description of the selected event and any available binary data. Binary data, which appears in hexadecimal format, is generated by the program that is the source of the event record. A support technician familiar with the source program can interpret its meaning. Not all events generate binary data. For more information about an event, highlight the event, and then click it.

If you archive a log in log-file format, you can reopen it in Event Viewer. Logs saved as event log files have an EVT file name extension and retain the binary data for each event recorded. Logs archived in text or comma-delimited format have TXT and CSV file name extensions, respectively. Such logs can be reopened in most word-processing or spreadsheet applications. Logs saved in text or comma-delimited format do not retain the binary data. When you archive a log file, the entire log is saved, regardless of filtering options.
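Because an archive always contains the entire log, any filter used in Event Viewer has to be re-applied when a comma-delimited archive is reviewed offline. The following Python sketch is an added example, not part of the original documentation: it re-applies type, source, and category criteria to a CSV archive and counts Failure Audit events per user. The column order, the function names, and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Assumed column order: the per-event fields Event Viewer lists, then the description.
FIELDS = ["date", "time", "source", "type", "category",
          "event_id", "user", "computer", "description"]

# Constructed sample archive (not real log data); the last line is truncated.
SAMPLE_ARCHIVE = """\
3/14/2001,9:02:11 AM,Security,Success Audit,Logon/Logoff,528,alice,WS01,Successful Logon
3/14/2001,9:05:40 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,WS01,"Logon Failure, User Name: bob"
3/14/2001,9:06:03 AM,Security,Failure Audit,Object Access,560,bob,WS01,Object Open
3/14/2001,9:06:09 AM,Security,Failure Audit,Object Access,560,bob,WS01,Object Open
3/14/2001,9:06:15 AM,Security,Failure Audit,Object Access,560,bob,WS01,Object Open
3/14/2001,9:07:30 AM,Security,Success Audit,Object Access,560,alice,WS01,Object Open
3/14/2001,9:08:00 AM,Security,Failure Audit
"""


def read_archive(text):
    """Parse a comma-delimited archive into dicts, skipping truncated rows."""
    rows, last = [], len(FIELDS) - 1
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < len(FIELDS):
            continue
        # An unquoted description may itself contain commas; rejoin the tail.
        values = [f.strip() for f in rec[:last]] + [",".join(rec[last:]).strip()]
        rows.append(dict(zip(FIELDS, values)))
    return rows


def filter_events(rows, event_type=None, source=None, category=None):
    """Re-apply the type/source/category criteria, since archives are unfiltered."""
    wanted = {"type": event_type, "source": source, "category": category}
    return [r for r in rows
            if all(v is None or r[k] == v for k, v in wanted.items())]


def failed_audits_by_user(rows, threshold=3):
    """Return users with at least `threshold` Failure Audit events."""
    counts = Counter(r["user"] for r in filter_events(rows, event_type="Failure Audit"))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = read_archive(SAMPLE_ARCHIVE)
    print(len(events), "events;", failed_audits_by_user(events))
```

Text and CSV archives omit the binary data, so keep the EVT archive as well when the event's source program may need to interpret it.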