Before you start
Objectives: Learn what is Event Viewer, why it is used and types of logs it contains.
Prerequisites: no prerequisites.
Key terms: Event Viewer, Windows, introduction,
Introduction
Windows Event Viewer contains event logs that record significant events on our computer generated by the operating system and other programs. For example, when an error occurs, when some application fails, or when a service stops (or starts). With Event Viewer we can also diagnose network problems by examining errors related to networking service in System log.
Starting from Windows Vista, Event Viewer has a new and improved interface, and also new features available. To access the Event Viewer, we can go to Computer Management -> Administrative Tools, or we can runeventvwr.msc. We can also use Event Viewer to view events on remote computers.
Logs
Event Viewer has multiple event logs, which are files that record significant positive or negative events on our computer. The error and other details can be found in different event logs, and can be very helpful when troubleshooting problems. Event Viewer contains different events of different type. Each event can be:
- Information – significant event which indicates a successful operation or execution (for example, when a service starts or stops).
- Warning – indicates a problem that doesn’t require immediate attention, but may cause issues and problems (for example, warning for high resource usage, like low disk space).
- Error – indicates a significant problem that a user should know about and it probably requires immediate attention (for example, when a service can’t start during the boot process).
- Audit Success/Failure – security events that occur when audit access attempt is successful or not. For example, a successful login event is a success audit, and when a user tries to delete a file that he doesn’t have access to is an example of a failure audit event.
Event Viewer tracks information in several different logs. These logs are stored under Windows section. Those are:
- Application – stores events related to programs and services.
- Security – stores events related to security audit and items such as audit for success and failures.
- Setup – stores events related to the Windows setup performance and issues with installing Windows and important Windows components such as patches and hotfixes.
- System – stores events that are logged by Windows and Windows services.
- Forwarded Events – stores events that are forwarded to our computer by other computers.
Finding Events
Trying to find an event or group of events that are related was a very difficult task back in Windows XP. In Windows versions after Windows XP, we can filter the events by the type, severity, time, event ID, category, keywords or even user and computer. Existence of filters enable us to find the specific event instead of browsing very large number of events. Keep in mind that the filter only applies to the selected log, and when we close the Event Viewer, the filter will be removed. However, we can create custom views which will be always available in Event Viewer.
Custom views apply a filter to one or more logs, and are saved so we can use them whenever we open Event Viewer (applied filters are lost if we don’t save them as custom views). Custom views can also be exported or imported. We can also copy custom view and make changes to it (these operations require administrative privileges). Event Viewer has several predefined custom views, and those are Administrative Events, Active Directory Domain Services, File Server, Print Services.
Tasks
When it comes to troubleshooting problems, Event Viewer enables us to attach tasks to events. For example, we might want to be notified by email if particular event occurs. Or, we can start specific program when certain event occurs. Most of the time, we will want to be notified of security events such as failed logon or successful logon. We can accomplish this ba attaching a task to that event so that we receive a notification from it. Actions taken by the task can run a program, send an e-mail, or show a message. So, we can be e-mailed every time a certain service fails. In addition to choosing e-mail as an action, we also need to specify the sender address, a destionation address, e-mail subject and body, an attachment (optional), and we need to specify an SMTP server address (we need SMTP server for this to work).
Network Logs
The Windows Network Diagnostic Tool stores additional information about problems and solutions in one or more event log. To better diagnose networking problems we can filter for TCP/IP related items and capturing those events in custom views. If network diagnostics diagnose a problem related to wireless network, it will save the information in the event log as either helper class event, or information event. Helper class events provide a summary of the diagnostic results. They can also provide additional information for troubleshooting such as details about the connection that was diagnosed, diagnostic results and capabilities of the WiFi card being diagnosed. Events saved by the network diagnostics can include information about the connection that was diagnosed and its settings.
Event Gathering
Event logs on each computer store events that are generated on that computer only (locally). Sometimes we need to see events on multiple different computers and servers. To do that we can utilize Event Gathering using event forwarding and event subscriptions. This feature is available in newer versions of Windows (not available in Windows XP).
Event forwarding enables us to transfer events that match a specific criteria to another computer known as the collector computer. This enable us to manage events centrally without using third party tools. Trough event forwarding a single event log on the collector computer holds important events from other computers in our organization. Event forwarding uses the HTTP protocol to transfer events to the collector computer. For additional security we can also use HTTPS protocol. The advantage of HTTP or HTTPS protocol is that it works trough most firewalls and proxy servers.
To use event forwarding we must perform certain configuration tasks on both source and collector computer. On both computers we need to start the Windows Remote Management (WinRM) service. Also, we need to start the Windows Event Collector service. The source computer requires the Windows firewall exception for the HTTP protocol as well.
Event forwarding can be utilized in two ways, either trough collector initiated subscriptions or source initiated subscriptions. In collector initiated subscriptions, the collector computer retrieves events from the computer that generated the events. We use collector initiated subscription when we have a limited number of source computers, since we have to manually configure each one. When configuring collector initiated subscription, we need to run the winrm qc command to enable and configure the remote management on the source computer. Then we have to add the collector computer account to the Event Log Readers group on the source computer. After configuring the source computer(s), we need to run the wecutil qc command on the collector computer. This configures the collector service.
In the source initiated subscriptions, the computer that generated the event (source computer) sends event data to the collector. We use source initiated subscription when we have a large number of source computers that are configured trough group policies. To configure source initiated subscription we configure the collector computer manually and then use group policies to configure the source computers. After configuring a source initiated subscription we need to create event subscriptions to receive the event transferred from the source computer to the collector computer. On the collector computer that has been configured for source initiated subscription we can configure a subscription without the need to define the event source computers, since we do this trough group policies. This is different from collector initiated subscription where we must configure the list of source computers.
The advanced subscription settings enable us to configure a three types of subscriptions. Those are
- Normal
- Minimize bandwidth
- Minimize latency
Using those types we actually manage the speed of the whole process. We can also configure the service account used by the subscription. It can be the default machine account, or specific user account. We have to make sure that the specified account is a member of the source computer event log readers group.