Tracking Events and Troubleshooting by Using Event Viewer

The Windows operating system defines an event as any significant occurrence in the operating system or an application that should be recorded for tracking purposes. Informational events can be tracked as well as events that record warnings, errors, and auditing. Critical errors that deserve immediate attention, such as when the server has run out of disk space or memory, are recorded in the logs and displayed on screen.

Understanding the Event Logs

The Windows service that controls event logging is the Event Log service. When this service is started, events are recorded in one of the available event logs. On member servers, you'll find three event logs:

  • Application Contains events logged by applications. You'll find events in this log for Exchange Server, SQL Server, IIS, and other installed applications. It is also used to record events from printers and, if you've configured alert logging, alerts. The default location is %SystemRoot%\System32\Config\AppEvent.evt.

  • Security Log Contains events you've set for auditing with local or global group policies. Depending on the auditing configuration, you'll find events for logon, logoff, privilege use, and shutdown, as well as general system events, such as the loading of the authentication package by the Local Security Authority (LSA). The default location is %SystemRoot%\System32\Config\SecEvent.evt.

    Note

    Only administrators are granted access to the Security log by default. If other users need to access the Security log, you must specifically grant them the Manage Auditing And Security Log user right. You can learn more about assigning user rights in Chapter 37.

  • System Log Contains events logged by Windows Server 2003 and its components. You should routinely check this log for warnings and errors, especially those related to the failure of a service to start at bootup or the improper configuration of a service. The default location is %SystemRoot%\System32\Config\SysEvent.evt.

On domain controllers, you'll find the Application, Security, and System logs as well as these additional event logs:

  • Directory Service Contains events logged by the Active Directory directory service. The primary events relate to the Active Directory database and global catalogs. You'll find details on database consistency checks, online defragmentation, and updates. The default location is %SystemRoot%\System32\Config\NTDS.evt.

  • DNS Server Contains Domain Name System (DNS) queries, responses, and other DNS activities. You might also find details on activities that relate to DNS integration with Active Directory. The default location is %SystemRoot%\System32\Config\DNSEvent.evt.

  • File Replication Service Contains events logged by the File Replication Service, a service used to replicate Active Directory changes to other domain controllers. You'll find details on any important events that took place while a domain controller attempted to update other domain controllers. The default location is %SystemRoot%\System32\Config\NtFrs.evt.

By default, the logs are sized as appropriate for the type of system you are working with and its configuration. In a standard configuration of Windows Server 2003, most logs have a maximum size of 16 MB. This includes the DNS Server, System, and Application logs. Because they are less critical, the Directory Service and File Replication Service logs on domain controllers have a maximum size of 512 kilobytes (KB). Because the Security log is so important, it is usually configured with a maximum size of 128 MB. Primarily, this is to allow the server to record a complete security audit trail for situations in which the server is under attack and a large number of security events are generated.

Windows Server 2003 logs are configured to overwrite old events as needed by default. So, when the log reaches its maximum size, the operating system overwrites the oldest events with new ones. This is different from Microsoft Windows NT. In Windows NT, the event logs were configured to overwrite only events that were older than 7 days. If desired, you can configure Windows Server 2003 logs in the same way. The problem with that setting, however, is that when the maximum size is reached, events less than 7 days old can't be overwritten, so the system generates an error message telling you that a particular event log is full each time it tries to write an event, and you can quickly get to where there are dozens of these errors on screen.

Note

The log configuration can be controlled through Group Policy as well. This means changes to Group Policy could in turn change the maximum log size and which action to take when the maximum log size is reached. For more information about Group Policy, see Chapter 38.
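As an added example that is not from the book, the following PowerShell reads each classic log's maximum size and overflow setting with Get-EventLog -List and then reapplies the Windows Server 2003 defaults described above; it assumes PowerShell 2.0 (available for Windows Server 2003), since Limit-EventLog is not in PowerShell 1.0, and an administrative session.

```powershell
# Added example: review and set classic event log sizing (assumes PowerShell 2.0+
# and an administrative session). Get-EventLog -List returns one EventLog object
# per log on the local computer.
Get-EventLog -List |
    Select-Object Log,
        @{Name = 'MaxMB';    Expression = { $_.MaximumKilobytes / 1024 } },
        @{Name = 'Overflow'; Expression = { $_.OverflowAction } },
        @{Name = 'KeepDays'; Expression = { $_.MinimumRetentionDays } } |
    Format-Table -AutoSize

# Apply the Windows Server 2003 defaults described in the text: 16 MB for the
# Application and System logs, 128 MB for Security, all overwriting as needed.
Limit-EventLog -LogName Application -MaximumSize 16MB  -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName System      -MaximumSize 16MB  -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName Security    -MaximumSize 128MB -OverflowAction OverwriteAsNeeded

# The Windows NT-style setting keeps events for at least 7 days. Once the log is
# full of events younger than 7 days, new events cannot be written and "log is
# full" errors appear, so use it only where the log is sized for the event rate.
# Limit-EventLog -LogName Security -OverflowAction OverwriteOlder -RetentionDays 7
```

Group Policy settings, as the Note says, take precedence over values set this way and will reapply at the next policy refresh.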

Accessing the Event Logs and Viewing Events

You can view the event logs using Event Viewer, as shown in Figure 15-9. Event Viewer is a Microsoft Management Console (MMC) snap-in that can be started from the Administrative Tools menu or by typing eventvwr at the command line. The main view shows event logs by name and also displays the current size of each log. When you select the log you want to view in the left pane, the events recorded in the log are displayed in the right pane.

Figure 15-9. The main view in Event Viewer lists the available logs and shows their current size

As Figure 15-10 shows, individual event entries provide an overview of the event that took place. Each event is recorded according to the date and time the event took place as well as the event type. For all the logs except Security, the event types are classified as Information, Warning, or Error. For the Security log, the event types are classified as Success Audit or Failure Audit. These event types have the following meanings:

  • Information Generally relates to a successful action, such as the success of a service starting up. If you've configured Alert logging, the alerts are also recorded with this event type to show they've been triggered.

  • Warning Describes events that aren't critical but could be useful in preventing future system problems. Most warnings should be examined to determine whether a preventative measure should be taken.

  • Error Indicates a fatal error or significant problem occurred, such as the failure of a service to start. All errors should be examined to determine what corrective measure should be taken to prevent the error from reoccurring.

  • Success Audit Describes an audited security event that completed as requested, such as when a user logs on or logs off successfully.

  • Failure Audit Describes an audited security event that didn't complete as requested, such as when a user tries to log on and fails. Failed audit events can be useful in tracking down security issues.

Figure 15-10. Events are logged according to the date and time they occurred as well as by type

Note

Any attempt by users, services, or applications to perform a task for which they don't have appropriate permissions can be recorded as a failure audit. If someone is trying to break into a system, you might see a large number of failure audit events. If a service or application doesn't have the permissions it needs to perform certain tasks, you might also see a large number of failure audit events.

Other pertinent information recorded with an event includes the event source, category, event ID, user name, and computer name. The Source column lists the application, service, or component that logged the event. The Category column details the category of the event and is sometimes used to further describe the event. The Event column provides an identifier for the specific event that occurred. You can sometimes look up events in the Microsoft Knowledge Base to get more detailed information.

The User column shows the name of the user that was logged on when the event occurred. If a server process triggered the event, the user name usually is that of the special identity that caused the event. This includes the special identities Anonymous Logon, Local Service, Network Service, and System. Although events can have no user associated with them, they can also be associated with a specific user who was logged on at the time the event occurred.

The Computer column shows the name of the computer that caused the event to occur. Because you are working with a log from a particular computer, this is usually the account name of that computer. However, this is not always the case. Some events can be triggered because of other computers on the network. Some events triggered by the local machine are stored with the computer name as MACHINENAME.

You can double-click any event to open its Properties dialog box. As shown in Figure 15-11, the Properties dialog box provides additional information about the event including a text description and, for some events, any binary data or error code generated by the event. Most of the event descriptions aren't easy to understand, so if you need a little help deciphering the event, click Copy To Clipboard. You can then paste the event description into an e-mail message to another administrator.

Figure 15-11. Event details include a description of the event and in some cases binary data generated by the event

Tip

Within every event description is a Help And Support Center link that you can click. This link provides access to the Microsoft Web site where you can query for any additional information that might be available on the event. As of the time of this writing, the response is often that there's no additional information available. Hopefully this will improve over time.

Viewing Event Logs on Remote Systems

You can use Event Viewer to view events on other computers on your network. Start Event Viewer, right-click Event Viewer (Local) in the left pane, and then choose Connect To Another Computer. In the Select Computer dialog box, type the domain name or Internet Protocol (IP) address of the computer whose event log you want to view, and then click OK. Or you can click Browse to search for the computer you want to use. Keep in mind that you must be logged on as an administrator or be a member of the Administrators group to view events on a remote computer.

You can view events on systems running Windows Server 2003, Windows XP, Windows 2000, and Windows NT. If you are connecting to a computer over a low-speed connection and you see timeouts when you try to work with the logs, you can configure Event Viewer to use longer wait and transfer times by specifying that you are using a low-speed connection. You do this on a per–log file basis. Right-click the log you want to work with, and choose Properties to display the log's Properties dialog box. In the lower-left corner of the dialog box, select Using A Low-Speed Connection, and then click OK.

Sorting, Finding, and Filtering Events

Event Viewer provides several ways for you to organize and search for events in the logs. You can sort events based on date or other stored information. You can search a particular event log for specific events and view events one at a time. You can also filter events so that only the specific events you want to see are shown.

Sorting the Event Logs

By default, logs are sorted so that the newest events are listed first. If you'd rather see the oldest events first, you can do this by clicking View and then selecting Oldest First. This change must be made for each log in which you want to see the oldest events first.

You can also sort events based on information in a particular column. For example, if you wanted to sort the events based on the user name, you would click the User column header. Sort any event log in this way and all the event logs will be sorted in the same way.

Searching the Event Logs

By using the Find feature, you can search for events within a selected log and view matching events one at a time. Say, for instance, a Microsoft Knowledge Base article says to look for an event with such and such an event source and you want to search for it quickly. You can use the Find feature to do this.

To search the selected event log, click View, and then click Find. This displays the Find In dialog box, as shown in the screen on the following page. Choose the find options you want to use as described in Table 15-3, and then click Find Next. The first event that matches the search criteria is highlighted in the log. You can double-click the event to get more detailed information or click Find Next to find the next match.

Table 15-3. Find and Filter Options for Event Logging

  • Event Types Allows you to include or exclude events by type. The most important event types are warnings, which indicate that something might pose a future problem and might need to be examined, and errors, which indicate a fatal error or significant problem occurred.

  • Event Source Includes events only from a specified source, such as an application, service, or component that logged the event.

  • Category Includes events only within a given category. The categories available change based on the event source you choose.

  • Event ID Includes events only with the event ID you specify. Only one event ID can be entered.

  • User Includes events associated with a particular user account that was logged on when the event was triggered. Server processes can log events with the special identities Anonymous Logon, Local Service, Network Service, and System. Not all events have a user associated with them.

  • Computer Includes all events associated with a particular computer. Usually this is the name of the computer whose logs you are working with.

  • Search Direction With Find, use these options to specify whether you want to search forward from the current position in the log (Down) or backward from the current position in the log (Up).

  • From/To With filters, all events from the first to the last are displayed by default. To specify the date with which to start, select Events On in the From selection list, then set the start date. To specify the date with which to end, select Events On in the To selection list, then set the end date.

Filtering the Event Logs

The Find option works well if you want to perform quick searches, such as for a single event of a specific type. If you want to perform an extended search, however, such as when you want to review all events of a particular type, there's a better way to do it and that's to filter the event log so that only the specific events you want to see are shown.

To filter the selected event log, click View, and then click Filter. This displays the log's Properties dialog box with the Filter tab selected, as shown in the following screen. Choose the filter options you want to use, as described in Table 15-3, and then click OK. Once you've applied the filter, only events with the options you specify are displayed in the selected event log.

Tip

Set filter options

You can set as many filter options as you want to narrow the results. Keep in mind, however, that each filter option you apply sets a search criterion that must be matched for an event to be displayed. The options are cumulative so that an event must match all filter options.

If you later want to restore the log to its original view, click View, and then click Filter to display the log's Properties dialog box with the Filter tab selected. Then click Restore Defaults.

Caution

Don't click Restore Defaults in the General tab in the log's Properties dialog box. This button has a different purpose—it restores the log size options to their defaults.
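The same cumulative filter the dialog box applies can be scripted for a server you check routinely. The following PowerShell is an added example, not from the book: it applies the Table 15-3 criteria (event type, source, event ID, user, and a From/To window) to the Security log with Get-EventLog and summarizes failure audits by event ID and account, the pattern the earlier Note describes. It assumes PowerShell 2.0 or later; the parameter defaults are placeholders.

```powershell
# Added example: filter the Security log the way Table 15-3's options do, with
# every criterion cumulative (an event must match all of them).
# Assumes PowerShell 2.0+. Parameter defaults are placeholders, not from the book.
param(
    [string]$Server   = '.',          # '.' is the local computer; or a remote name
    [int]   $Hours    = 24,           # From/To window, counted back from now
    [string]$Source   = 'Security',   # Event Source
    [int[]] $EventIds = @(),          # Event ID(s); empty means any
    [string]$User     = ''            # User; empty means any
)

$from = (Get-Date).AddHours(-$Hours)

# Event Types -> -EntryType, From/To -> -After, Event Source -> -Source.
# Reading the Security log needs the same rights the text describes for Event Viewer.
$events = Get-EventLog -LogName Security -ComputerName $Server `
            -EntryType FailureAudit -Source $Source -After $from

# Event ID and User are applied as a second pass so an empty value means "any".
$events = $events | Where-Object {
    ($EventIds.Count -eq 0 -or $EventIds -contains $_.EventID) -and
    ($User -eq '' -or $_.UserName -like "*$User")
}

# A burst of failure audits for one account or one event ID is what the chapter's
# Note describes: either someone probing the system or a service or application
# that lacks the rights it needs. Either way it deserves a closer look.
$events |
    Group-Object EventID, UserName |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{Name = 'EventID, User'; Expression = { $_.Name } },
        @{Name = 'First'; Expression = { ($_.Group | Sort-Object TimeGenerated)[0].TimeGenerated } },
        @{Name = 'Last';  Expression = { ($_.Group | Sort-Object TimeGenerated)[-1].TimeGenerated } } |
    Format-Table -AutoSize
```

Double-click-style detail for any row is available from the same objects: pipe the matching entries to Format-List to see the Message text the Properties dialog box shows.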

Archiving Event Logs

In most cases, you'll want to have several months' worth of log data available in case you must go back through the logs and troubleshoot. One way to do this, of course, is to set the log size so that it is large enough to accommodate this. However, this usually isn't practical because individual logs can grow quite large. So, as part of your routine, you might want to archive the log files on critical systems periodically, such as for domain controllers or application servers.

To create a log archive, right-click the log in the left pane of Event Viewer, and then select Save Log File As. In the Save As dialog box, select a directory and a log file name. In the Save As Type dialog box, Event Log (*.evt) is the default file type. This saves the file in event log format for access in Event Viewer. You can also select .txt to save the log in tab-delimited text format, such as for accessing it in a text editor or importing it into a spreadsheet, or .csv to save the log in comma-delimited text format, such as for importing it into a spreadsheet or database. After you select a log format, choose Save.

Logs saved in Event Log format (.evt) can be reopened in Event Viewer at any time. To do this, right-click the Event Viewer node in the left pane of Event Viewer, and choose Open Log File. Use the Open dialog box to select a directory and a log file. Then use Log Type to specify the type of log, such as Application. Next type a display name to use. When you click Open, the saved event log is loaded into Event Viewer and will appear on the list of available logs in the left pane, as shown in Figure 15-12.

Figure 15-12. Archived logs can be reopened in Event Viewer
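Archiving by hand through Save Log File As does not scale to many servers, so as an added example (not the book's own procedure) the following PowerShell exports the classic logs of a set of critical servers to comma-delimited .csv files, the format the text describes for importing into a spreadsheet or database, into dated folders on a share. It assumes PowerShell 2.0 or later on the machine running it, administrative rights on the target servers, and the server names and share path are placeholders.

```powershell
# Added example: archive the classic event logs of several servers to .csv files
# on a dated path. Assumes PowerShell 2.0+ and administrative rights on each server.
# Server names and the share are placeholders, not values from the book.
$servers = @('DC01', 'APP01')             # placeholders: your critical servers
$archive = '\\fileserver\logarchive'      # placeholder share for the archive
$stamp   = Get-Date -Format 'yyyyMMdd'

# Member servers have the first three logs; domain controllers also have the rest.
$wanted = @('Application', 'Security', 'System',
            'Directory Service', 'DNS Server', 'File Replication Service')

foreach ($server in $servers) {
    $dir = Join-Path $archive "$server\$stamp"
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Only archive logs that actually exist on this server.
    $present = Get-EventLog -List -ComputerName $server | ForEach-Object { $_.Log }

    foreach ($log in ($wanted | Where-Object { $present -contains $_ })) {
        $file = Join-Path $dir (($log -replace ' ', '') + '.csv')
        Get-EventLog -LogName $log -ComputerName $server |
            Select-Object TimeGenerated, EntryType, Source, EventID,
                          Category, UserName, MachineName, Message |
            Export-Csv -Path $file -NoTypeInformation
        Write-Host ('{0}: archived {1} to {2}' -f $server, $log, $file)
    }
}
```

Pulling a full 128 MB Security log over a low-speed link is slow; adding -After with the date of the previous run to Get-EventLog archives only the new events each time.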
