Checking the Event Viewer
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-01-17
You can use Event Viewer to obtain information about service failures, replication errors in the Active Directory directory service, and warnings about system resources such as virtual memory and disk space. Use Event Viewer to view and manage event logs; obtain information about hardware, software, and system problems that must be resolved; and identify trends that require future action.
Event Viewer maintains logs about application, security, and system events on your computer. Both Microsoft Exchange Server and Microsoft Windows report warnings and error conditions to the event logs. Therefore, make sure that you review event logs daily.
For more information about Event Viewer, see the Windows Server 2003 Help documentation. You can also use Event Viewer as a troubleshooting tool. For more information about using Event Viewer as a troubleshooting tool, see Microsoft Knowledge Base article 302542 "How to Diagnose System Problems with Event Viewer in Windows Server 2000."
A computer that is running a Windows Server 2003 operating system records events in three types of logs:
- Application logs The Application log contains events logged by applications or programs. Developers determine which events to log. For example, a database program might record a file error in the Application log. Most Exchange Server-related events are in the Application log.
- Security logs The Security log records events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening, or deleting files or other objects. For example, if logon auditing is enabled, attempts to log on to the system are recorded in the Security log.
- System logs The System log contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by the server.
Exchange 2007 diagnostic logging records significant events related to authentication, connections, and user actions. After you enable diagnostic logging, you can view the log entries in Event Viewer.
|Using the maximum logging settings is not recommended unless you are instructed to do this by Microsoft Product Support Services. Maximum logging drains significant resources and can give many "false positives," that is, errors that get logged only at maximum logging but are really expected and are not a cause for concern. It is also recommended that you do not enable diagnostic logging permanently. Use it only when troubleshooting.|
Within each Event Viewer log, Exchange Server records informational, warning, and error events. Monitor these logs closely to track the types of transactions being conducted on your Exchange servers. You should periodically archive the logs or use automatic rollover to avoid running out of space. Because log files can occupy a finite amount of space, increase the log size (for example, to 50 MB) and set it to overwrite, so that Exchange Server can continue to write new events.
You can also automate event log administration by using tools and technologies such as the following:
- Event Comb The Event Comb tool lets you gathers specific events from the event logs of several computers to one central location. It also lets you report on only the event IDs or event sources you specify. For more information about Event Comb, see the Account Lockout and Management Tools Web site.
- Eventtriggers You can also use command-line tools to create and query event logs and associate programs with particular logged events. By using Eventtriggers.exe, you can create event triggers that will run programs when specific events occur. For more information about Eventtriggers, see the Windows Server 2003 topic New command-line tools and the Windows XP topic Managing event logs from the Command Line.
- Microsoft Operations Manager You can use Microsoft Operations Manager (MOM) to monitor the health and use of Exchange servers. Exchange 2007 Management Pack extends Microsoft Operations Manager by providing specialized monitoring for servers that are running Exchange 2007. This management pack includes a definition of health for an Exchange 2007 server and will raise an alert message to the administrator if it detects a state that requires intervention. For more information about Exchange 2007 Management Pack, see the Microsoft Operations Manager Web site.