System Event Viewer Tips

  • Artigo

Tópico modificado em: 2006-02-10

By Nino Bilic

Although Event Viewer is a Microsoft® Windows® operating system tool, and not a Microsoft Exchange Server tool, Event Viewer is useful when troubleshooting Exchange Server problems. This article describes Event Viewer basic concepts and new helpful features.

  • Definitions
  • Overview
    • Types of Logs Found in Event Viewer
    • Types of Events Logged
  • Event Anatomy
  • What Format to Save In?
  • How Do You Know It Opened Properly?
  • Event Viewer Differences Between Windows Server 2003, Windows XP, Windows 2000 Server, and Windows NT Server 4.0
  • Tips
    • Increasing the Log File Size
    • Filtering Events
    • Searching for Keywords
    • If on Windows XP, Use New Functionality
    • Get All Logs that You Might Need
  • For More Information

Definitions

The following terms and definitions are used in this article:

  • Event   Any significant occurrence in the system or an application that requires users to be notified or an entry to be added to a log.
  • Event log service   A service that records events in the System, Security, and Application logs.
  • Event logging   The process of recording an audit entry in the audit trail whenever certain events occur, such as services starting and stopping, or users logging on, logging off, and accessing resources.
  • Event Viewer   A component you can use to view and manage event logs, gather information about hardware and software problems, and monitor security events. Event Viewer maintains logs about program, security, and system events.

Overview

Using the event logs in Event Viewer, you can gather information about hardware, software, and system problems, and you can monitor Windows operating system security events.

Types of Logs Found in Event Viewer

Microsoft Windows Server™ 2003, Windows XP, Windows 2000 Server, and Windows NT® record events in three kinds of logs:

  • Application log   The Application log contains events logged by applications or programs. For example, a database program might record a file error in the Application log. The program developer decides which events to record.
  • **System log   **The System log contains events logged by the Windows operating system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by the Windows operating system.
  • Security log   The Security log can record security events such as valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files. An administrator can specify what events are recorded in the Security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the Security log.

Servers running Windows Server 2003 and Windows 2000 Server that are domain controllers might have the following additional logs in Event Viewer:

  • Directory Service log   Windows Server 2003 and Windows 2000 Server directory service logs events in the Directory Service log. This includes any information regarding the Active Directory® directory service and Active Directory database maintenance.
  • File Replication Service log   File Replication Service (FRS) logs its events in this log. This service is used for replication of files, such as domain policies, between domain controllers.
  • DNS Server service log   This log includes events related to the Domain Name System (DNS) Server service running on Windows Server 2003 and Windows 2000 Server. This will show only on DNS servers running Windows Server 2003 and Windows 2000 Server.

Types of Events Logged

The icon on the left side of the Event Viewer screen describes the classification of the event by the Windows operating system. Event Viewer displays these types of events:

  • Error   A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an error will be logged.
  • Warning   An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a warning will be logged.
  • Information   An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an information event will be logged.
  • Success Audit   An audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event.
  • Failure Audit   An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.

Event Anatomy

The main event components are as follows:

  • Source   The software that logged the event, which can be either an application name, such as Microsoft SQL Server™, or a component of the system or of a large application, such as MSExchangeIS, which is the Microsoft Exchange Information Store service.
  • Category   A classification of the event by the event source. For example, the security categories include Logon and Logoff, Policy Change, Privilege Use, System Event, Object Access, Detailed Tracking, and Account Management.
  • Event ID   A unique number for each source to identify the event.
  • User   The user name for the user who was logged on and working when the event occurred. N/A indicates that the entry did not specify a user.
  • Computer   The computer name for the computer where the event occurred.
  • Description   This field provides the actual text of the event, or how the application that logged the event explains what has happened.
  • Data   Displays binary data generated by the event in hexadecimal (bytes) or DWORDS (words) format. Not all events generate binary data. Programmers and support professionals familiar with source application can interpret this information.

What Format to Save In?

Generally, you want to use the Event Log (.evt) format only. This is the easiest format to read and search through, because it can be opened with Event Viewer on your server.

When you want to see events for services that you do not have installed on your computer, such as Cluster service or third-party services, save logs in .csv format. The .csv files can be opened in Microsoft Office Excel.

The least desirable format that you can save logs in is .txt file format. Text files are searchable, but they can be cluttered with information, and it is easy to miss critical events. Use .txt format only when necessary.

How Do You Know It Opened Properly?

  • The following is an example of an event that does not show information properly.
    Event Type: Information
    Event Source: MSExchangeIS Private
    Event Category: (30)
    Event ID: 2003
    Date: 8/16/2001
    Time: 1:47:02 PM
    User: N/A
    Computer: SERVERNAME
    Description: The description for Event ID ( 2003 ) in Source ( MSExchangeIS Private ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event:
  • The following is the same event displayed properly.
    Event Type: Information
    Event Source: MSExchangeIS Private
    Event Category: Transport Sending
    Event ID: 2003
    Date: 8/16/2001
    Time: 1:47:02 PM
    User: N/A
    Computer: SERVERNAME
    Description: There are no messages ready to send. The send thread is sleeping.

The first event example is the event as it appeared when opened on a computer without Exchange Server. The second example is that same event log entry when opened on a computer running Exchange Server.

If you want to open an event log and see event descriptions properly, you must open the log on the computer that has those applications or services installed. If you need to display the event log for events that were created by a third-party application on another computer, you might want to save the log in .csv format to see what those events say.

There will always be some events that you will not see properly, such as third-party services, hardware drivers, audio visual software, and backup software, but at least you will see Exchange Server events as they should appear, if you open the log on the Exchange server.

Event Viewer Differences Between Windows Server 2003, Windows XP, Windows 2000 Server, and Windows NT Server 4.0

In Event Viewer, when you press the COPY button, the whole text recorded in the event is copied to the Clipboard. You can then paste the information anywhere you need it.

In Windows Server 2003 and Windows XP, you can direct Event Viewer to look up registry entries on some other computer when you are opening the log. For example, on a computer running Windows XP Professional, you can create additional shortcuts for launching Event Viewer. Each of the shortcuts can point to another computer, one for Exchange Server version 5.5, another for Exchange 2000 Server, and a third one for Cluster service, so you can open the associated event logs on your workstation computer.

You can open event logs created on Windows Server 2003, Windows 2000 Server, and Windows NT Server 4.0. In almost all cases, all events will appear properly. There might be a case when Windows NT Server 4.0 events will appear as something totally different when viewed on Windows Server 2003 or Windows 2000 Server. For information, see Microsoft Knowledge Base article 312216, "Detailed Usage of the Event Viewer /AUXSOURCE Switch Option."

Tips

The following sections provide information that can help you when troubleshooting Exchange Server.

Increasing the Log File Size

By default, the log file size is 512 kilobytes (KB), which is not enough if you want to see activity over several days. On a busy application server, with some diagnostics logging, 512 KB can be filled with information within a few hours. Consider increasing the log file size. A log file size of 10 megabytes (MB) or larger will in most cases give you enough history to show a few days of information. Event logs compress well. It is common for a 90 MB Application log to compress to a 2 MB file.

Filtering Events

If you are looking for a specific event ID in the log, or you want to see just errors, warnings, or events logged by a specific component, use filtering. On Windows NT Server 4.0, click View, and then click Filter Events. On Windows Server 2003 or Windows 2000 Server, select the log you want to filter, click View, and then click Filter. This is a useful feature when viewing large event logs.

Searching for Keywords

Consider that you want to search all events in a particular event log that mention one specific user or server. In Event Viewer, click View, and then click Find. Type a word that you want to find in any event in the Description field, or you can search for specific information, such as event IDs or source.

If on Windows XP, Use New Functionality

As mentioned previously, there is new functionality in Windows Server 2003 and Windows XP. You can redirect Event Viewer to look up registry settings and DLLs on another computer.

This is a useful and timesaving feature. It allows you to view event logs for any type of application that you might have installed on any servers in your environment, from your computer running Windows XP. For more information, see Microsoft Knowledge Base Article 312216, "Detailed Usage of the Event Viewer /AUXSOURCE Switch Option."

Get All Logs that You Might Need

In most cases, you should look at the Application log when troubleshooting Exchange Server. However, with Exchange Server 2003 and Exchange 2000 Server, you should always also check the System log, because of the interrelationship between Exchange, Active Directory, and DNS. Consider getting both logs at the same time. Reviewing both might show you errors on the Windows operating system level that might explain the Exchange Server behavior.

For More Information

For more information, see Microsoft Knowledge Base article 294893, "Viewing Saved FRS, DNS, and Directory Service Event Logs and Events on Windows XP Non-Domain Controllers."