Event Logging and Viewing

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By William R. Stanek

from Chapter 3, Windows NT Administrator's Pocket Consultant by William R. Stanek.

Event logs provide historical information that can help you track down system and security problems. The event-logging service controls whether events are tracked on Windows NT systems. When this service is started, the following user actions and system resource usage events can be tracked via the system's event logs:

  • Application Log Records events logged by applications, such as the failure of MS SQL to access a database.

  • Security Log Records events you've set for auditing in User Manager for Domains.

  • System Log Records events logged by the operating system or its components, such as the failure of a service to start at bootup.

Accessing and Using the Event Logs

You access the event logs by completing the following steps:

  1. Go to Start, select Programs, then Administrative Tools (Common), and then Event Viewer.

  2. Choose System, Security, or Application from the Log menu. This opens the related log, as shown in Figure 3-9.

    Figure 3-9: Event Viewer displays events for the selected log.

Note: Windows NT Service Pack 4 updates the Event Log service and requires that the Security privilege be enabled in order to view and manage the security event log. Under SP4, any user who needs access to the security logs must be granted the privilege to manage the security log. This change also affects members of the Administrators group.

Entries in the main window of Event Viewer provide a quick overview of when, where, and how an event occurred. To obtain detailed information on an event, double-click on its entry. A summary icon that tells you the event type precedes the date and time of the event. Event types include

  • Information An informational event that is generally related to a successful action.

  • Success Audit An event related to the successful execution of an action.

  • Failure Audit An event related to the failed execution of an action.

  • Warning A noncritical error that provides a warning. Details for warnings are often useful in preventing future system problems.

  • Critical Error A critical error, such as the failure of a service to start.

Note: Warnings and critical errors are the two key types of events that you'll want to examine closely. Whenever these types of events occur and you are unsure of the cause, double-click on the entry to view the detailed event description.

In addition to the date, time, and icon, the summary and detailed event entries provide the following information:

  • Source The application, service, or component that logged the event.

  • Category The category of the event, which is sometimes used to further describe the related action.

  • Event An identifier for the specific event.

  • User The user account that was logged on when the event occurred.

  • Computer The computer name where the event occurred.

  • Description In the detailed entries, this provides a text description of the event.

  • Data In the detailed entries, this provides any data or error code output by the event.

Setting Event Log Options

Log options let you control the size of the event logs and how logging is handled once a log is full. By default, each event log has a maximum file size of 512 KB; when a log reaches this limit, events older than seven days are overwritten so that the log does not exceed the maximum size.

To set the log options, follow these steps:

  1. Start Event Viewer, then select Log Settings from the Log menu. This opens the dialog box shown in Figure 3-10.

  2. Choose a log using the Change Settings For . . . Log drop-down list box.

  3. Enter a maximum size in the Maximum Log Size field. Make sure that the drive containing the operating system has enough free space for the maximum log size you select. Log files are stored in the %SystemRoot%\system32\config directory by default.

  4. Select an event log wrapping mode. The options available are

    • Overwrite Events As Needed Events in the log are overwritten when the maximum file size is reached. Generally, this is the best option on a low priority system.

    • Overwrite Events Older Than . . . Days When the maximum file size is reached, events in the log are overwritten only if they are older than the setting you select. If the maximum size is reached and the events cannot be overwritten, the system generates error messages telling you the event log is full.

    • Do Not Overwrite Events (Clear Log Manually) When the maximum file size is reached, the system generates error messages telling you the event log is full.

  5. Click OK when you're finished.

    Note: On critical systems where security and event logging are very important, you may want to use Overwrite Events Older Than . . . Days or Do Not Overwrite Events (Clear Log Manually). When you use these methods, you may want to periodically archive and clear the log file to prevent the system from generating error messages.

    Figure 3-10: Log settings should be configured according to the level of auditing on the system.

Clearing the Event Logs

When an event log is full, you need to clear it. To do that, complete the following steps:

  1. Start Event Viewer, and then select the log to be cleared from the Log menu.

  2. Select Clear All Events from the Log menu.

  3. Choose Yes to save the log before clearing it. Choose No to continue without saving the log file.

  4. When prompted to confirm that you want to clear the log, click Yes.

Archiving the Event Logs

On key systems such as domain controllers and application servers, you'll want to keep several months' worth of logs. However, it usually isn't practical to set the maximum log size to accommodate this. Instead, you should periodically archive the event logs.

Archive Log Formats

Logs can be archived in three formats:

  • Event log format for access in Event Viewer

  • Text format for access in any text editor or word processor

  • Comma-delimited text format for import into spreadsheets or databases

When you save log files to a comma-delimited file, the fields of each event entry are separated by commas. The event entries look like this:

1/1/99,8:09:47 AM,Ci,Error,CI Service ,4147,N/A,ZETA,The IISADMIN service is not available, so virtual roots cannot be indexed.
1/1/99,8:09:46 AM,JET,Information,General ,9,N/A,ZETA, ((169) ) The database engine stopped.

The format for the entries is as follows:

Date, Time, Source, Type, Category, Event, User, Computer, Description.
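The following is an added example, not code from the book or from Windows NT. It parses an archive saved in the comma-delimited format just shown and pulls out the Warning and Error entries the chapter says to examine closely. It assumes the nine-field layout listed above, with Description as the last field; that detail matters because a description can itself contain commas (the CI Service record does), so only the first eight commas may be treated as separators. The type strings it filters on ("Error", "Warning") are the ones that appear in the export, and the sample records are constructed for the demonstration.

```python
"""Parse an Event Viewer comma-delimited archive and pick out the entries to examine.

Added example, not code from the book or from Windows NT. It assumes the nine-field
layout the chapter documents (Date, Time, Source, Type, Category, Event, User,
Computer, Description) with Description last, so only that field may contain commas.
The records in SAMPLE_EXPORT are constructed for the demo.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List

FIELDS = ("Date", "Time", "Source", "Type", "Category", "Event", "User", "Computer", "Description")

# Constructed sample. The first two records follow the book's example; the third is
# invented to add a Warning and a named user. Note the comma inside the first Description.
SAMPLE_EXPORT = """\
1/1/99,8:09:47 AM,Ci,Error,CI Service ,4147,N/A,ZETA,The IISADMIN service is not available, so virtual roots cannot be indexed.
1/1/99,8:09:46 AM,JET,Information,General ,9,N/A,ZETA, ((169) ) The database engine stopped.
1/1/99,8:10:02 AM,Service Control Manager,Warning,None ,7000,Administrator,ZETA,The Example service failed to start (constructed entry).
"""


def parse_entry(line: str) -> Dict[str, str]:
    """Split one exported record into its nine named fields.

    Only the first eight commas are separators; the remainder is the free-text
    Description, which may contain commas of its own (as the CI Service record does).
    A naive line.split(",") would shift the columns of such records.
    """
    parts = line.rstrip("\r\n").split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    # Event Viewer pads some fields (Category "CI Service "); strip them all.
    return {name: value.strip() for name, value in zip(FIELDS, parts)}


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of an exported log."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def event_time(entry: Dict[str, str]) -> datetime:
    """Combine the Date and Time columns (m/d/yy and a 12-hour clock) into a datetime."""
    return datetime.strptime(f"{entry['Date']} {entry['Time']}", "%m/%d/%y %I:%M:%S %p")


def chronological(entries: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Event Viewer lists newest events first; return oldest-first to read a timeline."""
    return sorted(entries, key=event_time)


def entries_to_examine(entries, types=("Error", "Warning")) -> List[Dict[str, str]]:
    """Return the Warning and Error records the chapter says to look at closely."""
    return [e for e in entries if e["Type"] in types]


def count_by_source(entries) -> Counter:
    """How many records each Source produced; a quick way to spot a noisy component."""
    return Counter(e["Source"] for e in entries)


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    for rec in chronological(entries_to_examine(records)):
        print(f"{event_time(rec):%Y-%m-%d %H:%M:%S} {rec['Type']:<8} "
              f"{rec['Source']}/{rec['Event']}: {rec['Description']}")
    print(count_by_source(records))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file's contents; a record that does not yield exactly nine fields raises ValueError rather than being silently misaligned, which is the failure mode to watch for when a log is fed into a spreadsheet or database.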

Creating Log Archives

To create a log archive, follow these steps:

  1. Start Event Viewer, then select the log to be archived from the Log menu.

  2. Select Save As from the Log menu.

  3. In the Save As dialog box, select a directory and a log file name.

  4. Select a log format using the Save As Type drop-down list box.

  5. Choose Save.

Note: If you plan to archive logs regularly, you may want to create an archive directory. This way you can easily locate the log archives. You should also name the log file so that you can easily determine the log file type and the period of the archive. For example, if you are archiving the system log file for January 1999, you may want to use the file name System Log Jan. 99.

Viewing Log Archives

Log archives in text format can be viewed in any text editor or word processor. Log archives in the event log format should be viewed in the Event Viewer. You can view log archives in Event Viewer by doing the following:

  1. Start Event Viewer, then select Open from the Log menu.

  2. Use the Open dialog box to select the archive file, then click Open.

  3. In the Open File Type dialog box, choose the log file type: System, Security, or Application.

  4. Click OK.

Viewing Events on Remote Computers

Event Viewer can access the event logs on any Windows NT system in the domain. To access an event log, do the following:

  1. Start Event Viewer using an account that has access to the computers you want to work with.

  2. Choose Select Computer from the Log menu.

  3. In the Select Computer dialog box, enter the computer name beginning with the double backslashes (\\), such as \\ZETA, or select a computer name in the Select Computer dialog box.

  4. Click OK.

When you work with event logs on remote computers, the Open, Save As, and Clear All Events options of the Log menu behave slightly differently. To use these options, you may need access to the local file system on the remote computer.

Diagnosing System Problems

Windows NT Diagnostics (WINMSD.EXE) is a limited-use tool for checking system configuration. Use the information the utility provides to help you diagnose system problems. Figure 3-11 shows the utility's main window.

You work with the utility by doing the following:

  • Run the utility by going to Start, selecting Programs, then Administrative Tools (Common), and then Windows NT Diagnostics.

  • Select the Windows NT computer you want to work with using the Select Computer option of the File menu.

  • Print any of the utility's windows using the Print button.

    Figure 3-11: Windows NT Diagnostics provides information on the system's configuration. You can use this information to troubleshoot system problems.

Rather than detailing each and every tab of the utility, the following sections focus on the tasks you can accomplish with the utility. Note that many of these tasks can be accomplished in other ways. However, to obtain all of the information available in Windows NT Diagnostics, you'd have to use many different tools.

Determining OS Build and Service Pack Version

Most Windows NT systems should have the most recent OS version and service pack installed on them. The Version tab of Windows NT Diagnostics provides information on the OS version including the OS build and service pack version. You'll find additional information on the CPU and the system's registered owner.

Determining BIOS Version and CPU Clock Speed

Many computers are shipped with updateable BIOS. If you need to check the system's current BIOS version before updating it, use the System tab of Windows NT Diagnostics. You can also use this tab to determine if the system has multiple processors. Each processor is listed separately in the Processor(s) list box.

Determining Video Drivers, Adapters, and BIOS Version

Video driver and adapter conflicts are common causes of system problems. Use the Display tab of Windows NT Diagnostics to obtain information on the system's video card, including

  • BIOS version

  • Current display setting mode

  • Type and available memory

  • Chip architecture

  • Driver version and driver file name(s)

Note: Similar information is available in the Display utility. Select the Settings tab, and then click on the Display Type button.

Obtaining Disk Drive Information

The Drives tab of Windows NT Diagnostics provides a way to quickly obtain information on all of the drives available to the system. You can check the available drive space, the permissible file naming conventions, and more.

Once you access the Drives tab, you examine drive information as follows:

  1. Select Drives by type to display a list of available drives by type. You can now double-click on the drive type listings to show listings for individual drives.

  2. Select Drives by letter to list available drives by letter.

  3. Double-click on the entry for the drive you want to work with. This opens the drive's Properties dialog box.

The Properties dialog box has two tabs. The General tab provides information on the drive's label, sector byte size, cluster size, drive space free, and drive space used. The File System tab provides information on the file system type, the maximum file name size (based on file system type), and flag settings for the file system.

On FAT volumes, the flag settings usually read as follows:

  • Case is preserved in filenames

  • Unicode characters are allowed in filenames

On NTFS volumes, the flag settings usually read as follows:

  • Case is preserved in filenames

  • Supports case-sensitive filenames

  • Unicode characters are allowed in filenames

  • File-based compression is supported

  • Security is preserved and enforced

Determining Memory Page File Usage

For optimal system performance, paged memory should be spread across all fixed system drives, and there should be adequate additional paged memory available to handle system tasks. To view paged memory usage, use the Memory tab of Windows NT Diagnostics. Once you access this tab, use the following statistics of the Pagefile Space area:

  • Total The total amount of pagefile space available

  • Total In Use The total amount of pagefile space in use

  • Peak Use The highest amount of pagefile space used by the system since startup

  • Pagefile A list box showing the usage breakdown and location for each pagefile on the system

Tip: If you find that a system is running out of pagefile space, you may want to increase the amount of virtual memory. For details, see the section of Chapter 2 titled "Setting Virtual Memory."

Troubleshooting Service and Device Problems

Settings, flags, and dependencies can help you determine why a service or device isn't running properly. To troubleshoot service problems, follow these steps:

  1. Start Windows NT Diagnostics, then click on the Services tab.

  2. Click on the Services button to examine system services. Double-click on the service you want to examine.

  3. Click on the Devices button to examine system devices (as well as a few system services that depend on devices). Double-click on the device you want to examine.

  4. If properties are available for the service or device, a Properties dialog box is displayed. Use this dialog box to examine the service or device.

The General Tab

In the General tab, examine the service settings and flags. The following settings must be configured properly:

  • Pathname Provides the complete path to the service's executable or DLL.

  • Start type Provides service startup type: Automatic, Manual, or Disabled.

  • Service Account Name The account the service runs as. LocalSystem is the default.

  • Service flags Provide insight into how the service runs and its permissible actions. For example, some services must be able to interact with the desktop; if they can't, they won't run properly. Thus, if this flag isn't available, you'll need to reconfigure the service.

The Dependencies Tab

In the Dependencies tab, determine if the service or device is dependent on any other service, file, or system component. Generally, any item listed in this tab must be running in order for the service or device to start and run properly.

Determining IRQ, I/O Port, and DMA Usage

Conflicts with IRQ, I/O ports, and DMA are less common on Windows NT systems, but they do occur. If you need to examine these resources and check for possible conflicts, start Windows NT Diagnostics and then click on the Resources tab. The buttons of this tab are used as follows:

  • IRQ Displays IRQ settings, bus, and bus type for installed devices.

  • I/O Port Displays I/O port addresses used by installed devices.

  • DMA Displays DMA channel, port, bus, and bus type for any DMA-driven device installed on the system.

  • Memory Displays memory dedicated to any of the system's installed devices.

  • Devices Displays a list of installed devices.

Once you select the type of resource you want to view, you can view the properties of an individual item by double-clicking on its entry.

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.