Monitoring Windows Event Viewer messages

Published: January 11, 2010

Updated: April 8, 2010

Applies To: Unified Access Gateway

The Windows Event Viewer provides information about service failures, Forefront UAG errors and warnings, and warnings about system resources, such as virtual memory and disk space. Use Event Viewer to view and manage event logs, obtain information about hardware, software, and system problems that must be resolved, and identify trends that require future action. Event Viewer maintains logs about application, security, and system events on your computer. Both the Forefront UAG server and Windows report warnings and error conditions to the event logs. For more information, see Event Viewer (

A computer that is running a Windows Server 2008 R2 operating system records events in the following logs:

  • Application log—Contains events logged by applications or programs. Developers determine which events to log. For example, Forefront UAG might record a file error in the Application log. Most Forefront UAG server-related events are in the Application log.

  • Security log—Records events, such as valid and invalid logon attempts, and events that are related to resource use, such as creating, opening, or deleting files or other objects. For example, if logon auditing is enabled, attempts to log on to the system are recorded in the Security log.

  • Setup log—Contains events related to application setup.

  • System log—Contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by the server.

  • ForwardedEvents log—Used to store events collected from remote computers. To collect events from remote computers, you must create an event subscription. To learn about event subscriptions, see Event Subscriptions (

On a daily basis, you should check the event logs on all of your Forefront UAG servers for any unusual Warning and Error events. Events specific to the Forefront UAG server are logged to the Application log with the source Microsoft Forefront UAG.

You can create custom views for any combination of event logs and event sources, or filter event logs to show only selected event types or sources. For example, to view only Warning and Error events, you can create a custom view or filter that shows only those event types. Custom views enable you to analyze the event log using the custom view settings.

Warning-level and Error-level events logged by the Forefront UAG Web Monitor are forwarded to the Windows Event Viewer.

When a Forefront UAG array is configured, you should check the event logs for each array member. You can configure computers to forward and collect events. For more information, see Configure Computers to Forward and Collect Events (
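The daily check described above can also be scripted. The following PowerShell is an added example, not part of the original article or of Forefront UAG. The server names are hypothetical, and it assumes the source shown on this page (Microsoft Forefront UAG) is the event provider name on your servers.

```powershell
# Hypothetical array member names; replace with your own Forefront UAG servers.
$servers = 'UAG01', 'UAG02'

# Warning and Error events from the last 24 hours (the daily check).
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft Forefront UAG'   # the Source named on this page (assumed provider name)
    Level        = 2, 3                        # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddDays(-1)
}

# Query each array member separately so one failing server does not hide the others.
$events = @(foreach ($server in $servers) {
    try {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # Get-WinEvent reports an empty result as an error; treat it as a clean day.
            Write-Host "${server}: no Warning or Error events in the last 24 hours"
        }
        else {
            # An unreachable member is itself a finding, not an empty result.
            Write-Warning "${server}: event log query failed: $($_.Exception.Message)"
        }
    }
})

# Summarize by server, level and event ID so recurring problems stand out.
$events |
    Group-Object MachineName, LevelDisplayName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail for review, newest first.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, MachineName, LevelDisplayName, Id, Message |
    Format-List
```

Remote queries require the Remote Event Log Management firewall rules to be enabled on each array member and an account with permission to read the Application log.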

Use one of the following methods to access the Windows Event Viewer:

  • From a command prompt, run eventvwr.msc to open the Event Viewer MMC snap-in.

  • On the taskbar, click Start, click Administrative Tools, and then click Event Viewer.

If Microsoft System Center Operations Manager 2007 is deployed, you can use the Forefront UAG management pack (version 4.0.1095.0) to monitor Forefront UAG servers. For more information on the events monitored by the Forefront UAG management pack, see Events.

For more information on Forefront UAG events, see Forefront UAG Event Messages.