Tip: Quickly Filter Event Logs in Windows Server 2008

The Event Viewer automatically creates several filtered views of the event logs. Filtered views are listed under the Custom Views node. When you select the Administrative Events node, you see a list of all errors and warnings for all logs. When you expand the Server Roles node and then select a role-specific view, you see a list of all events for the selected role.

You can also create a custom view to make it easier to look for specific types of events. To do so, follow these steps:
1. In Server Manager, expand the Diagnostics node and the Event Viewer node.
2. Select Custom Views. In the actions pane or on the Action menu, click Create Custom View.
3. Use the Logged list to select the included time frame for logged events. You can choose to include events from the Last Hour, Last 12 Hours, Last 24 Hours, Last 7 Days, or Last 30 Days.
4. Use the Event Level check boxes to specify the level of events to include. Select Verbose to get additional detail.
5. You can create a custom view for either a specific set of logs or a specific set of event sources:
- Use the Event Logs list to select event logs to include. You can select multiple event logs by selecting their related check boxes. If you select specific event logs, all other event logs are excluded.
- Use the Event Sources list to select event sources to include. You can select multiple event sources by selecting their related check boxes. If you select specific event sources, all other event sources are excluded.
6. Optionally, use the User and Computer(s) boxes to specify users and computers that should be included. If you do not specify the users and computers to include, events generated by all users and computers are included.
7. When you click OK, Windows displays the Save Filter To Custom View dialog.
8. Type a name and description for the custom view.
9. Select where to save the custom view. By default, custom views are saved under the Custom Views node. You can create a new node by clicking New Folder, entering the name of the new folder, and then clicking OK.
10. Click OK to close the Save Filter To Custom View dialog box. You should now see a filtered list of events. Review these events carefully and take steps to correct any problems that exist.

Tips RSS Feed

Subscribe to the TechNet Magazine Tips RSS feed.

If you want to see a particular type of event, you can filter the log by following these steps:
1. In Server Manager, expand the Diagnostics node and the Event Viewer node.
2. Expand Windows Logs or Applications And Services Logs as appropriate for the type of log you want to configure. You should now see a list of event logs.
3. Select the log you want to work with. In the actions pane or on the Action menu, click Filter Current Log.
4. Use the Logged list to select the included time frame for logged events. You can choose to include events from the Last Hour, Last 12 Hours, Last 24 Hours, Last 7 Days, or Last 30 Days.
5. Use the Event Level check boxes to specify the level of events to include. Select Verbose to get additional detail.
6. Use the Event Source list to select event sources to include. If you select specific event sources, all other event sources are excluded.
7. Optionally, use the User and Computer(s) boxes to specify users and computers that should be included. If you do not specify the users and computers to include, events generated by all users and computers are included.
8. Click OK. You should now see a filtered list of events. Review these events carefully and take steps to correct any problems that exist. To clear the filter and see all events for the log, click Clear Filter in the actions pane or on the Action menu.

From the Microsoft Press book Microsoft Windows Server 2008 Administrator’s Pocket Consultant by William R. Stanek.

Looking for More Tips?

For more Windows Server tips, visit the TechNet Magazine Windows Server 2008 Tips page.

For more Tips on other products, visit the TechNet Magazine Tips index.