Managing Logs

Microsoft® Windows® 2000 Scripting Guide

Event logs provide a central repository for recording the activities that take place on a computer. Because many of the most meaningful of these events are recorded in one of the event logs, you can find a given event without having to search through a multitude of source-specific log files. On the other hand, because each event log contains events generated from many sources, it can be difficult to identify a set of related events. The advantages and disadvantages of the operating system's use of event logs reflect the trade-off between managing one large data source and managing many smaller ones.

Another mixed blessing is that event logs are written in a proprietary binary data format and are designed to prevent modification of the contents of the log. This design provides a high level of security but also makes it more difficult to analyze the contents of the event log. Historically, this could be done only by using the Event Viewer snap-in, and on only one computer at a time.

Fortunately, Windows 2000 includes a number of scripting tools that make it easy to manage event logs across the enterprise.

Plain-Text Log Files

In addition to the event logs, the operating system also writes other events to plain-text log files, most of which are located in the %windir%\Debug folder. Plain-text log files are useful for operations that might generate thousands of events at a time. Because these operations generate so many events, it would be unwise to have them save events to an event log; the thousands of events generated by this single operation might completely fill the log, overwriting all the other events that have taken place on the computer.

For example, each time the File Replication service runs, the resulting log file might contain several thousand lines, depending on the amount of data replicated. Instead of each replication operation being written as an event log record, all the replicated data is recorded in a plain-text log file (%windir%\Debug\NtFrs.log).

One major advantage of these log files is that they are plain text, so they can be opened and viewed in any text editor. However, plain-text log files also have limitations:

  • Plain-text log files can be easily modified by any user who has read-write access to the folder in which the logs are stored. For example, an unscrupulous administrator might open a log file, modify it to remove evidence of any activity he or she would prefer to keep secret, and then save the file.

  • Plain-text log files are difficult to analyze by using automated analysis methods. This is due, in part, to the fact that plain-text log files in Windows can use any one of several formatting styles, including comma-separated values, fixed-width text, or free-form text. This makes it difficult to write a single script that can read and analyze multiple log files.
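The second limitation above, that plain-text logs come in several styles so a single script struggles to read them all, is exactly the case a small format-sniffing parser is written for. The following Python example is added here and is not code from the Scripting Guide; the three sample logs, their column layouts, and the date/time/source/message field set are constructed assumptions, and the detection rules are heuristics rather than anything Windows itself guarantees about its log files.

```python
import csv
import re
from typing import Dict, List

# Constructed sample logs, one per formatting style the text names.
# None of these is a real Windows log; the layouts are assumptions.
CSV_LOG = (
    "date,time,source,message\n"
    "2000-05-01,10:15:02,NtFrs,replication started\n"
    "2000-05-01,10:15:09,NtFrs,replication finished\n"
)
FIXED_WIDTH_LOG = (
    "2000-05-01 10:15:02 NtFrs      replication started\n"
    "2000-05-01 10:15:09 NtFrs      replication finished\n"
)
FREE_FORM_LOG = (
    "[2000-05-01 10:15:02] NtFrs: replication started\n"
    "    continuation line belonging to the previous entry\n"
    "[2000-05-01 10:15:09] NtFrs: replication finished\n"
)

# Assumed layouts: fixed-width lines start with date, time and source columns;
# free-form lines start with a bracketed timestamp followed by "source: text".
FIXED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+)\s+(.*)$")
FREE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\] (\S+?): (.*)$")


def detect_format(text: str) -> str:
    """Guess which style a log uses from its non-empty lines (heuristic)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "empty"
    # CSV: every line splits into the same number of fields, and more than one.
    widths = {len(row) for row in csv.reader(lines)}
    if len(widths) == 1 and widths.pop() > 1:
        return "csv"
    # Fixed-width: every line fits the column layout.
    if all(FIXED_RE.match(ln) for ln in lines):
        return "fixed"
    # Anything else is treated as free-form text.
    return "free"


def parse_log(text: str) -> List[Dict[str, str]]:
    """Normalise any of the three styles into date/time/source/message records."""
    style = detect_format(text)
    records: List[Dict[str, str]] = []
    if style == "csv":
        for row in csv.DictReader(text.splitlines()):
            records.append({k: row[k] for k in ("date", "time", "source", "message")})
    elif style == "fixed":
        for ln in text.splitlines():
            m = FIXED_RE.match(ln)
            if m:
                date, time, source, message = m.groups()
                records.append({"date": date, "time": time,
                                "source": source, "message": message.strip()})
    else:
        for ln in text.splitlines():
            m = FREE_RE.match(ln)
            if m:
                date, time, source, message = m.groups()
                records.append({"date": date, "time": time,
                                "source": source, "message": message.strip()})
            elif records and ln.strip():
                # A line with no timestamp continues the previous entry.
                records[-1]["message"] += " " + ln.strip()
    return records


def count_by_source(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count entries per source: the kind of question one script can now answer
    across logs that were written in different styles."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["source"]] = counts.get(rec["source"], 0) + 1
    return counts


if __name__ == "__main__":
    combined: List[Dict[str, str]] = []
    for sample in (CSV_LOG, FIXED_WIDTH_LOG, FREE_FORM_LOG):
        print(detect_format(sample), parse_log(sample))
        combined.extend(parse_log(sample))
    print(count_by_source(combined))
```

The detection is deliberately conservative: a log is only called CSV when every line has the same field count, and only called fixed-width when every line matches the column pattern, so a file that fails both checks falls through to the free-form path, where lines without a timestamp are folded into the preceding entry instead of being dropped.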