Event Viewer and Resulting Internet Communication in Windows Vista
Benefits and Purposes of Event Viewer
Administrators can use Event Viewer to view and manage event logs. Event logs contain information about hardware and software problems and about security events on your computer. A computer running Windows Vista records events in a variety of logs including application, system, and security. While Event Viewer is primarily a tool for administrators to manage event logs, users can also view application and system logs on their computer. Only administrators can gain access to security logs.
Forwarding and Collecting Events
Windows Vista includes the ability to collect copies of events from multiple remote computers and store them on one computer. Forwarding and collecting events in this way can be carried out across the Internet and can use encryption or not, depending on how it is configured. Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The configuration you create for forwarding and collecting events is called an event subscription.
The process of collecting events depends on the Windows Remote Management (WinRM) service and the Windows Event Collector service. Both of these services must be running on computers participating in the forwarding and collecting process. The WinRM service supports communication through HTTPS (you can specify that the events that you forward across the Internet are encrypted before being sent).
It is outside the scope of this white paper to fully describe event collecting, event subscriptions, the Windows Remote Management (WinRM) service, or the Windows Event Collector service. For more details about forwarding and collecting events, see "Additional References," later in this section.
Overview: Using Event Viewer in a Managed Environment
Users can access event logs for their own computers through Control Panel\System and Maintenance\Administrative Tools\Event Viewer. The user can obtain detailed information about a particular event by double-clicking the event (or through other methods, such as right-clicking and then clicking Event Properties). The dialog box gives a description of the event, and can contain one or more links to Help.
Links can either be to Microsoft servers or to servers managed by the vendor for the software that generated the event. On Windows Vista, in Event Properties, the link next to More Information is labeled Event Log Online Help. By default, Event Log Online Help uses the following URL and appends the information shown in "How Event Viewer Communicates with Sites on the Internet," later in this section.
When users click the link, they are asked to confirm that the information presented to them can be sent over the Internet. If the user clicks Yes, the information listed about the event will be sent across the Internet. This information is described in more detail in "How Event Viewer Communicates with Sites on the Internet," later in this section.
You might want to prevent users from sending this information over the Internet through this link and accessing a Web site. Alternatively, you may want to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization. In Windows Vista, you can control either of these through Group Policy.
You might also want to collect copies of events from multiple remote computers and store them on one computer. For information about this option, see "Benefits and Purposes of Event Viewer," earlier in this section and "Additional References," later in this section.
How Event Viewer Communicates with Sites on the Internet
To access the relevant Help information provided by the link in the Event Properties dialog box, the user must send the information listed about the event. The data collected is limited to what is needed for retrieving more information about the event from the Event Log Online Help. User names, e-mail addresses, and names of files unrelated to the logged event are not collected.
For information about the ability to collect copies of events from multiple remote computers and store them on one computer, see "Benefits and Purposes of Event Viewer," earlier in this section and "Additional References," later in this section.
The communication across the Internet that takes place when a user clicks the Event Log Online Help link in the Event Properties dialog box is described in the following list:
Specific information sent or received: Information about the event sent over the Internet is appended to a URL, which by default is:
The information appended to the URL includes:
Company name (software vendor)
Date and time
Product name and version (for example, Microsoft Windows Operating System, 6.0.nnnn)
Event ID (for example, 1010)
Event source (for example, Microsoft-Windows-Dhcp-Client)
Locale ID (for example, 1033 for English - United States)
Default settings: Access to Event Viewer is enabled by default.
Triggers: The user chooses to send information about the event over the Internet to obtain more information about the event.
User notification: When a user clicks the link, a dialog box listing the information that will be sent is provided.
Logging: This is a feature of Event Viewer.
Encryption: The information may or may not be encrypted, depending on whether the link uses HTTP or HTTPS.
Access: No information is stored.
Privacy: In Event Viewer, click Help, click Help Topics, click the Search tab, and type privacy statement.
Transmission protocol and port: Communication occurs over the standard port for the protocol in the URL, using either HTTP or HTTPS.
Ability to disable: The ability to send information over the Internet or to be linked to a Web site can be prevented through a Group Policy setting.
Controlling Event Viewer to Prevent the Flow of Information to and from the Internet
By configuring Group Policy, you can prevent users from sending information across the Internet and accessing Internet sites through Event Viewer. Alternatively, you can redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization.
These Group Policy settings affect only the flow of information to and from an intranet or the Internet through Event Viewer, not the other functions of Event Viewer.
Procedures for Preventing the Flow of Information to and from the Internet Through Event Viewer
The following procedure tells how to use Group Policy to prevent users from sending information across the Internet and accessing Internet sites through Event Viewer.
To Use Group Policy to Prevent the Flow of Information to and from the Internet Through Event Viewer
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate Group Policy object (GPO).
Expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication Settings.
In the details pane, double-click Turn off Event Viewer "Events.asp" links, and then click Enabled.
Important You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Vista.
The following procedure tells how to use Group Policy to redirect the requests that result from users clicking links in Event Viewer so that the requests go to a Web server in your organization.
To Use Group Policy to Redirect Links in Event Viewer to a Web Server in Your Organization
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.
Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Event Viewer.
In the details pane, double-click Events.asp URL, click Enabled, and then type the URL for the Web page that you want Event Viewer links to go to. Click OK.
In the details pane, double-click Events.asp program, click Enabled, and then type the path for the program to be used for displaying the URL that you typed in the previous step. If you want the page to be displayed in the Web browser and the Web browser is in the system path, you can type the name of the Web browser executable alone, for example, iexplore.exe.
In the details pane, double-click Events.asp program command line parameters, click Enabled, and then type any command line parameters required for the program you typed in the previous step. If the program you typed in the previous step does not use parameters, clear the text box.
Note: Even after the preceding settings go into effect, when users click a link in Event Viewer, the user notification still appears, stating that Event Viewer will send information across the Internet and asking for confirmation. Regardless of the user notification, if you carry out the preceding procedure and redirect events to a Web server in your organization, the information goes to that server, not across the Internet.
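The two preceding procedures leave their result in the local policy registry hive, so an administrator can audit the effective state on an endpoint. The following PowerShell script is an added example, not part of the original white paper: it reports whether Event Viewer links are blocked, redirected to an organizational server, or left at the Internet default, and flags a redirect URL that does not use HTTPS (the white paper notes that the data is encrypted only when the link uses HTTPS). The registry key and value names are assumptions taken from the Event Viewer policy template and should be verified against the ADMX definitions in your environment.

```powershell
# Added example: audit the local Group Policy state for Event Viewer "Events.asp" links.
# ASSUMPTION: key and value names below are those written by the EventViewer policy
# template; verify them against your ADMX files before relying on this output.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EventViewer'
$Names = @{
    Disabled = 'MicrosoftEventVwrDisableLinks'                    # Turn off Event Viewer "Events.asp" links
    Url      = 'MicrosoftRedirectionURL'                          # Events.asp URL
    Program  = 'MicrosoftRedirectionProgram'                      # Events.asp program
    Params   = 'MicrosoftRedirectionProgramCommandLineParameters' # Events.asp program command line parameters
}

function Get-EventViewerLinkPolicy {
    [CmdletBinding()]
    param([string]$Key = $PolicyKey)

    # Read the policy key if present; a missing key means no policy is applied.
    $values = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    $read = { param($n) if ($values -and $values.PSObject.Properties[$n]) { $values.$n } }

    $disabled = ([int](& $read $Names.Disabled)) -eq 1
    $url      = & $read $Names.Url
    $program  = & $read $Names.Program
    $params   = & $read $Names.Params

    # Classify: links turned off, redirected to an organizational Web server, or default (Internet).
    $state = if ($disabled) { 'Blocked' } elseif ($url) { 'Redirected' } else { 'Default-Internet' }

    $findings = @()
    if ($state -eq 'Redirected') {
        # Event details are only encrypted in transit when the redirect target uses HTTPS.
        if ($url -notmatch '^https://') { $findings += "Redirect URL '$url' is not HTTPS; event details are sent unencrypted." }
        # Without a display program the redirect URL has nothing to open it.
        if (-not $program) { $findings += 'Events.asp program is not set; configure the program used to display the URL.' }
        $findings += 'Users still see the confirmation dialog even though requests stay inside the organization.'
    }
    if ($state -eq 'Default-Internet') { $findings += 'Event details leave the network when a user confirms the link prompt.' }

    [pscustomobject]@{
        State       = $state
        Disabled    = $disabled
        RedirectUrl = $url
        Program     = $program
        Parameters  = $params
        Findings    = $findings
    }
}

Get-EventViewerLinkPolicy | Format-List
```

Run it in an elevated session after a `gpupdate` so the reported state reflects the GPO you just edited rather than a stale local copy.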
For information about how to configure event forwarding and collecting, see the TechNet Web site at:
For detailed information about the WinRM service (one of the services used for event forwarding and collecting), see the MSDN Web site at:
For information about the Event Collector SDK, see the MSDN Web site at: