12-02-2008, 11:08 AM
Using Event Viewer in Windows Server 2008
Microsoft defines an event in Windows Server 2008 as any important occurrence in the operating system or an application that users (particularly administrators) need to be notified of.
Events are recorded in event logs. Events and the event logs are significant administrative tools because they are essential for recognizing and troubleshooting problems, tracking security access (logon, logoff, resource auditing, and so on), and tracking the status of the system and its applications.
Note: Some features are not available if you use the Event Viewer console within the Computer Management console.
The general categories of events are as follows:
1) System: These contain system-related events such as service start-up and shutdown, driver initialization, system-wide warning messages, network events, and other events that apply to the system in general.
2) Security: These contain events related to security, such as logon/logoff and resource access (auditing).
3) Application: These events are related to specific applications. For instance, a virus scanner may log events related to a virus scan, a cleaning operation, and so on, to the Application log.
4) Setup: These events are related to setup processes such as adding roles and features.
5) Forwarded Events: The Forwarded Events log includes log entries from another computer system. Here you can create a subscription to an event log on another system, and then filter the event log you have subscribed to so that only the desired events are retrieved. The retrieved events are placed into the Forwarded Events log.
Note: In addition to the three default event logs, other Windows Server 2008 services create their own logs. The Directory Service, DNS Service, and File Replication Service are some examples of services that create their own event logs. You can view these logs with the Event Viewer, just as you do the three standard logs.
Events range in severity from informational messages to serious events such as service or application failures. The primary event categories are informational, warning, error, success audit, and failure audit. The severity of an event is indicated by an icon beside the event in the log. For instance, warnings use an exclamation icon and errors use an X in a red circle. Each event has a set of common properties associated with it:
1) Date and Time: This is the date and time the event occurred.
2) Source: This identifies the source of the event, such as a service, device driver, application, resource, and so on. The source property is helpful for determining what caused the event (cause and event source are not synonymous).
3) Category: The source determines the category for an event. For instance, security categories include logon, logoff, policy change, and object access, among others.
4) Event: Each event contains an event ID, an integer generated by the source to identify the event uniquely.
5) User: This property identifies the user who caused the event to be generated (if applicable).
6) Computer: This property identifies the computer that caused the event to be generated (if applicable).
The Event Viewer MMC snap-in is the tool you use to view and manage the event logs. The Event Viewer presents the logs in the tree pane as individual branches. When you click a log, its events appear in the pane on the right.
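The same logs and properties can be worked with from the command line, which is handy when you need to do the kind of filtering described above (failure audits on the Security log, errors and warnings grouped by source, checking which machines are actually delivering into Forwarded Events) across many servers. The following is an added example written for this post, not something from the original post or from Microsoft. It assumes Get-WinEvent is available (PowerShell 2.0 or later, so Windows Server 2008 R2, or Windows Server 2008 with the Windows Management Framework installed), and an elevated session, because the Security log is readable only by administrators. The $Hours parameter and the function names are my own choices; event IDs 4625 (logon failure) and Level values 1 to 3 (Critical, Error, Warning) are the real Windows Vista/2008-generation values.

```powershell
# Added example (not part of the original post). Requires PowerShell 2.0+ and an
# elevated session. Looks back $Hours hours (default 24) over the logs described above.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# 1) Security log: failure audits for logons (event ID 4625), summarised per
#    target account. The interesting fields live in the event's EventData block,
#    so the record is converted to XML and the named Data elements are pulled out.
function Get-FailedLogonSummary {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time          = $_.TimeCreated
                TargetUser    = $data['TargetUserName']
                Workstation   = $data['WorkstationName']
                SourceAddress = $data['IpAddress']
                Status        = $data['Status']      # NTSTATUS code for the failure reason
            }
        } |
        Group-Object TargetUser |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 2) System and Application logs: errors and warnings, grouped by log, source
#    (ProviderName) and event ID, most frequent first. Level 1 = Critical,
#    2 = Error, 3 = Warning; 4 (Information) is deliberately left out.
function Get-ErrorWarningBySource {
    param([string[]]$Logs = @('System', 'Application'))
    Get-WinEvent -FilterHashtable @{ LogName = $Logs; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, MachineName, UserId |
        Group-Object LogName, ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 20
}

# 3) Forwarded Events: count entries per originating computer, which is a quick
#    way to spot a subscribed machine that has silently stopped forwarding.
function Get-ForwardedEventSources {
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue |
        Group-Object MachineName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

"== Failed logons (Security, ID 4625) per account, last $Hours h =="
Get-FailedLogonSummary | Format-Table -AutoSize

"== Errors and warnings by source (System, Application), last $Hours h =="
Get-ErrorWarningBySource | Format-Table -AutoSize

"== Forwarded Events per source computer, last $Hours h =="
Get-ForwardedEventSources | Format-Table -AutoSize
```

Save it as, for example, EventSummary.ps1 and run it from an elevated PowerShell prompt; -ErrorAction SilentlyContinue is there because Get-WinEvent reports "No events were found" as an error rather than returning nothing, so an empty log would otherwise abort the script. Security auditing for logon events must be enabled in the audit policy for section 1 to show anything.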