
Pinpoint the cause of server problems using event logs

Event logs can provide clues to the cause of a server problem; you just need to know what information to look for and how to interpret it. Brien Posey explains how to sort through event-log data and gives tips for deciphering the information.


Many people use the event logs only to check up on security once in a while. However, event logs can provide the information you need to root out the cause of a server problem. You just need to know what types of information are important and how to interpret them. In this Daily Feature, I will explain how to use the Event Viewer and Excel to sort event-log data, and then I will provide a couple of methods you can use to find the cause of the problem using that data.

Start with the Event Viewer
The Event Viewer is a collection of several different log files that compile information on the functionality of parts of Windows 2000, such as the core OS and Active Directory (AD). There are also event logs for applications, file replication service, and the system’s security.

To access the Event Viewer, select Programs | Administrative Tools | Computer Management from the Start menu. When the Computer Management console loads, navigate through the console tree to Computer Management (Local) | System Tools | Event Viewer. When you expand the Event Viewer container, you’ll see a list of the various event logs appear beneath it. Simply select the event log you’d like to view, and the log’s contents will appear in the column to the right, as shown in Figure A.

Figure A


Sorting the event logs
As you scroll through a list of events, you'll notice that the icon associated with each event lets you quickly distinguish between general information, warnings, and errors. Windows 2000 uses different types and colors of icons for each category, and these icons are intended to help you locate what you’re looking for more quickly. However, there may be so many icons listed in the viewer that it's still difficult to find what you're looking for. So, how do you go about finding the proverbial needle in a haystack?

Errors are often reactionary, and a single error can cause a chain reaction of other errors. Suppose that after glancing through the error logs, you suspect that a previous error may have caused other errors. However, there are so many errors in the log that it's difficult to find the initial error. How do you find it? You can simply sort the data.

Each event log that you select displays several columns of information about that event. By default, the events are sorted by date, with the most recent event appearing at the top of the list. But you can actually sort the list by any of the available columns, including sorting by:
  • Type, which groups all of the errors together. Likewise, the warnings would also be grouped together, as would the general information events.
  • Event, which is an easy way to locate the specific event ID. For example, suppose you’ve been in contact with Microsoft’s technical support department, and they suggested that you check an event log for a specific event ID. You could click the Event column heading to sort all of the events numerically.
  • Time or Date, which obviously allows you to sort the events by the date or time that they occurred.
  • User, which can be useful if you’re searching the security logs after a suspected security breach.

Exporting the event logs for easier searching
Sorting isn’t always the best technique for finding the information you need. There are times when you need to do a full-featured search by exporting the contents of the event log to a spreadsheet. To do so, right-click the event log you want to export and then select the Export List command from the context menu. You’ll then see the Save As dialog box. Select a file name, a destination, and a file type. If you’re planning to export the event log to an Excel spreadsheet, select Text (Comma Delimited) (*.CSV) from the Save As Type drop-down list. This will export the file in CSV format, which Excel can read with no problems.

When you’re ready to view the file, open it in Excel. Since CSV isn’t the default Excel file type, you’ll need to select it from the Files Of Type drop-down list before the file will actually open. In this drop-down list, CSV files appear as Text Files (*.PRN; *.TXT; *.CSV). Once the file opens, it will look something like the one shown in Figure B.

Figure B
You can export an event log into Excel for easier searching.


Opening the file in Excel allows you to search for specific entries with the Find command in Excel’s Edit menu. You can also use the Sort and Filter commands on the Data menu to narrow things down if you’re not sure exactly what you’re looking for. For example, you could use the Sort command to sort the event log by error type and then use Filter to remove the users you’re not interested in.
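As an added example (not part of the original article), the following Python script works through the same sorting and filtering steps on a constructed CSV export laid out the way Event Viewer's Export List writes it (the column names are assumed): it groups events by type, finds the earliest error as the likely start of a chain reaction, pulls out a given Event ID, and filters the security events down to one user.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the layout Event Viewer's Export List writes (column
# names assumed). Event 7001 and the DHCP Client / NetBIOS over TCP/IP
# dependency come from the article; the other rows are made up for illustration.
SAMPLE_CSV = r"""Type,Date,Time,Source,Category,Event,User,Computer
Information,3/4/2001,8:02:10 AM,eventlog,None,6005,N/A,SERVER1
Error,3/4/2001,8:02:31 AM,Service Control Manager,None,7000,N/A,SERVER1
Error,3/4/2001,8:02:32 AM,Service Control Manager,None,7001,N/A,SERVER1
Warning,3/4/2001,8:05:00 AM,Dhcp,None,1003,N/A,SERVER1
Error,3/4/2001,8:10:44 AM,Security,Logon/Logoff,529,SERVER1\bposey,SERVER1
Error,3/4/2001,8:10:51 AM,Security,Logon/Logoff,529,SERVER1\guest,SERVER1
"""

def load_events(text):
    """Parse the CSV export; combine Date and Time into one sortable timestamp."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["When"] = datetime.strptime(e["Date"] + " " + e["Time"],
                                      "%m/%d/%Y %I:%M:%S %p")
        e["Event"] = int(e["Event"])
    return events

def sort_by_type(events):
    """Group errors, then warnings, then information (oldest first within each)."""
    rank = {"Error": 0, "Warning": 1, "Information": 2}
    return sorted(events, key=lambda e: (rank.get(e["Type"], 3), e["When"]))

def first_error(events):
    """The earliest Error is the best candidate for the start of a chain reaction."""
    errors = [e for e in events if e["Type"] == "Error"]
    return min(errors, key=lambda e: e["When"]) if errors else None

def by_event_id(events, event_id):
    """Pull every event carrying a given ID (e.g. one support asked you to check)."""
    return [e for e in events if e["Event"] == event_id]

def for_user(events, user):
    """Keep only a given user's events, useful when reviewing the security log."""
    return [e for e in events if e["User"] == user]

if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    print(Counter(e["Type"] for e in evts))
    root = first_error(evts)
    print("First error:", root["When"], root["Source"], root["Event"])
    for e in for_user(evts, r"SERVER1\guest"):
        print(e["When"], e["Event"], e["User"])
```

In the sample, the 7001 dependency failure is preceded by a 7000 error one second earlier, which is the entry sorting by time surfaces as the place to start reading.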

Interpreting errors to pinpoint problems
After searching through the event logs, you finally locate an error or the events that caused an error. How do you figure out what caused the problem and correct it?

As you can see in Figure B, my event log contains several errors that need to be corrected. Notice that each event contains an event ID number. For example, in line 12 of the spreadsheet, the Event ID is 7001.

To figure out what was causing this particular error, I would first go to the Event Viewer and double-click on the event. I would then see a dialog box appear that summarized the event. This dialog box would also provide me with a brief explanation of what might have caused the error. In Figure C, the dialog box is telling me that the DHCP client service depends on the NetBIOS over TCP/IP service, which failed to start.

Figure C
The Event Viewer briefly describes what might have caused the error.


The information gathered from Event Viewer gives you a starting point for correcting the problem. Depending on how knowledgeable you are and the severity of the error, you might be able to locate and fix the problem just by reading this information. However, you can also use the Event ID to search a TechNet CD or Microsoft’s Support Knowledge Base Web site for a solution.

Conclusion
Event logs in Windows 2000 can help you troubleshoot a variety of problems, including network errors, service failures, and security problems. To get the most out of them, you need to understand the basic anatomy of the event logs and of the events you’ll find within a log file. Finally, you can use event-log entries to interpret the meaning of an event or error and either solve the problem or search further for a resolution.
