
Step-By-Step: How to monitor your server with the Windows NT Event Viewer

Learn to use Windows NT's Event Viewer utility to monitor events on your server


Is everything working properly on your Windows NT Server? Did everything start up properly? How do you know? Windows NT includes a handy utility called Event Viewer that you can use to monitor events on your server. In this Daily Drill Down, I’ll discuss Windows NT Event Viewer.

What is Event Viewer?
Event Viewer is shipped with Windows NT Server and Workstation. You use it to monitor events in your system. Logged events hold a wealth of information that can help you troubleshoot problems with your system. Event Viewer even allows you, while logged on as an administrator, to remotely check the logs of any NT Server or Workstation in your network.

The Event Viewer service, called EventLog, starts automatically when you run Windows NT. Event Viewer records events in three types of logs:
  • Application log
  • System log
  • Security log

The Application log records events logged by applications. For example, a database application might record a file error in the Application log.

The System log records events logged by the Windows NT system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log.

The Security log records security events when auditing is enabled. Its categories are Logon and Logoff, Policy Change, Privilege Use, System Event, Object Access, Detailed Tracking, and Account Management. You must be a member of the Administrators or Domain Admins group to have privileges to view this log.

You can also archive event logs, which we’ll discuss a little later in this Daily Drill Down. Once you open a specific log, you can view, sort, and filter events. The Event Viewer window displays several types of information, including the following:
  • Date and Time: These fields are crucial to help determine the cause of an error or to identify a pattern of events.
  • Source: This field shows the software that logged the event. It can be an application or a component of the system, such as a driver.
  • User: This field shows the user name associated with the event. This field is not case-sensitive.
  • Category: This field contains a classification of the event, as defined by the source.
  • Computer: This field shows the exact name of the computer where the logged event occurred. This field is not case-sensitive.
  • Event: This field provides an event number that identifies the specific event. Many times, unless you have already researched a specific event number, it isn’t very descriptive. The event number can help technical representatives figure out problems, however. You can use Microsoft’s TechNet to research event numbers, or you can look them up in the Microsoft Knowledge Base.
  • Type: This field gives a classification of the event by the Windows NT operating system, such as Error, Warning, Information, Success Audit, or Failure Audit.

Viewing event logs
To open Event Viewer, go to Start | Programs | Administrative Tools | Event Viewer. You can save a lot of clicking and digging through menus by placing a shortcut to Event Viewer and other administrative tools on your Desktop. The Event Viewer opening screen lists events and the time and date they were recorded, as shown in Figure A.

Figure A
You can monitor events on your server using Event Viewer.


From the Log menu, you can choose which log file to view. You can even view the log files from another computer, if you have sufficient privileges, by choosing Select Computer.

By default, Event Viewer lists the most recent event first. You can change the sort order very easily. From the View menu, choose Oldest First or Newest First to sort events chronologically.

You can choose Filter Events from the View menu to view only events with specific characteristics. To turn off event filtering, click All Events on the View menu.

Event Viewer allows you to search for events if there’s a specific event you want to look for. Choose Find from the View menu to search for events based on event description or a specific characteristic. In the Find dialog box, select the type of events you want to find.

You can specify any Source, Category, Event, Computer, and User events you want. In the Description field, you can enter any text that matches a portion of an event record’s description. To specify the direction of the search, choose Up or Down. Click Find Next to begin the search. To restore the default search criteria, click Clear before clicking Find Next. After you define the search criteria, you can press [F3] to find the next matching event without displaying the Find dialog box. Your search choices remain in the Find dialog box throughout the current session. The default settings are restored the next time you start Event Viewer.

Viewing more detail
Although Event Viewer records what’s going on, the main screen doesn’t really provide much detail about an event. Fortunately, you can go into a little more detail. Choose Detail from the View menu to see descriptions and additional details or double-click the event. In the Event Detail screen, shown in Figure B, use the scroll bar to browse the information in the Description and Data windows.

Figure B
You can view events in greater detail.


To see details about other events, click Next or Previous. Choose Bytes to view binary data as characters. Choose Words to see binary data as DWORDS. Not all events generate binary data.

Don’t worry if you can’t make heads or tails of the information on the Event Detail screen. An experienced programmer or a support technician familiar with the source application can interpret this information.

Refreshing log files
Log files recorded by Event Viewer are not dynamically refreshed. This means that if an event occurs while you have Event Viewer open, you won’t see the event in the viewer as it happens. You can refresh the log file from the View menu by choosing Refresh.

This bit of information is important if you’re troubleshooting a problem that’s producing many events. After you try to correct a problem, you’ll want to refresh the screen to see if your action produced a solution. The Refresh option is not available for archived logs because those files are static. When a log is archived, the sort order affects only files that you save in text format or comma-delimited text format; it will not affect event records that you save in log-file format.

Clearing event logs
From time to time, you may want to clear an event log and start fresh. From the Log menu, switch to the log you want to clear and select Clear All Events.

You will see a message asking if you want to archive the currently logged events. If you answer Yes, the Save As dialog box will appear. Enter the filename and folder path where you want the archived log to be stored. After you answer Yes or No, Event Viewer clears the current log. Only new events will then appear in the log.

If you check Do Not Overwrite Events in the Event Settings dialog box, you must clear the log manually on a periodic basis. You can do this when the log reaches a certain size or when a message notifies you that the log is full. The only way to clear an archived log is to delete the file.

Viewing event logs for another computer
Event Viewer will allow you to view the events for another computer if you are logged on as an administrator. Use the Select Computer dialog box from the Log menu and specify the computer whose events you want to view. You can use the UNC of the computer.

For example, to view the events of a computer named Server1, you would type \\Server1 to connect to it. You can also choose a computer name in Select Computer. If you’re connected to the selected computer by a device such as a modem, be sure to select the Low-Speed Connections check box. If the Save Settings On Exit option on the Options menu is checked when you quit Event Viewer, your Low-Speed Connection setting remains in effect when you restart Event Viewer.

Don’t worry about security problems with this feature. You can restrict remote access to Event Viewer to only the Administrators group. Doing so, however, requires a trip into the Windows NT Registry.
Follow the directions below, but remember that they involve editing the Registry. Any time that you edit the Registry, you should first back it up, then exercise great caution that you don’t change anything inadvertently. A mistake here can yield unknown results.
On the computer where you want to restrict remote access to Event Viewer, start Registry Editor by selecting Run from the Start menu, typing Regedt32, and clicking OK. Then navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths.

Double-click the Machine value in the right pane and delete the string in the Multi-String Editor box. Quit Registry Editor and restart the computer for the changes to take effect. After the restart, confirm from another workstation that a non-administrator account can no longer open this computer's logs with Select Computer, while an administrator still can.

Archiving event logs
Event logs can become very large in a short period of time, depending on the type of activity your computer is used for. You can archive an event log to save the information. When you archive a log file, the entire log is saved, regardless of filtering options. You can save a log in log-file format, text format, or comma-delimited text format; text and comma-delimited files retain the current sort order but not the binary data.

Open the log file you wish to archive. From the Log menu, choose Save As, then choose a file format. Enter a filename and destination for the archived log file.

The filename will have a .txt extension regardless of the file format you choose. Once you exit Event Viewer, the default logs will be displayed the next time you start Event Viewer.

In order to view a log file that has been archived, choose Open from the Log menu. Type in the name of the archived log you want to view and click OK. You must choose whether you want the log file to appear in the System, Security, or Application log. If the correct log type is not specified, the description in the Event Detail dialog box will be incorrect.

Once a file is archived, you cannot use Refresh to update the display or Clear All Events to clear the log file. If you want to delete the events in an archived log file, you must delete the file itself.
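As an added example (not from the article), the following Python parses a Security log that was archived in comma-delimited text format and reproduces, in code, the Filter Events behaviour described earlier and the daily check recommended in the conclusion. The sample lines are constructed, and the column order (Date, Time, Source, Type, Category, Event, User, Computer, Description) is an assumption of the example.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of a Security log archived in comma-delimited format.
# The column order below is an assumption of this example, not something
# the article states.
SAMPLE_CSV = """\
9/8/2000,8:02:11 AM,Security,Success Audit,Logon/Logoff,528,ADMIN,SERVER1,Successful Logon
9/8/2000,8:05:40 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SERVER1,Logon Failure: Unknown user name or bad password
9/8/2000,8:05:52 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SERVER1,Logon Failure: Unknown user name or bad password
9/8/2000,8:06:03 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,SERVER1,Logon Failure: Unknown user name or bad password
9/8/2000,9:15:00 AM,Security,Success Audit,Policy Change,612,ADMIN,SERVER1,Audit Policy Change
9/8/2000,9:30:27 AM,Security,Success Audit,Account Management,624,ADMIN,SERVER1,User Account Created
"""

FIELDS = ["date", "time", "source", "type", "category", "event",
          "user", "computer", "description"]

def parse_archive(text):
    """Parse comma-delimited archived log text into a list of event dicts."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        # A description can itself contain commas; fold any overflow back in.
        row = row[:8] + [",".join(row[8:])]
        event = dict(zip(FIELDS, row))
        event["event"] = int(event["event"])   # Event number as an integer
        events.append(event)
    return events

def filter_events(events, **criteria):
    """Mimic View | Filter Events: keep events matching every criterion.
    User and Computer compare case-insensitively, as the article notes."""
    def same(field, have, want):
        if field in ("user", "computer"):
            return str(have).lower() == str(want).lower()
        return have == want
    return [ev for ev in events
            if all(same(f, ev[f], w) for f, w in criteria.items())]

def failure_audit_summary(events, threshold=3):
    """Daily check: count Failure Audit events per (event number, user)
    and report the pairs that reach the threshold."""
    counts = Counter((ev["event"], ev["user"])
                     for ev in events if ev["type"] == "Failure Audit")
    return {key: n for key, n in counts.items() if n >= threshold}
```

Point `parse_archive` at the contents of a real archived .txt file to run the same filters and summary over your own logs.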

Conclusion
Event logs should be checked daily to ensure the health of your system. Over time, Event Viewer will become easier to use, and you will learn to recognize specific errors that affect your system. This tool allows you to react to errors and also to be proactive in recognizing potential system problems. In this Daily Drill Down, I showed you how to use this handy utility to manage your log files.
