Working with the Windows 2000 Event Viewer

If you're ready to get serious about monitoring and troubleshooting Windows 2000 networks, you need to start with the Event Viewer. This article introduces the Win2K Event Viewer and explains how to customize it to meet your network's needs.


As a network administrator, one of your biggest responsibilities is to monitor network and system events for suspicious activity so you can preempt potential disasters. One tool that can make this task easier is the Windows 2000 Event Viewer. In this article, I'll discuss how to use the Windows 2000 Event Viewer for monitoring, troubleshooting, and managing a Windows 2000 network.

The Event Viewer in Windows NT
For more information on the Windows NT 4.0 Event Viewer, see Troy Thompson's article "Monitor your servers with the Windows NT Event Viewer."

The Event Viewer in Windows 2000
In Windows 2000, the Microsoft Management Console (MMC) has become a common interface for tools used to manage networks, hardware, users, services, etc. The Win2K Event Viewer is no exception, as it now works as an MMC module.

The Event Viewer can be accessed by clicking Start | Programs | Administrative Tools | Event Viewer or by accessing the Computer Management console and clicking Event Viewer. (An easy way to get to the Computer Management console is to right-click on My Computer and select Manage.)

Other major features of the MMC-based Event Viewer include arrows to scroll through the events and the ability to copy the contents of an event to the clipboard, as seen by the buttons in Figure A.

Figure A
Viewing an event


Putting the Event Viewer to work
The Event Viewer is essentially a tool for monitoring log files. It enables you to track hardware, software, and system problems and to pinpoint problems that are causing your network or your hardware to slow, fail, or in some instances halt. The Event Viewer is used to view and/or manage three main logs: the System, Security, and Application logs (Figure B). You can also monitor specific services like DNS and open event logs on different machines.

Figure B
Looking at the Event Viewer console


To use the Event Viewer:
  1. From the Start menu, select Programs | Administrative Tools | Event Viewer.
  2. Choose a log type (Application, Security, or System).
  3. From the View menu, select Newest First or Oldest First to sort your records.
  4. Select or highlight a log.
  5. From the Action menu, choose Properties to view the details of the event, as seen in Figure A.

Using the Application Log
The Application Log records events that are logged by applications. For example, a SQL Server database might have a log that is full, which would trigger a database error in the Application Log. Basically, any error that occurs in any application on your system will generate an entry in the Application Log. This log is enabled by default.

Using the Security Log
The Security Log records all security events. This is useful in detecting changes to your security settings and locating where your systems are being compromised. By default, the security log is disabled. An Administrator with the appropriate rights can enable the log to record events. In Windows 2000, this is accomplished by creating a group policy. Once you have created the audit policies, you can track valid and invalid logon attempts and find out which users on your network are deleting files that are not their own.

To enable security policies for a local computer:
  1. Click Start and select Run.
  2. Type mmc and click OK.
  3. Select Add/Remove Snap-in from the Console Window.
  4. Click Add.
  5. Select Group Policy and click Add.
  6. Click Finish, Close, and OK.
  7. To turn on an audit policy for a local machine, expand Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies and highlight Audit Policy.
  8. Right-click on an audit policy in the directory and choose Security (Figure C).
  9. Select the boxes in your Local Policy Settings and click OK.

Figure C
Setting up security log items for a local machine


To enable security policies for a domain controller:
  1. Click Start | Programs | Administrative Tools | Active Directory Users And Computers.
  2. In the console tree, highlight Domain Controllers.
  3. Click Action and then click Properties.
  4. On the Group Policy tab, select the policy you want to change and click Edit.
  5. Expand Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy.
  6. Right-click on an audit policy and choose Security (Figure D).
  7. Select your Local Policy Settings and click OK.

Figure D
Setting up security log for a domain controller


Now that you've turned on auditing for specific events, you must enable auditing for files and folders. When selecting auditing for specific users, you have the ability to capture events based on Take Ownership, Read Permissions, Delete, Write Attributes, Create Files, etc. (Figure E).

To audit files and folders:
  1. Right-click on any shared folder and select Properties.
  2. Select the Security tab and click the Advanced button.
  3. Select the Auditing tab and click Add.
  4. Select a user, computer, or group.
  5. Choose the appropriate access for the user, computer, or group you selected.
  6. Click OK, Apply, and OK.

Figure E
Auditing security settings for files and folders


Using the System Log
The System Log records events logged by the Windows 2000 system components. For example, a driver that fails will log an entry in the System Log. This is enabled by default. It is usually the first place to check when you suspect a system problem.

Customizing the Event Viewer
By default, the Event Viewer has a maximum size of 512 KB for each log and is set to overwrite events older than seven days. You can customize the size and specify whether your events are archived or overwritten. In addition, you can use the Event Viewer to open an archived log, clear the contents of a log, and even connect to another computer to view its logs.

To change the default size of a log:
  1. Open Event Viewer.
  2. Select either Application, System, or Security.
  3. From the Action menu, choose Properties.
  4. Enter a new log size in increments of 64 KB.
  5. Click Apply and OK.

To save or archive an event log:
  1. Open Event Viewer.
  2. Right-click on the appropriate event log and choose Save Log File As.
  3. Enter a filename and choose the appropriate file type:
    Event Log (EVT) allows you to open in Event Viewer.
    Comma Delimited (CSV) allows you to view in a spreadsheet.
    Text File (TXT) allows you to view in a word processing program.
  4. Click Save.

To view an archived event log:
  1. Open Event Viewer.
  2. From the Action menu select Open Log File.
  3. Browse to find your file and select a file type.
  4. Select the Log Type and choose Open.

To clear the contents of an event log:
  1. Open Event Viewer.
  2. Right-click on the appropriate log (Application, Security, System).
  3. Choose Clear All Events.

To search for specific types of events:
  1. Open Event Viewer.
  2. In the console tree, click the log you want to search.
  3. From the View menu, click Find.
  4. Select the Event Types you want to find.
  5. In Event Source, Category, Event ID, User, Computer, or Description, specify additional information you want to find.
  6. Click Find Next.
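The Find dialog above filters one log interactively; the same criteria can be applied to a log you have exported as Comma Delimited (CSV) from the Save Log File As procedure, which is handy when you want to review events from several archived logs or from a machine you no longer have the console open to. The following Python script is an added example and is not code from the original article or from Microsoft. It assumes the CSV export has one event per line, no header row, and the column order Date, Time, Source, Type, Category, Event ID, User, Computer, Description; the sample export embedded in the script is constructed, and you should compare the column layout against one of your own exports before relying on the positions. The event IDs it uses (528 successful logon, 529 logon failure, 564 object deleted) are the standard Windows 2000 security log IDs.

```python
"""Filter an Event Viewer CSV export the way the Find dialog does.

Added example, not code from the original article. Assumes the
Comma Delimited (CSV) export has one event per line in the order
Date, Time, Source, Type, Category, Event ID, User, Computer, Description
and no header row (an assumption; verify against your own export).
"""
import csv
import io
from collections import Counter

# Constructed sample export in the assumed column layout (not real data).
SAMPLE_EXPORT = """\
1/15/2001,8:02:11 AM,Security,Success Audit,Logon/Logoff,528,DOMAIN\\alice,WS01,Successful Logon
1/15/2001,8:03:40 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\bob,WS02,Logon Failure: Unknown user name or bad password
1/15/2001,8:03:52 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\bob,WS02,Logon Failure: Unknown user name or bad password
1/15/2001,8:04:05 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\bob,WS02,Logon Failure: Unknown user name or bad password
1/15/2001,8:10:00 AM,Security,Success Audit,Object Access,564,DOMAIN\\carol,FS01,Object Deleted
1/15/2001,8:11:30 AM,Service Control Manager,Error,None,7000,N/A,FS01,The Spooler service failed to start
"""

COLUMNS = ("date", "time", "source", "type", "category",
           "event_id", "user", "computer", "description")


def parse_export(text):
    """Turn the CSV export into a list of dicts keyed by COLUMNS."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if len(fields) < 8:
            continue  # malformed line: skip it rather than guess at columns
        # The description is the last column; if it was not quoted and
        # contains commas, csv.reader will have split it, so rejoin the tail.
        head, desc = fields[:8], ",".join(fields[8:])
        rows.append(dict(zip(COLUMNS, head + [desc])))
    return rows


def find_events(rows, types=None, source=None, category=None,
                event_id=None, user=None, computer=None, description=None):
    """Mirror the Find dialog: every criterion given must match.

    types is a set of the Event Types check boxes (e.g. {"Failure Audit"});
    the text fields match case-insensitively, description as a substring.
    """
    def matches(r):
        if types and r["type"] not in types:
            return False
        if source and r["source"].lower() != source.lower():
            return False
        if category and r["category"].lower() != category.lower():
            return False
        if event_id is not None and r["event_id"] != str(event_id):
            return False
        if user and r["user"].lower() != user.lower():
            return False
        if computer and r["computer"].lower() != computer.lower():
            return False
        if description and description.lower() not in r["description"].lower():
            return False
        return True
    return [r for r in rows if matches(r)]


def failed_logons_by_user(rows, threshold=3):
    """Count event 529 (logon failure) per account and return the accounts
    at or above the threshold: the invalid-logon pattern the audit policy
    section of the article says you can track once auditing is on."""
    counts = Counter(r["user"] for r in rows if r["event_id"] == "529")
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for r in find_events(events, types={"Failure Audit"}):
        print(r["date"], r["time"], r["event_id"], r["user"], r["computer"])
    print("deleted objects:", [r["user"] for r in find_events(events, event_id=564)])
    print("repeated failed logons:", failed_logons_by_user(events))
```

The `find_events` call with `event_id=564` picks out object-deletion events, which is the export-side counterpart of the file and folder auditing set up in Figure E; `failed_logons_by_user` condenses the 529 entries into a per-account count so that a run of bad passwords stands out without scrolling the log.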

To select another computer:
  1. Click Start and select Run.
  2. Type mmc and click OK.
  3. Select Add/Remove Snap-in from the Console window.
  4. Click Add.
  5. Select Event Viewer and click Add.
  6. Choose the Another Computer option and enter the computer name.
  7. Click Finish, Close, and OK.

In summary
The Windows 2000 Event Viewer is a robust tool with endless possibilities for monitoring and troubleshooting your systems. This article introduced you to the three main logs that are managed with the Event Viewer and showed you how to customize various aspects of the Event Viewer. This should help you get started with effective monitoring and troubleshooting of your Windows 2000 systems.

Do you have tips for working with the Event Viewer?
How do you use the Event Viewer to monitor your systems? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.