Using the Windows Server 2003 Computer Management Console Event Viewer snap-in

Windows Server 2003 admins can benefit from using the various snap-ins included with the Computer Management Console. This tip offers a more detailed introduction to one of these snap-ins: Event Viewer. (To access the Computer Management Console in Windows Server 2003, right-click the My Computer icon on the Start menu, then left-click Manage.)

Event Viewer displays items logged by the system when actions happen within a Windows Server 2003 system. You can access the tool from the Run dialog by entering eventvwr and clicking OK.

By default, the events logged are captured in one of these log files:

  • System: Shows Windows system events.
  • Application: Shows events recorded by applications that are installed on the system.
  • Security: Contains records of logon/logoff actions and privilege use.

(Other applications -- which include later versions of Microsoft Office and Internet Explorer, Microsoft Active Directory, and File Replication Services -- may create their own logs, which will appear in the event log.)

Each of the logs included in Event Viewer by default allows you to quickly view actions taking place on a system. For example, the starting and stopping of services are recorded as informational entries in the System log.

The System and Application logs also record warning events and critical events. Warning events flag conditions that are not immediate problems but could cause more serious issues if left unchecked. Critical events occur when a component or application raises an error while performing a task. An example of a critical event within the Directory Services log might be an error that occurs when the Domain Controllers in your Active Directory environment cannot replicate directory service information with each other. While this error can be caused by several things, including network outages or problems with DNS, it is classified as critical because it becomes a significant point of possible failure in your environment.

Backing up, clearing, and altering the size of event logs

You can also use Event Viewer to back up and clear the event logs. You may want to do this if a given log has reached its maximum size limit.

To clear a log of all the events it currently holds, follow these steps:

  1. In the left pane of the Computer Management Console, right-click the event log you want to clear and select Clear Log.
  2. Windows Server 2003 will ask you if you want to save the contents of the file before clearing it. Click Yes and then choose a location to save the contents of the log.
  3. Click Save. This will back up the contents of that log and clear it.

Follow these steps to change the size of a log:

  1. Right-click the log file object for which you wish to adjust the size and select Properties.
  2. Enter the new file size in the Maximum Size box (the default is 512 KB), then click OK.

Maintaining log files automatically

When the log files are created, they are assigned a default size of 512 KB. This size is usually easy to manage; however, if the system is accessed frequently and processes many logons, the Security log may become full more often than you like. If this happens, the PC will prevent logons by anyone who is not a member of the administrators group. (This is typically not an issue on a server system, but I'm using it as an example of an event that can occur that will fill the log file.)

To remedy full log files, you can assign one of the following actions to each log file:

  • Overwrite events as needed (overwrite the oldest events first)
  • Overwrite events older than xx days
  • Do not overwrite events (clear logs manually)

If you assign either of the first two options, the logs will manage their own disk space without manual clearing.

Note: It's important to review log files on a regular basis to ensure that your Windows Server 2003 systems are functioning properly. The log archiving option will allow you to review the log files, while keeping the active logs manageable with little intervention.
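The backup, clear, size and retention steps described above can also be scripted. The following is an added example, not part of the original tip; it assumes an elevated PowerShell 2.0 or later session on the server, and the archive directory and default values are hypothetical.

```powershell
# Added example: archive, clear and configure one event log from the shell.
# Assumes an elevated PowerShell 2.0+ session; $ArchiveDir is a hypothetical path.
param(
    [string]$LogName    = 'Application',
    [string]$ArchiveDir = 'D:\LogArchive',   # hypothetical archive location
    [int]   $MaxSizeKB  = 16384,             # must be a multiple of 64 KB
    [int]   $RetainDays = 7
)

if (-not (Test-Path $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

# -EnableAllPrivileges turns on the backup/security privileges WMI needs,
# which matters most when $LogName is 'Security'.
$log = Get-WmiObject -Class Win32_NTEventlogFile -EnableAllPrivileges `
                     -Filter "LogfileName='$LogName'"
if (-not $log) { throw "Event log '$LogName' not found." }

# BackupEventlog refuses to overwrite an existing file, so use a timestamped name.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $ArchiveDir ("{0}-{1}-{2}.evt" -f $env:COMPUTERNAME, $LogName, $stamp)

$backup = $log.BackupEventlog($archive)
if ($backup.ReturnValue -ne 0) {
    throw "Backup of '$LogName' failed (WMI return value $($backup.ReturnValue)); log not cleared."
}

# Clear only after the archive is confirmed on disk, so no events are lost.
if (-not (Test-Path $archive)) { throw "Archive $archive is missing; log not cleared." }
$clear = $log.ClearEventlog()
if ($clear.ReturnValue -ne 0) {
    throw "Clearing '$LogName' failed (WMI return value $($clear.ReturnValue))."
}

# Same settings as the log's Properties dialog: maximum size and
# "Overwrite events older than N days".
Limit-EventLog -LogName $LogName -MaximumSize ($MaxSizeKB * 1KB) `
               -OverflowAction OverwriteOlder -RetentionDays $RetainDays

# Show the resulting configuration for verification.
Get-EventLog -List | Where-Object { $_.Log -eq $LogName } |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays
```

Run on a schedule, this keeps a dated archive of each log for later review while the active log stays within its size limit.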

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

5 comments
pravinsangwan

Hi guys, could you please help me understand what's the basic difference between the two options below:
-> Overwrite events as needed (overwrite the oldest events first)
-> Overwrite events older than xx days
Thanks. The reason I am posting this query is that it might look like a simple difference, but what it says doesn't happen on server events. Hence, if anybody could suggest something on this, it would be great.

Piyush.Agrawal

To set console file options: From the Console menu, select Options.
1. Change the Console Mode by selecting User Mode - limited access, single window from the drop-down dialog box. This will prevent a user from adding new snap-ins to the console file or rearranging the windows.
2. You can change the name from Console1. Click OK to continue.
3. Save the console file. The changes will not take effect until the console file is opened again.
Piyush
Lepide.com

david_scott

That's a good question, actually. I thought maybe it was an R2 feature only, but it isn't an option on that either.

najeebuddin

I don't see any option in 2003 Server for automatic archiving of Event Viewer logs. The options I see for log management are:
1. Overwrite events as needed
2. Overwrite events older than xx days
3. Do not overwrite events (clear logs manually)
So where does this option come from, as mentioned in the blog: "Archive log when full (do not overwrite events)"? I would like to know this. Am I missing something?

Leee

It's been fixed. Thanks for bringing it to our attention.