7 ways to save time with event viewer

When you first open Event Viewer you can save time by starting your investigation with the Summary of Administrative Events panel. It will immediately show you what types of events have been logged over some specific time frames: Last Hour, 24 Hours, and 7 Days.

Image created by Greg Shultz for TechRepublic.

When you expand a branch in the summary, you’ll see that the events come from all of the applicable event logs. To get more details about a particular event, just double-click it.

Image created by Greg Shultz for TechRepublic.

Event Viewer does such a good job at logging events, that the number of items in its logs can be staggering. You can save yourself time by creating filters.

For example, suppose that you’re troubleshooting a Kerberos problem and want to see all events in the System event log related to the Time Service for the last week.  Select the System log in the Tree panel and select Filter Current Log in the Action panel. When you see the Filter Current Log dialog box, select Last 7 days from the Logged drop down, select the check boxes for Event Levels of Critical, Error and Warning, and from the Event Sources drop down select Time Service. Then, click OK.

Image created by Greg Shultz for TechRepublic.

When you are using a Filter, you’ll only see those events in the chosen event log.

Image created by Greg Shultz for TechRepublic.

Filters will remain active until you click Clear Filter or exit Event Viewer. If the filter will be useful over a longer period, you can save yourself time by turning the Filter into a Custom View.

While the Filter is active, select Save Filter to Custom View in the Action panel. When you see the Save Filter to Custom View dialog box, just give it a name and description and click OK.

Image created by Greg Shultz for TechRepublic.

You can now find the new view in the Custom Views branch in the Tree panel.

Image created by Greg Shultz for TechRepublic.

Filters and Custom Views are great features, but they are designed for discovering an event after it has already happened. If you want to know exactly when an event occurs, you can save yourself time by attaching a task to an event.

While the Filter or Custom View is active, select the Attach Task To This Event in the Action panel. When you see the Create Basic Task Wizard dialog box, just give it a name and description and click Next.

Image created by Greg Shultz for TechRepublic.

You can choose to Start a program, Send an email or Display a message. When you finish the wizard, Event Viewer creates a scheduled Task in Task Scheduler that will run whenever the event occurs.

Image created by Greg Shultz for TechRepublic.

If there is another computer on your network that you want to investigate, you can save yourself time by using Event Viewer’s remote connection feature.

To begin, right click on the Event Viewer (Local) in the Tree panel and select Connect to another computer. When you see the Select Computer dialog box, type or Browse for name of the computer, and click OK.

Image created by Greg Shultz for TechRepublic.

When you are connected, you can use any of your Filters or Custom Views to view events on the remote computer.

Image created by Greg Shultz for TechRepublic.

If there are multiple computers on your network that you want to gather information from, you can save yourself time by using Event Viewer’s Subscription feature.

To begin, right click on Subscriptions in the Tree panel and select Create Subscription. When you do, you may be prompted to start the Windows Event Collector service.

Image created by Greg Shultz for TechRepublic.

When you see the Subscription Properties dialog box, enter a name and description and then click the Select Computers button and use the controls in the Computers dialog box to choose the computers you want. Then, click the Select Events button/drop down, choose the Copy from existing Custom View command and choose your view from the Open Custom Views dialog box. Click OK in the Subscription Properties dialog box to complete the operation.

Image created by Greg Shultz for TechRepublic.

As soon as you create a Subscription, Event Viewer will automatically collect information from those computers on the network. To see the event subscription, select the Forwarded Events log. Keep in mind that the Windows Remote Management and Windows Event Collector services must also be running on the remote computers. For specific details, see the Event Viewer Help system.

Image created by Greg Shultz for TechRepublic.

Even with Filters and Custom Views to help you sift through an event log, there can be so much old data in a log that it gets cumbersome. You can save yourself time by using Event Viewer’s Save and Clear feature.

To do so, select Clear Log in the Action panel. When you see the Event Viewer dialog box, click the Save and Clear button. In the Save As dialog box, enter a descriptive name and select any one of the available file types.

Image created by Greg Shultz for TechRepublic.