Windows Logging Guide

This document provides an overview of Windows event logging and how to use the Windows Event Viewer application. It describes how Event Viewer can be accessed through different methods and interfaces. Key points covered include the different event logs displayed in Event Viewer, how to navigate, filter, and export log entries. Custom views can also be created to focus on specific event types or severity levels.

Uploaded by

Ciprian Martau

Windows Logging Guide for understanding, analyzing, and troubleshooting system logs

Windows Logging Basics


Logs are records of events that happen on your computer, generated either by a person or by a
running process. They let you reconstruct what happened and troubleshoot problems.
The Windows event log holds events from the operating system and from applications such as
SQL Server or Internet Information Services (IIS). Events are stored in a structured format (each
event is an XML record inside an .evtx file), which makes them easy to search, filter, and analyze
programmatically. Some applications also write plain text log files outside the event log; IIS
access logs are a common example.

Windows Event Logs


Windows Event Viewer displays the Windows event logs. Use this application to view
and navigate the logs, search and filter particular types of logs, export logs for analysis, and
more.
Starting Windows Event Viewer
Event Viewer can be opened in several ways:
1. Windows Control Panel
2. Server Manager
3. Windows Admin Center
4. Computer Management
5. Component Services
6. Command Prompt
Windows Control Panel
To access the Event Viewer:
1. Open Control Panel
2. Click Administrative Tools (called Windows Tools in Windows 11)
3. Double-click Event Viewer
Server Manager
The Server Manager console lets you manage settings on the local server and on remote
servers. To access Event Viewer from Server Manager:
1. Open Server Manager
2. Open Tools > Event Viewer

Windows Admin Center


Windows Admin Center is a browser-based application for managing servers, clusters,
desktop PCs, and other infrastructure components. To access Event Viewer from the Windows
Admin Center:
1. Open Windows Admin Center in a supported browser.
2. Click Events
Computer Management
The Computer Management console provides access to administrative tasks on a local or
remote server. To open Event Viewer from Computer Management:
1. Open Computer Management
2. Click Event Viewer
Windows Component Services
Another built-in application is the Component Services console, which is used to configure
DCOM and COM+ applications running on Windows. Event Viewer is accessible from Component
Services as well:
1. Open Component Services
2. Click Event Viewer

Command Prompt
Lastly, you can open Event Viewer directly from a command prompt. To do so:
1. Open a Command Prompt
2. Type eventvwr (or eventvwr.msc) and press Enter
The same command works from the Run dialog (Win+R) and from a PowerShell prompt.

Using the Windows Event Viewer Interface


Event Viewer has an intuitive user interface. The main screen is divided into three sections:
1. Navigation pane
2. Detail pane
3. Action pane
You can create Summary and Custom views.

Navigation Pane
The Navigation pane is where you choose the event log to view. By default, there are five
categories of Windows logs:
- Application – Information logged by applications hosted on the local machine.
- Security – Logon attempts (success and failure), privilege use, object access, and other
audited events. Only events enabled by the audit policy are written here, so an empty or
sparse Security log often means auditing is not configured rather than that nothing happened.
- Setup – Messages generated when installing and upgrading the Windows operating
system. If the Windows system is a domain controller, those messages are also logged
here.
- System – Messages generated by the Windows operating system and its drivers and services.
- Forwarded Events – Events forwarded by other computers when the local machine is
functioning as a central subscriber (Windows Event Forwarding).
There is also a section for Applications and Services Logs, including categories for
Hardware Events, Internet Explorer and Windows PowerShell events.
[Figure: Event Viewer Navigation pane]

Detail Pane
When Event Viewer is open, the Detail pane displays the Overview and Summary. We’ll
discuss the Summary Views later. Select an item from the Navigation pane to see a list of events.
Event entries are listed by default in chronological order with the latest events at the top.
Click on any column header to sort events by that field in ascending or descending order.
Clicking a second time in the same column head reverses the sort order. For example, click on
Level to sort by severity. A caret ^ symbol or reverse caret indicates the sort field and direction
of the sort.
Each event has a severity Level:
- Information messages indicate a successful action.
- Warning messages indicate an event occurred that might become a problem.
- Error messages indicate a significant problem occurred.
- Critical messages indicate a severe problem occurred.
- Audit Success is used only by the Security log and indicates that the audited operation
(for example, a logon) succeeded.
- Audit Failure is used only by the Security log and indicates that the audited operation
failed.

[Figure: Event Viewer Detail pane showing errors and warnings]


Click on an event to display the detailed information. In this example, we can see the highlighted
event’s source (TerminalServices-Printers) and the date and time it occurred. The General tab
shows more information: a printer driver needs to be installed.

[Figure: Event Viewer Detail pane General tab]

Open the Details tab to view the raw event data. You can switch between Friendly View and
XML View.
You can right-click on an event and select Copy > Copy Details as Text then paste the results
into a text editor. The system fields are listed, followed by the entire event as XML. For this
critical error, we can see the system had shut down unexpectedly.
Actions Pane
The Actions pane provides quick access to actions available for your current selections. The
Action pane is divided into two sections:
 Actions available for the selected Navigation pane log
 Actions available for the selected Detail pane event
In this example, we have selected the Application log and Event 9027, Desktop Window
Manager:

As you can see, there are a number of actions possible when a particular event log is active. For
example, click Filter Current Log to search for a particular event or group of events. The pop-up
window lets you specify query criteria: time range, level, event source, event IDs (including
ranges and exclusions such as 4624-4634,-4627), task category, keywords, user, and computer.
When you click OK, the filtered results are shown in the Detail pane. The dialog's XML tab shows
the XPath query that the form generates; tick Edit query manually to extend it with conditions the
form cannot express, such as a match on a specific field in the event data.
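The filter that the dialog builds can be reproduced from PowerShell, which matters when the same question has to be asked on many hosts. The following is an added example, not part of the original guide: it uses Get-WinEvent with a filter hashtable equivalent to selecting the Security log, Event IDs 4625 and 4740 and "Last 24 hours", then pulls the account, source address and failure reason out of the event XML rather than string-matching the rendered message. It assumes an elevated prompt (or membership in the Event Log Readers group) and that logon-failure auditing is enabled; the CSV file name is a choice.

```powershell
# Added example (not from the original guide): the query that
# "Filter Current Log" builds in the GUI, run from PowerShell.
# Assumptions: elevated prompt or Event Log Readers membership, and
# logon-failure auditing enabled (it is by default on most editions).

# Equivalent of: Security log, Event IDs 4625 (logon failure) and
# 4740 (account locked out), "Logged: Last 24 hours".
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4740
    StartTime = (Get-Date).AddHours(-24)
}

# Get-WinEvent throws a terminating error when nothing matches, which is a
# normal outcome on a quiet host, so suppress it and handle an empty result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# The useful fields live in EventData, not in the Message text. Reading them
# from the event XML is robust across locales and message-template changes.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) {
        if ($n.Name) { $d[$n.Name] = $n.'#text' }
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        Source    = $d['IpAddress']        # empty for 4740, which has no address field
        LogonType = $d['LogonType']        # 2 interactive, 3 network, 10 RDP
        Status    = $d['SubStatus']        # 0xC000006A bad password, 0xC0000064 no such user
    }
}

# Summarize the way you would eyeball the GUI list: who, from where, how often.
# A single source hammering many accounts (spraying) stands out immediately.
$rows | Group-Object -Property Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw rows for a ticket or for correlation elsewhere (file name assumed).
$rows | Export-Csv -Path .\failed-logons.csv -NoTypeInformation
```

Run it as a scheduled task on each member server and the CSVs give you the same picture the filter dialog gives on one machine, without opening a console on each.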
Clearing Large Logs
The Clear Log action deletes every event stored in the selected log, so use it only after the
events have been exported or are known to be unneeded. Two points matter for security work.
Clearing is itself audited: event ID 1102 in the Security log (for the Security log) and event ID
104 in the System log (for other logs) record which account cleared the log and when. An
unexpectedly cleared log is a classic sign of an intruder covering tracks, and investigators look
for exactly those two IDs. A log that keeps filling up is usually better handled by raising its
maximum size or retention (right-click the log > Properties, or wevtutil sl <log> /ms:<bytes>)
than by clearing it. To check the size of your log files, select Windows Logs or Applications and
Services Logs in the Navigation pane; the Number of Events and Size columns are shown in the
Detail pane.
Exporting Events
Click Save All Events As (all events in the current log), Save All Events in Custom View As
(all events matching a custom view), or Save Selected Events (only the highlighted ones) to
export events to an event file. The event file has an EVTX extension and preserves the original
XML of each event, so nothing is lost in the export. If the file will be opened on another
computer, accept the prompt to include display information; otherwise events from providers
that are not installed there show no message text.
Where would you use such functionality? Suppose you want to send your system's health status
to a third-party vendor: you can provide them with an exported event file. Or you can archive
your logs before clearing them, or send your saved logs to a centralized backup medium. Saving
event logs to an event file comes in handy. To read an exported file later, click Open Saved Log
in the Action pane and navigate to the file's location; it appears under Saved Logs in the
Navigation pane and can be filtered like any live log.
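The archive-before-clear routine described above, as an added example in PowerShell (not from the original guide): it reads the same sizes the Detail pane shows, exports a filtered EVTX with wevtutil, verifies the export can be read back the way Open Saved Log would, and only then clears the log with a full backup, finishing with a check that the clear was audited. D:\EventArchive is an assumed path; run it from an elevated prompt.

```powershell
# Added example (not from the original guide): archive-then-clear housekeeping
# from an elevated PowerShell prompt. D:\EventArchive is an assumed, writable path.

$archive = 'D:\EventArchive'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Size check: the scripted version of selecting "Windows Logs" in the
#    Navigation pane and reading Number of Events / Size in the Detail pane.
Get-WinEvent -ListLog Application, Security, System, ForwardedEvents |
    Select-Object LogName, RecordCount,
        @{n='SizeMB';    e={ [math]::Round($_.FileSize / 1MB, 1) }},
        @{n='MaxSizeMB'; e={ [math]::Round($_.MaximumSizeInBytes / 1MB, 1) }},
        LogMode |
    Format-Table -AutoSize

# 2. "Save All Events As" for the Security log, in .evtx so the file can be
#    re-opened with "Open Saved Log" or read with Get-WinEvent -Path.
#    wevtutil epl = export-log; /q: takes the same XPath the filter dialog
#    shows on its XML tab. Here: logon successes and failures only.
$export = Join-Path $archive "Security-logons-$stamp.evtx"
wevtutil epl Security $export "/q:*[System[(EventID=4624 or EventID=4625)]]"

# 3. Prove the export is readable before touching the live log.
$count = (Get-WinEvent -Path $export -ErrorAction SilentlyContinue | Measure-Object).Count
"Exported $count logon events to $export"
if ($count -eq 0) { throw "Export is empty or unreadable; not clearing the live log." }

# 4. Clear the log only together with a FULL backup (not just the filtered
#    export). /bu: writes the complete log to the backup file and then clears
#    it in one operation, so there is no window in which events are lost.
$backup = Join-Path $archive "Security-full-$stamp.evtx"
wevtutil cl Security "/bu:$backup"

# 5. Clearing is itself audited. Event 1102 in the Security log records who
#    cleared it and when; confirm it is the first event in the fresh log.
#    Its absence, or its presence when nobody scheduled housekeeping, is what
#    an investigator looks for.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 |
    Select-Object TimeCreated, Id, Message
```

If the real problem is a log that fills faster than you archive it, replace step 4 with a larger maximum size (wevtutil sl Security /ms:1073741824 for 1 GB) and let the circular log roll over; clearing should be the exception, not the routine.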

Custom Views
Event Viewer lets you create custom views: saved filters that appear under Custom Views in the
Navigation pane. A custom view gives quick access to the events you are interested in, whether
by event type, severity level, or source, and unlike Filter Current Log it can span several logs at
once (the built-in Administrative Events view collects every Critical, Error, and Warning event
from all logs). Views can be exported and imported as XML from the Action pane, which is the
easiest way to share a triage view across machines.
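Behind every custom view is an XML QueryList, the same text the XML tab of Create Custom View shows when Edit query manually is ticked. As an added example (not part of the original guide), here is one such query run from PowerShell with Get-WinEvent -FilterXml; pasting the QueryList into that tab creates the equivalent saved view in the GUI. It spans two logs and adds a field-level condition on the event data, which only the XML form supports. The 7-day window and the suppressed account are assumptions; the event IDs are the standard Windows ones.

```powershell
# Added example (not from the original guide): the QueryList XML behind a
# custom view, run from an elevated PowerShell prompt.
#
# Security/Select : privilege assignment (4672) and explicit-credential logons
#                   (4648), the "elevated privileges" events mentioned for the
#                   Security log. timediff(@SystemTime) <= 604800000 ms is how
#                   the GUI expresses "Logged: Last 7 days" (an assumed window).
# Security/Suppress: a field-level exclusion only the XML tab can express;
#                   drops the noise generated by the local SYSTEM account.
# System/Select   : event log service start/stop (6005/6006) and "log was
#                   cleared" (104), so log tampering shows up in the same view.
$query = [xml]@'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4672 or EventID=4648) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name='SubjectUserName']='SYSTEM']]</Suppress>
    <Select Path="System">*[System[(EventID=104 or EventID=6005 or EventID=6006)]]</Select>
  </Query>
</QueryList>
'@

$events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue

# Same columns the Detail pane shows, plus the account from EventData so the
# list is readable without opening each event. Security events report
# "Audit Success"/"Audit Failure" via Keywords rather than Level.
$events | ForEach-Object {
    $x    = [xml]$_.ToXml()
    $user = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
    [pscustomobject]@{
        Level       = $_.LevelDisplayName
        Keywords    = ($_.KeywordsDisplayNames -join ', ')
        TimeCreated = $_.TimeCreated
        Log         = $_.LogName
        Id          = $_.Id
        Account     = $user          # empty for the System log events
        Task        = $_.TaskDisplayName
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The XML is the portable form of the view: keep it in version control next to your detection rules, and import it on a new host instead of rebuilding the filter by hand.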
