In a system administrator's daily work there is often a need to research the causes of problems that users report. Windows offers a few tools that can make an admin's life easier and enable quick and efficient problem solving. For problems caused by high hardware utilization, Windows Performance Monitor, described in one of the previous articles, can be helpful. But in many cases Performance Monitor cannot help, because the cause of the problem lies deeper in the system. That is where Windows Event Viewer comes in, a tool that can help you solve many problems related to Windows, its services and its applications. In this article I will give a brief description of using and managing this tool.
Event logs are available through the Server Manager window. To open it, go to Start, right-click Computer and then Manage. The Server Manager window opens:
Sub-trees with events appear, which you can choose to view and research to find the cause of problems. There are four sub-trees: Custom Views, Windows Logs, Applications and Services Logs, and Subscriptions. When you expand one, you get the log files with the events you have chosen. Which sub-tree you choose depends on the problem you are researching.
Custom Views are created by system administrators to separate some important events from the others. Usually these events are generated by one of the server roles installed on your Windows Server 2008. So if the problem you are trying to solve is related to one of the server roles of your Windows Server 2008, the event logs related to that role can be found in the Custom Views sub-tree, for example events generated by Network Policy and Access Server. You can create custom views for your installed roles, and that is good practice in administering your Windows Server 2008 roles.
Windows Logs contain events generated by your Windows Server 2008 system itself. When you expand this sub-tree you see Application, Security, Setup, System and Forwarded Events. All these types of events are generated by Windows, and researching them can help you solve problems with the system's functioning. To view events, click the group you want to view. In most cases the events you should look at are the System events; to view them, click System. All system events of your server appear in the right pane:
In the event list you can see columns that give you information about each event: severity (level), date and time of the event, the source of the event, which shows what service generated it, the event ID, and the task category assigned by the event. You can sort events by the information in the columns: click a column name and the list is sorted by that column. Double-clicking an event opens a window with detailed information about it, which can help you determine whether that event is the cause of the problem you are researching. One of the most important pieces of information about an event is its event ID, by which you can do internet research for a solution.
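As an added example (not part of the original article), the following PowerShell script does the same filtering and sorting that the Event Viewer columns allow, but from the command line: it pulls Critical, Error and Warning events from the System log for the last 24 hours, groups them by source and event ID so the IDs worth researching surface first, and prints the details of the most recent one. It assumes PowerShell 2.0 or later with the Get-WinEvent cmdlet (standard on Windows Server 2008 R2; on Server 2008 it requires PowerShell 2.0 to be installed) and an elevated prompt.

```powershell
# Added example: command-line counterpart of the Event Viewer column view.
# Assumes PowerShell 2.0+ (Get-WinEvent). Run in an elevated prompt.

# Level 1 = Critical, 2 = Error, 3 = Warning (4 = Information, 5 = Verbose)
$filter = @{
    LogName   = 'System'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddHours(-24)
}

# Get-WinEvent raises an error when nothing matches, so silence it and test the result
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host 'No Critical/Error/Warning events in the System log in the last 24 hours.'
    return
}

# Same information as the Event Viewer columns: Level, Date and Time, Source, Event ID, Task Category
$events |
    Select-Object LevelDisplayName, TimeCreated, ProviderName, Id, TaskDisplayName |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize

# Group by source and event ID; the noisiest ID is usually the first one to look up
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# "Double-click" equivalent: full details of the most recent event in the list
$events[0] | Format-List TimeCreated, ProviderName, Id, LevelDisplayName, Message
```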
The third log group is Applications and Services Logs, which contains events generated by installed applications and their services. These events can help you with problem solving if you suspect that some application is the cause of the problem, or if you want to examine how your application is functioning.
The next sub-tree is Subscriptions. By expanding it, events from other computers can be viewed. To collect events from other computers you need to create a subscription, after which collection of events from those computers starts.
In the way described, event logs from the system and applications can be viewed. By default, events are stored in files in the system folder %SystemRoot%\System32\Winevt\Logs. There are rules that define how logs are collected: the size of the log files, where on the computer's hard disk they are stored, and so on. It is possible to define and change these rules. To do that, right-click a group of events and choose Properties. For example, let's say we want to change the size and storage location of the Windows System log. To do that, right-click System under Windows Logs and choose Properties. The next window appears:
The Log Properties – System window shows information about the log file: path, size, and the dates of creation, modification and last access. Here you can change settings for the log file. If you want to change the path where the file is saved, enter the directory path where you want to save it in the path field. It is also possible to change the size of the log file: enter the size in KB in the Maximum log size (KB) field. The behavior of the log file when the maximum size is reached can also be defined: old events can be overwritten, archived, or cleared manually. To choose the appropriate option, click it in the window. Once you have a log file saved, you can read it whenever you want. To choose a log file for reading, right-click a log type (Windows Logs, System, Application, etc.) and choose Open Saved Log.
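The same settings from the Log Properties dialog can be applied and verified from the command line, which is useful when you have to keep many servers consistent. This is an added example, not from the original article: it uses wevtutil (built into Windows Server 2008) to raise the System log's maximum size, switch it to archive-when-full rather than overwrite, move the log file out of %SystemRoot%\System32\Winevt\Logs, then exports a copy and reads it back the way Open Saved Log does. It assumes PowerShell 2.0 or later for Get-WinEvent, an elevated prompt, and C:\EventLogArchive is a constructed path.

```powershell
# Added example: Log Properties settings applied with wevtutil and checked with Get-WinEvent.
# Assumes wevtutil (built into Windows Server 2008), PowerShell 2.0+, elevated prompt.
# C:\EventLogArchive is a constructed path; choose a volume with room for archives.

$log = 'System'

# Current configuration: maxSize (bytes), retention, autoBackup, logFileName
wevtutil gl $log

# Raise the maximum size to 64 MB. The dialog takes KB, wevtutil takes bytes.
# A log that is too small overwrites the events you need before anyone reads them.
$maxBytes = 64MB
wevtutil sl $log "/ms:$maxBytes"

# "Archive the log when full, do not overwrite events" = retention on + autobackup on.
# (/rt:false corresponds to "Overwrite events as needed".)
wevtutil sl $log /rt:true /ab:true

# Move the log file to another location (takes effect for new writes; restarting the
# Windows Event Log service afterwards makes sure the new path is in use).
New-Item -ItemType Directory -Path 'C:\EventLogArchive' -Force | Out-Null
wevtutil sl $log "/lfn:C:\EventLogArchive\$log.evtx"

# Verify the new settings as PowerShell sees them
Get-WinEvent -ListLog $log |
    Format-List LogName, LogFilePath, MaximumSizeInBytes, LogMode, RecordCount

# Export a copy of the log (export fails if the target file already exists,
# so stamp the name with the date) and read it back, as Open Saved Log does.
$saved = "C:\EventLogArchive\$log-$(Get-Date -Format yyyyMMdd).evtx"
wevtutil epl $log $saved
Get-WinEvent -Path $saved -MaxEvents 5 |
    Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize
```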
This article was a short description of Windows Event Viewer. System administrators of Windows systems often use it for problem solving and research, and this tool has proved to be one of the most powerful tools for solving Windows system problems. I hope it will help you keep track of what is going wrong on your system.