Event Viewer
Encyclopedia
Event Viewer, a component of Microsoft
's Windows NT
line of operating system
s, lets administrators and users view the event logs
on a local or remote machine. In Windows Vista
, Microsoft overhauled the event system.
s and operating system components can make use of this centralized log service to report events that have taken place, such as a failure to start a component or complete an action. The system defines three log sources: System, Application and Security.
Microsoft intends the System and Application log sources for use by the Windows operating system and Windows applications respectively. Only the Local Security Authority Subsystem Service
(lsass.exe) can directly write to the Security log
.
The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user's authentication
fails, the system may generate Event ID 672.
Windows NT 4.0
added support for defining "event sources" (i.e. the application which created the event) and performing backups of logs.
Windows 2000
added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log files. Windows 2000 also replaced NT4's Event Viewer with a Microsoft Management Console
(MMC) snap-in.
Windows Server 2003
added the
Versions of Windows based on the Windows NT 6.0 kernel (Windows Vista
and Windows Server 2008) no longer have a 300-megabyte limit to their total size. Prior to NT 6.0, the on-disk files were opened as memory-mapped file
s in kernel memory space, which used the same memory pools as other kernel components.
log-format and a designated log type to allow applications to more precisely log events and to help make it easier for support technicians and developers to interpret the events. The XML representation of the event can be viewed on the Details tab in an event's properties. It is also possible to view all potential events, their structures, registered event publishers and their configuration using the wevtutil utility, even before the events are fired. There are a large number of different types of event logs including Administrative, Operational, Analytic, and Debug log types. Selecting the Application Logs node in the Scope pane reveals numerous new subcategorized event logs, including many labeled as diagnostic logs. Analytic and Debug events which are high frequency are directly saved into a trace file while Admin and Operational events are infrequent enough to allow additional processing without affecting system performance, so they are delivered to the Event Log service. Events are published asynchronously to reduce the performance impact on the event publishing application. Event attributes are also much more detailed and show EventID, Level, Task, Opcode, and Keywords properties.
Users can filter event logs by one or more criteria or by a limited XPath 1.0 expression, and custom views can be created for one or more events. Using XPath as the query language allows viewing logs related only to a certain subsystem or an issue with only a certain component, archiving select events and sending traces on the fly to support technicians.
Here are examples of simple custom filters for the new Window Event Log:
Caveats:
2.0. The Event Collector service can automatically forward event logs to other remote systems, running Windows Vista
, Windows Server 2008 or Windows Server 2003 R2 on a configurable schedule. Event logs can also be remotely viewed from other computers or multiple event logs can be centrally logged and monitored agentlessly and managed from a single computer. Events can also be directly associated with tasks, which run in the redesigned Task Scheduler
and trigger automated actions when particular events take place.
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
's Windows NT
Windows NT
Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix. It was intended to complement...
line of operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s, lets administrators and users view the event logs
Computer data logging
Computer data logging is the process of recording events, with an automated computer program, in a certain scope in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems....
on a local or remote machine. In Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
, Microsoft overhauled the event system.
Overview
Windows NT has featured event logs since its release in 1993. ApplicationApplication software
Application software, also known as an application or an "app", is computer software designed to help the user to perform specific tasks. Examples include enterprise software, accounting software, office suites, graphics software and media players. Many application programs deal principally with...
s and operating system components can make use of this centralized log service to report events that have taken place, such as a failure to start a component or complete an action. The system defines three log sources: System, Application and Security.
Microsoft intends the System and Application log sources for use by the Windows operating system and Windows applications respectively. Only the Local Security Authority Subsystem Service
Local Security Authority Subsystem Service
Local Security Authority Subsystem Service , is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens...
(lsass.exe) can directly write to the Security log
Windows Security Log
The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity or other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log. The Security Log is...
.
The Event Viewer uses event IDs to define the uniquely identifiable events that a Windows computer can encounter. For example, when a user's authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
fails, the system may generate Event ID 672.
Windows NT 4.0
Windows NT 4.0
Windows NT 4.0 is a preemptive, graphical and business-oriented operating system designed to work with either uniprocessor or symmetric multi-processor computers. It was the next release of Microsoft's Windows NT line of operating systems and was released to manufacturing on 31 July 1996...
added support for defining "event sources" (i.e. the application which created the event) and performing backups of logs.
Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log files. Windows 2000 also replaced NT4's Event Viewer with a Microsoft Management Console
Microsoft Management Console
Microsoft Management Console is a component of Windows 2000 and its successors that provides system administrators and advanced users an interface for configuring and monitoring the system.- Snap-ins and consoles :...
(MMC) snap-in.
Windows Server 2003
Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
added the
AuthzInstallSecurityEventSource API calls so that applications could register with the security event logs, and write security audit entries.Versions of Windows based on the Windows NT 6.0 kernel (Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and Windows Server 2008) no longer have a 300-megabyte limit to their total size. Prior to NT 6.0, the on-disk files were opened as memory-mapped file
Memory-mapped file
A memory-mapped file is a segment of virtual memory which has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource. This resource is typically a file that is physically present on-disk, but can also be a device, shared memory object, or other resource...
s in kernel memory space, which used the same memory pools as other kernel components.
Windows XP (commandline)
Windows XP provides a set of three commandline tools, useful to task automation:- eventquery.vbs - Official script to query, filter and output results based on the event logs. Discontinued after XP.
- eventcreate - a command (continued in Vista and Seven) to put custom events in the logs.
- eventtriggers - a command to create event driven tasks. Discontinued after XP, replaced by the "Attach task to this event" feature.
Windows Vista
Event Viewer consists of a rewritten event tracing and logging architecture on Windows Vista. It has been rewritten around a structured XMLXML
Extensible Markup Language is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications, all gratis open standards....
log-format and a designated log type to allow applications to more precisely log events and to help make it easier for support technicians and developers to interpret the events. The XML representation of the event can be viewed on the Details tab in an event's properties. It is also possible to view all potential events, their structures, registered event publishers and their configuration using the wevtutil utility, even before the events are fired. There are a large number of different types of event logs including Administrative, Operational, Analytic, and Debug log types. Selecting the Application Logs node in the Scope pane reveals numerous new subcategorized event logs, including many labeled as diagnostic logs. Analytic and Debug events which are high frequency are directly saved into a trace file while Admin and Operational events are infrequent enough to allow additional processing without affecting system performance, so they are delivered to the Event Log service. Events are published asynchronously to reduce the performance impact on the event publishing application. Event attributes are also much more detailed and show EventID, Level, Task, Opcode, and Keywords properties.
Users can filter event logs by one or more criteria or by a limited XPath 1.0 expression, and custom views can be created for one or more events. Using XPath as the query language allows viewing logs related only to a certain subsystem or an issue with only a certain component, archiving select events and sending traces on the fly to support technicians.
Filtering using XPath 1.0
- Open Windows Event Log
- Expand out Windows Logs
- Select the log file that is of interest to you (In the example below, we use the Security event log)
- Right-click on the Event Log and select Filter Current Log...
- Change the selected tab from Filter to XML
- Check the box to Edit query manually'
- Paste your query into the text box. You will find sample queries below.
Here are examples of simple custom filters for the new Window Event Log:
-
- Select all events in the Security Event Log where the account name involved (TargetUserName) is "JUser"
-
- Select all events in the Security Event Log where any Data node of the EventData section is the string "JUser"
-
- Select all events in the Security Event Log where any Data node of the EventData section is "JUser" or "JDoe"
-
- Select all events in the Security Event Log where any Data node of the EventData section is "JUser" and the Event ID is "4471"
-
- Real world example for a package called Goldmine which has two @Names
- Select all events in the Security Event Log where the account name involved (TargetUserName) is "JUser"
Caveats:
- There are limitations to Microsoft's implementation of Xpath
- Querries using Xpath string functions will result in error
Event subscribers
Major event subscribers include the Event Collector service and Task SchedulerTask Scheduler
Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals. It was first introduced in the Windows 95 Plus! pack as System Agent but was renamed to Task Scheduler in Windows 98...
2.0. The Event Collector service can automatically forward event logs to other remote systems, running Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
, Windows Server 2008 or Windows Server 2003 R2 on a configurable schedule. Event logs can also be remotely viewed from other computers or multiple event logs can be centrally logged and monitored agentlessly and managed from a single computer. Events can also be directly associated with tasks, which run in the redesigned Task Scheduler
Task Scheduler
Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals. It was first introduced in the Windows 95 Plus! pack as System Agent but was renamed to Task Scheduler in Windows 98...
and trigger automated actions when particular events take place.
External links
- Windows Eventlog Viewer Free tool that can be run on Windows, Linux or Mac OS-X
- Event Logging — Developer documentation for event logging (NT 3.1 through XP)
- Windows Event Log — Developer documentation for the new event log system in Windows VistaWindows VistaWindows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
- A database of Windows event log entries — Contains several thousands Windows event log entries along with troubleshooting suggestions for each of them
- Windows 2000 Security Event Descriptions (Part 1 of 2)
- Windows 2000 Security Event Descriptions (Part 2 of 2)
- Windows Server 2003 Security - Threats and Countermeasures - Chapter 6: Event Log from Microsoft TechNet
- Events and Errors on Microsoft TechNet
- Trap to event log with eventcreate