Use the Event Viewer

Introduction

Careful monitoring of event logs located in the Event Viewer of Windows 2000 and Windows XP can help you predict and identify the sources of system problems. The EventLog service starts automatically when you start Windows 2000 or Windows XP.

Three types of logs are recorded: Application, System, and Security. All users can view Application and System logs; only administrators can access Security logs.

Application log
The Application log contains events logged by applications or programs. For example, a database program might record a file error in the Application log. The program developer decides which events to record.
System log
The System log contains events logged by the Windows 2000 system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by Windows 2000.
Security log
The Security log can record security events such as valid and invalid logon attempts as well as events related to resource use such as creating, opening, or deleting files. An administrator can specify what events are recorded in the Security log.

The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event.

The Event Viewer records five types of events:

Error
A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error will be logged.
Warning
An event that is not necessarily significant but may indicate a possible future problem. For example, when disk space is low, a Warning will be logged.
Information
An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.
Success Audit
An audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event.
Failure Audit
An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.

For more detailed information about using the Event Viewer, see Microsoft's Event Viewer documentation page (www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/event_overview.htm?id=4022).

Procedure

  1. Searching for Specific Types of Events

    1. Open Event Viewer. In Windows XP, click the Start menu button, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Event Viewer. In Windows 2000, click the Start menu button, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.
       
    2. In the console tree in the left-hand pane, click the log you want to search.
       
    3. Select the View menu, and click Find.
       
    4. In the Event types section, click the types of events you want to find.
       
    5. In the Event source, Category, Event ID, User, Computer, or Description boxes, specify additional information specific to the event or events you want to find.
       
    6. Click Find Next.
       
    7. Tips
      • In the Description box, you can type any text that matches a portion of an event record description. For more information about the other fields, right-click the name of the field, and click What's This?.
      • To restore the default search criteria, click Restore Defaults before clicking Find Next.
      • Your search parameters remain in Find throughout the current session. The default settings are restored the next time you start Event Viewer.
      • If you are looking for groups of events instead of a small number of individual events, you can also filter the log.
         
  2. Filtering Events in an Event Log

    1. Open Event Viewer. In Windows XP, click the Start menu button, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Event Viewer. In Windows 2000, click the Start menu, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.
       
    2. In the console tree in the left-hand pane, click the log you want to filter.
       
    3. Select the View menu, and click Filter.
       
    4. On the Filter tab, in the Event types section, click the types of events you want to filter by.
       
    5. In the Event source, Category, Event ID, User, Computer, or Description boxes, specify additional information specific to the event or events you want to filter by.
       
    6. Tips
      • To return to the default criteria, click Restore Defaults.
      • To turn off event filtering, select the View menu, and click All Records.
         
  3. Specifying a Sort Order in an Event Log

    1. Open Event Viewer. In Windows XP, click the Start menu button, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Event Viewer. In Windows 2000, click the Start menu, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.
       
    2. In the console tree in the left-hand pane, click the log you want to sort.
       
    3. In the right-hand pane, click the column heading you want to sort by. To reverse the sort order, click the column heading a second time.
       
    4. Tips
      • To sort chronologically, select the View menu, and click Newest First or Oldest First. The default is Newest First.
      • When a log is archived, the sort order is not saved.
         
  4. Viewing More Details About an Event

    1. Open Event Viewer. In Windows XP, click the Start menu button, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Event Viewer. In Windows 2000, click the Start menu, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.
       
    2. In the console tree in the left-hand pane, click the log you want to work with.
       
    3. In the right-hand pane, click the event you want to work with.
       
    4. Select the Action menu, and click Properties.
       
    5. Tips
      • To view binary data as characters, in the Data box, click Bytes. To view binary data as DWORDs, click Words.
      • To view details about the previous or next event, click the up or down arrow.
      • To copy the details of an event, click Copy.
      • Not all events generate binary data. Binary data can be interpreted by an experienced programmer or a support technician familiar with the source application.
      • To retain the event description in binary data form, archive logs in the log file format (*.evt). Saving logs in text format (*.txt) or comma-delimited text format (*.csv) discards the binary data.
         
  5. Refreshing an Event Log

    1. Open Event Viewer. In Windows XP, click the Start menu button, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Event Viewer. In Windows 2000, click the Start menu button, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.
       
    2. In the console tree in the left-hand pane, click the log you want to refresh.
       
    3. Select the Action menu, and click Refresh.
       
    4. Tips
      • You must be logged on as an administrator or as a member of the Administrators group to refresh the Security log.
      • The Refresh command is not available for archived logs because those files can no longer be updated.
      • When you open a log, Event Viewer displays the current information for the log. While you view the log, the information is not updated unless you refresh it. If you switch to another log and then return to the first log, the first log is automatically refreshed.
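
The Find, Filter, and Newest First steps above can also be applied outside the GUI to a log saved in comma-delimited (*.csv) format. The following is an added example, not part of the original document; the column order, the date/time format, the case-insensitive description match, and the sample rows are assumptions constructed for illustration and should be adjusted to match your export.

```python
import csv
import io
from datetime import datetime

# Assumed column order of the comma-delimited export (no header row).
COLUMNS = ["date", "time", "source", "type", "category",
           "event_id", "user", "computer", "description"]

# Constructed sample export; not real log data.
SAMPLE_CSV = r"""7/12/2006,9:58:03 AM,Security,Success Audit,Logon/Logoff,528,LAB\asmith,LAB-PC01,Successful Logon: User Name: asmith
7/12/2006,10:01:17 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,LAB-PC01,Logon Failure: Unknown user name or bad password. User Name: jdoe
7/12/2006,10:01:25 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,LAB-PC01,Logon Failure: Unknown user name or bad password. User Name: jdoe
7/12/2006,10:03:40 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,LAB-PC02,Logon Failure: Unknown user name or bad password. User Name: asmith
7/12/2006,1:15:09 PM,Security,Success Audit,Logon/Logoff,538,LAB\asmith,LAB-PC01,User Logoff: User Name: asmith
"""

def load_events(text):
    """Parse the export into dicts and add a combined 'when' timestamp."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(COLUMNS):
            continue  # skip blank or truncated lines
        ev = dict(zip(COLUMNS, row))
        ev["when"] = datetime.strptime(ev["date"] + " " + ev["time"],
                                       "%m/%d/%Y %I:%M:%S %p")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events

def filter_events(events, types=None, description=None, **fields):
    """Keep events whose type is one of `types` and whose other fields
    (source, category, event_id, user, computer) all match exactly."""
    hits = []
    for ev in events:
        if types and ev["type"] not in types:
            continue
        if description and description.lower() not in ev["description"].lower():
            continue  # Description criterion: substring match
        if any(ev[name] != want for name, want in fields.items()):
            continue
        hits.append(ev)
    return sorted(hits, key=lambda ev: ev["when"], reverse=True)  # newest first

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for ev in filter_events(events, types={"Failure Audit"},
                            event_id=529, description="jdoe"):
        print(ev["when"], ev["computer"], ev["description"])
```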

 

Reviewed: 0706 By: CD

Additional help with the installation and configuration of
UW-supported software is available:
Faculty/Staff
Contact your IT user consultant
(www.uwyo.edu/infotech/services/helpdesk/uc/)

Contact the IT Help Desk at 766-HELP (4357), option 1
Email UserHelp@uwyo.edu
Students
Email ASU-IT@uwyo.edu
Contact the IT Help Desk at 766-HELP (4357), option 1
Come to the student computer lab in the lobby of the
Information Technology Center.

Contents © 2013 by the University of Wyoming Division of Information Technology. All rights reserved.