
Thread: Evaluation of log files on Windows systems

  1. #1
    Join Date
    Sep 2010
    Posts
    18

    Evaluation of log files on Windows systems

    I know that on a Windows server there are at least three log files by default: the application log, the system log and the security log. Applications and services use the application log on a system, while device drivers use the system log file for their own purposes. Now I want to know more about the log files that get created on Windows (Windows XP, Windows Vista and Windows 7) systems. I am sure that I will get some help from you members.

  2. #2
    Join Date
    Apr 2009
    Posts
    55

    Re: Evaluation of log files on Windows systems

    Looking into the Event Logs of Windows systems should be part of the standard procedures of an administrator. Examining this large amount of data, however, is complicated. This of course applies not only to servers, but also to Windows client systems. If this monitoring is activated on such a Windows system, both success and failure audit events will generate corresponding entries in the security log. Professionals will usually also have a number of other applications installed on the server, such as the directory service Active Directory (AD), so additional log files are likely to be found as standard on these computers. Furthermore, administrators can set up their own self-defined log files on a local or remote computer. If a not-too-large firm has 20 server systems, each of which on average fills five different log files with event data 24 hours a day, the amount of data to be managed, and to be sifted through in case of doubt, quickly reaches a considerable dimension. The following article helps to address this task a little more systematically.

  3. #3
    Join Date
    Apr 2009
    Posts
    68

    Re: Evaluation of log files on Windows systems

    Unfortunately, Microsoft does not make it simple for system administrators: the situation is exacerbated by the fact that the manufacturer, with the release of Windows Vista and Windows Server 2008, has introduced a new, extended file format for the log files. The old EVT format, which had been used for the log files since Windows NT 4, was replaced by the new EVTX format. What makes this format better? It not only offers new event properties (Event Properties), but is also able to use so-called channels to output events. Another advantage is certainly that this EVTX format now also supports saving to XML. For the administrator, these changes mean, first of all, that especially in environments in which both old and new Windows systems are in use, he is faced with an additional workload for processing, managing and analyzing these log files. However, it is possible to open an old EVT file that was created, for example, on an XP system with the Event Viewer integrated in the MMC (Microsoft Management Console) of a current Windows system; the reverse, of course, does not work. The software then immediately points out to the user that better navigation and analysis are possible in the new EVTX format, and automatically offers an appropriate conversion. Microsoft also makes available on the current Windows systems a command line tool with the name wevtutil.exe. It also allows a conversion of the log files and can also be used for the analysis and manipulation of the event logs.
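    As an added example (not code from the thread), the wevtutil.exe conversion and query steps described above, run from PowerShell on a current Windows system. The file paths are placeholders; the switches used (epl, qe, /lf, /q, /f, /c, /rd) are the tool's documented ones.

    ```powershell
    # Added example: convert a legacy .evt file to .evtx with wevtutil.exe and query
    # the result by Event ID. Paths below are placeholders, not from the thread.
    $oldLog = 'C:\logs\legacy\SecEvent.Evt'      # assumed: an .evt copied from an XP/2003 host
    $newLog = 'C:\logs\converted\SecEvent.evtx'  # assumed: output path for the converted log

    # 'epl' (export-log) with /lf:true treats the first argument as a log file on disk
    # rather than a live channel name; the export is always written in EVTX format,
    # which is what makes this a conversion.
    wevtutil epl $oldLog $newLog /lf:true

    # Query the converted file. /lf:true again because the source is a file, /q: takes
    # an XPath filter over each event's XML, /f:xml prints the full event XML,
    # /c:5 stops after five events and /rd:true returns the newest first.
    # ID 644 is the Windows 2000/2003 "Account Lockout" event mentioned later in the thread.
    wevtutil qe $newLog /lf:true /q:"*[System[(EventID=644)]]" /f:xml /c:5 /rd:true

    # The same XPath filter against a live channel on the current system (no /lf),
    # rendered as text instead of XML.
    wevtutil qe Security /q:"*[System[(EventID=644)]]" /f:text /c:5 /rd:true

    # Listing the channels available on this host shows the "channels" the EVTX
    # format introduced; useful when the event you want is not in the classic three logs.
    wevtutil el | Select-String -Pattern 'Security|System|Application'
    ```

    Reading the Security log, live or exported, requires administrative rights on the host.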

  4. #4
    Join Date
    Nov 2008
    Posts
    97

    Re: Evaluation of log files on Windows systems

    Microsoft also makes available on the current Windows systems a command line tool with the name wevtutil.exe. It also allows a conversion of the log files and can also be used for the analysis and manipulation of the event logs.
    However, these two standard methods of Windows operating systems are neither easy nor particularly practical in daily use. So it is no secret that searching the event logs is not exactly popular with administrators and does not make system administrators happy. Therefore, it is hardly surprising that the support staff's question "Have you looked in the event log?" is usually answered with a "No" or "I did not think of that ...". But there are a number of techniques that can simplify the search in the log files. Since the release of Windows Server 2008, the Event Viewer also provides some additional, very useful capabilities, and ultimately there is still MSH, whose use can be helpful for system administrators in this case as a kind of universal tool.

  5. #5
    Join Date
    Nov 2008
    Posts
    109

    Re: Evaluation of log files on Windows systems

    The Event Viewer can be reached on a Windows Server 2008 or 2008 R2 quickly and easily at first:
    1. Open the Start menu of the server.
    2. Then select "Administration", which offers you a list of the default management programs available.
    3. You can then select the Event Viewer.
    It is faster on a Windows Server 2008, as well as on Windows 7 systems, if you simply type the first letters of the program into the search box in the Start menu and then click the link presented by the system. Now you, as an administrator, have the problem of looking for evidence of a specific task on your server, or even of a security incident, in this vast amount of data: What is the best thing to look for in order to get results quickly? A certain string? Messages, data or event types?

  6. #6
    Join Date
    Aug 2008
    Posts
    129

    Re: Evaluation of log files on Windows systems

    In practice it will often be the case that an administrator suspects that an event has occurred and that his system has also created an entry in a log for it, but he is not sure what evidence of the alleged incident exists in the log file. For troubleshooting, or for basic monitoring and control of a Windows server using the event logs, it is important to know exactly what one has to look for: in practice, searching for a specific incident by means of the event ID (Event ID) has proved to be the most efficient way in each case. For the administrator this means that he needs to know which event ID exists for a specific event. All Event IDs of Windows Server 2008 are documented by Microsoft on TechNet, but there is no complete list of all the IDs available, only lists separated by event categories.

  7. #7
    Join Date
    Dec 2008
    Posts
    69

    Re: Evaluation of log files on Windows systems

    The event IDs used on systems running Windows Server 2008 follow a different numbering system than the previous versions of Windows. For example, an "Account Lockout" (access to a user account blocked after a certain number of attempts) is recorded on servers running Windows 2000 and Windows 2003 with the ID 644, while the new Windows systems from Windows Server 2008. This means, unfortunately, that existing scripts that have so far searched the event logs of Windows Server 2003 or older systems for a specific ID can no longer be used under Windows Server 2008.
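    As an added example (not code from the thread), a PowerShell function that searches for the incident described in #6 and #7 by Event ID while coping with the two numbering schemes: it picks the legacy ID on pre-Vista hosts and the new one on Windows Server 2008 and later, so one script serves both generations. The ID 644 is from the thread; the post-2008 counterpart 4740 is not on this page and is taken from Microsoft's security auditing documentation; the function name, parameters and the 6000 build-number threshold are my own assumptions.

    ```powershell
    # Added example: search the Security log for "Account Lockout" events by Event ID,
    # selecting the ID that matches the host's numbering scheme.
    # 644  = Windows 2000/2003 (from the thread)
    # 4740 = Windows Server 2008 and later (Microsoft documentation, not from the thread)
    $lockoutIds = @{ Legacy = 644; Modern = 4740 }

    function Get-LockoutEvents {
        param(
            [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter names
            [datetime]$Since = (Get-Date).AddDays(-1)
        )
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
        # Assumption: build numbers below 6000 are XP / Server 2003 or older, i.e. hosts
        # that still write the classic EVT logs and use the old event numbering.
        if ([int]$os.BuildNumber -lt 6000) {
            # Get-EventLog reads the classic logs; filter on EventID, then normalise the
            # property names so both branches return the same shape.
            Get-EventLog -LogName Security -After $Since -ComputerName $ComputerName |
                Where-Object { $_.EventID -eq $lockoutIds.Legacy } |
                Select-Object @{ n = 'Time'; e = { $_.TimeGenerated } },
                              @{ n = 'Id';   e = { $_.EventID } },
                              Message
        } else {
            # Get-WinEvent reads EVTX channels; the FilterHashtable is evaluated by the
            # event log service rather than by piping every record through Where-Object.
            Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
                LogName   = 'Security'
                Id        = $lockoutIds.Modern
                StartTime = $Since
            } |
                Select-Object @{ n = 'Time'; e = { $_.TimeCreated } }, Id, Message
        }
    }

    # Usage: last 24 hours of lockouts on the local host, oldest first.
    Get-LockoutEvents | Sort-Object Time | Format-Table Time, Id, Message -AutoSize -Wrap
    ```

    Get-WinEvent returns nothing (rather than an error) when no matching events exist, so an empty result means "no lockouts in the window", not a failed query.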
