In this section I will look at the Event Viewer. The Event Viewer has been in Windows since Windows NT and had not changed much until recent editions of Windows. With Windows Vista, Microsoft added a lot of new features to the Event Viewer, and these were included in Windows Server 2008. These include the new Setup and Forwarded Events logs. The Setup log contains events from when Windows was first installed and from software installs after that. The Forwarded Events log contains events that were generated on one computer and then forwarded to another computer to be looked at. Later in this video I will be looking at the Forwarded Events log in more detail, including how to set it up.

The Event Viewer also allows you to create custom views. A custom view lets you filter an existing log or even access multiple logs in the same view. If you have a particular application or service that you want to keep a close eye on, this can be a really useful feature. The event log can also be exported to XML. This is useful if you want to import that data into another program, for example into Excel. Lastly, the Event Viewer can now work with the Task Scheduler. This means that when an event occurs you can run a program or send an e-mail. For example, when a hard disk event is generated, you may want to automatically run an archiving program.

Let's have a look at how to use the Event Viewer. First of all, I need to start the Event Viewer by running it from Administrative Tools under the Start menu. On the first screen of the Event Viewer, I can access some statistics on events that have occurred on this server. Notice that a tally is kept of the number of events generated in the last hour, last 24 hours and last 7 days. This gives you a quick indication of how reliable your server has been. If your server is experiencing problems, you are more than likely going to be receiving a lot of critical and error events. If I go down to warnings, I can expand it and view statistics on each of the warnings that have been occurring on this server. If I select one of these warnings, I will be taken to a filtered view showing me all occurrences of that warning on this server. As you can see, this warning has been occurring for quite a long time. Viewing a summary like this is a great way to tell how long an event has been occurring. Often you may get lost when looking at too much information.
If you want to look at the original logs, select Windows Logs on the left hand side and then select the log you want to view. The Application log is used by applications, including 3rd party applications, to log events. For example, the Disk Defragmenter will log an event after it has run, and a 3rd party application may log an event with details about software updates it has performed. Next you have the Security log. This contains events relating to invalid login attempts and to creating and editing objects on the system, for example user accounts and certain system files. How you have configured auditing on your system will determine how many events, and which types of events, you will see in here. The Setup log contains events relating to application setups performed on that system. For example, if you add a role through Server Manager, you will find details about the install in this log. Windows updates and other installations will also appear in here. The System log contains events relating to Windows. Events in the System log are determined by Windows, meaning 3rd party programs can't store their events in this log. Failed drivers and events relating to Windows services failing to start or crashing will appear in here. Lastly you have the Forwarded Events log. This log contains events that have been forwarded from another computer to this one. Later in this video I will cover this in more detail.
If I right click on the Application log and then select Create Custom View, I can create a view filtering out any events that I don't want to see. For example, I could choose to only see critical and error events. You will notice down the bottom that you can also filter based on event IDs, keywords, users and computers. Once I press OK, I can enter a name for the custom view. I will now have a new custom view created.

The dialog for filtering a log is the same as the one I used when I created the custom view; this time I will select critical, error and warning. Notice that when I apply the filter only these events will be shown. At the top of the screen you will notice that "Filtered" has been added to the title bar to let me know that events have been filtered from this view. If you later decide that you no longer want the filter, you can select the option Clear Filter. When looking through the Event Viewer, make sure that you are aware of any filters that have been applied to your views. A filter may prevent you from seeing the event that is related to the problem you are trying to troubleshoot.
If I right click a log file, I can go down and select Properties for that log file. You will notice that there is some information about the log file: the location of the log file, when it was created, when it was last modified and when it was last accessed. One of the options you may want to set is the size of the log file. Depending on which log file it is and how many events are being logged, you may want to increase the default size of the log file. The next option you may want to configure is what Windows will do when the log file is full. By default, Windows will overwrite events as needed. This does mean that events will be lost as time goes on. If you need to keep events for your records, for example some companies like to keep their security logs, you can select the option Archive the log when full. When this option is selected and the log file is full, it will be saved and a new log file is created. The last option, Do not overwrite events, will stop logging events when the log file is full. When this option is selected, you will need to clear the log files manually yourself. You can do this by selecting the Clear Log button at the bottom. Be warned: if you do not clear your log files when they are full, your system will stop logging events.

If I go back to the Event Viewer, one of the great new features is the ability to attach tasks to events.
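As an added example that is not part of the video, the custom view filter and the log retention choices described above can also be inspected and set from an elevated PowerShell prompt; the event IDs 1000 and 1001 and the 512 MB size are constructed placeholders.

```powershell
# Added example, not from the video. Run from an elevated PowerShell prompt
# (the Security log cannot be read or reconfigured otherwise).

# --- Custom view / filter ---------------------------------------------------
# The Create Custom View and filter dialogs build an XPath query like this one.
# Level 1 = Critical, 2 = Error, 3 = Warning. This QueryList format is also what
# Event Viewer writes when you export a custom view.
$filterXml = [xml]@'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@
$filtered = @(Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue)
$filtered | Select-Object -First 10 TimeCreated, LevelDisplayName, Id, ProviderName |
    Format-Table -AutoSize

# The same view narrowed to particular event IDs (1000 and 1001 are constructed
# placeholders; substitute the IDs you are tracking).
$byId = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000, 1001 } `
    -ErrorAction SilentlyContinue)

# The caveat from the video made visible: how much of the log a filter hides.
$total = (Get-WinEvent -ListLog Application).RecordCount
"Application log: $total records, $($filtered.Count) match the level filter, $($byId.Count) match the ID filter"

# --- Log properties ----------------------------------------------------------
# LogMode maps onto the three "when the log is full" options in the dialog:
#   Circular   = Overwrite events as needed (the default)
#   AutoBackup = Archive the log when full
#   Retain     = Do not overwrite events (logging stops until the log is cleared)
Get-WinEvent -ListLog Application, Security, System, Setup |
    Select-Object LogName, LogMode,
        @{ n = 'MaxSizeMB'; e = { $_.MaximumSizeInBytes / 1MB } },
        RecordCount, LogFilePath |
    Format-Table -AutoSize

# Changing the options. wevtutil's /rt (retention) and /ab (auto-backup) switches
# combine into the same three modes as the dialog:
wevtutil sl Security /ms:536870912 /rt:true /ab:true   # 512 MB, archive when full
wevtutil sl Application /rt:false                       # overwrite as needed
# wevtutil sl System /rt:true /ab:false                 # do not overwrite; stops logging when full
```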
If I go to the Application event log and scroll down to an error I received with the shadow copy service, I can right click the event and select Attach Task To This Event. In the task wizard, I can first enter a name and description for the task. On the next screen of the wizard, the details of the log, source and event ID have already been entered. The next screen of the wizard allows me to select what I want to happen when this event is logged in the Application log. I can start a program, send an e-mail to an administrator for example, or simply display a message on the server. In this case I will leave it on the default, Start a program, and move on. The next screen allows me to enter the name of the program that I want to run. I can also enter arguments if I wish. On the last screen of the wizard, I can tick the box Open the Properties dialog for this task when I click Finish. With this option ticked I can view the properties for this task.

If you have worked with tasks in Windows before, you will recognize these properties. Event Viewer has simply created a task in the Task Scheduler for you. With the right know-how you could create this task manually; however, it is easier to perform this step via the Event Viewer. Notice that the default option will only run the task if the user is logged on. If you are running a maintenance script like the one I selected, you will probably want to change this option to run whether the user is logged on or not. You also have the option not to store the user's password. This essentially limits the task to that computer; in other words, the task can't access other resources on the network like file shares. By default, the task will run with minimum privileges using User Account Control. If the task requires additional privileges not available to the general user, you will need to tick the box Run with highest privileges. The option Configure for determines which options will appear in the task.

If I select the Triggers tab, you can see the trigger that is linked to the event. I could add additional triggers to this task if I wanted to. For example, I could configure this task to run at a certain time during the day. On the Actions tab I can determine what will happen when the trigger is met. At the moment, when a trigger requirement is met, my maintenance script will be run. I could, if I wanted to, add additional programs, send e-mails or display a message on the server. On the Conditions tab I can determine what conditions must be met for the task to be run. Firstly, I can select the box Start the task only if the computer is idle. If the server is under heavy load the task will not be run. Notice below this you have power options. These determine whether the task will be run only if the computer is plugged into the mains, and whether to stop the task if the computer starts running off batteries. If you want the computer to be woken up when it is sleeping to run a task, you can tick the box Wake the computer to run this task. Lastly, you can select if you want the task to only run when a network connection is available. If your server is connecting to another server via a VPN connection, you may only want to run this task when that VPN connection is up. On the Settings tab, you can set some general settings for the task. These allow you to set what will happen when the task is missed, whether the task should be stopped if it is running too long, and how many times the task should be rerun if it fails. On the last tab, the History tab, you can see how many times the task has been run and the result. That concludes all the options for this task.

If I go back to the Event Viewer, you will notice at the bottom that Microsoft has created a number of filtered logs.
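The wizard above is a front end to the Task Scheduler. As an added example that is not from the video, here is the same event-triggered task created with schtasks from an elevated prompt; it assumes the shadow copy error is logged by the VSS provider, and the event ID 12345, the script path and the service account name are placeholders.

```powershell
# Added example, not from the video. Run from an elevated PowerShell prompt.
# Assumptions: the shadow copy error is written by provider 'VSS' to the Application
# log; event ID 12345 and C:\Scripts\archive.cmd are placeholders.

$taskName = 'Archive on shadow copy error'
# The trigger the wizard writes: a log channel plus an XPath query over the
# event's source and ID, exactly like a custom view filter.
$eventQuery = "*[System[Provider[@Name='VSS'] and (EventID=12345)]]"

schtasks /Create /F `
    /TN $taskName `
    /SC ONEVENT /EC Application /MO $eventQuery `
    /TR 'C:\Scripts\archive.cmd' `
    /RU SYSTEM `
    /RL HIGHEST

# /RU SYSTEM  = runs whether a user is logged on or not, with no stored password.
#               Like the "do not store password" option, it can only reach local
#               resources; for file shares use a named account instead:
#                 /RU DOMAIN\svc-archive /RP <password>      (placeholders)
# /RL HIGHEST = "Run with highest privileges" (full token, not the UAC-filtered one).

# The Triggers, Actions, Conditions and Settings tabs, as the task's XML definition.
schtasks /Query /TN $taskName /XML

# The History tab is driven by the TaskScheduler/Operational log (only populated
# when task history is enabled). 102 = task completed, 201 = action completed.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 102, 201
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$taskName*" } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```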
If I choose the DNS Server log, I can see all the events that are related to the DNS service. When troubleshooting problems on your server, remember that a filter may have already been created for the service that you are attempting to troubleshoot. That is the basics for Event Viewer; let's have a look now at how to configure the next feature of the Event Viewer, event forwarding.

Event forwarding allows a computer to forward events on to another computer. The computer that is forwarding the events is called the forwarder. The computer receiving the events is called the collector. It should be noted here that it is only a copy of the event that is sent on to the collector. The original events are still on the forwarding computer and can be viewed at any time using the Event Viewer. The communication protocol used to transfer these events is HTTP or HTTPS. When HTTP is used, the data is encrypted, giving you protection from eavesdropping. The HTTPS option is there if you want to use additional security: basically encryption on top of encryption. In order to configure event forwarding you need to ensure your firewall allows HTTP or HTTPS, and also that any firewalls between the forwarder and collector allow the protocol you choose through. In a lot of cases, most firewalls will allow these protocols through without having to change any firewall rules.

In order to use event forwarding your operating system must support it. Event forwarding is supported on Windows Server 2008, Windows Vista and Windows 7. If you are running an older operating system like Windows XP or Windows Server 2003, event forwarding is not supported by default. In order to use these systems to forward events, you need to install WS-Management 1.1. If this is installed you will be able to use these operating systems to forward events on to the collector computer.
In order to use event forwarding you need to configure both the forwarding and the collecting computer. On the forwarding computer you need to run WinRM with the switch quickconfig. This will configure the service required for event forwarding and also make changes to the firewall. For the collecting computer to read events from the forwarding computer it requires access. In order to provide access, the collector's computer account needs to be added to the local group Event Log Readers. Once these two steps are complete, you need to configure the collector computer. This can be performed by running the command wecutil with the switch qc. This will perform a quick config, which will change the collector service to delayed start.

Let's have a look at how to configure a Windows 7 computer to forward events to a Windows Server 2008 computer. This Windows 7 computer will be configured to forward events on to a Windows Server 2008 R2 computer. To do this, first of all open a command prompt, making sure you right click on cmd and select Run as administrator. Once you have a command prompt open with administrator rights, run the command winrm with the switch quickconfig. WinRM will first ask you if you want to set the Windows Event Collector service to delayed start. This means that when Windows starts up, this service will be given a lower priority than the other services. This gives other services time to start up and also reduces the load on the system when the user first logs in, making the system more responsive when the computer first starts up. Once I answer yes to this request, I will be asked if I want to also make changes to the Windows Firewall. These changes to the firewall will allow the service to communicate with the collector computer.

The collector will now be allowed access to this computer through the firewall, but it still needs access to the computer. In order to achieve this, I need to add the collector computer to a security group. To achieve this, open Computer Management from the Start menu and go into Local Users and Groups. Next I need to expand Groups and select the properties of the group Event Log Readers. This is the group that the computer account needs to be added to; in this case my collecting computer is called report1. If the computer account is not found, you may need to select Object Types and ensure that Computers is ticked. Once ticked, I will be able to add the computer account for my collector computer. Once I exit out of the properties for the group, the computer will be added to the security group.

Just to recap, the forwarding computer has the Windows Remote Management service running to process requests, the collector computer has been granted access to the computer by adding it to the group Event Log Readers, and the firewall has been altered to allow access. Now that the forwarding computer has been set up, I need to switch to my Windows Server 2008 to set up the collecting computer. On the collector computer the Windows Event Collector service needs to be enabled. To do this, Microsoft provides us with a command line tool. Once I open a command prompt from the Start menu, I can run the program wecutil with the switch qc, short for quick configure. Windows will now prompt me to change the Windows Event Collector service to delayed start. This is the service that is responsible for collecting data from the forwarding computer.
Now that the computer is configured to collect events, I can create a subscription to collect events. To do this, first I need to open Event Viewer from Administrative Tools under the Start menu. At the bottom is a section called Subscriptions. Right click on this and select Create Subscription. For this subscription, I first need to enter a name. I will call this one "critical and error" and configure it to capture only critical and error events. For the destination, you can see that I can store the collected events in any log I wish. For example, I could store them in the Application log. In most cases you will not want to mix up events from two computers in the same event log. For this reason I will select Forwarded Events and store the events in this log.

In the area below this, you can select who will trigger the data transfer. If I were to select Source computer initiated, the forwarding computer would contact this computer when it wanted to transfer event data. When this option is selected, the source computer is generally configured via Group Policy. If I select the button Select Computer Groups, I can decide which computers or groups will be able to transfer events to this computer. I can also add computers that are not part of the domain and use certificates if I wished. If I cancel out of here and go back and select the option Collector initiated, this computer will contact the source computer when it wants to transfer event data. When you select this option, you can also determine which computers will be allowed by pressing the button Select Computers. In this case I will enter my Windows 7 computer, ws10. Once added, I can press the Test button to ensure that there is a connection between this computer and the forwarding computer.

Now that the connection has been tested successfully, I can go back and select which events I want to collect. You can see that currently no filter has been configured and thus all events will be captured. If I press Select Events and select Edit, I can start filtering out events so I will receive only the events I am interested in. In this case I will select critical and error. If you want events only from a specific source, you can select By source and then select the source you want. For example, if I scroll down a bit I could select Firewall. Now only firewall related events will be sent to this computer. These events will be selected regardless of which log they occurred in. This means if a firewall event was created in either the System or Application log, that event would be displayed with this filter. Also notice that if I select the option By log, I can capture a complete log file; for example, I could select the System log. If you want to see only certain log information you can enter the event IDs down here. You can also enter a category, or if neither of these suit your needs you can enter some keywords. Certain events will be logged against a user. This is often the case with the Security log. You can filter based on a certain user or a collection of users, for example all domain users. Lastly, if you want to filter based on certain computers you can select them here. If I now press OK and go back to the previous screen, I can select the Advanced button to set more options.
In this case, the collecting computer has access to the forwarding computer because I added its computer account to the local group Event Log Readers. If you are collecting events from a lot of computers, this computer account needs to be added to the local group Event Log Readers on every computer that you will be reading events from. In a large enterprise environment, you may want to select the option Specific User. When this option is selected, the user account you specify will be used to connect to the forwarding computer. In this example I will leave it on the default, Machine Account.

The section Event Delivery Optimization determines how fast events will be transferred to this computer and how much bandwidth will be used. The first option, Normal, does not attempt to save bandwidth. You should use this option if you are not worried about bandwidth. The Normal option uses a pull delivery mode, which means the collector computer, or this computer, will contact the forwarder computer and ask for events to be transferred. This will occur every 15 minutes. The next option, Minimize Bandwidth, uses a push delivery mode. Every 6 hours the forwarding computer will contact this computer and send its events. This means traffic is only sent at certain times, and it does cause a delay of up to 6 hours between when the event was generated and when it is transferred to the collecting computer. The last option, Minimize Latency, again uses a push method. When an event is generated on the forwarder computer, it will be transferred to the collector computer within 30 seconds of it occurring. This option is best used when you want to monitor critical events and you need to know about them as quickly as possible. By default the HTTP protocol will be used. The communication is encrypted, but if you want additional encryption you can select the option HTTPS. Once I exit out, you will notice that my new subscription has been configured.

If I now select Forwarded Events and select Refresh, you will notice that there are no events under Forwarded Events yet. In order for events to show up, some must be transferred from the forwarding computer. Currently this subscription is set to the Normal setting, so there will be a delay before any events are transferred. I will pause the video and wait 15 minutes. You will notice now at the top of the screen that new events are available. If I now select Refresh again, events will appear in the log. With the current settings in this subscription, only critical and error events will be transferred.

I find it best to keep forwarded events in the Forwarded Events log. You can store them in the other logs on the computer, for example the System log; however, this does make it confusing to work out which computer generated the event in the first place. Was it this computer or a forwarding computer?
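The collector-initiated subscription built in the dialogs above, as an added example that is not from the video: the forwarder steps run on ws10, the collector steps on report1, and the subscription is written in wecutil's XML format. DOMAIN is a placeholder for the Active Directory domain name, and the subscription ID CriticalAndError stands in for the "critical and error" name used in the dialog.

```powershell
# Added example, not from the video. Run each part from an elevated PowerShell prompt.

# ===== Forwarder (ws10) ======================================================
# The two steps from the video: WinRM quick config (service plus firewall rule),
# then let the collector's computer account read the logs. DOMAIN is a placeholder.
winrm quickconfig -q
net localgroup 'Event Log Readers' 'DOMAIN\report1$' /add
# Membership of this group only grants the right to read the event logs on this
# computer; it gives the collector account nothing else here.

# ===== Collector (report1) ===================================================
wecutil qc /q    # enable the Windows Event Collector service, delayed start

# The dialog choices expressed in wecutil's subscription XML:
#  - collector initiated, machine account (CredentialsType Default)
#  - Critical (Level 1) and Error (Level 2) from the Application and System logs
#  - stored in ForwardedEvents, Normal delivery (collector pulls every 15 minutes)
#  - HTTP transport. WinRM still encrypts the message body with the Kerberos/Negotiate
#    session key; HTTPS adds TLS and needs a server certificate on the forwarder.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>CriticalAndError</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and error events from ws10</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>   <!-- or MinBandwidth / MinLatency -->
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
        <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>ws10</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@
Set-Content -Path .\CriticalAndError.xml -Value $subscription -Encoding Unicode
wecutil cs .\CriticalAndError.xml

# The command line counterpart of the dialog's Test button and of the status you
# see after the 15 minute wait: per-source state (Active, or the error text).
wecutil gr CriticalAndError

# Forwarded events keep the forwarder's name in MachineName, which is why storing
# them in ForwardedEvents rather than System avoids the mix-up described above.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, LevelDisplayName, Id, ProviderName |
    Format-Table -AutoSize
```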
In summary, if you decide to use event forwarding, make sure the firewalls between the client and server are configured correctly. Event forwarding uses HTTP or HTTPS, which most firewalls will allow. If you are using the HTTP protocol, remember that traffic is encrypted; however, for additional encryption you can use HTTPS. It is important to understand the terms Microsoft uses. Remember that the forwarder is the computer that sends events to the collector. The collector stores events from the forwarder. On a large network, event forwarding can make reporting on your network a lot easier and is worth the time to look into.