Event Viewer is the next tool to use when debugging, problem solving, or troubleshooting a Windows Server 2008 R2 system. Event Viewer, as shown in Figure 1, is a built-in Windows Server 2008 R2 tool, completely rewritten on an Extensible Markup Language (XML) infrastructure, that is used for gathering troubleshooting information and conducting diagnostics. The rewrite, introduced in Windows Server 2008, brought many new features and functionality, including a new user interface and a home page that presents an overview and summary of the system.
The upcoming sections focus on the basic elements of an event, including detailed sections covering the new features and functionality.
Microsoft defines an event as any significant occurrence in the operating system or an application that requires tracking of the information. An event is not always negative: a successful logon to the network, a successful transfer of messages, or replication of data can also generate an event in Windows. It is important to sift through the events to determine which are informational events and which are critical events that require attention.
When server or application failures occur, Event Viewer is one of the first places to check for information. Event Viewer can be used to monitor, track, view, and audit the security of your server and network, and it tracks information about both the hardware and the software in your server. The information provided in Event Viewer is a good starting point for identifying and tracking down the root cause of any system errors or problems.
Event Viewer can be accessed through the Administrative Tools menu or by expanding the Diagnostics section of the new Server Manager MMC snap-in. You can also launch Event Viewer by running the Microsoft Management Console (Start, Run, mmc.exe) and adding the snap-in, or from a command line by running eventvwr.msc.
Each log has common properties associated with its events. The following bullets define these properties:
Level—This property defines the severity of the event. An icon appears next to each type of event, making it easy to identify at a glance whether the event is informational, a warning, or an error.
Date and Time—This property indicates the date and time that the event occurred. You can sort events by date and time by clicking this column. This information is particularly helpful in tracing back an incident that occurred during a specific time period, such as a hardware upgrade performed before your server started experiencing problems.
Source—This property identifies the source of the event, which can be an application, remote access, a service, and so on. The source is very useful in determining what caused the event.
Event ID—Each event has an associated event ID, a number generated by the source that is unique to each type of event. You can use the event ID on the Microsoft Support website (www.microsoft.com/technet/) to find topics and solutions related to an event on your server.
Task Category—This property determines the category of an event. Task Category examples from the Security log include Logon/Logoff, System, Object Access, and others.
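The same five properties can be read from a log without opening the console. The following PowerShell script is an added example, not code from the book: it uses Get-WinEvent (Windows PowerShell 3.0 or later; reading the Security log needs an elevated prompt) to list recent events with the Level, Date and Time, Source, Event ID, and Task Category properties, and then applies the Date and Time idea of tracing an incident back to a specific window by returning only Critical, Error, and Warning events between two times. The function names, the System log, and the 24-hour window are assumptions chosen for illustration.

```powershell
# Added example, not code from the book. Lists recent events from a log with
# the five properties defined above, using Get-WinEvent (Windows PowerShell
# 3.0 or later; reading the Security log requires an elevated prompt).
# The Level numbers behind the icons: 1 = Critical, 2 = Error, 3 = Warning,
# 4 = Information, 5 = Verbose. Security log entries carry Level 0 (shown as
# Information) and express audit success/failure through Keywords instead.

function Get-EventSummary {
    param(
        [string]$LogName = 'System',   # assumed default log
        [int]$MaxEvents = 20
    )
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
        Select-Object @{Name = 'Level';        Expression = { $_.LevelDisplayName }},
                      @{Name = 'DateAndTime';  Expression = { $_.TimeCreated }},
                      @{Name = 'Source';       Expression = { $_.ProviderName }},
                      @{Name = 'EventID';      Expression = { $_.Id }},
                      @{Name = 'TaskCategory'; Expression = { $_.TaskDisplayName }}
}

# Tracing back an incident in a specific time window, as the Date and Time
# property suggests: only Critical, Error and Warning events between two times.
function Get-ProblemEventsInWindow {
    param(
        [string]$LogName,
        [datetime]$Start,
        [datetime]$End
    )
    $filter = @{
        LogName   = $LogName
        Level     = 1, 2, 3        # Critical, Error, Warning
        StartTime = $Start
        EndTime   = $End
    }
    # Get-WinEvent reports an error rather than returning nothing when no
    # events match, so suppress that and return an empty result instead.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated
}

Get-EventSummary -LogName 'System' -MaxEvents 20 | Format-Table -AutoSize

# Constructed window for illustration: the 24 hours before now.
Get-ProblemEventsInWindow -LogName 'System' -Start (Get-Date).AddDays(-1) -End (Get-Date) |
    Select-Object TimeCreated, LevelDisplayName, ProviderName, Id, TaskDisplayName |
    Format-Table -AutoSize
```

The Source column is the provider name that Event Viewer shows in its own Source column, and the Event ID column is the value to use when searching the Microsoft Support site; because an event ID is only unique within its source, search on the source and ID together.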
Examining the New Event Viewer User Interface
The interface for Event Viewer in Windows Server 2008 R2 has changed significantly from earlier versions. Although the information produced by logged events remains much the same, it’s important to be familiar with the new interface to take advantage of the new features and functionality.
Administrators accustomed to using the latest Microsoft Management Console (MMC) 3.0 will notice similarities in the new look and feel of the Event Viewer user interface. The navigation tree in the left pane of the Event Viewer window lists the event logs available to view and also introduces new folders for creating custom event views and subscriptions from remote systems. The central details pane displays relevant event information based on the folder selected in the navigation tree. On the home page, the central details pane also has a new layout that improves the administrator’s experience by summarizing administrative events by date and criticality, providing log summaries, and displaying recently viewed nodes. Finally, the tasks pane, located on the far right side of the window, contains context-sensitive actions that depend on the current focus in the Event Viewer snap-in.
The folders residing in the left pane of the Event Viewer are organized by the following elements:
The Custom Views Folder
Custom views are filters created either automatically by Windows Server 2008 R2 when new server roles or applications, such as Active Directory Certificate Services and DHCP Server, are added to the system, or manually by administrators. It is important for administrators to be able to create filters that target only the events they are interested in viewing, so that they can quickly diagnose and remediate issues on the Windows Server 2008 R2 system and infrastructure. To see how information from the event log is parsed into a set of filtered events, expand the Custom Views folder in the Event Viewer navigation tree, right-click Administrative Events, select Properties, and click the Edit Filter button. The Custom View Properties Filter tab is displayed in Figure 2.
In the built-in Administrative Events custom view, all critical, error, and warning events are captured for all event logs. Rather than looking at the large number of informational logs captured by Windows Server 2008 R2 and cycling through each Windows log, this filter gives the administrator a single place to go and quickly check for any potential problems on the system.
Also listed in the Custom Views section of Event Viewer are predefined filters created by Windows Server 2008 R2 when new roles are added to the system. These queries cannot be edited; however, they provide events related to all Windows Server 2008 R2 roles, and the logical grouping can be used to quickly drill down into issues affecting the performance of the system as it relates to specific server roles. Again, this is a way of helping an administrator find the information needed to identify and ultimately resolve server problems quickly and efficiently.
The filter was first introduced with Windows Server 2008. The new Administrative Events filter groups all events associated with the system from an administrative perspective. By drilling down to the Administrative Events filter, an administrator can quickly decipher issues associated with all administrative events.
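Behind the Filter tab of the Edit Filter dialog described above sits the XML query that Event Viewer actually evaluates, and the same query form can be run from PowerShell. The following is an added example, not the book's or Microsoft's own view definition: a reduced version of the Administrative Events filter covering the Application and System logs only (the built-in view spans many more channels), selecting Critical, Error, and Warning events and summarizing them by criticality and source the way the home page groups them. The function name, the two logs chosen, and the event count limit are assumptions.

```powershell
# Added example, not code from the book. A reduced version of the
# Administrative Events filter, written as the XML query that Event Viewer's
# Edit Filter dialog shows on its XML tab. Level 1 = Critical, 2 = Error,
# 3 = Warning. The built-in view covers many more channels than these two.
$adminEventsQuery = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

function Get-AdministrativeEvents {
    param([int]$MaxEvents = 200)   # assumed default limit
    [xml]$query = $adminEventsQuery
    # SilentlyContinue: Get-WinEvent reports an error when nothing matches,
    # which is not a failure for a "what is wrong right now" check.
    Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# Summarize by criticality and source, as the home page does by date and
# criticality, so the noisiest problem sources surface first.
Get-AdministrativeEvents -MaxEvents 200 |
    Group-Object -Property LevelDisplayName, ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The same query can be saved and run with the built-in command-line tool:
#   $adminEventsQuery | Set-Content -Path .\AdminEvents.xml
#   wevtutil qe .\AdminEvents.xml /sq:true /f:text /c:20
```

Adding a channel to the filter is a matter of adding another Select element with that channel's Path; removing the Level condition from a Select turns it into a full dump of that log, which is the situation the Administrative Events view exists to avoid.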