Creating a New Custom View
To create a new custom view, in Event Viewer, right-click the Custom Views folder and select Create Custom View. Alternatively, select Create Custom View from the Action menu. Either path opens the Custom View Properties dialog box, as illustrated in Figure 2.
First, decide whether to filter events by date; if so, specify the range with the Logged drop-down list, which offers Any Time, Custom Range, and a set of fixed intervals (for example, the last hour or the last 24 hours). Next, select the Event Level criteria to include: Critical, Error, Warning, Information, and Verbose. Then turn to the By Log and By Source options. By Log selects one or more event logs to search; By Source selects event providers (sources) instead, and the two options are mutually exclusive. To refine the filter further, enter specific event IDs (a comma-separated list of IDs or ranges; prefix an ID with a minus sign to exclude it), task categories, keywords, users, and computers. Click OK, then save the filter by giving it a name, a description, and the folder in which to store the view.
Tip
A custom view that matches a very large number of events noticeably increases Event Viewer's memory use and slows the console. Keep each filter as narrow as the question it is meant to answer.
After the custom view is defined, it can be exported as an XML file and imported on other systems. The filter can also be written or modified directly on the XML tab of the Custom View Properties dialog box, where the query appears as a QueryList containing XPath Select and Suppress expressions. Keep in mind that after a filter has been modified on the XML tab, it can no longer be edited with the Filter tab described previously; Event Viewer warns about this before the change is made permanent.
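The following PowerShell is an added example, not code from the original text: it writes the same QueryList XML that Event Viewer shows on the XML tab, runs it with Get-WinEvent, and first checks the audit-policy precondition that decides whether the Security log can contain the events at all. The remote computer name SRV01 and the file name logon-filter.xml are assumptions for illustration.

```powershell
# Added example, not from the original text: a custom-view filter written
# as QueryList XML and run with Get-WinEvent -FilterXml.
# Assumptions: elevated PowerShell on the machine being examined; the "Logon"
# audit subcategory is enabled, otherwise 4624/4625 are never written.

# Check the precondition first: the Security log only holds what audit
# policy asks for. "No Auditing" here means the query below is correctly empty.
auditpol.exe /get /subcategory:"Logon"

# QueryList is the same XML Event Viewer shows on the XML tab. Select picks
# logon success (4624) and failure (4625) from the last 24 hours; timediff()
# is in milliseconds. Suppress removes matches you do not want to see, here
# the SYSTEM account's own logons. Note the escaped '<' inside the XPath text.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)
               and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='SYSTEM']]
    </Suppress>
  </Query>
</QueryList>
'@

# Get-WinEvent reports "No events were found" as an error; treat that as zero.
$events = Get-WinEvent -FilterXml ([xml]$filterXml) -ErrorAction SilentlyContinue

# Summarize failed logons per account; 4625 stores the name in TargetUserName.
$events |
  Where-Object { $_.Id -eq 4625 } |
  ForEach-Object {
    ([xml]$_.ToXml()).Event.EventData.Data |
      Where-Object { $_.Name -eq 'TargetUserName' } |
      Select-Object -ExpandProperty '#text'
  } |
  Group-Object |
  Sort-Object Count -Descending |
  Select-Object Count, Name

# Saving the QueryList lets you reuse the filter on another machine, or against
# a remote one (SRV01 is an assumed name), without recreating the view by hand.
Set-Content -Path .\logon-filter.xml -Value $filterXml
Get-WinEvent -FilterXml ([xml](Get-Content .\logon-filter.xml)) `
             -ComputerName SRV01 -ErrorAction SilentlyContinue
```

The Suppress element is the part worth remembering: the Filter tab has no way to express "everything except", so exclusions are one of the reasons to edit the XML directly.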
The Windows Logs Folder
The Windows Logs folder contains the traditional Application, Security, and System logs. Windows Server 2008 R2 also includes two additional logs in this folder: the Setup log and the Forwarded Events log. The following is a brief description of each:
Application log— Events written by applications or programs installed on the system.
Security log— Records audit events such as logon attempts (success and failure) and object access. Which events appear is governed entirely by the configured audit policy: a subcategory that is not enabled produces no Security log events at all, so check the effective policy (auditpol /get /category:*) before concluding that nothing happened.
Setup log— Captures information about the installation of applications, server roles, and features.
System log— Events generated by Windows system components, such as a driver failing to load or a service failing to start.
Forwarded Events log— Stores events collected from remote computers through event subscriptions. Because several computers often experience the same issue, consolidating their events in a single log simplifies isolating, identifying, and remediating a problem.
The Applications and Services Logs Folder
The Applications and Services Logs folder introduces a new way to logically organize, present, and store events by a specific Windows application, component, or service, instead of mixing them into the systemwide logs. An administrator can drill into a specific item such as DFS Replication or DNS Server and review those events without being overwhelmed by everything else the system records.
These logs come in four subtypes: Admin, Operational, Analytic, and Debug. Events in Admin logs are aimed at end users, administrators, and support personnel; they are especially useful because an Admin event not only describes a problem but also indicates how to deal with it. Operational logs also benefit administrators but typically require more interpretation.
Analytic and Debug logs are more complex. Analytic logs trace an issue in detail and often capture a high volume of events. Debug logs are used primarily by developers to debug applications. Both are hidden and disabled by default. To display them, right-click Applications and Services Logs and select View, Show Analytic and Debug Logs. Showing a log does not enable it: each Analytic or Debug log must be enabled separately (Enable Log from its context menu, or wevtutil sl <log name> /e:true) before it collects anything, and it should be disabled again when the investigation is over because of the event volume.
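As an added example that is not part of the original text, the following PowerShell does from the command line what the View menu does in the console: lists the hidden Analytic and Debug channels, enables one, reads it, and disables it again. The channel name Microsoft-Windows-Kernel-Process/Analytic is an assumption; confirm it appears in the listing on your system before enabling it.

```powershell
# Added example, not from the original text: find the hidden Analytic/Debug
# logs, enable one, read it, and turn it off again.
# Assumptions: elevated session; the channel named below exists on this
# system (check the listing first, it is an assumed name).

# -Force is what makes Get-WinEvent include Analytic and Debug channels,
# just as Show Analytic and Debug Logs does in the console.
Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.LogType -eq 'Analytical' -or $_.LogType -eq 'Debug' } |
  Select-Object LogName, LogType, IsEnabled, RecordCount |
  Sort-Object LogName

$log = 'Microsoft-Windows-Kernel-Process/Analytic'   # assumed channel name

# Showing a log is not enabling it. Enable explicitly (same as Enable Log in
# the context menu), reproduce the problem, then read the log.
wevtutil sl $log /e:true
wevtutil gl $log | Select-String '^enabled'

# Analytic and Debug logs can only be read oldest-first; without -Oldest
# Get-WinEvent refuses the query.
Get-WinEvent -LogName $log -Oldest -MaxEvents 20 -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, ProviderName, Message

# Disable again; these channels generate far more events than Admin or
# Operational logs and wrap their small default file quickly.
wevtutil sl $log /e:false
```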
The Subscriptions Folder
The final folder in the Event Viewer console tree is Subscriptions. Subscriptions are another feature included with the Windows Server 2008 R2 Event Viewer. A subscription lets remote computers forward their events so that they can be reviewed locally on a central system. For example, if you are troubleshooting an issue between two Windows Server 2008 R2 systems, diagnosis is difficult because each system writes to its own event log. In this case, you can create a subscription on one of the servers that pulls the event log data from the other; both systems' events can then be reviewed in one place.
Configuring Event Subscriptions
Use the following steps to configure event subscriptions between two systems. First, each source computer must be prepared to send events to the collector:
1. Log on to the source computer. Best practice is to log on with a domain account that has administrative permissions on the source computer.
2. From an elevated command prompt, run winrm quickconfig. This starts the Windows Remote Management service, creates an HTTP listener, and opens the matching firewall exception, so review the prompts before confirming. Exit the command prompt.
3. Grant the collector computer's domain account (the computer name followed by $) read access to the source's event logs. The simplest way is to add it to the source's local Administrators group; the least-privilege alternative is the built-in Event Log Readers group, which can read every log, including Security.
4. Log on to the collector computer with an account that has local administrative permissions, as in step 1.
5. From an elevated command prompt, run wecutil qc. This configures and starts the Windows Event Collector service.
6. If you intend to use the delivery optimization options Minimize Bandwidth or Minimize Latency, also run winrm quickconfig on the collector computer, because in those modes the sources push events to the collector over WinRM.
After the collector and source computers are prepared, a subscription must be created that identifies the events to be pulled from the source computers. To create a new subscription, do the following:
1. On the collector computer, run Event Viewer with an account that has administrative permissions.
2. Click the Subscriptions folder in the console tree and select Create Subscription from the Action menu, or right-click the folder and select the same command from the context menu.
3. In the Subscription Name box, type a name for the subscription.
4. In the Description box, enter an optional description.
5. In the Destination Log box, select the log in which collected events will be stored. By default, events are stored in the Forwarded Events log under the Windows Logs folder of the console tree.
6. Click Select Computers to choose the source computers that will supply events. Add the appropriate domain computers, click Test to confirm that the collector can reach each one, and click OK.
7. Click Select Events and configure the event logs and event levels to collect. Click OK.
8. Click OK to create the subscription.
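The whole procedure above, as an added example that is not part of the original text: the source and collector preparation as commands, and the GUI subscription replaced by a collector-initiated subscription defined in XML and loaded with wecutil. The computer names COLLECTOR01 and SRV01, the domain CONTOSO, and the subscription name SecurityLogons are assumptions.

```powershell
# Added example, not from the original text: event subscription between two
# systems entirely from the command line.
# Assumed names: collector COLLECTOR01, source SRV01, domain CONTOSO,
# subscription "SecurityLogons". Run each section on the machine indicated.

# ---- On each source computer (elevated) ----
winrm quickconfig -q   # starts WinRM, adds an HTTP listener and a firewall exception
# The collector's computer account only needs to read event logs; Event Log
# Readers is the least-privilege alternative to the local Administrators group.
net localgroup "Event Log Readers" CONTOSO\COLLECTOR01$ /add

# ---- On the collector (elevated) ----
wecutil qc /q          # configures the Windows Event Collector service (automatic start)
winrm quickconfig -q   # only needed if Minimize Bandwidth / Minimize Latency will be used

# Equivalent of the Create Subscription dialog: name, description, destination
# log, source computers and the event query, as a subscription document.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon success/failure pulled from SRV01</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>SRV01.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@
$path = Join-Path $env:TEMP 'SecurityLogons.xml'
Set-Content -Path $path -Value $subscription
wecutil cs $path       # create-subscription

# Verify: gs shows the stored configuration, gr the runtime status per source
# (Active/Inactive and the last error, which is where permission problems show up).
wecutil gs SecurityLogons
wecutil gr SecurityLogons

# Forwarded events land in the Forwarded Events log on the collector; the
# originating host is kept in the event's MachineName (System/Computer).
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, MachineName, Id, Message
```

Changing ConfigurationMode to MinBandwidth or MinLatency corresponds to the delivery optimization options in the dialog, which is why step 6 above requires winrm quickconfig on the collector for those modes.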