Conducting Additional Event Viewer Management Tasks
Now that we understand
the functionality of each of the new folders associated with the newly
improved Event Viewer included with Windows Server 2008 R2, it is
beneficial to review the upcoming sections for additional management
tasks associated with Event Viewer. These tasks include the following:
Saving Event Logs
Event
logs can be saved and viewed at a later time. You can save an event log
by either right-clicking a specific log and choosing Save Events As or
by picking individual events from within a log, right-clicking on the
selected events, and choosing Save Selected Items. Entire logs and
selected events can also be saved by selecting the same command from the
Actions pane. After being saved, these logs can be opened by
right-clicking the appropriate log and selecting Open Saved Log or by
clicking on the same command in the Actions pane. After a log has been
opened, it will be displayed in a new top-level folder called Saved Logs
from within Event Viewer.
Organizing Data
Vast numbers of events can be
collected by Windows and displayed in the central pane of Event Viewer.
New tools, and enhancements to old ones, make finding useful information
much easier than in any earlier iteration of Event Viewer:
Sorting—
Events can be sorted in several ways: right-click the log or custom view
and select View, Sort By, and a column, or click the heading of the
column in the center pane on which to sort (click it again to reverse
the order). Sorting is a quick way to find items at a very high level
(for example, by time, source, or event ID). The new features for
finding and sorting data are more robust and well worth learning.
Selection and ordering of columns—
Various columns can be added to or removed from any of the event logs.
The order in which columns are displayed from left to right can be
altered as well by selecting the column in the Select Column dialog box
and clicking the up or down arrow button.
Grouping—
A new way to view event log information is through the grouping
function. By right-clicking a column heading, an administrator can group
the log being viewed by that column, collapsing it into one group per
distinct value (for example, one group per event ID or per user).
Viewing events this way makes trends in the chosen criterion stand out,
which helps in isolating issues and ultimately resolving problems.
Filtering—
As mentioned earlier, filtering, like grouping, provides a means to
isolate and display only the data you want to see in Event Viewer.
Filtering, however, gives the administrator many more options for
determining which data should be displayed than grouping or sorting.
Filters can be defined based on any or all of the event levels, log or
source, event ID(s), task category, keywords, or user or computer(s); the
XML tab of the Filter dialog shows the XPath query those selections
generate, and you can edit it there directly. A filter applied to a log
lasts only for the current session; to keep it, save it as a custom
view. Custom views can be exported as XML for import on other systems.
Tasks—
By attaching tasks to events, logs, or custom views, administrators can
bring some automation and notification into play when certain events
occur. To create a task, right-click the custom view, built-in log, or
specific event of your choice and choose Attach Task to This Custom View,
Attach Task to This Log, or Attach Task to This Event. The Create Basic
Task Wizard then launches; on the first page, enter a name and
description for the task. Click Next to view the criteria that will
trigger the task action (this page cannot be edited; it is populated
from the custom view, log, or event selected when the wizard was
started). Click Next and select Start a Program, Send an E-mail, or
Display a Message as desired. The result is an ordinary Task Scheduler
task with an event trigger, stored under the Event Viewer Tasks folder
of the Task Scheduler Library, where it can be reviewed and edited
afterward.
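The filtering, grouping, and task-attachment steps above, done from PowerShell so they can be scripted and reviewed. This is an added example, not code from the original text. It assumes a Windows Server 2008 R2 host with PowerShell 2.0, run by an account that can read the Security log; the script path C:\Scripts\Notify.ps1 and the task name Alert-FailedLogon are placeholders.

```powershell
# Added example (not from the original text). Assumes Windows Server 2008 R2,
# PowerShell 2.0, and read access to the Security log. C:\Scripts\Notify.ps1
# and the task name are hypothetical.

# The query below is what the Filter dialog's XML tab produces when you filter
# the Security log on Event ID 4625 (failed logon) for the last 24 hours. The
# same text can be pasted into a custom view.
$filterXml = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and
        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

$failed = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue

# Grouping and sorting, scripted: pull the target account and source address
# out of each event's XML and rank accounts by failure count. Reading the
# <Data Name="..."> elements avoids depending on the message text wording.
$failed |
  ForEach-Object {
    $e = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $e.Event.EventData.Data) {
      $d[$item.GetAttribute('Name')] = $item.'#text'
    }
    New-Object PSObject -Property @{
      Time   = $_.TimeCreated
      User   = $d['TargetUserName']
      Domain = $d['TargetDomainName']
      Source = $d['IpAddress']
    }
  } |
  Group-Object User |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize

# The same criteria attached as a task from the command line. schtasks takes
# the XPath part of the query (/MO) and the log name (/EC); the wizard in the
# UI writes an equivalent event trigger into Task Scheduler.
# Security caveat: the task runs as SYSTEM on an event an unauthenticated
# remote user can cause, so the script it runs must not be writable by
# anyone but administrators.
schtasks /Create /TN "Alert-FailedLogon" /SC ONEVENT /EC Security `
  /MO "*[System[(EventID=4625)]]" `
  /TR "powershell.exe -NonInteractive -File C:\Scripts\Notify.ps1" `
  /RU SYSTEM /F
```

The hashtable built from the Data elements is the reliable way to get at fields such as TargetUserName; positional access to the event data breaks when a provider adds fields, and parsing the rendered message breaks when the display language changes.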
Viewing Logs on Remote Servers
You
can use Event Viewer to view event logs on other computers on your
network. To connect to another computer from the console tree,
right-click Event Viewer (Local) and click Connect to Another Computer.
Select Another Computer, enter the name of the computer or browse to it,
and click OK. To read event logs on a remote computer you must be a
member of the Administrators group or of the built-in Event Log Readers
group on that computer. If you are not logged on with adequate
permissions, select the Connect as Another User check box and supply
the credentials of an account that has them. The remote computer's
firewall must also allow the Remote Event Log Management rule group;
otherwise the connection fails with an RPC error.
Archiving Events
Occasionally, you might need
to archive an event log. Archiving a log copies the contents of the log
to a file. Archiving is useful in creating benchmark records for the
baseline of a server or for storing a copy of the log so it can be
viewed or accessed elsewhere. When an event log is archived, it is saved
in one of four forms:
Comma-delimited text file (.csv)— This format allows the information to be used in a program such as Microsoft Excel.
Text-file format (.txt)— Information in this format can be used in a program such as a word processing program.
Log file (.evtx)—
This format allows the archived log to be reopened in the Windows
Server 2008 R2 or Windows 7 Event Viewer, with filtering and the event
details intact. Each event is stored as XML in the binary .evtx
container, which Event Viewer on versions before Windows Vista and
Windows Server 2008 cannot open.
XML (.xml)— This format saves the event log in raw XML. XML is used throughout Event Viewer for filters, tasks, and logging.
Event descriptions are
rendered from the message files of each event's source, so when you save
a log in .evtx form Event Viewer asks whether to include display
information; answer yes if the archive will be opened on a computer that
lacks the same sources, or the descriptions there will show only the raw
event data. To archive, right-click the log to be archived and click
Save Events As. In the File Name field of the resulting dialog box, type
in a name for the archived log file, choose a file type from the file
format options of .csv, .txt, .evtx, or .xml, and then click Save.
Note
You must be a member of the Backup Operators group at the minimum to archive an event log.
Logs archived in the new log-file format (.evtx)
can be reopened using the Windows Server 2008 R2 Event Viewer utility.
Logs saved in log-file format retain the XML data for each event
recorded. Archived logs are saved, by default, on the server where the
Event Viewer utility is being run. Data can, however, be archived to a
remote server by simply providing a UNC path (such as
\\servername\share\) when entering a filename.
Logs archived in comma-delimited (.csv) or text (.txt)
format can be reopened in other programs such as Microsoft Word or
Excel. These two formats do not retain the XML data or formatting.
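The saving, remote viewing, and archiving tasks described in this and the two preceding sections, as PowerShell and wevtutil commands. This is an added example, not code from the original text. It assumes a Windows Server 2008 R2 host with PowerShell 2.0; the server name FILE01, the share \\LOG01\Archive, the local folder C:\Archive, and the account CONTOSO\logadmin are placeholders.

```powershell
# Added example (not from the original text). Assumes Windows Server 2008 R2
# and PowerShell 2.0. FILE01, \\LOG01\Archive, C:\Archive and CONTOSO\logadmin
# are placeholders.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# Whole Security log as .evtx: every event keeps its XML and the file reopens
# in Event Viewer (Open Saved Log) or with Get-WinEvent -Path.
wevtutil epl Security "C:\Archive\Security-$stamp.evtx"

# Only the events a filter would have picked out. The /q: value is the same
# XPath the Filter dialog's XML tab shows, here successful and failed logons.
wevtutil epl Security "C:\Archive\Logons-$stamp.evtx" `
  /q:"*[System[(EventID=4624 or EventID=4625)]]"

# Embed display information (message strings) in the archive so it stays
# readable on a computer without the same event sources; this is what the
# prompt after Save Events As is asking.
wevtutil al "C:\Archive\Logons-$stamp.evtx" /l:en-US

# Reading a remote server without exporting: Connect to Another Computer is
# Get-WinEvent -ComputerName, and -Credential is the Connect as Another User
# check box. Run this on FILE01 first if the RPC connection is refused:
#   netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
$cred = Get-Credential 'CONTOSO\logadmin'
Get-WinEvent -ComputerName FILE01 -Credential $cred `
  -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
  Select-Object MachineName, TimeCreated, Id, LevelDisplayName, ProviderName, Message |
  Export-Csv "\\LOG01\Archive\FILE01-FailedLogons-$stamp.csv" -NoTypeInformation
# The CSV keeps the rendered description, which Excel can read, but not the
# per-field XML; keep the .evtx export if the events may need deeper analysis.

# Reopening an archive: the same XPath filtering works on a saved file.
Get-WinEvent -Path "C:\Archive\Logons-$stamp.evtx" `
  -FilterXPath "*[System[EventID=4625]]" |
  Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

The timestamp in each filename is there so a scheduled export never overwrites the previous one; an archive that can be silently replaced is an archive an intruder can silently replace.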
Customizing the Event Log
The
properties of an event log can be configured. In Event Viewer, the
properties of a log are defined by general characteristics: log path,
current size, date created, when last modified or accessed, maximum
size, and what should be done when the maximum log size is reached.
To customize the event log,
access the properties of the particular log by highlighting the log and
selecting Action and then Properties. Alternatively, you can right-click
the log and select Properties to display the General tab of the log’s
property page, as shown in Figure 3.
The Log Size section specifies
the maximum size of the log and the subsequent actions to take when the
maximum log size limit is reached. The three options are as follows:
Overwrite Events as Needed (Oldest Events First)
Archive the Log When Full, Do Not Overwrite Events
Do Not Overwrite Events (Clear Logs Manually)
If you select the Do Not
Overwrite Events option, Windows Server 2008 R2 stops logging events
when the log is full. Although Windows Server 2008 R2 logs an event when
the log is full, you need to monitor the log and clear it manually so
new events can be tracked and stored in the log file again. For the
Security log, this option is the one to pair with the policy Audit: Shut
down system immediately if unable to log security audits, which halts
the server rather than lose audit records; enable that policy only if
you have decided an outage is preferable to a gap in the audit trail.
In addition, log file sizes
must be specified in multiples of 64KB. If a value is not in multiples
of 64KB, Event Viewer automatically sets the log file size to a multiple
of 64KB.
When you need to clear the event log, click the Clear Log button in the lower right of the property page.
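The General tab settings above, set and checked from the command line. This is an added example, not code from the original text. It assumes an elevated PowerShell 2.0 session on Windows Server 2008 R2 (changing log configuration requires administrative rights); the folder C:\Archive is a placeholder.

```powershell
# Added example (not from the original text). Assumes an elevated PowerShell
# 2.0 session on Windows Server 2008 R2; C:\Archive is a placeholder.

# Show what the General tab displays: path, size, retention, autobackup.
wevtutil gl Security

# The three Log Size options map to two settings, retention and autobackup:
#   Overwrite Events as Needed (Oldest Events First)    /rt:false /ab:false
#   Archive the Log When Full, Do Not Overwrite Events  /rt:true  /ab:true
#   Do Not Overwrite Events (Clear Logs Manually)       /rt:true  /ab:false
# With autobackup, a full log is written to the log's own folder as
# Archive-Security-<timestamp>.evtx and a fresh log is started.
# Maximum size (/ms) is in bytes and must be a multiple of 64 KB; 1 GB is.
wevtutil sl Security /ms:1073741824 /rt:true /ab:true

# The classic-log cmdlet does the same for the three legacy logs;
# OverflowAction is OverwriteAsNeeded, OverwriteOlder or DoNotOverwrite.
Limit-EventLog -LogName Application -MaximumSize 256MB -OverflowAction OverwriteAsNeeded

# Scripted sizes should be aligned to 64 KB explicitly rather than letting
# the service round them, so what you asked for is what gets audited.
function Get-RoundedLogSize {
  param([int64]$Bytes)
  [int64]([math]::Ceiling($Bytes / 65536) * 65536)
}
$want = Get-RoundedLogSize 20000000     # 20,000,000 -> 20,054,016 (306 * 65536)
wevtutil sl Application /ms:$want

# Clearing: take a backup in the same step, because clearing the Security
# log is itself recorded as event 1102 and is the first thing an
# intruder does to cover tracks. The /bu: copy keeps the pre-clear record.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
wevtutil cl Security /bu:"C:\Archive\Security-before-clear-$stamp.evtx"
```

Event 1102 (the audit log was cleared) names the account that cleared the log; a detection rule on that event ID is cheap and catches the manual-clear step whether it was done through this command or the Clear Log button.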
Understanding the Security Log
Effectively logging an
accurate and wide range of security events in Event Viewer requires an
understanding of auditing in Windows Server 2008 R2. Only a small default
set of events (such as successful logons and account management) is
audited out of the box; everything else, including object access and
most failures, must be enabled explicitly. You can enable auditing in
the local security policy of a member server, in the Default Domain
Controllers Policy for domain controllers, and in an Active Directory
(AD) Group Policy Object (GPO) for a whole domain. Windows Server 2008 R2
adds Advanced Audit Policy Configuration, which selects auditing by
subcategory rather than by the nine legacy categories, and the
auditpol.exe tool, which sets the same subcategories locally; when both
legacy and advanced settings are in use, the policy Audit: Force audit
policy subcategory settings to override audit policy category settings
decides which wins. Through auditing, you can track Windows Server 2008
R2 security events. It is possible to request that an audit entry be
written to the security event log whenever certain actions are carried
out or an object such as a file, a printer, or an AD object is accessed;
for object access, the object itself must also carry a system access
control list (SACL) naming who and what to audit. The audit entry shows
the action carried out, the user responsible for the action, and the
date and time of the action.
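Enabling the auditing the paragraph above describes and confirming that entries arrive in the Security log. This is an added example, not code from the original text. It assumes an elevated PowerShell 2.0 session on a Windows Server 2008 R2 member server; the file C:\Finance\payroll.xlsx is a placeholder. On a domain-joined server, settings made with auditpol are replaced at the next policy refresh by whatever the applied GPO specifies, so the same subcategories belong in Group Policy for anything permanent.

```powershell
# Added example (not from the original text). Assumes an elevated PowerShell
# 2.0 session on Windows Server 2008 R2; C:\Finance\payroll.xlsx is a
# placeholder. A GPO that sets audit policy overrides these local settings.

# What is audited right now, by subcategory. On a fresh server most
# subcategories report "No Auditing".
auditpol /get /category:*

# Enable the subcategories that give the Security log its most useful
# entries: logon results, lockouts, and file-system access.
auditpol /set /subcategory:"Logon"           /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"File System"     /success:enable /failure:enable

# Object access still logs nothing until the object has a SACL. Audit
# successful and failed read and delete attempts on one file by anyone.
# Get-Acl -Audit and Set-Acl with audit rules need the Manage auditing and
# security log right, which administrators hold.
$path = 'C:\Finance\payroll.xlsx'
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
          'Everyone',
          [System.Security.AccessControl.FileSystemRights]'Read, Delete',
          [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm the entries arrive: 4663 (an attempt was made to access an
# object) and 4625 (failed logon), each carrying the action, the account
# responsible, and the timestamp that the text describes.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4625 } `
  -MaxEvents 20 -ErrorAction SilentlyContinue |
  Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Keep SACLs narrow: auditing Read on a busy share by Everyone fills the log with 4663 entries and pushes the log-size decision from the previous section to the front, while a SACL on the handful of files that matter costs almost nothing.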