Use The Event Viewer
Understanding Event Viewer
Careful monitoring of the event logs shown in the Event Viewer of Windows 2000 and
Windows XP can help you predict and identify the source of system problems. The Event
Log service starts automatically when you start Windows 2000 or Windows XP. Three
types of logs are recorded: Application, System and Security logs.
Using the event logs in Event Viewer, you can gather information about hardware,
software, and system problems. You can also monitor Windows XP security events.
A computer running any version of Windows XP records events in three kinds of logs:
Application log
The application log contains events logged by applications or programs. For example, a
database program might record a file error in the application log. Program developers
decide which events to monitor.
Security log
The security log records events such as valid and invalid logon attempts, as well as events
related to resource use such as creating, opening, or deleting files or other objects. An
administrator can specify what events are recorded in the security log. For example, if
you have enabled logon auditing, attempts to log on to the system are recorded in the
security log.
System log
The system log contains events logged by Windows XP system components. For
example, the failure of a driver or other system component to load during startup is
recorded in the system log. The event types logged by system components are
predetermined by Windows XP.
A computer running Windows configured as a domain controller records events in two
additional logs:
Directory service log
The directory service log contains events logged by the Windows directory service. For
example, connection problems between the server and the global catalog are recorded in
the directory service log.
File Replication service log
The File Replication service log contains events logged by the Windows File Replication
service. For example, file replication failures and events that occur while domain
controllers are being updated with information about sysvol changes are recorded in the
file replication log.
A computer running Windows configured as a Domain Name System (DNS) server
records events in an additional log:
DNS server log
The DNS server log contains events logged by the Windows DNS service. Events
associated with resolving DNS names to Internet Protocol (IP) addresses are recorded in
this log.
The format and contents of the event description vary, depending on the event type. The
description is often the most useful piece of information, indicating what happened or
the significance of the event.
Event Viewer displays these types of events:
Error
A significant problem, such as loss of data or loss of functionality. For example, if a
service fails to load during startup, an Error event will be logged.
Warning
An event that is not necessarily significant, but may indicate a possible future problem.
For example, when disk space is low, a Warning event will be logged.
Information
An event that describes the successful operation of an application, driver, or service. For
example, when a network driver loads successfully, an Information event will be logged.
Success Audit
An audited security access attempt that succeeds. For example, a user's successful attempt
to log on to the system will be logged as a Success Audit event.
Failure Audit
An audited security access attempt that fails. For example, if a user tries to access a
network drive and fails, the attempt will be logged as a Failure Audit event.
The Event Log service starts automatically when you start Windows. All users can view
application and system logs. Only administrators can gain access to security logs.
By default, security logging is turned off. You can use Group Policy to enable security
logging. The administrator can also set auditing policies in the registry that cause the
system to halt when the security log is full.
Procedure
1. Searching for Specific Types of Events
Using the Windows interface
1. Open Event Viewer.
2. In the console tree, click the log you want to search.
3. On the View menu, click Find.
4. Under Types, click the types of events you want to find.
5. In Event source, Category, Event ID, User, Computer, or Description, specify
additional information about the event or events you want to find.
6. Click Find Next.
Notes
To open Event Viewer, click Start, click Control Panel, click Performance and
Maintenance, click Administrative Tools, and then double-click Event Viewer.
In Description, you can type any text that matches a portion of an event record
description. For more information about the other fields, right-click the name of
the field, and then click What's This.
To restore the default search criteria, click Restore Defaults before clicking Find
Next.
Your search parameters remain in Find throughout the current session. The
default settings are restored the next time you start Event Viewer.
If you are looking for groups of events instead of a small number of individual
events, you can also filter the log. For more information, see Related Topics.
Using a command line
1. Open Command Prompt.
2. Type:
eventquery[.vbs] [-?] [-s Computer [-u Domain\User [-p Password]]] [-fi FilterName] [-fo {TABLE|LIST|CSV}] [-r EventRange [-nh] [-v] [-l {APPLICATION|SYSTEM|SECURITY|"DNS Server"|LOG|DirectoryLogName|*}]]
Value                   Description
-?                      Displays Help on Eventquery.vbs.
-s Computer             Specifies the name of one or more remote computers. The default is the local computer.
-u Domain\User          This is used when a password is required.
-p Password             This is used when required by network security policy.
-fi FilterName          Specifies the types of events to include in or exclude from the query.
-fo {TABLE|LIST|CSV}    The format to use for the output.
-r EventRange           The range of events to list.
-nh                     Suppresses column headers in the output of table and .csv formats.
-v                      Specifies that verbose task information be displayed in the output.
-l {APPLICATION|SYSTEM|SECURITY|"DNS Server"|LOG|DirectoryLogName|*}
                        Specifies the logs to monitor.
Notes
To open a command prompt, click Start, point to All Programs, point to
Accessories, and then click Command Prompt.
To view the complete syntax for this command, at a command prompt, type:
eventquery.vbs -?
The following are valid for use with the -fi FilterName value:
FilterName   Valid operators           Valid values
Datetime     eq, ne, ge, le, gt, lt    mm/dd/yy(yyyy), hh:mm:ssAM(/PM)
Type         eq, ne                    ERROR|INFORMATION|WARNING|SUCCESSAUDIT|FAILUREAUDIT
ID           eq, ne, ge, le, gt, lt    non-negative integer
User         eq, ne                    Any valid string
Computer     eq, ne                    Any valid string
Source       eq, ne                    Any valid string
Category     eq, ne                    Any valid string
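The command-line procedure above and the -fi filter table can be exercised offline. The following is an added example (not part of the handout, and not a Microsoft tool): it composes an eventquery.vbs command line, enforcing the operator rules from the filter table, and then counts Failure Audit rows per user in CSV output. The CSV column order, the sample rows and the function names are assumptions made for this example.

```python
"""Added example, not from the handout: compose an eventquery.vbs filter query
and summarise FAILUREAUDIT rows in its CSV output. The CSV column layout is an
assumption used for the constructed sample, not documented on the page."""
import csv
import io
from collections import Counter

# Operators the handout's filter table allows for each FilterName.
FILTER_OPERATORS = {
    "Datetime": {"eq", "ne", "ge", "le", "gt", "lt"},
    "Type": {"eq", "ne"},
    "ID": {"eq", "ne", "ge", "le", "gt", "lt"},
    "User": {"eq", "ne"},
    "Computer": {"eq", "ne"},
    "Source": {"eq", "ne"},
    "Category": {"eq", "ne"},
}

# Assumed column order for "-fo CSV -nh" output (sample data only).
COLUMNS = ["Type", "Event", "DateTime", "Source", "Computer",
           "Category", "User", "Description"]


def build_command(log, filters, fmt="CSV", no_header=True):
    """Return the eventquery.vbs command line for (name, op, value) filters,
    rejecting an operator the table does not allow for that FilterName."""
    parts = ["eventquery.vbs", "-l", log, "-fo", fmt]
    if no_header:
        parts.append("-nh")
    for name, op, value in filters:
        if op not in FILTER_OPERATORS.get(name, ()):
            raise ValueError(f"operator {op!r} is not valid for {name!r}")
        parts += ["-fi", f'"{name} {op} {value}"']
    return " ".join(parts)


def failure_audits_by_user(csv_text, threshold=3):
    """Count FAILUREAUDIT rows per User; return users at or above threshold."""
    rows = csv.DictReader(io.StringIO(csv_text), fieldnames=COLUMNS)
    counts = Counter(r["User"] for r in rows if r["Type"] == "FAILUREAUDIT")
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample rows standing in for real eventquery.vbs CSV output.
SAMPLE_CSV = """\
"FAILUREAUDIT","529","10/14/2004 09:01:12 AM","Security","WS1","Logon/Logoff","alice","Logon Failure"
"FAILUREAUDIT","529","10/14/2004 09:01:15 AM","Security","WS1","Logon/Logoff","alice","Logon Failure"
"FAILUREAUDIT","529","10/14/2004 09:01:19 AM","Security","WS1","Logon/Logoff","alice","Logon Failure"
"SUCCESSAUDIT","528","10/14/2004 09:02:40 AM","Security","WS1","Logon/Logoff","bob","Successful Logon"
"FAILUREAUDIT","560","10/14/2004 09:03:02 AM","Security","WS1","Object Access","bob","Object Open"
"""
```

Run the command that build_command returns at a command prompt, redirect its output to a file, and pass the file contents to failure_audits_by_user to get a per-user summary instead of reading rows one by one.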
2. Filtering Events in an Event Log
To filter events in an event log
Using the Windows interface
1. Open Event Viewer.
2. In the console tree, select the log you want to filter.
3. On the View menu, click Filter.
4. On the Filter tab, specify the characteristics you want.
Notes
To open Event Viewer, click Start, click Control Panel, click Performance and
Maintenance, click Administrative Tools, and then double-click Event Viewer.
To return to the default criteria, click Restore Defaults.
To turn off event filtering, on the View menu, click All Records.
To specify a sort order in an event log
1. Open Event Viewer.
2. In the console tree, click the log you want to sort.
3. Click the column heading you want to sort by.
Notes
To open Event Viewer, click Start, click Control Panel, click Performance and
Maintenance, click Administrative Tools, and then double-click Event Viewer.
To reverse the sort order, click the column heading a second time.
To sort chronologically, on the View menu, click Newest First or Oldest First.
The default is Newest First.
When a log is archived, the sort order is not saved.
To view more details about an event
1. Open Event Viewer.
2. In the console tree, click the log you want.
3. In the details pane, click the event you want.
4. On the Action menu, click Properties.
Notes
To open Event Viewer, click Start, click Control Panel, click Performance and
Maintenance, click Administrative Tools, and then double-click Event Viewer.
To view binary data as characters, in the Data box, click Bytes. To view binary
data as DWORDS, click Words.
To view details about the previous or next event, click the up or down arrow. To
copy the details of an event, click Copy.
Not all events generate binary data. Binary data can be interpreted by an
experienced programmer or a support technician familiar with the source
application.
To retain the event description in binary data form, archive logs in the log file
format (.evt). Saving logs in text format (.txt) or comma-delimited text format
(.csv) discards the binary data.
To refresh an event log
1. Open Event Viewer.
2. In the console tree, click the log you want to refresh.
3. On the Action menu, click Refresh.
Notes
To open Event Viewer, click Start, click Control Panel, click Performance and
Maintenance, click Administrative Tools, and then double-click Event Viewer.
You must be logged on as an administrator or as a member of the Administrators
group to refresh the security log.
The Refresh command is not available for archived logs, because those files can
no longer be updated.
When you open a log, Event Viewer displays the current information for the log.
While you view the log, the information is not updated unless you refresh it. If
you switch to another log and then return to the first log, the first log is
automatically refreshed.