Chapter 8. Event Logs


Event logs provide a standard way for the operating system, services, and applications to record important actions (e.g., application failure), report status messages, keep track of security events, and log boot-up messages. In this way, event logs are similar to syslog on the Unix and Linux platforms. They can be an extremely useful resource when you need to troubleshoot specific issues and are often the first places I look when trying to diagnose a problem. As a proactive measure, scan the event logs on your servers frequently to identify any problems that are logged but may not have resulted in a failure caught by your monitoring software.
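Before turning to the graphical tools, here is how the proactive scan recommended above can be scripted with Get-WinEvent across several servers; this is an added example, not the book's own code, and the server names, 24-hour window and choice of logs are assumptions.

```powershell
# Added example, not from the Windows Server Cookbook: a proactive sweep of the
# System, Application and Security logs on several servers, summarising
# Critical/Error entries and audit failures from the last 24 hours by server,
# log, provider and event ID. Assumptions: the hostnames are placeholders, the
# caller has read access to the remote logs, and RPC to the servers is open.

$servers = @('SRV01', 'SRV02')            # placeholder hostnames
$since   = (Get-Date).AddHours(-24)

# Level 1 = Critical, 2 = Error. Security events carry no level, so audit
# failures are selected via the Audit Failure keyword (0x10000000000000).
$filters = @(
    @{ LogName = 'System';      Level = @(1, 2);             StartTime = $since }
    @{ LogName = 'Application'; Level = @(1, 2);             StartTime = $since }
    @{ LogName = 'Security';    Keywords = 0x10000000000000; StartTime = $since }
)

$findings = foreach ($server in $servers) {
    foreach ($filter in $filters) {
        try {
            Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Server   = $server
                        Log      = $filter.LogName
                        Provider = $_.ProviderName
                        EventId  = $_.Id
                        Time     = $_.TimeCreated
                        Message  = ($_.Message -split "`n")[0]   # first line only
                    }
                }
        } catch {
            # An empty result is reported as an error; anything else is a real
            # collection problem (RPC blocked, access denied) worth surfacing.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$server/$($filter.LogName): $($_.Exception.Message)"
            }
        }
    }
}

# Repeated (server, log, provider, ID) tuples surface recurring faults that have
# not yet tripped monitoring; the latest timestamp shows whether they are ongoing.
$findings |
    Group-Object Server, Log, Provider, EventId |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Format-Table -AutoSize
```

Run it from an account with event log read rights on each server; remote collection uses the same RPC path Event Viewer does, so a server that is slow in the GUI will be slow here too.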

Using a Graphical User Interface

There are two graphical tools that you should be familiar with for querying and viewing event log messages. Event Viewer (eventvwr.msc) has been around since the days of Windows NT and is provided out of the box under Administrative Tools. It is a simple MMC snap-in that lets you view and filter messages in the available event logs. You can also view the event logs on a remote server with it, but depending on the log size on the remote server and your network connection, this can be a painfully slow process.

As part of the Windows Server 2003 Resource Kit, Microsoft made the Event Comb utility (eventcombmt.exe) publicly available. Event Comb is a powerful utility that lets you search the event logs across multiple servers at once. With it, you can restrict your search by event ...
