Windows Server 2008 R2 Unleashed (267 page)

lems quickly and efficiently.

The filter was first introduced with Windows Server 2008. The new Administrative Events

filter groups all events associated with the system from an administrative perspective. By

33

drilling down to the Administrative Events filter, an administrator can quickly decipher

issues associated with all administrative events.

Creating a New Custom View

To create a new custom view, in Event Viewer, right-click on the Custom View folder and

select Create Custom View. Alternatively, select Custom View from the Action menu. This

results in the Custom View Properties box, as illustrated in Figure 33.4.

First, decide whether you want to filter events based on date; if so, specify the date range

by using the Logged drop-down list. Options include Any Time, Custom Range, and

specific time intervals. The next step is to specify the Event Level criteria to include in the

ptg

custom view. Options include Critical, Error, Warning, Information, and Verbose. After the

Event Level settings are specified, the next area to focus on is the By Log and By Source

sections. By leveraging the drop-down lists, specify the event log and event log sources to

be included in this custom filter. To further refine the custom filter, enter specific event

IDs, task categories, keywords, users, computers, and then click OK and save the filter by

providing it a name, description, and the location of where to save the view.

TIP

Performance and memory consumption might be negatively affected if you have includ-

ed too many events in the custom view.

After the custom view is defined, it can be exported as an XML file, which can then be

imported into other systems. Filters can also be written or modified directly in XML but

keep in mind, after a filter has been modified using the XML tab, it can no longer be

edited using the GUI described previously.

The Windows Logs Folder

The Windows Logs folder contains the traditional application, security, and system logs.

Windows Server 2008 R2 also includes two out-of-the-box logs, which can also be found

under the Windows Logs folder—the Setup and Forwarded Events logs. The following is a

brief description of the different types of Windows logs that are available:

.
Application log—
This log contains events based on applications or programs resid-

ing on the system.

1354

CHAPTER 33

Logging and Debugging

.
Security log—
Depending on the auditing settings configured, the security log

captures events specific to authentication and object access.

.
Setup log—
This log captures information tailored toward installation of applica-

tions, server roles, and features.

.
System log—
Events associated with Windows system components are logged to the

system log. This might include driver errors or other components failing to load.

.
Forwarded Events log—
Because computers can experience the same issues, this

feature consolidates and stores events captured from remote computers into a single

log to facilitate problem isolation, identification, and remediation.

The Applications and Services Logs Folder

The Applications and Services Logs folder introduces a new way to logically organize,

present, and store events based on a specific Windows application, component, or service

instead of capturing events that affect the whole system. An administrator can easily drill

into a specific item such as DFS Replication or DNS Server and easily review those events

without being bombarded or overwhelmed by all the other systemwide events.

These logs include four subtypes: Admin, Operational, Analytic, and Debug logs. The

events found in Admin logs are geared toward end users, administrators, and support

ptg

personnel. This log is very useful because it not only describes a problem, but also identi-

fies ways to deal with the issues. Operational logs are also a benefit to systems administra-

tors but they typically require more interpretation.

Analytic and Debug logs are more complex. Analytic logs trace an issue and often a high

number of events are captured. Debug logs are primarily used by developers to debug

applications. Both Analytic and Debug logs are hidden and disabled by default. To view

them, right-click Applications and Services Logs, and then select View, Show Analytic and

Debug Logs .

The Subscriptions Folder

The final folder in the Event Viewer console tree is called Subscriptions. Subscriptions is

another new feature included with the Windows Server 2008 R2 Event Viewer. It allows

remote computers to forward events; therefore, they can be viewed locally from a central

system. For example, if you are experiencing issues between two Windows Server 2008 R2

systems, diagnosing the problem becomes challenging as both systems typically log data

to their respective event logs. In this case, it is possible to create a subscription on one of

the servers to forward the event log data from the other server. Therefore, both system

event logs can be reviewed from a central system.

Configuring Event Subscriptions

Use the following steps to configure event subscriptions

between two systems.

First, each source computer must be prepared to send events to remote computers:

1. Log on to the source computer. Best practice is to log on with a domain account that

has administrative permissions on the source computer.

Using Event Viewer for Logging and Debugging

1355

2. From an elevated command prompt, run winrm quickconfig. Exit the command

prompt.

3. Add the collector computer to the local administrators group of the source computer.

4. Log on to the collector computer following the steps outlined previously for the

source system.

5. From an elevated command prompt, run wecutil qc.

6. If you intend to manage event delivery optimization options such as Minimize

Bandwidth or Minimize Latency, then also run winrm quickconfig on the collec-

tor computer.

33

After the collector and source computers are prepared, a subscription must be made identi-

fying the events that will be pulled from the source computers. To create a new subscrip-

tion, do the following:

1. On the collector computer, run Event Viewer with an account with administrative

permissions.

2. Click on the Subscriptions folder in the console tree and select Create Subscription

or right-click and select the same command from the context menu.

3. In the Subscription Name box, type a name for the subscription.

ptg

4. In the Description box, enter an optional description.

5. In the Destination Log box, select the log file where collected events will be stored.

By default, these events are stored in the forwarded events log in the Windows Logs

folder of the console tree.

6. Click Select Computers to select the source computers that will be forwarding

events. Add the appropriate domain computers, and click OK.

7. Click Select Events and configure the event logs and types to collect. Click OK.

8. Click OK to create the subscription.

Conducting Additional Event Viewer Management Tasks

Now that we understand the functionality of each of the new folders associated with the

newly improved Event Viewer included with Windows Server 2008 R2, it is beneficial to

review the upcoming sections for additional management tasks associated with Event

Viewer. These tasks include the following:

. Saving event logs

. Organizing data

. Viewing logs on remote servers

. Archiving events

. Customizing the event log

. Understanding the security log

1356

CHAPTER 33

Logging and Debugging

Saving Event Logs

Event logs can be saved and viewed at a later time. You can save an event log by either

right-clicking a specific log and choosing Save Events As or by picking individual events

from within a log, right-clicking on the selected events, and choosing Save Selected Items.

Entire logs and selected events can also be saved by selecting the same command from the

Actions pane. After being saved, these logs can be opened by right-clicking the appropriate

log and selecting Open Saved Log or by clicking on the same command in the Actions

pane. After a log has been opened, it will be displayed in a new top-level folder called

Saved Logs from within Event Viewer.

Organizing Data

Vast numbers of logs can be collected by Windows and displayed in the central pane of

Event Viewer. New tools or enhancement to old ones make finding useful information

much easier than in any other iteration of Event Viewer:

.
Sorting—
Events can be sorted in many ways, for example, by right-clicking the

folder or Custom View icon and then selecting View, Sort By, or by selecting the

column name on which to sort in the left pane or clicking the column to be sorted

or the heading. Sorting is a quick way to find items at a very high level (for example,

by time, source, or event ID). The new features for finding and sorting data are more

robust and well worth learning.

ptg

.
Selection and sorting of column headings—
Various columns can be added to or

removed from any of the event logs. The order in which columns are displayed from

left to right can be altered as well by selecting the column in the Select Column

dialog box and clicking the up or down arrow button.

.
Grouping—
A new way to view event log information is through the grouping func-

tion. By right-clicking on column headings, an administrator can opt to group the

event log being viewed by any of the columns in view. By isolating events, desired

and specific criteria trends can be spotted that can help in isolating issues and ulti-

mately resolving problems.

.
Filtering—
As mentioned earlier, filtering, like grouping, provides a means to isolate

and only display the data you want to see in Event Viewer. Filtering, however, gives

the administrator many more options for determining which data should be

displayed than grouping or sorting. Filters can be defined based on any or all of the

event levels, log or source, event ID(s), task category, keywords, or user or

computer(s). After being created, filters can be exported for use on other systems.

.
Tasks—
By attaching tasks to events, logs, or custom views, administrators can bring

some automation and notification into play when certain events occur. To create a

task, simply right-click on the custom view, built-in log, or specific event of your

choice, then right-click on Attach a Task to This Custom View, Log, or Event. The

Create a Basic Task Wizard then launches; on the first tab, simply select a name and

description for the task. Click Next to view the criteria that will trigger the task

action (this section cannot be edited and is populated based on the custom view,

log, or task selected when the wizard is initiated). Click Next and select Start a

Program, Send an E-mail or Display a Message as desired.

Using Event Viewer for Logging and Debugging

1357

Viewing Logs on Remote Servers

You can use Event Viewer to view event logs on other computers on your network. To

connect to another computer from the console tree, right-click Event Viewer (Local) and

click Connect to Another Computer. Select Another Computer and then enter the name of

the computer or browse to it and click OK. You must be logged on as an administrator or

be a member of the Administrators group to view event logs on a remote computer. If you

are not logged on with adequate permissions, you can select the Connect as Another User

check box and set the credentials of an account that has proper permissions to view the

logs on the remote computer.

33

Archiving Events

Occasionally, you might need to archive an event log. Archiving a log copies the contents

of the log to a file. Archiving is useful in creating benchmark records for the baseline of a

server or for storing a copy of the log so it can be viewed or accessed elsewhere. When an

event log is archived, it is saved in one of four forms:

.
Comma-delimited text file (.csv)—
This format allows the information to be used

in a program such as Microsoft Excel.

.
Text-file format (.txt)—
Information in this format can be used in a program such

as a word processing program.

ptg

.
Log file (.evtx)—
This format allows the archived log to be viewed again in the

Windows Server 2008 R2 or Windows 7 Event Viewer. Note that the new event log

format is XML, which earlier versions of Windows cannot read.

.
XML (.xml)—
This format saves the event log in raw XML. XML is used throughout

Event Viewer for filters, tasks, and logging.

The event description is saved in all archived logs. To archive, right-click the log to be

archived and click Save Log File As. In the File Name field of the resulting property page,

type in a name for the archived log file, choose a file type from the file format options of

.csv, .txt, .evtx, or .xml, and then click Save.

Other books

Series Craft 101 by Gilliam, Patricia
The Marriage Mistake by Jennifer Probst
An Ocean in Iowa by Peter Hedges
Mr. Monk in Outer Space by Goldberg, Lee
Walking Through Walls by Philip Smith
The Boy from Earth by Richard Scrimger