Section 10.3: Using Event Viewer

You can use Event Viewer to perform a number of tasks, including viewing the audit records that are generated as a result of the audit policy you set. You can also use Event Viewer to open saved log files and to find specific events within a log. Every Windows Server 2003 computer has three logs available to view; servers that hold additional roles add more, for example the Directory Service and File Replication Service logs on a domain controller and the DNS Server log on a DNS server:

• The Application Log, which contains errors, warnings, or information that programs, such as a database program or an e-mail program, generate. The program developer presets which events to record.

• The Security Log, which contains information about the success or failure of audited events. The events that Windows Server 2003 records are a result of your audit policy.

• The System Log, which contains errors, warnings, and information that Windows Server 2003 generates. Windows Server 2003 presets which events to record.

10.3.1: Viewing Security Logs

Windows Server 2003 records information about events that are monitored by an audit policy, such as failed and successful logon attempts, in the security log. To view the security log, do the following:

• Click on the START button

• Point to ALL PROGRAMS

• Click on ADMINISTRATIVE TOOLS

• Click on EVENT VIEWER

• Select the Security log in the console tree

In the details pane, Event Viewer displays a list of log entries and summary information for each item. Successful audited events appear with a key icon and unsuccessful (failed) audited events appear with a lock icon. Other important information that is recorded for each entry includes the date and time that the event occurred, the category of the event, the event ID, and the user account under which the event was generated.

Note: Windows Server 2003 records events in the security log of the computer at which the event occurred. You can view those events from another computer if your account holds the Manage auditing and security log user right on the computer where they occurred (members of the local Administrators group hold it by default). To view the security log on a remote computer, either right-click Event Viewer (Local) in the console tree and choose Connect to another computer, or start the MMC, create a custom console and point the Event Viewer snap-in at the remote computer when you add the snap-in to the console.

10.3.2: Locating Events

By default, Event Viewer displays every event recorded in the selected log. You can restrict the events that are displayed by using the Filter command on the View menu, and you can move to specific events by using the Find command on the same menu. Both commands offer the options listed in Table 10.1.

Table 10.1: Options for Filtering and Finding Events

Option            Description
From and To       The date range for which to view events (Filter tab only).
Event Types       The types of events to view (Information, Warning, Error, Success Audit, Failure Audit).
Event Source      The software or component driver that logged the event.
Category          The type of event, such as a logon or logoff attempt or a system event.
Event ID          The number that identifies the event. This number helps product support representatives track events.
Computer          A computer name.
User              A user logon name.
Description       The text that is in the description of the event (Find dialog box only).
Search Direction  The direction (up or down) in which to search the log (Find dialog box only).

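
Once a log has been saved with Save Log File As (tab-delimited text), the same filter and find criteria can be applied in code to any number of archived exports. The script below is an added example and is not part of the original course material or of Event Viewer itself; the sample export, its column names and its account names are constructed for illustration, and the parser keys on the header row so a different column order still works. The event IDs used (528 successful logon, 529 logon failure, 592 process creation, 517 audit log cleared) are the Windows Server 2003 Security log IDs.

```python
"""Apply the Filter / Find options of Table 10.1 to an exported Security log.

Added example: the export below is constructed, and the column names are an
assumption about Event Viewer's tab-delimited "Save Log File As" format.
"""
import csv
import io
import re
from datetime import datetime

SAMPLE_EXPORT = """\
Date\tTime\tType\tUser\tComputer\tSource\tCategory\tEvent\tDescription
3/14/2005\t8:02:11 AM\tSuccess Audit\tCORP\\alice\tSRV01\tSecurity\tLogon/Logoff\t528\tSuccessful Logon: User Name: alice Domain: CORP Logon Type: 2
3/14/2005\t8:05:40 AM\tFailure Audit\tNT AUTHORITY\\SYSTEM\tSRV01\tSecurity\tLogon/Logoff\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP
3/14/2005\t8:05:42 AM\tFailure Audit\tNT AUTHORITY\\SYSTEM\tSRV01\tSecurity\tLogon/Logoff\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP
3/14/2005\t8:05:44 AM\tFailure Audit\tNT AUTHORITY\\SYSTEM\tSRV01\tSecurity\tLogon/Logoff\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP
3/14/2005\t8:06:01 AM\tSuccess Audit\tCORP\\alice\tSRV01\tSecurity\tDetailed Tracking\t592\tA new process has been created: Image File Name: C:\\WINDOWS\\system32\\cmd.exe
3/15/2005\t1:30:00 AM\tSuccess Audit\tCORP\\admin\tSRV01\tSecurity\tSystem Event\t517\tThe audit log was cleared
"""

# Pulls the attempted account name out of a logon event's description.
USER_RE = re.compile(r"User Name:\s*(\S+)")


def parse_export(text):
    """Read a tab-delimited export into dicts, adding a datetime 'when' field."""
    events = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"],
                                        "%m/%d/%Y %I:%M:%S %p")
        row["Event"] = int(row["Event"])
        events.append(row)
    return events


def _user_matches(logged, wanted):
    """Match the User column exactly or as the account part of DOMAIN\\account."""
    logged, wanted = logged.lower(), wanted.lower()
    return logged == wanted or logged.endswith("\\" + wanted)


def filter_events(events, start=None, end=None, types=None, source=None,
                  category=None, event_id=None, computer=None, user=None):
    """Every criterion supplied must match, as on the Filter tab (AND of fields).

    Note that failed logons are logged under SYSTEM, so filtering on the User
    column does not find them; the attempted account is only in Description.
    """
    out = []
    for e in events:
        if start is not None and e["when"] < start:
            continue
        if end is not None and e["when"] > end:
            continue
        if types is not None and e["Type"] not in types:
            continue
        if source is not None and e["Source"].lower() != source.lower():
            continue
        if category is not None and e["Category"].lower() != category.lower():
            continue
        if event_id is not None and e["Event"] != event_id:
            continue
        if computer is not None and e["Computer"].lower() != computer.lower():
            continue
        if user is not None and not _user_matches(e["User"], user):
            continue
        out.append(e)
    return out


def find_next(events, text, start=-1, direction="down"):
    """Like the Find dialog: index of the next event after position ``start``
    whose Description contains ``text`` (case-insensitive), searching up or
    down. Returns None when nothing further matches in that direction."""
    needle = text.lower()
    if direction == "down":
        candidates = range(start + 1, len(events))
    else:
        candidates = range(start - 1, -1, -1)
    for i in candidates:
        if needle in events[i]["Description"].lower():
            return i
    return None


def failed_logons_by_account(events):
    """Count 529 failure audits per attempted account (taken from Description)."""
    counts = {}
    for e in filter_events(events, types={"Failure Audit"}, event_id=529):
        m = USER_RE.search(e["Description"])
        name = m.group(1) if m else e["User"]
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print("failed logons per account:", failed_logons_by_account(evs))
    print("first 'bad password' hit at index", find_next(evs, "bad password"))
```

The account names on failed logons live in the description text rather than the User column, which is why a Find on "bad password" succeeds where a Filter on the user name returns nothing; the same limitation applies in the Event Viewer dialogs.
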
10.3.3: Managing Audit Logs

Archiving event logs and comparing logs from different periods lets you track trends on a Windows Server 2003 computer, for example to see how resources are used and to plan for growth. Windows Server 2003 also allows you to control the size of each log and to specify the action it takes when the log becomes full. These settings are configured in the properties of each individual log, or centrally through Group Policy (Computer Configuration, Windows Settings, Security Settings, Event Log). To configure the settings for a log:

• Click on the START button to display the Start Menu

• Point to ALL PROGRAMS

• Click on ADMINISTRATIVE TOOLS

• Click on EVENT VIEWER

• Right-click the log you want to configure

• Select Properties from the pop-up menu

• Set the maximum log size

• Set the action that should be taken when the log file becomes full

The maximum log size is set in multiples of 64 KB, from 64 KB up to 4,194,240 KB (4 GB). The default shown in the dialog depends on the Windows version and the server's role (Windows 2000 and Windows XP use 512 KB, Windows Server 2003 ships with larger defaults, and domain controllers get a larger Security log), so read the current value from the Properties dialog rather than assuming it.

The actions that you can specify for when a log file becomes full are:

• Overwrite Events As Needed. This setting requires no maintenance, but the oldest events are overwritten as the log fills, so you lose information if the log fills before you archive it.

• Overwrite Events Older Than [number] Days. This is the default setting. You must select the number of days for this option; the default is seven. Only events older than the chosen age are overwritten: if the log fills with events younger than that, the new events are discarded, not the old ones, so you could lose the most recent information if the log fills before you archive it.

• Do Not Overwrite Events (Clear Log Manually). With this option no existing security log entries are ever overwritten. It requires that you archive and then clear the log manually, and once the log is full new events are discarded until you do. By default Windows Server 2003 keeps running when the log fills; it halts only if the option described in the note below is enabled.

Note: If you need a guarantee that no security event goes unrecorded, combine Do Not Overwrite Events (Clear Log Manually) with the security option Audit: Shut down system immediately if unable to log security audits (Local Security Policy, Security Options; it sets the CrashOnAuditFail value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). With that option enabled, Windows Server 2003 halts with STOP 0xC0000244 when it cannot write an audit record, so the server only operates while auditing occurs. After such a halt only members of the Administrators group can log on; archive and clear the security log and reset CrashOnAuditFail before returning the server to service. Be aware that anyone who can flood the security log can use this option to force a denial of service, so size the log generously and archive it on a schedule.
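
The three overflow actions lose different events, and the difference is easy to get wrong: "overwrite events older than N days" discards the newest events, not the oldest, when the log fills faster than N days. The following script is an added illustration of the behaviour described above, not the event log service's own code; it counts capacity in events rather than kilobytes, and its crash_on_audit_fail flag models the Audit: Shut down system immediately if unable to log security audits option. All timestamps and event names are constructed.

```python
"""Model the three "when the log is full" actions on a fixed-size audit log.

Added illustration of the documented behaviour, not Windows code.  Capacity is
counted in events, and crash_on_audit_fail stands in for the CrashOnAuditFail
security option.
"""
from datetime import datetime, timedelta

OVERWRITE_AS_NEEDED = "overwrite as needed"
OVERWRITE_OLDER_THAN = "overwrite older than N days"
DO_NOT_OVERWRITE = "do not overwrite"


class AuditLog:
    def __init__(self, capacity, action, retention_days=7, crash_on_audit_fail=False):
        self.capacity = capacity
        self.action = action
        self.retention = timedelta(days=retention_days)
        self.crash_on_audit_fail = crash_on_audit_fail
        self.records = []   # (timestamp, text), oldest first
        self.dropped = []   # events that never made it into the log
        self.halted = False  # True once the "shut down if unable to log" rule fires

    def write(self, when, text):
        """Record one event; returns True if it was stored, False if lost."""
        if self.halted:
            self.dropped.append((when, text))
            return False
        if len(self.records) >= self.capacity:
            oldest_age = when - self.records[0][0]
            if self.action == OVERWRITE_AS_NEEDED:
                self.records.pop(0)                     # oldest event is lost
            elif self.action == OVERWRITE_OLDER_THAN and oldest_age > self.retention:
                self.records.pop(0)                     # oldest is old enough to go
            else:
                # DO_NOT_OVERWRITE, or OVERWRITE_OLDER_THAN with nothing old enough:
                # the *new* event is discarded, and the system halts only when the
                # crash-on-audit-fail option is set.
                self.dropped.append((when, text))
                if self.crash_on_audit_fail:
                    self.halted = True
                return False
        self.records.append((when, text))
        return True


def burst(action, crash_on_audit_fail=False):
    """Five events within an hour against a log that holds three (7-day
    retention).  Returns what survived, what was discarded, and whether the
    modelled system halted."""
    log = AuditLog(3, action, retention_days=7, crash_on_audit_fail=crash_on_audit_fail)
    t0 = datetime(2005, 3, 14, 8, 0)
    for i in range(1, 6):
        log.write(t0 + timedelta(minutes=10 * i), "event%d" % i)
    return {"kept": [t for _, t in log.records],
            "dropped": [t for _, t in log.dropped],
            "halted": log.halted}


def slow_trickle(days_apart, retention_days=3):
    """Four events ``days_apart`` days apart under 'overwrite older than'.
    The fourth event only displaces the first if the first is older than the
    retention window when it arrives."""
    log = AuditLog(3, OVERWRITE_OLDER_THAN, retention_days=retention_days)
    t0 = datetime(2005, 3, 1)
    for i in range(4):
        log.write(t0 + timedelta(days=days_apart * i), "event%d" % (i + 1))
    return [t for _, t in log.records]


if __name__ == "__main__":
    for action in (OVERWRITE_AS_NEEDED, OVERWRITE_OLDER_THAN, DO_NOT_OVERWRITE):
        print("%-28s %s" % (action, burst(action)))
    print("%-28s %s" % ("do not overwrite + crash", burst(DO_NOT_OVERWRITE, True)))
```

Run it and compare the "kept" lists: only Overwrite Events As Needed retains the events from the end of the burst, which is usually what an investigator needs; the other two keep the start of the burst and silently drop what follows unless the halt option is set, in which case the box stops instead.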