Event Viewer is a built-in MMC snap-in in the Windows operating system that records errors, warnings, informational messages and configuration changes. It lists events from services and applications as well as the operating system's own security events. These events help you pinpoint a system problem or the root cause of an ongoing error, and troubleshooting can be planned from what they show.
Event Viewer is a well-known tool in Windows, so it hardly needs an introduction, but most administrators do not get the full use out of it when it comes to troubleshooting. In this post I'm going to explain the features of Event Viewer and how to use it effectively to identify and troubleshoot an issue.
Ease of access
Event Viewer can be opened from Start – All Programs – Administrative Tools – Event Viewer, or simply by typing "eventvwr" (eventvwr.msc) in Run.
Event types
Event Viewer divides events into the following log files. The main ones, under Windows Logs, are Application, Security, Setup, System and Forwarded Events; everything else sits under Applications and Services Logs.
When the server is installed with specific roles, the events generated by each role are further split into their own logs. On a domain controller, for example, you will find Directory Service and DNS Server logs alongside the Windows Logs.
Event Viewer generates a bulk of events in a short period of time, so to troubleshoot an issue the related events need to be filtered out of the log file. There are a few options to segregate the events.
The Find option is useful when you are looking for an event using a keyword. It is the least complex option, but it only searches the text of the events one by one, so it is slow on a large log.
Event filtering is much broader than Find. Using filtering you can filter events by event level, Event ID, event source, keyword and computer name. If you know the event ID, you can use it to get all matching events and start the troubleshooting from the time the event was generated or from the event source. Select Filter Current Log from the Actions pane.
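As an added example (not part of the original post), here is the same Find and Filter Current Log work done from PowerShell with Get-WinEvent, which is handy on Server Core, over a remote session, or when the log is too large for the console to filter quickly. It assumes an elevated session and uses two built-in System log events: 6008 (source EventLog, the previous shutdown was unexpected) and 7000 (source Service Control Manager, a service failed to start). The keyword and time window are placeholders.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated PowerShell on Windows; IDs 6008 and 7000 are the
# built-in System log events named above.

# Equivalent of Filter Current Log: level Critical/Error, last 24 hours,
# specific event IDs. FilterHashtable is evaluated by the Event Log service
# itself, so it is far faster than piping every event through Where-Object.
$filter = @{
    LogName   = 'System'
    Level     = 1, 2               # 1 = Critical, 2 = Error
    Id        = 6008, 7000
    StartTime = (Get-Date).AddDays(-1)
    # ProviderName = 'Service Control Manager'   # add to filter by event source
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Equivalent of Find: keyword search in the rendered message text. This has
# to run client-side, so narrow the log and time window first.
$keyword = 'Netlogon'              # placeholder keyword
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($keyword) }

# Merge both result sets in time order so the sequence of events is visible.
@($events) + @($hits) |
    Sort-Object TimeCreated -Unique |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Get-WinEvent throws a terminating "No events were found" error when a filter matches nothing, which is why -ErrorAction SilentlyContinue is used; in a script you would test the result for $null instead of ignoring the error.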
When a specific event is generated, a task can be triggered to run. For example, an email can be sent when an unexpected server shutdown event is generated, or a message displayed when a service fails to start. Right-click the event and select Attach Task To This Event to create the task.
This is really easy to configure, and it can be useful in day-to-day operations.
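As an added example (not part of the original post), this is the PowerShell equivalent of Attach Task To This Event for the unexpected-shutdown case: a scheduled task whose trigger is the System log event 6008 from source EventLog, with an action that sends a mail. It assumes an elevated session; the SMTP relay, sender and recipient addresses are placeholders.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated session; the mail settings below are placeholders.
$smtp = 'smtp.example.internal'          # assumption: your internal relay
$from = "eventlog@$env:COMPUTERNAME.example.internal"
$to   = 'ops-team@example.internal'

# The same XPath the Event Viewer filter dialog produces for
# "Event ID 6008, source EventLog" (previous system shutdown was unexpected).
$subscription = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='EventLog'] and (EventID=6008)]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no "on an event" type, so the trigger is
# built from the Task Scheduler CIM class that Event Viewer itself uses.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

# Action: send the alert. The command is fixed text, not built from event
# data, so nothing from the log can inject into the command line.
$command = "Send-MailMessage -SmtpServer '$smtp' -From '$from' -To '$to' " +
           "-Subject 'Unexpected shutdown on $env:COMPUTERNAME' " +
           "-Body 'Event ID 6008 was logged. Check the System log.'"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
              -Argument "-NoProfile -NonInteractive -Command `"$command`""

# Run as SYSTEM: no stored password and no dependency on a logged-on user.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Alert-UnexpectedShutdown' -Trigger $trigger `
    -Action $action -Principal $principal -Force
```

The task appears under Task Scheduler Library – Event Viewer Tasks only when created through the console; one registered this way lands in the library root, so pick a clear name. For the "service failed to start" case, change the Select line to Provider Service Control Manager and EventID 7000.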
Event Viewer custom views are helpful when you want to group all events of a particular application or service, even when they are spread over several logs. They are useful when you have identified a problem and need to monitor it closely, and they are really easy to implement: a custom view is just a saved filter (an XPath query you can see and edit on the XML tab of the filter dialog), so it stays available after the console is closed.
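As an added example (not part of the original post), here is a custom view that collects service failures from two logs, written as the XPath query Event Viewer stores behind a custom view. You can paste the XML into the XML tab of Create Custom View, or run it directly with Get-WinEvent as shown. It assumes an elevated session and uses only built-in events: Service Control Manager 7000 (failed to start), 7023 (terminated with an error), 7031 and 7034 (terminated unexpectedly) in the System log, and Application Error 1000 (application crash) in the Application log.

```powershell
# Added example, not code from the original post.
# Assumption: elevated session; the event IDs are the built-in ones listed
# in the lead-in.
$customView = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7000 or EventID=7023 or EventID=7031 or EventID=7034)]]</Select>
    <Select Path="Application">*[System[Provider[@Name='Application Error'] and (EventID=1000)]]</Select>
  </Query>
</QueryList>
'@

# -FilterXml takes exactly the query a custom view is made of, so the
# console view and the script always agree on what "a service failure" is.
$events = Get-WinEvent -FilterXml ([xml]$customView) -ErrorAction SilentlyContinue

# Which sources are failing, how often, and when last: the question the
# custom view is created to answer while monitoring a known problem.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Last'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } } |
    Format-Table -AutoSize

# Keep the query with your runbook so the same view can be recreated on
# another server by pasting it into the XML tab of Create Custom View.
$customView | Set-Content -Path "$env:USERPROFILE\ServiceFailures.xml" -Encoding UTF8
```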
Export the event log
When it is required to escalate an issue or ask for technical help from a third party, you can send the exported event log for troubleshooting. This saves time and there is no need to provide remote access. Event logs can be saved by selecting Save All Events As from the Actions pane. Remember that the Security log and many application logs contain account names, hostnames and other sensitive data, so review what you are sending out and export only the relevant events where possible.
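As an added example (not part of the original post), the same export done with the built-in wevtutil tool, once as a full log and once as a filtered subset, plus a hash so the recipient can confirm the file arrived unaltered. It assumes an elevated session (the Security log needs administrator rights) and that the output folder path is a placeholder you adjust.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated session; C:\Temp\evtx-export is a placeholder path.
$outDir = 'C:\Temp\evtx-export'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'

# Full export, the same as Save All Events As in the Actions pane.
$full = Join-Path $outDir "$env:COMPUTERNAME-System-$stamp.evtx"
wevtutil epl System $full

# Filtered export: /q: takes the same XPath as the filter dialog. Here only
# Critical/Error events from the last 7 days (timediff is in milliseconds),
# which keeps the file small and avoids shipping unrelated data to a third party.
$query  = '*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= 604800000]]]'
$subset = Join-Path $outDir "$env:COMPUTERNAME-System-errors-$stamp.evtx"
wevtutil epl System $subset "/q:$query"

# Archive the exported file: adds the provider message strings so the events
# render fully on a machine that does not have the same products installed.
wevtutil al $subset /l:en-US

# Record hashes so the recipient can verify the files were not altered in transit.
Get-FileHash -Algorithm SHA256 $full, $subset | Format-Table Hash, Path -AutoSize

# Reading an exported file back works with the same cmdlet as a live log.
Get-WinEvent -Path $subset -ErrorAction SilentlyContinue |
    Select-Object -First 5 TimeCreated, Id, ProviderName, LevelDisplayName
```

Send the hash through a different channel than the file itself (for example in the ticket text while the file goes by file transfer); a hash shipped in the same archive as the file proves nothing.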
By default the maximum file size of the main Windows event logs is defined as 20 MB. After a log reaches the defined value, the oldest events are overwritten by the latest ones (the default retention setting is "Overwrite events as needed"). When it is a critical system or a domain controller, best practice is to keep logs for at least 6 months, so to maintain this you have to increase the maximum log file size. Note that a bigger log only delays the overwrite; for events that must survive an incident, forward them to a collector or SIEM as well, because an attacker with administrator rights can also clear the local log.
Microsoft's supported maximum event log file size for Windows Server 2008 and above is 4 GB. Depending on how critical the log file is to the company and the retention period required, you can select the size of the log file. The event log size can be changed using the log's Properties dialog or through Group Policy.
Using GPO
Using a new GPO you can define the event log size for many servers at once; if you edit the Default Domain Controllers Policy, the event log file sizes of all the domain controllers can be modified. Use the following GPO path and edit the settings.
Computer Configuration->Policies->Administrative Templates->Windows Components->Event Log Service. Under it there is a folder per log (Application, Security, Setup, System), each containing the setting Specify the maximum log file size (KB).
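As an added example (not part of the original post), this script shows how to check the current size, usage and retention of the main logs, how far back they actually reach, how to raise the limit on a single server with wevtutil, and how to confirm that the Group Policy setting above has applied. It assumes an elevated session; the 1 GB and 256 MB values are illustrative, and the policy registry path is the one the Event Log Service templates write to.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated session; the sizes are illustrative. wevtutil /ms:
# takes bytes, the Group Policy setting takes KB.

# 1. Current state: limit, used space, retention mode and the oldest event
#    still present. If OldestEvent is only days old on a busy DC, the log
#    is overwriting faster than your retention target.
Get-WinEvent -ListLog Application, Security, System |
    Select-Object LogName,
        @{ n = 'MaxMB';  e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
        @{ n = 'UsedMB'; e = { [math]::Round($_.FileSize / 1MB) } },
        LogMode, RecordCount,
        @{ n = 'OldestEvent'; e = {
            (Get-WinEvent -LogName $_.LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue).TimeCreated } } |
    Format-Table -AutoSize

# 2. Raise the limit locally (one server). LogMode Circular keeps the default
#    "overwrite as needed" behaviour; only the size changes.
wevtutil sl Security "/ms:$(1GB)"
wevtutil sl System   "/ms:$(256MB)"

# 3. For many servers use the GPO instead. The policy writes the value below
#    (MaxSize in KB); reading it back confirms the GPO actually applied here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object MaxSize, Retention
} else {
    "No Event Log Service policy applied for the Security log on $env:COMPUTERNAME"
}
```

Where both are present, the policy value wins over a size set locally with wevtutil or the Properties dialog, so after a GPO is deployed always verify with step 1 rather than trusting what was typed on one server.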
Hope this information is useful. Good hunting :)
Asitha De Silva