Monitor event logs
October 20, 2019
In this section I will look at the Event Viewer. The Event Viewer has been in Windows since Windows NT and did not change much until recent editions of Windows. With Windows Vista, Microsoft added a lot of new features to the Event Viewer, and these were included in Windows Server 2008. These include the new logs Setup and Forwarded Events. The Setup log contains events from when Windows was first installed and from software installs after that.
The Forwarded Events log contains events that were generated on one computer and then forwarded to another computer to be looked at. Later in this video I will look at the Forwarded Events log in more detail, including how to set it up. The Event Viewer also allows you to create custom views. A custom view lets you filter an existing log or access multiple logs in the same view. If you have a particular application or service that you want to keep a close eye on, this can be a really useful feature.
The event log can also be exported to XML. This is useful if you want to import that data into another program, for example Excel. Lastly, the Event Viewer can now work with the Task Scheduler. This means that when an event occurs you can run a program or send an e-mail. For example, when a hard-disk event is generated you may want to automatically run an archiving program.
Let's have a look at how to use the Event Viewer. First of all, I need to start the Event Viewer by running it from Administrative Tools under the Start menu. On the first screen of the Event Viewer, I can access some statistics on events that have occurred on this server. Notice that a tally is kept of the number of events generated in the last hour, last 24 hours and last 7 days. This gives you a quick indication of how reliable your server has been.
If your server is experiencing problems you are more than likely going to be receiving a lot of critical and error events. If I go down to warnings I can expand it and view statistics on each of the warnings that have been occurring on this server. If I select one of these warnings, I will be taken to a filtered view showing me all occurrences of that warning on this server. As you can see, this warning has been occurring for quite a long time. Viewing a summary like this is a great way to tell how long an event has been occurring; it is easy to get lost when looking at too much information. If you want to look at the original logs, select Windows Logs on the left-hand side and then select the log you want to view.
The Application log is used by applications, including third-party applications, to log events. For example, the disk defragmenter will log an event after it has run, and a third-party application may log an event with details about software updates it has performed. Next you have the Security log. This contains events relating to invalid login attempts and to creating and editing objects on the system, for example user accounts and certain system files. How you have configured auditing on your system determines how many events, and which types of events, you will see in here. The Setup log contains events relating to application setups performed on that system. For example, if you add a role through Server Manager, you will find details of the install in this log. Windows updates and other installations will also appear in here. The System log contains events relating to Windows. Events in the System log are determined by Windows, meaning third-party programs can't store their events in this log.
Failed drivers and events relating to Windows services failing to start or crashing will appear in here. Lastly you have the Forwarded Events log. This log contains events that have been forwarded from another computer to this one. Later in this video I will cover this in more detail. If I right click on the Application log and then select Create Custom View, I can create a view that filters out any events that I don't want to see. For example, I could choose to only see critical and error events. You will notice down the bottom that you can also filter based on event IDs, keywords, users and computers. Once I press OK I can enter a name for the custom view, and the new custom view is created. The dialog for filtering a log is the same as the one I used to create the custom view; this time I will select critical, error and warning. Notice that when I apply the filter only these events are shown.
At the top of the screen you will notice that "Filtered" has been added to the title bar to let me know that events have been filtered from this view. If you later decide that you no longer want the filter, you can select the option Clear Filter. When looking through the Event Viewer, make sure that you are aware of any filters that have been applied to your views. A filter may prevent you from seeing the event that is related to the problem you are trying to troubleshoot. If I right click a log, I can go down and select Properties for that log. You will notice that there is some information about the log file.
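The custom view and filter dialogs above build an XPath query behind the scenes. The following PowerShell is an added example, not code from the video, that reproduces the same filter (critical and error, optionally by source and event ID) and the overview pane's hour/day/week tallies; the function names and default values are assumptions chosen for illustration.

```powershell
# Added example (not from the video): the Custom View filter, reproduced in
# PowerShell.  The dialog's checkboxes become an XPath query; level numbers
# are Critical=1, Error=2, Warning=3, Information=4 (or 0), Verbose=5.
# Function names and default values are assumptions chosen for illustration.

function Get-FilteredEvents {
    param(
        [string]$LogName  = 'Application',
        [int[]]$Levels    = @(1, 2),      # Critical and Error, as in the video
        [string]$Provider = '',           # optional event source, e.g. 'VSS'
        [int[]]$EventIds  = @(),
        [int]$MaxEvents   = 50
    )
    $conds = @()
    $conds += '(' + (($Levels | ForEach-Object { "Level=$_" }) -join ' or ') + ')'
    if ($Provider) { $conds += "Provider[@Name='$Provider']" }
    if ($EventIds.Count -gt 0) {
        $conds += '(' + (($EventIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ')'
    }
    $xpath = '*[System[' + ($conds -join ' and ') + ']]'
    # Same shape as the XML tab of the Create Custom View dialog.
    $query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$xpath</Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# The Overview pane's tallies (last hour / 24 hours / 7 days) for one log,
# counting Critical, Error and Warning events.
function Get-EventTally {
    param([string]$LogName = 'System', [int[]]$Levels = @(1, 2, 3))
    $now = Get-Date
    $windows = [ordered]@{
        'Last hour'     = $now.AddHours(-1)
        'Last 24 hours' = $now.AddDays(-1)
        'Last 7 days'   = $now.AddDays(-7)
    }
    foreach ($name in $windows.Keys) {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = $LogName; Level = $Levels; StartTime = $windows[$name]
        } -ErrorAction SilentlyContinue
        [pscustomobject]@{ Window = $name; Count = @($events).Count }
    }
}

Get-EventTally -LogName 'System' | Format-Table -AutoSize
Get-FilteredEvents -LogName 'Application' -Levels 1, 2 |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Unlike a saved custom view, a query run this way carries no hidden filter state, so it is a useful cross-check when you suspect a filter is hiding the event you are troubleshooting.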
This includes the location of the log file, when it was created, when it was last modified and when it was last accessed. One of the options you may want to set is the size of the log file. Depending on which log it is and how many events are being logged, you may want to increase the default size. The next option you may want to configure is what Windows will do when the log file is full. By default, Windows will overwrite events as needed. This does mean that events will be lost as time goes on. If you need to keep events for your records, for example some companies like to keep their security logs, you can select the option Archive the log when full. When this option is selected and the log file is full, it will be saved and a new log file created.
The last option, Do not overwrite events, will stop logging events when the log file is full. When this option is selected, you will need to clear the log files manually. You can do this by selecting the Clear Log button at the bottom. Be warned: if you do not clear your log files when they are full, your system will stop logging events. If I go back to the Event Viewer, one of the great new features is the ability to attach tasks to events. If I go to the Application log and scroll down to an error I received with the shadow copy service, I can right click the event and select Attach Task To This Event. In the task wizard, I first enter a name and description for the task. On the next screen of the wizard, the details of the log, source and event ID have already been entered.
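The three retention choices in the Log Properties dialog map onto two log settings, retention and auto-backup. This added example (not from the video) sets them with wevtutil so the same policy can be applied to many servers; the log name and size are assumptions.

```powershell
# Added example (not from the video): the Log Properties settings applied
# from the command line with wevtutil.  Log name and size are assumptions.

$log = 'Security'

# Current settings: maxSize, retention and autoBackup are the values behind
# the dialog's "Maximum log size" and "When maximum log size is reached".
wevtutil get-log $log

# Maximum size is given in bytes; this is 1 GB.
wevtutil set-log $log /ms:1073741824

# "Archive the log when full, do not overwrite events":
#   retention on + autoBackup on.  The full log is saved to a new file and
#   logging continues, so nothing is lost and nothing stops.
wevtutil set-log $log /rt:true /ab:true

# "Overwrite events as needed" (the default): retention off.
#   wevtutil set-log $log /rt:false
# "Do not overwrite events (Clear logs manually)": retention on, autoBackup off.
#   wevtutil set-log $log /rt:true /ab:false
#   As the video warns, logging STOPS when this log fills; for the Security
#   log the archive option above keeps the record without that gap.

# Verify, and see how close to full the log is.
Get-WinEvent -ListLog $log |
    Select-Object LogName, MaximumSizeInBytes, FileSize, LogMode, IsLogFull, RecordCount
```

LogMode reports Circular, AutoBackup or Retain, which correspond to the three dialog options in the order listed above.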
The next screen of the wizard allows me to select what I want to happen when this event is logged in the Application log. I can start a program, send an e-mail to an administrator, or simply display a message on the server. In this case I will leave it on the default, Start a program, and move on. The next screen allows me to enter the name of the program that I want to run. I can also enter arguments if I wish. On the last screen of the wizard, I can tick the box to open the properties dialog for this task when I press Finish.
With this option ticked I can view the properties for this task. If you have worked with tasks in Windows before, you will recognize these properties. The Event Viewer has simply created a task in the Task Scheduler for you. With the right know-how you could create this task manually; however, it is easier to perform this step via the Event Viewer. Notice that the default option will only run the task if the user is logged in. If you are running a maintenance script like the one I selected, you will probably want to change this option to run whether or not the user is logged in. You also have the option not to store the user's password.
This essentially limits the task to that computer. In other words, the task can't access other resources on the network like file shares. By default, the task will run with minimum privileges using User Account Control. If the task requires additional privileges not available to the general user, you will need to tick the box Run with highest privileges. The option Configure for determines which options will appear in the task. If I select the Triggers tab, you can see the trigger which is linked to the Event Viewer.
I could add additional triggers to this task if I wanted to. For example, I could configure this task to run at a certain time during the day. On the Actions tab I can determine what will happen when the trigger is met. At the moment, when a trigger requirement is met my maintenance script will be run. I could, if I wanted to, add additional programs, send e-mails or display a message on the server. On the Conditions tab I can determine what conditions must be met for the task to run. Firstly, I can select the box Start the task only if the computer is idle. If the server is under heavy load the task will not be run. Notice below this you have power options. These determine whether the task will run only if the computer is plugged into the mains, and whether to stop the task if the computer starts running off batteries.
If you want the computer to be woken up when it is sleeping to run a task, you can tick the box Wake the computer to run this task. Lastly, you can select whether you want the task to run only when a network connection is available. If your server is connecting to another server via a VPN connection, you may only want to run this task when that VPN connection is up. On the Settings tab, you can set some general settings for the task.
These allow you to set what will happen when the task is missed, whether the task should be stopped if it runs too long, and how many times the task should be re-run if it fails. On the last tab, the History tab, you can see how many times the task has been run and the result. That concludes all the options for this task. If I go back to the Event Viewer, you will notice at the bottom that Microsoft has created a number of filtered logs. If I choose the DNS Server log, I can see all the events that are related to the DNS service.
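The task the Attach Task To This Event wizard produces is an ordinary scheduled task with an event trigger, and it can be created from the command line when the same task must exist on many servers. This added example (not from the video) does that with schtasks and then reads back the fields the Task Scheduler tabs show; the provider name, event ID and script path are assumptions.

```powershell
# Added example (not from the video): build the wizard's task with schtasks.
# Provider name, event ID and script path are assumptions; replace them with
# the log, source and event ID of the event you attached in the wizard.

$taskName = 'Archive-On-DiskError'
$script   = 'C:\Scripts\archive.cmd'   # hypothetical maintenance script
$channel  = 'System'                    # the log the event is written to
# Same XPath the wizard puts in the trigger: this log, this source, this ID.
$query    = "*[System[Provider[@Name='disk'] and (EventID=7)]]"

# /SC ONEVENT with /EC (log) and /MO (XPath) is the event trigger.
# /RU SYSTEM runs whether or not a user is logged in, the option the video
# changes for a maintenance script; /RL HIGHEST is "Run with highest
# privileges".  Run this from an elevated prompt.
schtasks /Create /F /TN $taskName /SC ONEVENT /EC $channel /MO $query `
    /TR $script /RU SYSTEM /RL HIGHEST

# Read the task back; these are the same fields as the Task Scheduler tabs.
schtasks /Query /TN $taskName /V /FO LIST

# On Windows 8 / Server 2012 and later the ScheduledTasks module exposes the
# Triggers, Actions, Settings and History tabs as objects.
$task = Get-ScheduledTask -TaskName $taskName
$task.Triggers | Select-Object Subscription, Enabled       # Triggers tab
$task.Actions  | Select-Object Execute, Arguments          # Actions tab
$task.Settings | Select-Object ExecutionTimeLimit, RestartCount, StartWhenAvailable
Get-ScheduledTaskInfo -TaskName $taskName |                 # History tab
    Select-Object LastRunTime, LastTaskResult, NumberOfMissedRuns, NextRunTime
```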
When troubleshooting problems on your server, remember that a filter may have already been created for the service that you are attempting to troubleshoot. That covers the basics of the Event Viewer. Let's have a look now at how to configure the next feature of the Event Viewer, event forwarding. Event forwarding allows a computer to forward events on to another computer. The computer that is forwarding the events is called the forwarder. The computer receiving the events is called the collector. It should be noted here that it is only a copy of the event that is sent on to the collector.
The original events are still on the forwarding computer and can be viewed at any time using the Event Viewer. The communication protocol used to transfer these events is HTTP or HTTPS. When HTTP is used, the data is encrypted, giving you protection from eavesdropping. The HTTPS option is there if you want additional security: basically encryption on top of encryption. In order to configure event forwarding you need to ensure your firewall allows HTTP or HTTPS, and also that any firewalls between the forwarder and collector allow the protocol you choose through. In a lot of cases, most firewalls will allow these protocols through without having to change any firewall rules. In order to use event forwarding your operating system must support it. Event forwarding is supported on Windows Server 2008, Windows Vista and Windows 7. If you are running an older operating system like Windows XP or Windows Server 2003, event forwarding is not supported by default. In order to use these systems to forward events, you need to install WS-Management 1.1. Once this is installed you will be able to use these operating systems to forward events on to the collector computer. In order to use event forwarding you need to configure both the forwarding and the collecting computer.
On the forwarding computer you need to run winrm with the switch quickconfig. This will configure the service required for event forwarding and also make changes to the firewall. For the collecting computer to read events from the forwarding computer it requires access. In order to provide access, the collector's computer account needs to be added to the local group Event Log Readers. Once these two steps are complete, you need to configure the collector computer. This can be performed by running the command wecutil with the switch qc. This will perform a quick config, which will change the collector service to delayed start. Let's have a look at how to configure a Windows 7 computer to forward events to a Windows Server 2008 computer; in this case the Windows 7 computer will be configured to forward events on to a Windows Server 2008 R2 computer. To do this, first of all open a command prompt, making sure you right click on cmd and select Run as administrator. Once you have a command prompt open with administrator rights, run the command winrm with the switch quickconfig. winrm will first ask you if you want to set the Windows Event Collector service to delayed start. This means that when Windows starts up, this service will be given a lower priority than the other services.
This gives other services time to start up and also reduces the load on the system when the user first logs in, making the system more responsive when the computer first starts up. Once I answer yes to this request, I will be asked if I want to also make changes to the Windows Firewall. These changes to the firewall will allow the service to communicate with the collector computer. The collector will now be allowed through the firewall on this computer, but it still needs access to the computer itself. In order to achieve this, I need to add the collector computer to a security group. To achieve this, open Computer Management from the Start menu and go into Local Users and Groups.
Next I need to expand Groups and select the properties of the group Event Log Readers. This is the group that the computer account needs to be added to; in this case my collecting computer is called report1. If the computer account is not found, you may need to select Object Types and ensure that Computers is ticked. Once ticked, I will be able to add the computer account for my collector computer. Once I exit out of the properties for the group, the computer will have been added to the security group. Just to recap: the forwarding computer has the Windows Remote Management service running to process requests, the collector computer has been granted access to the computer by adding it to the group Event Log Readers, and the firewall has been altered to allow access. Now that the forwarding computer has been set up, I need to switch to my Windows Server 2008 to set up the collecting computer. On the collector computer the service Windows Event Collector needs to be enabled.
To do this, Microsoft provides a command line tool. Once I open a command prompt from the Start menu, I can run the program wecutil with the switch qc, short for quick configure. Windows will now prompt me to change the Windows Event Collector service to delayed start. This is the service that is responsible for collecting data from the forwarding computer. Now that the computer is configured to collect events, I can create a subscription to collect events.
To do this, first I need to open the Event Viewer from Administrative Tools under the Start menu. At the bottom is a section called Subscriptions. Right click on this and select Create Subscription. For this subscription, I first need to enter a name. I will call this one "critical and error" and configure it to capture only critical and error events. For the destination, you can see that I can store the collected events in any log I wish. For example, I could store them in the Application log. In most cases you will not want to mix up events from two computers in the same event log. For this reason I will select Forwarded Events and store the events in this log. In the area below this, you can select who will trigger the data transfer.
If I were to select Source computer initiated, the forwarding computer would contact this computer when it wanted to transfer event data. When this option is selected, the source computer is generally configured via Group Policy. If I select the button Select Computer Groups, I can decide which computers or groups will be able to transfer events to this computer. I can also add computers that are not part of the domain and use certificates if I wish. If I cancel out of here, go back and select the option Collector initiated, this computer will contact the source computer when it wants to transfer event data. When you select this option, you can also determine which computers will be allowed by pressing the button Select Computers. In this case I will enter my Windows 7 computer, ws10. Once added, I can press the Test button to ensure that there is a connection between this computer and the forwarding computer. Now that the connection has been tested successfully, I can go back and select which events I want to collect.
You can see that currently no filter has been configured and thus all events will be captured. If I press Select Events and select Edit, I can start filtering out events so I will receive only the events I am interested in. In this case I will select critical and error. If you want events only from a specific source, you can select By source and then select the source you want. For example, if I scroll down a bit I could select firewall. Now only firewall-related events will be sent to this computer. These events will be selected regardless of which log they occurred in. This means that if a firewall event was created in either the System or Application log, that event would be displayed with this filter. Also notice that if I select the option By log, I can capture a complete log; for example, I could select the System log. If you want to see only certain log information, you can enter the event IDs down here. You can also enter a category, or, if neither of these suits your needs, you can enter some keywords. Certain events will be logged against a user. This is often the case with the Security log.
You can filter based on a certain user or a collection of users, for example all domain users. Lastly, if you want to filter based on certain computers you can select them here. If I now press OK and go back to the previous screen, I can select the Advanced button to set more options. In this case, the collecting computer has access to the forwarding computer because I added its computer account to the local group Event Log Readers. If you are collecting events from a lot of computers, this computer account needs to be added to the local group Event Log Readers on every computer that you will be reading events from. In a large enterprise environment, you may want to select the option Specific User. When this option is selected, the chosen user account will be used to connect to the forwarding computer.
In this example I will leave it on the default, Machine Account. The section Event Delivery Optimization determines how fast events will be transferred to this computer and how much bandwidth will be used. The first option, Normal, does not attempt to save bandwidth. You should use this option if you are not worried about bandwidth. The Normal option uses a pull delivery mode, which means the collector computer, in this case this computer, will contact the forwarder computer and ask for events to be transferred. This will occur every 15 minutes. The next option, Minimize Bandwidth, uses a push delivery mode. Every 6 hours the forwarding computer will contact this computer and send its events.
This means traffic is only sent at certain times, and it does cause a delay of up to 6 hours between when the event was generated and when it is transferred to the collecting computer. The last option, Minimize Latency, again uses a push method. When an event is generated on the forwarder computer, it will be transferred to the collector computer within 30 seconds of it occurring. This option is best used when you want to monitor critical events and you need to know about them as quickly as possible. By default the HTTP protocol will be used. The communication is encrypted, but if you want additional encryption you can select the option HTTPS. Once I exit out, you will notice that my new subscription has been configured. If I now select Forwarded Events and select Refresh, you will notice that there are no events under Forwarded Events yet. In order for events to show up, some must be transferred from the forwarding computer. Currently this subscription is set to the Normal setting, so there will be a delay before any events are transferred.
I will pause the video and wait 15 minutes. You will notice now at the top of the screen that new events are available. If I now select Refresh again, events will appear in the log. With the current settings in this subscription, only critical and error events will be transferred. I find it best to keep forwarded events in the Forwarded Events log. You can store them in the other logs on the computer, for example the System log; however, this makes it confusing to work out which computer generated the event in the first place. Was it this computer or a forwarding computer? In summary, if you decide to use event forwarding, make sure the firewalls between the client and server are configured correctly.
Event forwarding uses HTTP or HTTPS, which most firewalls will allow. If you are using the HTTP protocol, remember traffic is encrypted; however, for additional encryption you can use HTTPS. It is important to understand the terms Microsoft uses. Remember that the forwarder is the computer that sends events to the collector. The collector stores events from the forwarder. On a large network, event forwarding can make reporting on your network a lot easier and is worth the time to look into.
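The forwarder and collector setup and the subscription walked through above can be done entirely from the command line, which is how you would repeat it on many machines. This added example (not from the video) covers both the forwarder steps (winrm quickconfig, Event Log Readers) and the collector steps (wecutil qc, a collector-initiated subscription in Normal mode for critical and error events); the host names ws10 and report1 come from the video, while the domain name, DNS suffix and file path are assumptions.

```powershell
# Added example (not from the video): event forwarding from the command line.
# ws10 is the forwarder and report1 the collector, as in the video; the
# EXAMPLE domain, the example.com suffix and the file path are assumptions.

# ---- On the forwarder (ws10), in an elevated prompt ----
# Configures the WinRM service and listener and adds the firewall exception.
winrm quickconfig -q
# Grant the collector's computer account read access to this machine's logs.
net localgroup "Event Log Readers" "EXAMPLE\report1$" /add

# ---- On the collector (report1), in an elevated prompt ----
wecutil qc /q     # Windows Event Collector service set to delayed start

# Collector-initiated, Normal mode (the collector pulls every 15 minutes),
# Critical and Error (Level 1 or 2) from the Application and System logs,
# stored in ForwardedEvents: the same choices the Create Subscription
# dialog exposes, written as the XML wecutil accepts.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>CriticalAndError</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and error events from ws10</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
          <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>ws10.example.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@
$path = "$env:TEMP\CriticalAndError.xml"
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil create-subscription $path

# Per-source status, the command-line counterpart of the dialog's Test button.
wecutil get-subscriptionruntimestatus CriticalAndError

# After the first 15-minute pull the events appear in ForwardedEvents;
# MachineName tells you which forwarder each one came from.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName, ProviderName
```

CredentialsType Default is the Machine Account option from the Advanced dialog, and changing TransportName to https selects the HTTPS option described above.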