Event Viewer

name = Event Viewer
caption = Event Viewer in Windows Vista SP1
developer = Microsoft
latest release version = 6.0.6001
latest release date = February 4, 2008
operating system = Microsoft Windows
genre = Event Viewer
license = Microsoft EULA

Event Viewer is a component of Microsoft's Windows NT line of operating systems that lets administrators and users view the event logs on a local or remote machine. With Windows Vista, the event system was overhauled and renamed to Windows Event Log. [http://www.microsoft.com/technet/technetmag/issues/2006/11/EventManagement/ New tools for Event Management in Windows Vista]

Overview

Event logs have been a feature of Windows NT since its original release in 1993. Applications and operating system components can make use of this centralized log service to report events that have taken place, such as a failure to start a component or complete an action. The system defines three log sources, "System", "Application", and "Security". The System and Application log sources are intended for use by the Windows operating system and Windows applications respectively; the Security log source, however, is only directly writable by the Local Security Authority Subsystem Service (lsass.exe). Event IDs uniquely identify the events that a Windows computer can encounter. For example, a failed user authentication generates an event with its own ID, such as Event ID 672.

Windows NT 4.0 added support for defining "event sources" (i.e. the application which created the event) and performing backups of logs.

Windows 2000 added the capability for applications to create their own log sources in addition to the three system-defined "System", "Application", and "Security" log files. NT4's Event Viewer was also replaced with a Microsoft Management Console snap-in.

Windows Server 2003 added the AuthzInstallSecurityEventSource() API call so that applications could register with the security event log and write security audit entries. [cite web | url = http://msdn2.microsoft.com/en-us/library/Aa376314.aspx | title = AuthzInstallSecurityEventSource Function | accessdate = 2007-10-05]

In versions of Windows based on the Windows NT 6.0 kernel (Windows Vista and Windows Server 2008), the event logs are no longer limited to a total size of 300 megabytes. Prior to NT 6.0, the on-disk log files were opened as memory-mapped files in kernel memory space, which used the same memory pools as other kernel components.

Windows Event Log

Windows Event Log is the rewritten event tracing and logging architecture introduced with Windows Vista. Windows Event Log has been rewritten around a well-defined structured XML log format and a designated log type to allow applications to log events more precisely and to make it easier for support technicians and developers to interpret the events. The XML representation of the event can be viewed on the "Details" tab in an event's properties. It is also possible to view all potential events, their structures, registered "event publishers" and their configuration using the "wevtutil" utility, even before the events are fired. There are several types of event log, including the Administrative, Operational, Analytic, and Debug log types. Selecting the "Application Logs" node in the "Scope" pane reveals numerous new subcategorized event logs, including many labeled as diagnostic logs. Analytic and Debug events, which are high frequency, are saved directly into a trace file, while Admin and Operational events are infrequent enough to allow additional processing without affecting system performance, so they are delivered to the Event Log service. Events are published asynchronously to reduce the performance impact on the "event publishing" application. Event attributes are also much more detailed and show EventID, Level, Task, Opcode, and Keywords properties.
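The structured XML record and the publisher metadata described above can be inspected from PowerShell. The following is an added example, not code from the article or from Microsoft; it assumes a Windows Vista / Server 2008 or later host, an elevated prompt for the Security log and publisher metadata, and uses the well-known Security event 4625 (an account failed to log on) purely as an illustration of looking up an event definition before the event has ever fired.

```powershell
# Added example, not from the article: inspect the XML structure of a
# Windows Event Log record and the publisher metadata that defines it.
# Assumes Windows Vista / Server 2008 or later; reading the Security log
# and publisher metadata may require an elevated prompt.

# 1. Registered "event publishers" and their event definitions can be
#    listed before any event fires. /ge:true dumps the event metadata
#    (value = EventID, level, task, opcode, keywords), /gm:true adds the
#    message template. Event 4625 is used here as a well-known example.
wevtutil ep | Select-String 'Security-Auditing'
wevtutil gp Microsoft-Windows-Security-Auditing /ge:true /gm:true |
    Select-String -Pattern '4625' -Context 0,8

# 2. Take the most recent System-log record and walk its <System> element:
#    each attribute of the event (Provider, EventID, Level, Task, Opcode,
#    Keywords, TimeCreated, ...) is a child node, some with XML attributes.
$evt = Get-WinEvent -LogName System -MaxEvents 1
[xml]$x = $evt.ToXml()
$x.Event.System.ChildNodes | ForEach-Object {
    $attrs = ($_.Attributes | ForEach-Object { '{0}="{1}"' -f $_.Name, $_.Value }) -join ' '
    '{0,-14} {1,-22} {2}' -f $_.LocalName, $_.InnerText, $attrs
}

# 3. The event-specific payload lives under <EventData> as <Data> elements,
#    named for manifest-based providers, unnamed for classic providers
#    (some providers use <UserData> instead, so guard for its absence).
if ($x.Event.EventData) {
    $x.Event.EventData.Data | ForEach-Object {
        if ($_ -is [string]) { $_ } else { '{0} = {1}' -f $_.Name, $_.'#text' }
    }
}

# 4. The same properties are exposed directly on the EventLogRecord object,
#    which is what the "Details" tab renders.
$evt | Select-Object Id, Level, Task, Opcode, KeywordsDisplayNames, ProviderName, TimeCreated
```

Step 1 is the part worth remembering for detection work: because the publisher manifest is registered ahead of time, the fields an event will carry can be read and mapped into a parser or alert rule before a single instance of the event has been logged.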

Event logs can be filtered by one or more criteria or by a standard XPath expression, and custom views can be created for one or more events. Using XPath as the query language allows viewing only the logs related to a certain subsystem or to an issue with a certain component, archiving selected events, and sending traces on the fly to support technicians.

Two main "event subscribers" are the Event Collector service and Task Scheduler 2.0. The Event Collector service can automatically forward event logs to other remote systems running Windows Vista, Windows Server 2008 or Windows Server 2003 R2 on a configurable schedule. Event logs can also be viewed remotely from other computers, or multiple event logs can be centrally logged, monitored agentlessly and managed from a single computer. Events can also be directly associated with tasks, which run in the redesigned Task Scheduler and trigger automated actions when particular events take place.
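One XPath filter can serve all three roles the two paragraphs above describe: an ad-hoc query, a saved query for wevtutil or a custom view, and the trigger of a scheduled task. The block below is an added example, not code from the article or from Microsoft. It assumes a Vista / Server 2008 or later host with an elevated prompt; Security event 4625 and its `TargetUserName`, `TargetDomainName`, `IpAddress`, `LogonType` and `Status` fields are real but chosen here as an illustration, and the task name `Alert-FailedLogon` and the script path `C:\ops\notify.ps1` are placeholders.

```powershell
# Added example, not from the article: one XPath filter reused for a query,
# a wevtutil export and a Task Scheduler event trigger.
# Assumes Vista / Server 2008 or later and an elevated prompt (Security log).

# Failed logons (Security event 4625) in the last 24 hours. timediff() is
# evaluated against the event's own SystemTime and returns milliseconds.
$xpath = '*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'

# 1. Ad-hoc query: Get-WinEvent raises an error (not an empty result) when
#    nothing matches, hence -ErrorAction SilentlyContinue. The named <Data>
#    fields of each record are turned into a hashtable, then the records are
#    summarised by source address.
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        [xml]$x = $_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']
            Status    = $d['Status']   # NTSTATUS code, e.g. bad password vs. unknown user
        }
    } | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 2. The same query through wevtutil (newest first, five records, plain text);
#    the identical expression can be pasted into a custom view's XML filter.
wevtutil qe Security /q:"$xpath" /c:5 /rd:true /f:text

# 3. The same filter as a task trigger: /SC ONEVENT takes the channel in /EC
#    and the XPath expression in /MO. The task runs the (placeholder)
#    notification script whenever a matching event is written.
schtasks /Create /TN "Alert-FailedLogon" /SC ONEVENT /EC Security `
    /MO "*[System[EventID=4625]]" `
    /TR "powershell.exe -NoProfile -File C:\ops\notify.ps1" /RU SYSTEM /F
```

The task trigger deliberately drops the `timediff` clause: a trigger fires on each newly written event, so a time window there adds nothing, whereas in the query it is what keeps the result set bounded.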

See also

* List of Microsoft Windows components
* Microsoft Management Console

External links

* [http://kb.prismmicrosys.com Event Knowledge Base] — Database of cause-resolution information on over 19000 events
* [http://www.syslog.org/wiki/Eventlog/EventLogWiki Event Log Wiki] — Contains useful developer and administrator resources for event log management.
* [http://msdn2.microsoft.com/en-us/library/aa363652.aspx Event Logging] — Developer documentation for event logging (NT 3.1 through XP)
* [http://msdn2.microsoft.com/en-us/library/aa385780.aspx Windows Event Log] — Developer documentation for the new event log system in Windows Vista
* [http://www.myeventlog.com Windows Event Log Resource] — A collection of Windows event messages, various solutions and tips & tricks that help when using the Event Viewer
* [http://www.eventid.net/search.asp A database of Windows event log entries] — Contains several thousand Windows event log entries along with troubleshooting suggestions for each of them
* [http://support.microsoft.com/?kbid=299475 Windows 2000 Security Event Descriptions (Part 1 of 2)]
* [http://support.microsoft.com/?kbid=301677 Windows 2000 Security Event Descriptions (Part 2 of 2)]
* [http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch06n.mspx Windows Server 2003 Security - Threats and Countermeasures - Chapter 6: Event Log] from Microsoft TechNet


Wikimedia Foundation. 2010.
