Events and Event Log Administration

Here are my notes on Administering Microsoft's Windows 2000 product.


Topics this page:

  • Windows Logging Architecture
  • Event Logs
  • Event Log Analysis
  • Event Log Policies


    Windows Logging Architecture

      Audit logs are created by the audit process, which monitors the behaviour of applications and writes a log entry for each trigger event that has been defined.

      Log entries can also be generated by applications, which refer to filters that specify what to log. Triggers and filters are defined by Group Policies (covered on another page on this site).

      Group policies are created and edited using the Group Policy MMC.

      Logs can be examined using the Event Viewer MMC snap-in.

      Microsoft Visual Studio 2007 (Orcas) features a high-performance trace listener which logs XML to disk in the event schema. System.Diagnostics.EventSchemaTraceListener is the first listener in that namespace tuned specifically for logging performance. Like XmlWriterTraceListener, it logs XML to disk, but it writes in the event schema, which is shared by some other new technologies. Its performance is drastically improved over previous logging trace listeners, especially on machines with multiple processors. It is also the first trace listener that offers a range of disk logging options, such as circular logging across multiple files.





    Event Logs

      Listed in the order shown in the Event Viewer:

      Name                      Contains events such as
      Application Log           program errors and missing data information
      Security Log              logon attempts and folder access
      System Log                startup information, shutdown information, and driver information
      Directory Service
      DNS Service
      File Replication Service



    Event Log Analysis

      The Windows 2000 System Monitor Administrative tool replaces the NT 4 Performance Monitor with these improvements:
      • Log specific counters and instances of an object rather than an entire group. This will reduce the size of log files a LOT.
      • Use Performance Logs and Alerts to trigger events, such as send a message, start a performance data log, or run a program, if a counter exceeds a certain value.
      • New Performance objects have been added. Example: the Print Queue object allows print queue monitoring.
      • Sample log file included with Windows 2000 install.

      To create a new log:

        From Microsoft KB article Q248345, How to Create a Log Using System Monitor in Windows 2000:

      1. Right-click Counter Logs, click New Log Settings, type a name for the log, and then click OK.
      2. On the General tab, click Add to add the counters you want.
      3. On the Log Files tab, click the logging options you want.
      4. On the Schedule tab, click the scheduling options you want.

      The default size of an audit log is 512KB.

      From the Resource Kit, the Event Log Query Tool (ElogDmp.exe) dumps to the screen all entries in a user-specified log type (application, security, or system) on the named computer:

        ElogDmp.exe \\C1 application

      Dumpel.exe from the Resource Kit can selectively dump event logs from a local or remote computer to a text file. Each of these examples writes to the file (-f) event.out:

      The system log (-l) on the remote server (-s) \\EVENTSVR, covering the last 3 days (-d), in the default space-delimited format:

        dumpel -f event.out -s eventsvr -l system -d 3

      The local system log, restricted to source (-m) rdr and event ID (-e) 2013, in tab-delimited (-t) format:

        dumpel -f event.out -l system -m rdr -e 2013 -t

      The local application log, filtering (-r) records from source (-m) Garbase, in comma-delimited (-c) format:

        dumpel -f event.out -l application -m garbase -r -c


    Event Log Policies

      The NSA recommends using its .inf file to set each type of log with the same policy:

      Policy                                     .inf setting               Recommended   Default
      Maximum log size                           MaximumLogSize             4194240
      Restrict guest access to application log   RestrictGuestAccess        1 = Yes
      Retain application log                     AuditLogRetentionPeriod    2
      Retain (days)                              RetentionDays              7
      Retention method for application log                                  -
      Retention method for security log                                     ?             Overwrite as needed
      Retention method for system log                                       -
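      A security template fragment, added here as an example rather than taken from the NSA's own .inf, that applies the recommended values from the table above to all three logs. The section and key names are the standard security-template ones; the file name eventlog.inf and the secedit database path are assumptions.

```ini
; eventlog.inf (assumed file name): applies the recommended event log
; settings from the table above to the Application, Security and System logs.
; Apply from an administrative account with:
;   secedit /configure /db %TEMP%\eventlog.sdb /cfg eventlog.inf /log %TEMP%\eventlog.log
; Verify afterwards in Event Viewer: the Properties dialog of each log should
; show a maximum size of 4194240 KB and the chosen retention method.

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; MaximumLogSize is in KB and must be a multiple of 64 (4194240 = 65535 * 64).
; AuditLogRetentionPeriod: 0 = overwrite as needed, 1 = overwrite events older
;   than RetentionDays days, 2 = do not overwrite (clear the log manually).
; RetentionDays is only consulted when AuditLogRetentionPeriod=1; the value 7
;   is kept here so the policy is complete if the method is later changed.
; RestrictGuestAccess=1 stops guest and anonymous logons from reading the log.
[Application Log]
MaximumLogSize=4194240
AuditLogRetentionPeriod=2
RetentionDays=7
RestrictGuestAccess=1

[Security Log]
MaximumLogSize=4194240
AuditLogRetentionPeriod=2
RetentionDays=7
RestrictGuestAccess=1

[System Log]
MaximumLogSize=4194240
AuditLogRetentionPeriod=2
RetentionDays=7
RestrictGuestAccess=1
```

With AuditLogRetentionPeriod=2 the log stops recording once it is full, so pair this setting with a scheduled archive-and-clear of each log (for example a dumpel run to a dated file) or the newest events will be lost.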

      DHCP log handling, however, is controlled with registry entries (covered on another page on this site).

      Other Group Policies are covered on another page on this site.



    Microsoft Enterprise Instrumentation Framework (EIF)


      From the article Logging Application Block for .NET, published by Microsoft's Patterns & Practices group:
      Building useful logging capabilities into your applications can be a significant challenge. At the very least, you need to determine what information is appropriate to log, design the events themselves, and make them available for analysis in an appropriate format. Effective logging is useful for troubleshooting problems with an application as well as provides useful data for analysis, helping to ensure that the application continues to run efficiently and securely. To help provide effective logging for enterprise applications, Microsoft has designed the latest patterns & practices applications block: The Logging Application Block. This block is a reusable code component that uses the Microsoft Enterprise Instrumentation Framework (EIF) and the Microsoft .NET Framework to help you design instrumented applications.



    Unix Log



    Portions ©Copyright 1996-2014 Wilson Mar. All rights reserved. | Privacy Policy |
