3. Configuring and analyzing event logs
The operating system and many applications use the event log in
Windows to record various activities. The event log is a busy place;
it’s not uncommon to see hundreds or thousands of new entries written
to the various Windows event logs, depending on what is happening with
the computer.
Events in Windows 8 are catalogued and configured by Event Viewer. You can open it by using either of the following methods:
- Power Users menu: Open the Power Users menu (press and hold or right-click the lower-left corner of the screen) and choose Event Viewer.
- Start screen: The Event Viewer is part of the Windows administrative tools. Open the Start screen and either select or search for Event Viewer.
Event Viewer is shown in Figure 10.
The Event Viewer window is divided into a number of discrete panes.
The leftmost pane provides the primary navigation for Event Viewer.
From here, you can choose which event logs you want to view or configure.
After you select the event log you want to view, the related events
are displayed in the middle pane. When you select an event in the list
of events, the details for that event appear below the list.
The rightmost pane is the Actions
pane, which lists all the actions that you can take with regard to the
selected event log and specific event. You have a number of options
within each of the event logs.
First, event logs can fill up. Each log is preconfigured with a
size limit. By default, when that limit is reached, Windows starts to
overwrite the oldest log entries with newer ones. If you want to change
this behavior, complete the following steps:
- Open Event Viewer.
- Select the event log you’d like to reconfigure. Each event log is configured separately.
- From the Actions pane, tap or click Properties to open the Log Properties page, as shown in Figure 11.
- Choose the behavior you want for how full log files should be handled:
  - Overwrite Events As Needed (Oldest Events First): This is the default behavior.
  - Archive The Log When Full, Do Not Overwrite Events: Save the log file when it fills up so that older items are preserved.
  - Do Not Overwrite Events (Clear Logs Manually): This option requires constant administrator intervention. Log files must be cleared manually before new events can be written to a full log.
- Tap or click the OK button.
If a log fills up or you just want to clear the log’s contents, tap or click the Clear Log button on the log’s Properties page.
You can also increase the amount of disk space dedicated to the log file by adjusting the Maximum Log Size (KB) field shown in Figure 11.
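The same reconfiguration done from the command line, as an added example that is not part of the original text; it assumes an elevated PowerShell session and uses the Application log for the demonstration.

```powershell
# Added example (not from the original text): inspect and change the
# full-log behaviour described above without opening the Log Properties
# page. Run from an elevated PowerShell session.
# Assumed log name for the demonstration: 'Application'.
$logName = 'Application'

# Read the current configuration. LogMode maps to the three dialog options:
#   Circular   = Overwrite Events As Needed (Oldest Events First)
#   AutoBackup = Archive The Log When Full, Do Not Overwrite Events
#   Retain     = Do Not Overwrite Events (Clear Logs Manually)
# IsLogFull matters in Retain mode: a full log silently stops recording,
# which for the Security log means a gap in the audit trail.
Get-WinEvent -ListLog $logName |
    Select-Object LogName, LogMode, MaximumSizeInBytes, RecordCount, IsLogFull

# Switch the log to "archive when full" and raise the limit to 64 MB.
# wevtutil set-log options: /rt = retention (do not overwrite),
# /ab = auto backup (requires /rt:true), /ms = maximum size in bytes.
wevtutil set-log $logName /rt:true /ab:true /ms:67108864

# Confirm the change took effect.
Get-WinEvent -ListLog $logName | Select-Object LogName, LogMode, MaximumSizeInBytes
```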
Suppose a user contacts you with a complaint about a program she
needs that won’t operate, but the last time she tried to run it was a
couple of days ago. Since that time, Windows has probably written
hundreds of new entries to the event log. You can filter the event log based on a number of factors.
To filter an event log, open Event Viewer, select the log, and then tap or click Filter Current Log in the Actions pane. This opens a screen (Figure 12) from which you can filter the current log.
To filter by date, click the down arrow in the Logged field. You can
choose from a number of predefined time ranges, or you can choose a
specific time range. After you do so, only events from your selected range are displayed.
After you’ve decided what you want to view, you must interpret what
you’re looking at. Every log entry includes several kinds of
information, including:
- Level: The severity of the item.
  - Critical: These are the most severe kinds of items written to the event log, and they require attention. For example, if your system fails for what appears to be no reason, a critical error will be written to the event log. Although that alone won’t fix the situation, it aids you in your troubleshooting efforts because you might be able to identify a pattern of behavior that helps you determine the cause of the problem.
  - Error: An error isn’t as severe as a critical event, but it still requires attention. An error can be the result of a program not loading properly at startup, for example. Errors can create system stability issues if ignored.
  - Warning: A warning is written to the event log when the system thinks that an administrator needs to know about a particular situation. In most cases, warnings don’t result in system stability issues, but they might require attention at some point.
  - Information: In general, informational events are just that—informational. They are written to the event log just to inform you that something took place, but they are rarely associated with an error.
  - Audit Failure: You see this in the security log; it indicates a sign-in failure.
  - Audit Success: You also see this in the security log; it indicates a sign-in success.
- Date and Time: The date and time that Windows experienced the issue that resulted in the log entry.
- Source: The source of the event log entry. This could be the name of a program component, a full program, or some component of the system.
- Event ID: Every event has an event ID. Sometimes you can use this to help identify the event and find solutions.
- Task Category: This field is used primarily by the Security log. It identifies the kind of task that was taking place, such as sign-in, sign-out, and so on.
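The date filter from the "Filter Current Log" scenario above and the fields just described, scripted with Get-WinEvent as an added example (not from the original text); it assumes Windows PowerShell 5.1 or later and an elevated session for the Security log query.

```powershell
# Added example (not from the original text): filter by date and level the
# way the Filter Current Log page does, then show the fields explained above.
$since = (Get-Date).AddDays(-3)   # "the last time she tried was a couple of days ago"

# Level numbers accepted by -FilterHashtable:
#   1 = Critical, 2 = Error, 3 = Warning, 4 = Information
$filter = @{
    LogName   = 'Application', 'System'
    StartTime = $since
    Level     = 1, 2
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Map the object properties onto the column names used in Event Viewer.
$events |
    Select-Object @{Name = 'Level';         Expression = { $_.LevelDisplayName }},
                  @{Name = 'Date and Time'; Expression = { $_.TimeCreated }},
                  @{Name = 'Source';        Expression = { $_.ProviderName }},
                  @{Name = 'Event ID';      Expression = { $_.Id }},
                  @{Name = 'Task Category'; Expression = { $_.TaskDisplayName }} |
    Format-Table -AutoSize

# Audit Success / Audit Failure are keywords of the Security log, not levels.
# Which actions produce them depends on the audit policy that is enabled.
$auditFailure = 4503599627370496   # keyword value 0x0010000000000000
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    StartTime = $since
    Keywords  = $auditFailure
} -ErrorAction SilentlyContinue

# Count failures per Event ID to spot a pattern, such as repeated failed sign-ins.
$failures | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```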
Saving events to an archive
Some events call
for an administrator to archive system log files immediately for
analysis. For example, if your organization suffers a security breach,
you might be asked to salvage log files from one or more Windows
8–based computers so that they can undergo forensic analysis to
determine the source of the breach.
To save the full contents of a log file to a separate location, complete the following steps:
- Open the Event Viewer.
- Select the event log that you need to archive.
- From the Actions pane, tap or click Save All Events As.
- When prompted, provide a location at which the log file should be saved.
- Tap or click the Save button.
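The same archive step done from the command line, with an integrity hash recorded for the forensic hand-off, as an added example that is not part of the original text; it assumes an elevated session and the destination folder C:\LogArchive.

```powershell
# Added example (not from the original text): export a log for forensic
# analysis and record its hash so the copy can be verified later.
# Assumed destination folder: C:\LogArchive.
$logName = 'Security'
$dest    = 'C:\LogArchive'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $dest ("{0}-{1}-{2}.evtx" -f $env:COMPUTERNAME, $logName, $stamp)

New-Item -ItemType Directory -Path $dest -Force | Out-Null

# export-log copies the live log to a file, the equivalent of
# "Save All Events As" with the .evtx format.
wevtutil export-log $logName $outFile

# archive-log adds the localized message resources so the file renders
# correctly on an analysis machine that lacks the original event providers.
wevtutil archive-log $outFile /l:en-US

# Record a SHA-256 hash next to the export; re-hashing later shows whether
# the file has been altered since collection.
$hash = Get-FileHash -Path $outFile -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $outFile -Leaf)" |
    Out-File -FilePath "$outFile.sha256" -Encoding ascii

# Confirm the archive opens and report the time range it covers
# (Get-WinEvent reads .evtx files newest-first unless -Oldest is given).
$newest = Get-WinEvent -Path $outFile -MaxEvents 1
$oldest = Get-WinEvent -Path $outFile -MaxEvents 1 -Oldest
"Archive {0} covers {1} to {2}" -f (Split-Path $outFile -Leaf), $oldest.TimeCreated, $newest.TimeCreated
```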