Monitoring Microsoft Windows Server 2003 : Using Event Viewer

8/8/2012 6:20:03 PM
Windows Server 2003 includes a set of log files that are configured and presented within the Event Viewer. By configuring the options on each of the logs to meet the requirements of your environment, you can collect data appropriate for troubleshooting hardware, application, system, and resource access.

Logs Available in Event Viewer

The Windows Server 2003 Event Log service, present and started automatically on all Windows Server 2003 computers, records events in one of three log files:

  • Application Developers of an application can program their software to report configuration changes, errors, or other events to this log.

  • System The Windows Server 2003 operating system will report events (service start or abnormal shutdown, device failures, and so on) to this log. The events reported to this log are preconfigured.

  • Security Logon and resource access events (audits) are reported to this log. Configuration for most of these events is at the discrimination of the system administrator.


Although the Application and System log events are determined by the application developer and operating system, respectively, the Security log must first be configured for the type of events to record (Success or Failure for each). If File and Object Access events are selected, the security properties of each object must be configured to record auditing events to the Security log.

Windows Server 2003 computers filling the role of a Domain Controller contain two additional logs:

  • Directory Service This log contains events related to the Microsoft Active Directory directory service, such as irreconcilable object replication or significant events within the directory.

  • File Replication Service This log contains errors or significant events reported by the File Replication Service related to the copying of information between Domain Controllers during a replication cycle.

Lastly, a Windows Server 2003 computer filling the role of a Domain Name System (DNS) server will contain one additional log:

  • DNS Server This log contains errors or significant events reported by the DNS server.

Configuring Event Viewer Logs

When you first start Event Viewer, all events that are recorded in the selected log are displayed. Such a list may be lengthy, containing many entries of both informational and warning types. You can locate events by type using the Filter command on the shortcut menu’s View menu for the log you want to view. The Filter properties page for the Security log is shown in Figure 1.

Figure 1. Filter settings for the Security log

Adjacent to the Filter tab in the properties of a log is the General tab, which provides access to the behaviors of the log, including

  • The display name for the view of the log.

  • The maximum size of the log.

  • Whether the oldest events in the log should be overwritten when the maximum log size is reached. There are three overwrite options:.

    • Overwrite Events As Needed (default) This behavior will overwrite the oldest entries in the log with newer ones when the log reaches the maximum size.

    • Overwrite Events Older Than n Days This configuration will overwrite events that exceed the age setting when the log reaches the maximum size.

    • Do Not Overwrite Events (Clear Log Manually) This configuration will halt event logging when the log reaches the maximum size.

Security Alert

Leaving the default setting of Overwrite Events As Needed on the Security log could overwrite important resource access or other security-related data if the log is not checked often. A regular schedule of analysis is recommended. Log files can be archived (that is, saved to disk) if needed for record-keeping or other administrative purposes.

For better assurance that no Security log entries have been lost, Windows Server 2003 Group Policy provides a setting in the Computer Configuration Policy: Security Settings that will force a computer to shutdown if it is unable to write to the Security log with audit information. This setting forces disciplined administrative practice if the Security log is set to be cleared manually.

The General tab for the Security log is shown in Figure 2.

Figure 2. The General settings for the Security log

Practice: Event Monitor

In this practice, you will configure the Security log for File and Object Access, and filter the data displayed in the Security log.

Exercise 1: Configuring the Security Log

In this exercise, you will configure the auditing of File and Object Access.

Logged on to Server01 as an administrator, open Active Directory Users And Computers.

Right-click the Domain Controllers Organizational Unit (OU), and then choose Properties from the shortcut menu.

On the Group Policy tab, select the Default Domain Controllers Policy, and then click Edit.

Under the Computer Configuration node, expand Windows Settings, Security Settings, Local Policies, and then click Audit Policy.

In the details pane, right-click Audit Object Access, and then select Properties from the shortcut menu.

In the Audit Object Access Properties dialog box, select Audit These Attempts: Failure, and then click OK.

Close the Group Policy Object Editor, click OK to close the Domain Controllers Properties dialog box, and then close Active Directory Users And Computers.

Open a command window, type gpupdate, and then press Enter.

When the Computer Policy reports as refreshed, close the command window.

You have now enabled the auditing of failed Object Access attempts on Server01 (as part of the Domain Controllers OU), and refreshed Group Policy so that the settings take effect immediately.

Exercise 2: Setting File and Object Auditing

In this exercise, you will configure auditing on a folder that you will create. Permissions will be set so as to simulate a user attempting to gain unauthorized access to the resource.

On your desktop, create a folder called Data.

Right-click the folder and select Properties from the shortcut menu.

Select the Security tab, and then select your user account.

Select the check box indicating Deny:Full Control permissions for your user account, click Yes in the warning dialog box.

Click Advanced, and then select the Auditing tab. Add your user account to audit List Folder / Read Data: Failed, and then click OK to close all Property dialog boxes.

Double-click the Data folder to open it. You should receive an Access Denied warning message.

Exercise 3: Reading the Security Log

In this exercise, you will confirm the auditing of your failed access to the Data folder.

From Administratives Tools, open the Computer Management console.

Expand the Event Viewer node, and then click the Security log in the folder pane.

Near the top of the list of events, you should see several Failure Audit events (with ID 560) indicating your failed attempt to access the Data folder.

Right-click the Security log in the folder pane, select View from the shortcut menu, and then choose Filter.

In the Filter dialog box, select each of the following:

  • Event Source: Security

  • Category: Object Access

  • Event Types: Failure selected, all others cleared

Click OK to apply the filter to the Security log.

You have now filtered the Security log data to display only the events that apply to failed object access.

  •  HP Pavilion G6
  •  HP Pavilion Dv6
  •  Choosing A... Laptop
  •  Asus X53z
  •  Acer Aspire 5560G
  •  Samsung 305U1A
  •  Western Digital My Book Live Duo 4TB
  •  Thecus N4800
  •  Windows 7 : Changing a Printer's Properties
  •  Windows 7 : Burning Your Pictures to CD or DVD
  •  Tips, Tricks & Tweaks: Windows Media Player (Part 2)
  •  Tips, Tricks & Tweaks: Windows Media Player (Part 1)
  •  AG Neovo U-23 : monitor with a 1920x1080 Full HD resolution
  •  Philips E-line 237E3QPHSU : Full HD IPS display with white LED backlighting
  •  MacBook Pro - The Ultimate Combination
  •  LG IPS235V : Full HD monitor with an IPS panel
  •  IIYAMa Prolite XB2374HDS-1
  •  Gaming Laptop Recommendations (Part 2) - Intel HD Graphics, NVIDIA Geforce 6xxm Series, The Radeon HD 7xxxm Series
  •  Gaming Laptop Recommendations (Part 1) - Acer Aspire 5560G, HP Pavilion G6-1331EA, Lenovo IdeaPad Y570, Asus N53SV-SX858V, Dell XPS L702x
  •  Upgrading to Windows Server 2003 : Switching Forest and Domain Functional Levels
    Top 10
    Next – Gen Broadband – Optimizing Your Current Broadband Connection (Part 4)
    Next – Gen Broadband – Optimizing Your Current Broadband Connection (Part 3)
    Next–Gen Broadband – Optimizing Your Current Broadband Connection (Part 2)
    Next–Gen Broadband – Optimizing Your Current Broadband Connection (Part 1)
    Side Channel Attacks Explained
    Canon EOS M With Wonderful Touchscreen Interface (Part 3)
    Canon EOS M With Wonderful Touchscreen Interface (Part 2)
    Canon EOS M With Wonderful Touchscreen Interface (Part 1)
    Canon Powershot G15 With Immaculate Photos And Superb Controls
    Fujifilm XF1 - Compact Camera With Retro Design
    Most View
    Put A Padlock On Your Laptop
    7-inch iPad hitting the market?
    Programming .NET Security : Programming Digital Signatures (part 3) - Using the Signature Formatter Classes
    Lenovo Introduced Two AMD Trinity Chipped Laptops In Japan
    Upload a File with FTP
    5 Good-priced Android HD Players
    Track A Stolen Device (Part 2)
    Exploring the T-SQL Enhancements in SQL Server 2005 : New Data Types
    Introducing Windows Presentation Foundation and XAML : Investigating the WPF Assemblies
    Unifying: Greatest Challenge
    Installing HP-UX : Loading Patches
    Leveraging and Optimizing Search in SharePoint 2010 : Keywords and Best Bets
    Capacity Efficiency - Create Sustainable Storage and Mitigate Rising Costs
    IIS 7.0 : Securing Configuration - Controlling Configuration Delegation
    Windows Server 2003 : Domain Name System - The Split DNS Architecture
    Experience The Powerful And Classic LG Optimus LTE II
    Motorola Xoom 2 Media Edition
    Programming Security Policy (part 3) - Programming the Security Manager
    Windows Server 2003 : Active Directory - Understanding Operations Master Roles
    Personalizing Windows 7 (part 1) - Fine-Tuning Your Window Colors and Experience Level