Chapter 37 - Monitoring Events
An event is any significant occurrence in the system (or in an application) that requires users to be notified. Some critical events, such as a full disk drive or an interrupted power supply, are noted in an on-screen message. Those events not requiring immediate attention are noted in an event log. Event logging starts automatically each time you start Windows NT Workstation. With an event log and a tool called Event Viewer, you can troubleshoot various hardware and software problems and monitor Windows NT Workstation security events. You can also archive logs in various file formats.
Windows NT Workstation records events in three kinds of logs:
System and application logs can be viewed by all users; security logs are accessible only to system administrators.
Enabling Security Logging
By default, security logging is turned off. To enable security logging, run User Manager to set the Audit policy.
Note The Windows NT Workstation Resource Kit includes Crystal Reports Event Log Viewer, a full-featured report writer that provides an easy way to extract, view, save, and publish information from event logs in a variety of formats. For more information on Crystal Reports Event Log Viewer, see Readme.hlp in the \Crystal\Disk1 folder on the Windows NT Workstation Resource Kit 4.0 compact disc.
Interpreting an Event
Event logs consist of a header, a description of the event (based on the event type), and optionally, additional data. Most security log entries consist of the header and a description.
Event Viewer displays events from each log separately. Each line shows information about one event, including date, time, source, event type, category, Event ID, user account, and computer name.
For more information about Windows NT Workstation events, see the Messages Database Help file on the Windows NT Workstation Resource Kit 4.0 compact disc.
The Event Header
The event header contains the following information.
The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event.
The symbol on the left side of the Event Viewer screen indicates the event type:
The optional data field, if used, contains binary data, which can be displayed in bytes or words. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by a support technician familiar with the source application.
When viewing an error log on a LAN Manager 2.x server, only the date, time, source, and event ID are shown. When viewing an audit log on a LAN Manager 2.x server, only the date, time, category, user, and computer are shown.
Using Event Viewer
You determine which event log to view by switching between the system, security, and application logs. You can also use Event Viewer to view logs on other computers.
Selecting a Log
Use the Log menu to select a log for event viewing. Although the system log of the local computer appears the first time you start Event Viewer, you can choose to view the security or application log.
Selecting a Computer
When you first start Event Viewer, the events for the local computer appear.
To view events for another computer, click Select Computer on the Log menu. (It can be a computer running Windows NT Workstation or Windows NT Server, or a LAN Manager 2.x server.)
If the computer you select is across a link with slow transmission rates, select Low Speed Connection. If this option is selected, Windows NT Workstation does not list all the computers in the default domain, thereby minimizing network traffic across the link. (If slow transmission rates are commonplace, click Low Speed Connection on the Options menu.)
If you select a LAN Manager 2.x server for viewing, Event Viewer can display its error (system) log and its audit (security) log.
For information on how to select a computer for event viewing, see "Select Computer" in Event Viewer Help.
Refreshing the View
When you first open a log file, Event Viewer displays the current information for that log. This information is not updated automatically. To see the latest events and to remove overwritten entries, choose the Refresh command.
For more information, see "Refresh" in Event Viewer Help.
Changing the Font
You can change the font used in Event Viewer. Changing this font affects only the display of the list of events in the main Event Viewer window.
For more information, see "Changing the Font Selection" in Event Viewer Help.
Viewing Specific Logged Events
After you select a log to view in Event Viewer, you can:
Viewing Details About Events
For many events, you can view more information than is displayed in Event Viewer by double-clicking the event.
The Event Detail dialog box shows a text description of the selected event and any available binary data for the selected event. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by a support technician familiar with the source application. Not all events generate such data. For more information, see "Viewing Event Details" in Event Viewer Help.
To control the types of security events that are audited, click Audit on the Policies menu in User Manager. To control the auditing of file and folder access, click Auditing on the Security tab in the Windows NT Explorer Properties dialog box.
By default, Event Viewer lists events by date and time of occurrence from the newest event to the oldest. To change the order from oldest to newest, click Oldest First on the View menu. If the Save Settings On Exit command on the Options menu is checked when you quit, the current sort order is used the next time you start Event Viewer.
When a log is archived, the sort order affects the order in which event records are archived in a text format or comma-delimited text format file; sort order does not affect the order of event records archived in log file format. For more information, see "Using Archived Log Files" later in this chapter.
For information on how to specify the sort order, see "Sorting Events" in Event Viewer Help.
By default, Event Viewer lists all events recorded in the selected log. To view a subset of events that have specific characteristics, click Filter Events on the View menu. When filtering is on, a check mark appears by the Filter command on the View menu and "(Filtered)" appears on the title bar. If Save Settings On Exit on the Options menu is checked when you quit Event Viewer, the filters remain in effect the next time you start Event Viewer.
Filtering has no effect on the actual contents of the log: It changes only the view. All events are logged continuously, whether the filter is active or not. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file. For more information on archiving, see "Using Event Viewer with Archived Log Files" later in this chapter.
The following table describes the options available in the Filter dialog box.
1 This option is not available for LAN Manager 2.x servers.
2 This option is not available for audit logs on LAN Manager 2.x servers.
3 This option is not available for error logs on LAN Manager 2.x servers.
For information on how to filter for events and turn off filtering of events, see "Filtering Events" in Event Viewer Help.
For information on how to return to the default criteria, see "Reset to Default Settings" in Event Viewer Help.
Searching for Events
To search for events that match a specific type, source, or category, click Find on the View menu. Searches can be useful when you are viewing large logs: For example, you can search for all Warning events related to a specific application, or search for all Error events from all sources.
Your choices in the Find dialog box are in effect throughout the current session. If Save Settings On Exit on the Event Viewer Options menu is checked when you quit, the current filter settings are available the next time you start Event Viewer.
For more information, see "Searching for Events" in Event Viewer Help.
Setting Options for Logging Events
Logging starts automatically when you start the computer. Logging stops when an event log becomes full and cannot overwrite itself either because you've set it for manual clearing or because the first event in the log is not old enough.
Use the Log Settings command on the Log menu to define logging parameters for each kind of log. You can set the maximum size of the log and specify whether the events are overwritten or stored for a certain period of time.
The Event Log Wrapping option lets you define how events are retained in the log selected in the Change Settings For dialog box. (The default logging policy is to overwrite logs as needed, provided events are at least seven days old.) You can customize this policy for different logs.
The options include the following.
Note When a log is full (when no more events can be logged), you can free the log by clearing it. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten.
For information on how to clear a log, see "Clearing All Events" in Event Viewer Help.
Although you can increase (to the capacity of the disk and memory) or decrease the maximum log size, each log file has an initial maximum size of 512K. Before decreasing a log's size, you must clear the log.
Using Event Logs to Troubleshoot Problems
Careful monitoring of event logs can help you predict and identify the sources of system problems. For example, if log warnings show that a disk driver can only read or write to a sector after several retries, the sector will likely go bad eventually. Logs can also confirm problems with application software: If an application crashes, an application event log can provide a record of activity leading up to the event.
The following are suggestions to help you use event logs to diagnose problems:
Monitoring Windows NT Security Events
You enable auditing from the User Manager Auditing Policy dialog box. Through auditing, you can track Windows NT Workstation security events. You can specify that an audit entry is to be written to the security event log whenever certain actions are performed or files are accessed. The audit entry shows the action performed, the user who performed it, and the date and time of the action. You can audit both successful and failed attempts at actions, so the audit trail can show who actually performed actions on the network and who tried to perform actions that are not permitted.
Events are not audited by default. If you have Administrator permission, you can specify what types of system events are audited through User Manager. The Audit policy determines the amount and type of security logging Windows NT Workstation performs. For file and object access, you can then specify which files and printer to monitor, which types of file and object access to monitor, and for which users or groups. For example, when File and Object Access auditing is enabled, you can use the Security tab in a file or folder's Properties dialog box (accessed through Windows NT Explorer) to specify which files are audited and what type of file access is audited for those files.
Note You can audit file and folder access on only Windows NT File System (NTFS) drives.
Because the security log is limited in size, select the events to be audited carefully, and consider the amount of disk space you are willing to devote to the security log. The maximum size of the security log is defined in Event Viewer.
Note When administering domains, the Audit policy applies to the security log of the primary and backup domain controllers in the domain because they share the same Audit policy. When administering a computer running Windows NT Workstation or a computer running Windows NT Server as a member server, this policy applies only to the security log of that computer.
The following table describes the types of events that can be audited.
Auditing File and Folder Access
You can audit the access of files and folders on NTFS volumes to identify who took various types of actions with the files and folders and hold those users accountable for their actions.
To set auditing on a file or folder, use User Manager to enable auditing of File and Object Access, and then use Windows NT Explorer to specify which files to audit and which type of file access events to audit. To view audit entries, use the Event Viewer.
You can audit successful and failed attempts of the following types of directory and file access:
To audit the following activities on a directory, select the events shown.
To audit the following activities on a file, select the events shown.
Note To audit files and directories, you must be logged on as a member of the Administrators group.
Auditing Printer Access
By auditing a printer, you track its usage. For a particular printer, you can specify which groups or users and which actions to audit. You can audit both successful and failed actions.
Important To audit a printer, you must set the audit policy to audit file and object access.
To audit the following activities for a printer, select the events shown in the following table.
Halting the Computer When the Security Log is Full
If you have set the security log either to "Overwrite Events Older than n Days" or "Do Not Overwrite Events (Clear Log Manually)", you can configure the computer to halt when the log is full, so that no auditable activity can take place while no new audit records can be written. To do so, use the Registry Editor to create or assign the following registry key value:
The changes take effect the next time the computer is started. You can update the Emergency Repair Disk to reflect these changes.
If Windows NT Workstation halts as a result of a full security log, the system must be restarted and reconfigured to prevent auditable activities from occurring again while the log is full. After the system is restarted, only administrators can log on until the security log is cleared. For more information on recovering after Windows NT halts, see "Recovering After Windows NT Halts Because it Cannot Generate an Audit Event Record" in Event Viewer Help.
Using Event Viewer with Archived Log Files
You can archive security logs so that you can monitor security events over a period of time. Or you can archive application logs so that you can track the Warning and Error events that occur for specific applications.
When you archive a log file, the entire log is saved, regardless of any filtering options specified in Event Viewer. If you changed the sort order in Event Viewer, event records are saved exactly as displayed if you archive the log in a text or comma-delimited text file.
Archiving a Log
When you archive an event log, you save it in one of three file formats:
The binary event data is saved if you archive a log in log file format, but it is discarded if you archive the log in text file format or in comma-delimited text file format. The event description is saved in all archived logs. When you archive a sorted log, the sort order affects the order in which event records are archived in a text file format or comma-delimited text file format. However, sort order does not affect the order of event records in a log archived in log file format. In either case, the sequence of data within each individual event record is recorded in the following order:
1 Depends on the sort order specified on the View menu.
Archival has no effect on the current contents of the active log. To clear the original log, you must click Clear All Events on the Log menu. To remove an archived log file, delete the file as you would other kinds of files.
For information on how to archive an event log, see "Archiving Event Logs" in Event Viewer Help.
Viewing a Log Archived in Log File Format
You can view an archived file in Event Viewer only if the log was saved in log file format. You cannot click the Refresh or Clear All Events commands to update the display or to clear an archived log.
Note If you do not specify the correct log type (application, security, or system), the Description displayed for the archived log in the Event Detail dialog box will not be correct.
For information on how to display an archived log in Event Viewer, see "Viewing a Log Archived in Log File Format" in Event Viewer Help.
Using Logs Archived in a Text Format
An event log saved in text or comma-delimited text format can be opened in other applications. These applications can be used to filter, sort, and format the archived event records. You can also combine event records from two or more archived text files to create reports.
For example, you can copy lines of text from an archived log to include as supporting information in an electronic mail message. Or you can archive a security log in comma-delimited format so that you can place the information in a spreadsheet and produce a chart showing the archived information.
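As an added example (not part of the Resource Kit text), the following Python script reads a log archived in comma-delimited text format, applies Filter-dialog style criteria and a sort order as described under "Viewing Specific Logged Events", and produces the kind of summaries suggested in "Using Event Logs to Troubleshoot Problems" (failed logon audits per user, repeated disk warnings). The column order, date format, and every event record in it are constructed assumptions, not output of a real Event Viewer.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of a log archived in comma-delimited text format. The
# column order is assumed to follow the Event Viewer display: date, time,
# source, type, category, event ID, user, computer, description.
ARCHIVE = """\
1/14/97,9:05:40 AM,Security,Failure Audit,Logon/Logoff,529,bob,WKS1,Logon failure (constructed)
1/14/97,9:02:11 AM,Security,Success Audit,Logon/Logoff,528,alice,WKS1,Successful logon (constructed)
1/13/97,11:47:03 PM,Disk,Warning,None,51,N/A,WKS1,Retry on Harddisk0, sector read (constructed)
1/13/97,11:46:58 PM,Disk,Warning,None,51,N/A,WKS1,Retry on Harddisk0, sector read (constructed)
1/13/97,6:30:00 PM,Security,Failure Audit,Logon/Logoff,529,bob,WKS1,Logon failure (constructed)
1/13/97,8:15:22 AM,Srv,Error,None,2012,N/A,WKS1,Server error (constructed)
"""
FIELDS = ["date", "time", "source", "type", "category", "event_id", "user", "computer"]

def parse_archive(text):
    """Parse archived comma-delimited records. The description is the last
    column and may itself contain commas, so everything after the eighth
    column is joined back together instead of being dropped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        rec = dict(zip(FIELDS, row[:8]))
        rec["event_id"] = int(rec["event_id"])
        rec["description"] = ",".join(row[8:])
        rec["when"] = datetime.strptime(f"{row[0]} {row[1]}", "%m/%d/%y %I:%M:%S %p")
        records.append(rec)
    return records

def filter_events(records, **criteria):
    """Mirror the Filter dialog: keep only records whose type, source,
    category, user, computer or event_id equal the given values. Like
    Event Viewer's filter, this changes the view, not the archive."""
    return [r for r in records if all(r[k] == v for k, v in criteria.items())]

def sort_events(records, oldest_first=False):
    """Event Viewer's default is newest first; Oldest First reverses it."""
    return sorted(records, key=lambda r: r["when"], reverse=not oldest_first)

def failed_logons_per_user(records):
    """Failure Audit entries in the Logon/Logoff category, counted per user."""
    hits = filter_events(records, type="Failure Audit", category="Logon/Logoff")
    return Counter(r["user"] for r in hits)

def repeated_warnings(records, min_count=2):
    """Troubleshooting aid: (source, event ID) pairs that logged the same
    Warning repeatedly, e.g. a disk driver needing several retries."""
    c = Counter((r["source"], r["event_id"]) for r in records if r["type"] == "Warning")
    return {key: n for key, n in c.items() if n >= min_count}
```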