Event Viewer

You can launch the Event Viewer snap-in by clicking Start > (All) Programs > Administrative Tools > Event Viewer, or by clicking Start > Run, typing eventvwr.msc and clicking OK. Events are recorded in log files by the Event Log service, which runs automatically when the system is started. By default these log files are stored in the %systemroot%\system32\config folder and have the .evt extension. On standalone Windows Server 2003 computers and member servers, there are only three event logs:

  • Application: records events generated by application programs and network application services such as SQL Server and Exchange Server. The log file is named AppEvent.Evt.
  • Security: records the success or failure of audited events, configured by Administrators through local or group policies. The log file is named SecEvent.Evt. Only users who have the Manage auditing and security log user right can access the security log. Members of the Administrators group have this right by default.
  • System: records events generated by the operating system and its subsystems, such as device drivers and services. The log file is named SysEvent.Evt.

If a server is promoted to a domain controller, the Active Directory Installation Wizard (DCPROMO.exe) adds three more event logs, which monitor critical components of Active Directory:

  • Directory Service: records events generated by the Active Directory service itself. The log file is named NTDS.Evt.
  • File Replication Service: records activities related to the File Replication Service, including messages about replication problems between DCs. The log file is named NtFrs.Evt.
  • DNS Server: records Domain Name System (DNS) queries, DNS replies and other DNS-related activities if DNS is installed on the DC. The log file is named DnsEvent.Evt.

The maximum size for an event log is 16,384KB, so the logs will eventually fill up. Once this happens, the log starts to overwrite earlier events. You can clear a log manually by right-clicking it in the left pane of the Event Viewer and selecting Clear All Events. You will be asked whether you want to save the events before you clear them. If you click Yes, the Save As dialog box prompts you to choose a location on disk, a filename for this log and the file type to save this log as: Event Log (.evt), Text (tab delimited, .txt) or CSV (comma delimited, .csv).

Logs saved in the .evt file format can be opened within the Event Viewer by right-clicking a log, selecting Open Log File and specifying the location and name of the file. Alternatively, you can right-click the Event Viewer root node and select Open Log File to open a log file without closing any of the existing logs. Event Viewer cannot open logs saved as .txt or .csv files, but .txt files can be opened in any text editor or word-processing program and .csv files can be opened in applications such as Excel or Notepad.
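A saved .evt file begins with a 48-byte header that records the configured maximum size and whether the log has wrapped, so an analyst can tell whether earlier events were overwritten before relying on the file. The following added example (not part of the original page) parses that header using Microsoft's documented EVENTLOGHEADER layout; the function names and the sample bytes are constructed for illustration.

```python
import struct

# EVENTLOGHEADER layout from Microsoft's event log file format documentation:
# twelve little-endian 32-bit fields, 48 bytes in total.
HEADER = struct.Struct("<12I")
SIGNATURE = 0x654C664C  # the bytes "LfLe" on disk
FLAGS = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}

def parse_evt_header(data):
    """Decode the header at the start of a legacy .evt file."""
    if len(data) < HEADER.size:
        raise ValueError("truncated: the header is 48 bytes")
    (size, sig, major, minor, start, end, next_rec, oldest,
     max_size, flags, retention, end_size) = HEADER.unpack_from(data)
    if sig != SIGNATURE or size != HEADER.size or end_size != HEADER.size:
        raise ValueError("not a legacy .evt header")
    return {
        "version": (major, minor),
        "start_offset": start,
        "end_offset": end,
        "next_record": next_rec,
        "oldest_record": oldest,
        "max_size_kb": max_size // 1024,
        "retention_seconds": retention,
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
    }

def coverage_findings(info):
    """Point out what the file can no longer tell you."""
    findings = []
    if "WRAP" in info["flags"]:
        findings.append("log has wrapped: older events were overwritten")
    if info["oldest_record"] > 1:
        findings.append("records 1-%d are not in this file"
                        % (info["oldest_record"] - 1))
    if "DIRTY" in info["flags"]:
        findings.append("header marked dirty: offsets may be stale")
    return findings

# Constructed sample header (not taken from a real system).
SAMPLE = struct.pack("<12I", 0x30, SIGNATURE, 1, 1, 0x9000, 0x5000,
                     5001, 4200, 16384 * 1024, 0x2, 604800, 0x30)

if __name__ == "__main__":
    info = parse_evt_header(SAMPLE)
    print(info)
    for line in coverage_findings(info):
        print("-", line)
```

To check a real file, pass its first 48 bytes to `parse_evt_header`, for example the bytes read from a log saved through Clear All Events.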