1. Examining the Event Viewer User Interface
The interface for Event Viewer in Windows
Server 2008 R2 has changed significantly from earlier versions, and
those changes remain intact for Windows Server 2012. Although the
information produced by logged events remains much the same, it’s
important to be familiar with the interface to take advantage of the
features and functionality.
Administrators accustomed to using
the latest Microsoft Management Console (MMC) 3.0 will notice
similarities in the new look and feel of the Event Viewer user
interface. The navigation tree on the left pane of the Event Viewer
window lists the event logs available to view and also introduces new
folders for creating custom event views and subscriptions from remote
systems. The central details pane, in the middle of the console,
displays event information for the folder selected in the
navigation tree. On the Event Viewer home page, the details pane
also summarizes administrative events by date and criticality,
provides log summaries, and displays recently viewed nodes. Finally, the tasks
pane, located on the extreme right side of the window, contains
context-sensitive actions depending on the focus in the Event Viewer
snap-in.
The folders residing in the left pane of the Event Viewer are organized as follows:
• Custom Views
• Windows Logs
• Applications and Services Logs
• Subscriptions
1.1 The Custom Views Folder
Custom views are filters that are created either
automatically by Windows Server 2012, when new server roles or
applications such as Active Directory Certificate Services (AD CS) and
Dynamic Host Configuration Protocol (DHCP) servers are added to the
system, or manually by administrators. It is important for
administrators to have the ability to create filters that target only
the events they are interested in viewing to quickly diagnose and
remediate issues on the Windows Server 2012 system and infrastructure.
By expanding the Custom Views folder in the Event Viewer navigation
tree and right-clicking Administrative Events, selecting Properties,
and clicking the Edit Filter button, you can see how information from
the event log is parsed into a set of filtered events. The Custom View
Properties Filter tab is displayed in Figure 2.
In the built-in Administrative Events custom view, all critical,
error, and warning events are captured for all event logs. Instead of
wading through the large number of informational events captured by Windows
Server 2012 and cycling through each Windows log, the administrator can
use this filter as a single place to quickly check for any potential
problems on the system.
Figure 2. The Filter tab located in the Custom View Properties page.
Also listed in the Custom Views folder of
Event Viewer are predefined filters created by Windows Server 2012 when
new roles are added to the system. These queries cannot be edited.
However, they provide events related to all Windows Server 2012 roles,
and the logical grouping can be used to quickly drill down into issues
affecting the performance of the system as it relates to specific
server roles. Again, this is a way of helping an administrator find the
information needed to identify and ultimately resolve server problems
quickly and efficiently.
The Administrative Events filter was first introduced with
Windows Server 2008. It groups all events
associated with the system from an administrative perspective. By
drilling down to the Administrative Events filter, an administrator can
quickly identify issues associated with all administrative events.
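The Administrative Events filter described above selects critical, error, and warning events across logs. The following PowerShell script is an added example, not taken from the original text or from the built-in view's own definition; it expresses the same level filter as a structured XML query and runs it with Get-WinEvent. The three-log scope, the 24-hour window, and the variable names are assumptions made for illustration.

```powershell
# Added example (not from the original text): a structured XML query of the
# kind shown on a custom view's XML tab, run with Get-WinEvent.
# Assumptions: scope limited to three Windows logs and the last 24 hours.
# Run from an elevated session so the Security log is readable.

$logs     = 'Application', 'Security', 'System'
$windowMs = 24 * 60 * 60 * 1000          # look-back window in milliseconds

# One <Select> per log. Level 1 = Critical, 2 = Error, 3 = Warning.
# "&lt;" is the XML-escaped "<" required inside the query text.
$selects = foreach ($log in $logs) {
    "<Select Path=`"$log`">*[System[(Level=1 or Level=2 or Level=3) " +
    "and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]</Select>"
}

$query = [xml]("<QueryList><Query Id=`"0`" Path=`"$($logs[0])`">" +
               ($selects -join '') + "</Query></QueryList>")

try {
    $events = Get-WinEvent -FilterXml $query -ErrorAction Stop
}
catch {
    # Get-WinEvent raises an error when nothing matches; treat that as
    # an empty result and re-throw anything else (for example, access denied).
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        $events = @()
    }
    else {
        throw
    }
}

# Summarize what the filter returned, per log and severity.
$events |
    Group-Object -Property LogName, LevelDisplayName |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize
```

Removing the TimeCreated clause returns every matching event in the selected logs, which can be slow on servers with large logs.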