1.2 Creating a New Custom View
To create a new custom view in Event Viewer,
right-click the Custom Views folder and select Create Custom View.
Alternatively, select Create Custom View from the Action menu. Either
action opens the Create Custom View dialog box, as shown in Figure 2.
First, decide whether you want to filter events by date; if so, specify
the range by using the Logged drop-down list. Options include Any Time,
Custom Range, and preset intervals such as Last Hour or Last 24 Hours.
Next, select the event levels to include: Critical, Error, Warning,
Information, and Verbose. (Leaving every level unchecked includes all
levels.) Then choose either By Log or By Source and use the matching
drop-down list to pick the event logs or event sources the view covers;
the two options are mutually exclusive. To refine the filter further,
enter specific event IDs, task categories, keywords, users, and
computers. The event ID field accepts comma-separated IDs and ranges,
and a leading minus sign excludes an ID, so 4624,4625,-4634 matches
successful and failed logons but not logoffs. Click OK, then save the
view by giving it a name, a description, and the folder under Custom
Views where it should appear.
Tip
A custom view is a stored query, not a copy of the events; it is re-run against the underlying logs each time it is opened. Performance and memory consumption suffer if the view spans many large logs or an open-ended time range, so scope it as tightly as the task allows.
After you define a custom view, you can export it as an XML file
(Action, Export Custom View), which can then be imported into Event
Viewer on other systems (Action, Import Custom View). The query itself
can also be written or modified directly on the XML tab of the filter
dialog, which exposes capabilities the Filter tab does not, such as
matching on values inside an event's EventData. Keep in mind that after
a filter has been edited on the XML tab, it can no longer be edited
through the GUI controls described previously.
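The following is an added example, not code from the original chapter: it runs from PowerShell the kind of query a custom view stores on its XML tab, and goes one step beyond what the Filter tab can build by matching on EventData. The QueryList element is exactly what the XML tab of the Create Custom View dialog holds. Event IDs 4624 and 4625 are the standard Security logon and failed-logon events; the 24-hour window, the logon types chosen, and the output fields are assumptions made for this example.

```powershell
# Added example (not from the original chapter): the query a custom view
# keeps on its XML tab, executed with Get-WinEvent. The <QueryList> is
# what the XML tab contains; each <Select>/<Suppress> body is an XPath
# expression over the event XML.
#
# First Select: failed logons (4625) in the last 24 hours (timediff is in
# milliseconds) restricted to RemoteInteractive (RDP) attempts by LogonType.
# The EventData predicate is the part the Filter tab cannot express.
# Second Select plus Suppress: successful logons (4624) in the same window,
# minus the noisy network (type 3) and service (type 5) logons. A Suppress
# is also what Event Viewer emits for an excluded "-ID" on the Filter tab.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]] and EventData[Data[@Name='LogonType']='10']]</Select>
    <Select Path="Security">*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Suppress Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3' or Data[@Name='LogonType']='5']]</Suppress>
  </Query>
</QueryList>
'@

# Get-WinEvent reports "no events" as an error; treat that case as an empty
# result but let anything else (for example access denied) surface.
try {
    $events = Get-WinEvent -FilterXml $query -MaxEvents 200 -ErrorAction Stop
} catch {
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

# Read the fields of interest from each event's XML rather than scraping
# the rendered Message text, which is localized and free-form.
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
    }
} | Format-Table -AutoSize
```

Run it from an elevated console, since reading the Security log requires administrative rights or Event Log Readers membership. Pasting the QueryList portion into the XML tab of Create Custom View (after selecting Edit query manually) produces a custom view with the same results; the time predicate keeps the view cheap to open, in line with the tip above.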
1.3 The Windows Logs Folder
The Windows Logs folder contains the traditional Application, Security,
and System logs. Windows Server 2012 also includes two additional
out-of-the-box logs under the same folder: Setup and Forwarded Events.
The following is a brief description of each:
• Application log—This log contains events based on applications or programs residing on the system.
• Security log—Depending on the audit policy in effect (set through Group Policy or auditpol.exe), the security log captures audit events such as logon and logoff, account management, object access, privilege use, and policy change. Only the Local Security Authority writes to it, and reading it requires administrative rights or membership in the Event Log Readers group.
• Setup log—This log captures information tailored toward installation of applications, server roles, and features.
• System log—Events
associated with Windows system components are logged to the system log.
This might include driver errors or other components failing to load.
• Forwarded Events log—Because the same issue often shows up on several
computers, this log consolidates events collected from remote computers
through event subscriptions into a single log on the collector, to
facilitate problem isolation, identification, and remediation.
1.4 The Applications and Services Logs Folder
The Applications and Services Logs folder
introduces a way to logically organize, present, and store events based
on a specific Windows application, component, or service instead of
capturing events that affect the whole system. An administrator can
easily drill into a specific item such as DFS Replication or DNS Server
and easily review those events without being bombarded or overwhelmed
by all the other systemwide events.
These logs include four
subtypes: Admin, Operational, Analytic, and Debug logs. The events
found in Admin logs are geared toward end users, administrators, and
support personnel. This log is very useful because it not only
describes a problem, but also identifies ways to deal with the issues.
Operational logs are also a benefit to systems administrators but they
typically require more interpretation.
Analytic and Debug logs are more complex. Analytic logs trace an issue
in detail and typically generate a high volume of events. Debug logs are
primarily used by developers to debug applications. Both Analytic and
Debug logs are hidden and disabled by default. To show them, right-click
Applications and Services Logs, and then select View, Show Analytic and
Debug Logs. To start collecting events into one, right-click the log and
select Enable Log; disable it again when the diagnosis is finished,
because these logs fill quickly.
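As an added example (not code from the original chapter), the same listing, enabling and reading of Analytic and Debug logs from PowerShell, which is easier to script and to undo than the View menu. The log name Microsoft-Windows-Kernel-EventTracing/Analytic is an assumed choice; substitute any log from the listing the script prints first.

```powershell
# Added example (not from the original chapter): manage an Analytic log
# from an elevated PowerShell console. Assumed log name; pick any log from
# the listing in step 1 instead.
$LogName = 'Microsoft-Windows-Kernel-EventTracing/Analytic'

# 1. Analytic and Debug logs are hidden from Get-WinEvent -ListLog, just as
#    they are hidden in Event Viewer, unless -Force is given.
Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LogType -in 'Analytical', 'Debug' } |
    Select-Object LogName, LogType, IsEnabled, MaximumSizeInBytes |
    Format-Table -AutoSize

# 2. Enable the log (the equivalent of right-click, Enable Log, or of
#    "wevtutil sl <log> /e:true"). The configuration object is the same one
#    Event Viewer edits in the log's Properties dialog.
$log = Get-WinEvent -ListLog $LogName -Force
if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()
}

# ... reproduce the problem being traced here ...

# 3. Read it. Get-WinEvent can only read Analytic and Debug logs oldest-first,
#    so -Oldest is required; without it the cmdlet returns an error.
Get-WinEvent -LogName $LogName -Oldest -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize

# 4. Turn it off again. These logs are disabled by default because they
#    are high-volume, and an enabled Analytic log keeps writing until it
#    is disabled.
$log.IsEnabled = $false
$log.SaveChanges()
```

Leaving an Analytic log enabled on a production server is the most common mistake here; the last two lines are the part worth keeping in any troubleshooting script.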
1.5 The Subscriptions Folder
The final folder in the Event Viewer console tree is called
Subscriptions. Subscriptions is another feature included with the
Windows Server 2012 Event Viewer. It allows remote computers to forward
events over WinRM (WS-Management) to a central system, where they can be
viewed locally. For example, if you are experiencing issues between two
Windows Server 2012 systems, diagnosing the problem becomes challenging
because each system logs to its own event logs. In this case, you can
create a subscription on one of the servers to pull the event log data
from the other server, so that both systems' events can be reviewed from
one console. A subscription is either collector initiated, in which the
collector pulls from source computers it lists explicitly (the method
described next), or source initiated, in which the sources are pointed
at the collector through Group Policy; the latter scales better to a
large number of sources.
1.6 Configuring Event Subscriptions
To configure event subscriptions between two
systems, you must first prepare each source computer to send events to
remote computers:
1. Log on to the source computer. Best practice is to log on with a domain account that has administrative permissions on the source computer.
2. From an elevated PowerShell console, run Enable-PSRemoting to make sure the WinRM service is running and a listener is configured. (Running winrm quickconfig from an elevated command prompt is the minimum that event forwarding needs; Enable-PSRemoting does that and additionally registers the PowerShell remoting endpoints.)
3. Add the collector computer's domain computer account (the computer name followed by a dollar sign) to the local Administrators group of the source computer. This grants it both WinRM access and the right to read every log, including the Security log. Event Log Readers is the least-privilege alternative for reading the logs, but the collector account must then also be allowed to connect to WinRM (see winrm configSDDL default).
4. Log on to the collector computer, following the steps outlined previously for the source system.
5. From an elevated command prompt, run wecutil qc. This starts the Windows Event Collector service, sets it to start automatically (delayed) after reboots, and enables the Forwarded Events log if it is disabled.
6. If you intend to use the event delivery optimization options Minimize Bandwidth or Minimize Latency, also run Enable-PSRemoting (or winrm quickconfig) on the collector computer.
After the collector and source computers are
prepared, a subscription must be made identifying the events that will
be pulled from the source computers. To create a new subscription,
follow these steps:
1. On the collector computer, run Event Viewer with an account with administrative permissions.
2.
Click the Subscriptions folder in the console tree and select Create
Subscription or right-click and select the same command from the
context menu.
3. In the Subscription Name box, type a name for the subscription.
4. In the Description box, enter an optional description.
5. In the Destination Log box, select the log where collected events will be stored. By default, these events are stored in the Forwarded Events log in the Windows Logs folder of the console tree.
6. Click Select Computers to select the source computers that will be forwarding events. Add the appropriate domain computers, and then click OK.
7. Click Select Events and configure the event logs and levels to collect. This is the same Query Filter dialog used for custom views, including its XML tab. Click OK.
8. Optionally, click Advanced to choose the account the collector uses to read from the sources (the collector's machine account by default), the delivery optimization (Normal, Minimize Bandwidth, or Minimize Latency), and the protocol and port (HTTP on 5985 by default).
9. Click OK to create the subscription.
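The following is an added example, not code from the original chapter. It drives both procedures in this section from the command line, so the preparation of the source and collector and the creation of the subscription can be scripted and repeated, and it adds the runtime status check that the dialog does not show. The hostnames SRC01 and COLLECTOR01, the domain CONTOSO, the subscription name SecurityLogons, and the choice of Security events 4624 and 4625 are assumptions made for this example; the subscription XML follows the format that wecutil cs accepts.

```powershell
# Added example (not from the original chapter). Hostnames, domain and
# subscription name are assumptions. Run each part on the computer named
# in its heading, from an elevated PowerShell console.

# ---- On each SOURCE computer (SRC01) -----------------------------------
# Step 2: make sure WinRM is running with a listener. winrm quickconfig is
# the minimum; Enable-PSRemoting does the same and also registers the
# PowerShell remoting endpoints.
Enable-PSRemoting -Force

# Step 3: give the collector's computer account the rights it needs. The
# chapter uses Administrators; the account name is the computer name
# followed by a dollar sign.
net localgroup Administrators 'CONTOSO\COLLECTOR01$' /add

# ---- On the COLLECTOR computer (COLLECTOR01) ---------------------------
# Step 5: start the Windows Event Collector service, set it to delayed
# auto-start and make sure the ForwardedEvents channel is enabled.
wecutil qc /q:true

# A collector-initiated subscription as an XML file. It carries the same
# information the Create Subscription dialog asks for: a name, the
# destination log, the source computers and the event query. The
# <QueryList> inside CDATA is what the Select Events dialog's XML tab holds.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon and failed-logon events from SRC01</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>SRC01.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@
$path = Join-Path $env:TEMP 'SecurityLogons.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8

# Create the subscription (the equivalent of clicking OK in the dialog),
# show its stored configuration, and then check the runtime status. "gr"
# reports a per-source state such as Active and the last error, which is
# where a failed WinRM connection or a denied log read shows up.
wecutil cs $path
wecutil gs SecurityLogons
wecutil gr SecurityLogons

# Collected events land in Forwarded Events on the collector, so the usual
# query cmdlets apply there; MachineName identifies the source.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName |
    Format-Table -AutoSize
```

ConfigurationMode corresponds to the delivery optimization in the dialog (Normal, MinBandwidth, or MinLatency). ContentFormat RenderedText ships the formatted message along with the event and is the more readable choice; Events sends only the raw event XML and costs less bandwidth. CredentialsType Default means the collector connects with its machine account, which is why that account was added to the source's Administrators group in step 3.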