2. Conducting Additional Event Viewer Management Tasks
Now that you understand the functionality of
each of the folders associated with the Event Viewer included with
Windows Server 2012, it is beneficial to review the upcoming sections
for additional management tasks associated with Event Viewer. These
tasks include the following:
• Saving event logs
• Organizing data
• Viewing logs on remote servers
• Archiving events
• Customizing the event log
• Understanding the security log
2.1 Saving Event Logs
Event logs can be saved and viewed at a later
time. You can save an event log by either right-clicking a specific log
and choosing Save Events As or by picking individual events from within
a log, right-clicking the selected events, and choosing Save Selected
Items. Entire logs and selected events can also be saved by selecting
the same command from the Actions pane. After being saved, these logs
can be opened by right-clicking the appropriate log and selecting Open
Saved Log or by clicking the same command in the Actions pane. After a
log has been opened, it will be displayed in a new top-level folder
called Saved Logs from within Event Viewer.
2.2 Organizing Data
Vast numbers of events can be collected by
Windows and displayed in the central pane of Event Viewer. New tools, and
enhancements to old ones, make finding useful information much easier
than in any previous iteration of Event Viewer:
• Sorting—Events
can be sorted in many ways: for example, by right-clicking the folder
or Custom View icon and then selecting View, Sort By; by selecting the
column name on which to sort in the left pane; or by clicking the
heading of the column to be sorted. Sorting is a quick way to find
items at a very high level (for example, by time, source, or event ID).
The features for finding and sorting data are more robust and well
worth learning.
• Selection and sorting of column headings—Various
columns can be added to or removed from any of the event logs. The
order in which columns are displayed from left to right can be altered
as well by selecting the column in the Select Column dialog box and
clicking the up- or down-arrow button.
• Grouping—Another way to
view event log information is through the grouping function. By
right-clicking a column heading, an administrator can group the event
log being viewed by any of the columns in view. By grouping events on
specific criteria, trends can be spotted that help isolate issues and
ultimately resolve problems.
• Filtering—As
mentioned earlier, filtering, like grouping, provides a means to
isolate and display only the data you want to see in Event Viewer.
Filtering, however, gives the administrator many more options for
determining which data should be displayed than grouping or sorting
does. Filters can be defined based on any or all of the event levels, log
or source, event IDs, task category, keywords, user, or computer.
After being created, filters can be exported for use on other systems.
• Tasks—By attaching
tasks to events, logs, or custom views, administrators can bring some
automation and notification into play when certain events occur. To
create a task, simply right-click the custom view, built-in log, or
specific event of your choice, and then click Attach a Task to
This Custom View, Log, or Event. The Create a Basic Task Wizard then
launches; on the first page, just enter a name and description for the
task. Click Next to view the criteria that will trigger the task
action. (This section cannot be edited and is populated based on the
custom view, log, or event selected when the wizard is initiated.) Click
Next and select Start a Program, Send an E-mail, or Display a Message
as desired.
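The sort, group, filter, and attach-a-task operations listed above can also be scripted, which is how an administrator would apply the same criteria consistently across many servers. The following PowerShell is an added example, not part of the original text or of Windows itself; the log name (System), the 24-hour window, the task name, and the notification script path are illustrative choices, and it assumes an elevated session on Windows Server 2012 or later.

```powershell
# Added example: the Event Viewer sort/group/filter/task operations described
# above, performed from PowerShell. Assumptions: elevated session on Windows
# Server 2012 or later; 'System', the 24-hour window, the task name and the
# script path are placeholders chosen for illustration.

# --- Filtering: the same criteria the Filter dialog offers (level, time) -----
# Level 1 = Critical, 2 = Error, 3 = Warning (the "Event level" check boxes)
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue     # "no events found" is not an error here

# --- Sorting: newest first, as when clicking the Date and Time column heading
$events | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName -First 20 |
    Format-Table -AutoSize

# --- Grouping: as when right-clicking the Source column and grouping by it ---
$events | Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# --- The same filter in the XML form Event Viewer stores for a Custom View ---
# (Custom View > XML tab). It yields the same events as the hashtable above
# and is what you export to reuse the filter on another system.
[xml]$filterXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
"@
$viaXml = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue
"Hashtable filter: $($events.Count) events; XML filter: $($viaXml.Count) events"

# --- Tasks: attach an action to an event trigger, the command-line equivalent
# of "Attach a Task to This Log" with "Start a Program". /EC is the event
# channel and /MO is an XPath query in the same language as the XML above.
schtasks /Create /F /TN "EventViewer\NotifyOnSystemErrors" `
    /SC ONEVENT /EC System /MO "*[System[(Level=1 or Level=2)]]" `
    /TR "powershell.exe -NoProfile -File C:\Scripts\Notify-Admin.ps1"

# Confirm what the task triggers on; delete it once it is no longer wanted.
schtasks /Query /TN "EventViewer\NotifyOnSystemErrors" /V /FO LIST
# schtasks /Delete /TN "EventViewer\NotifyOnSystemErrors" /F
```

The hashtable and XML filters are interchangeable; the XML form is the one worth keeping under version control, because it is exactly what a Custom View exports and what a scheduled task's event trigger consumes.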
2.3 Viewing Logs on Remote Servers
You can use Event Viewer to view event logs
on other computers on your network. To connect to another computer from
the console tree, right-click Event Viewer (Local) and click Connect to
Another Computer. Select Another Computer and then enter the name of
the computer or browse to it and click OK. You must be logged on as an
administrator or be a member of the Administrators group to view event
logs on a remote computer. If you are not logged on with adequate
permissions, you can select the Connect as Another User check box and
set the credentials of an account that has proper permissions to view
the logs on the remote computer.
2.4 Archiving Events
Occasionally, you might need to archive an
event log. Archiving a log copies the contents of the log to a file.
Archiving is useful in creating benchmark records for the baseline of a
server or for storing a copy of the log so it can be viewed or accessed
elsewhere. When an event log is archived, it is saved in one of four
forms:
• Comma-delimited text file (.csv)—This format allows the information to be used in a program such as Microsoft Excel.
• Text-file format (.txt)—Information in this format can be used in a program such as a word processing program.
• Log file (.evtx)—This
format allows the archived log to be viewed again in the Windows Server
2012 or Windows 8 Event Viewer. Note that the event log format is XML,
which earlier versions of Windows, prior to Windows Server 2008 or
Windows 7, cannot read.
• XML (.xml)—This format saves the event log in raw XML. XML is used throughout Event Viewer for filters, tasks, and logging.
The event description is saved in all
archived logs. To archive, right-click the log to be archived and click
Save Log File As. In the File Name field of the resulting property
page, type in a name for the archived log file, choose a file type from
the file format options of .csv, .txt, .evtx, or .xml, and then click
Save.
Note
You must be a member of the Backup Operators group at the minimum to archive an event log.
Logs archived in the log-file format (.evtx)
can be reopened using the Windows Server 2012 Event Viewer utility.
Logs saved in log-file format retain the XML data for each event
recorded. Event logs, by default, are stored on the server where the
Event Viewer utility is being run. Data can, however, be archived to a
remote server by simply providing a UNC path (such as
\\servername\share\) when entering a filename.
Logs archived in comma-delimited (.csv) or
text (.txt) format can be reopened in other programs such as Microsoft
Word or Excel. These two formats do not retain the XML data or
formatting.
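The four archive formats described in section 2.4, the UNC-path archiving, the reopening of a saved .evtx log from section 2.1, and the remote connection from section 2.3 can all be reproduced from PowerShell. The block below is an added example and not code from the original text; the server name, share path, and log name are placeholders, it assumes the running account holds Backup Operators rights and write access to the share, and the Get-FileHash step assumes PowerShell 4.0 or later.

```powershell
# Added example: archive one log in each of the four formats from section 2.4
# to a UNC path, record hashes, and reopen the .evtx copy (sections 2.1/2.3).
# Assumptions: 'servername', 'share' and 'System' are placeholders; the account
# is at least a Backup Operator and can write to the share; PowerShell 4.0+
# for Get-FileHash (Windows Server 2012 ships 3.0; Server 2012 R2 ships 4.0).

$LogName    = 'System'
$ArchiveDir = '\\servername\share\EventArchive'      # UNC path, as in the text
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$Base       = Join-Path $ArchiveDir "$env:COMPUTERNAME-$LogName-$Stamp"
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

# 1. .evtx - native format; keeps every event's XML and reopens in Event Viewer.
#    wevtutil epl = export-log; add /r:<server> to export a remote server's log.
wevtutil export-log $LogName "$Base.evtx"

# Read the events once for the three text-based formats.
$events = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue

# 2. .csv - for Excel; the description (Message) is kept, the event XML is not.
$events | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
                        MachineName, Message |
    Export-Csv -Path "$Base.csv" -NoTypeInformation -Encoding UTF8

# 3. .txt - for a word processor; the same fields as a readable list.
$events | Format-List TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Out-File -FilePath "$Base.txt" -Encoding UTF8

# 4. .xml - raw per-event XML, the same <Event> elements the Details > XML view
#    shows, wrapped in one root element so the file parses as a document.
$xmlBody = ($events | ForEach-Object { $_.ToXml() }) -join "`r`n"
"<Events>`r`n$xmlBody`r`n</Events>" | Out-File -FilePath "$Base.xml" -Encoding UTF8

# Record a SHA-256 hash of each archive so later alteration of a copy is detectable.
Get-ChildItem "$Base.*" | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={ Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv -Path "$Base.sha256.csv" -NoTypeInformation

# Reopen the .evtx archive: the command-line form of Open Saved Log.
$saved = Get-WinEvent -Path "$Base.evtx" -ErrorAction SilentlyContinue
"$($saved.Count) events reopened from $Base.evtx"
if ($saved) { $saved[0].ToXml() }   # XML survives in .evtx, not in .csv or .txt

# Reading another server's live log with explicit credentials (section 2.3), the
# equivalent of Connect to Another Computer with Connect as Another User checked:
# Get-WinEvent -ComputerName servername -LogName $LogName -MaxEvents 50 -Credential (Get-Credential)
```

Only the .evtx and .xml copies preserve the per-event XML; the .csv and .txt copies are convenient for reporting but cannot be reopened in Event Viewer, so keep an .evtx copy whenever the archive may later be needed as evidence.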