New Year greetings and salutations from Hilde and the rest of the PFEs out there! This is the first posting to this blog in 2012 and the second post in a multi-part series on troubleshooting. In this installment, I’ll be covering a real gem – the Event Viewer.
NOTE: The details of the tools covered in this series will be specific to the versions in Win7/W2k8 R2.
A prize in every box!
In Windows 7 and/or Windows Server 2008 R2, you are able to utilize many excellent troubleshooting tools without additional AdminPacks, Support Tools or other add-ins. These tools are part of the OS and you can count on them just being there.
Installment #2 – The Event Viewer
Many IT Pros are well-versed in translating data they find in the Event Viewer into actionable information. The newer Event Viewer offers some GREAT enhancements and features, and is even more helpful to IT Pros.
Event Log “Sub-system”
· Completely re-done back in Vista/2K8 – known as “Windows Eventing 6.0”
· Like many aspects of newer Microsoft products, the new Eventing subsystem relies heavily on XML standards
  · This makes searching, filtering and the overall performance of the Event Viewer much speedier
  · Especially apparent in large event-volume situations such as the Security Event Log
    · In W2k3, trying to “massage” the Security Event log on an enterprise-scale DC with best-practice auditing enabled in AD was painful and, in many cases, not really even workable.
    · In Win7/2K8 R2, you can manipulate/filter/sort/search the Event Logs and actually have it be an effective and valuable use of your time
      · Searches quickly return results
      · Filtering or re-sorting the Events doesn’t lock up the box while it processes
· Older versions of the 32-bit OS had a maximum combined size for ALL Event Log files of around 300–400 MB. If the files got near that limit, unpredictable results could occur, including missing events. Those space/file-size limitations are no longer present (up to 2 TB event logs can be set – not recommended, but possible).
Custom Views
· They’ll persist after you close the Event Viewer – you won’t lose your favorite View(s) when you close it
· Use “Filtering” to narrow down the results, quickly weed out the noise and find only what you’re looking for.
· Import/export them – make your favorite View(s) and share them with your team
· Consider this idea: combine Filtering with a Custom View and you can make “application-specific” views of Events that you can save/export across a server farm or distribute to the application-specific team who supports the app.
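Under the covers, a Custom View is just an XML query, and the same query runs from PowerShell. The block below is an added example (not from the original post): a constructed “application-specific” view for account lockouts and failed logons in the last 24 hours, run with Get-WinEvent. The very same QueryList is what the XML tab of “Create Custom View” / “Filter Current Log” holds, so you can paste it there to build the saved View.

```powershell
# Added example (not from the original post). Constructed filter: failed logons (4625)
# and account lockouts (4740) from the Security log in the last 24 hours.
# timediff() is in milliseconds; the "<" must be written as &lt; inside the XML.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625 or EventID=4740)
        and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

# Same XPath the Event Viewer would use, same speed: the filter runs in the
# eventing subsystem, not in the client.
Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, Message |
    Format-Table -AutoSize -Wrap
```

If no records match, Get-WinEvent reports “No events were found”; the -ErrorAction above keeps that from looking like a failure in a script. Paste the QueryList into the XML tab of a Custom View, save it, and export it from the Custom Views node to share with the team.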
Subscriptions (aka ‘Event Forwarding’)
· Ever wish you could gather specific Events (even from multiple machines) to a central machine with relative ease? Now you can!
· Note – this is not a viable alternative for an enterprise monitoring system like SCOM, but in a pinch, or for a small-scale or narrowly-focused situation, this could be just the ticket
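Here is the whole collector-initiated setup from the command line, as an added example (not from the original post). Host names, the collector account and the output path are placeholders; the subscription file follows the wecutil subscription XML schema, and the easiest way to check the element set against your build is to export a subscription you made in the GUI with `wecutil gs <id> /f:xml`.

```powershell
# Added example (not from the original post). Placeholders: CONTOSO\COLLECTOR01$,
# dc01/dc02.contoso.com, C:\Temp\AccountLockouts.xml.

# --- On each source computer (elevated) ---
# Enable the WinRM listener and firewall rule the collector will connect to...
winrm quickconfig -q
# ...and let the collector's computer account read the Security log.
net localgroup "Event Log Readers" "CONTOSO\COLLECTOR01$" /add

# --- On the collector (elevated) ---
# Configure and start the Windows Event Collector service.
wecutil qc /q

New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
@'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AccountLockouts</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Account lockout events (4740) from the DCs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[EventID=4740]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>dc01.contoso.com</Address></EventSource>
    <EventSource Enabled="true"><Address>dc02.contoso.com</Address></EventSource>
  </EventSources>
</Subscription>
'@ | Set-Content -Path C:\Temp\AccountLockouts.xml

# Create the subscription, then check that every source shows as Active.
wecutil cs C:\Temp\AccountLockouts.xml
wecutil gr AccountLockouts

# Forwarded records land in the collector's "Forwarded Events" log.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue
```

`wecutil gr` is the first place to look when nothing arrives: a source stuck in “Inactive” with an access-denied code almost always means the Event Log Readers step was skipped on that source.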
Attach a Task to an Event
· Ever wish you could kick off a script or command, or even an email, right when an event occurs? Now you can!
· Basic Task – from the Event Log entry itself > right-click > “Attach a Task to this Event” (or “Attach a Task to this Log” from the log itself)
· For more advanced options, open Task Scheduler and drill down to Event Viewer Tasks > Create Task
  · Enter all appropriate info and on the ‘Triggers’ tab, choose “On an event”
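The same “On an event” trigger can be created without the GUI, which is handy when you want the identical task on a dozen servers. The block below is an added example (not from the original post): it writes a small notification script and registers a task that fires on Security event 4740 (account lockout). The script path, task name and mail settings are placeholders.

```powershell
# Added example (not from the original post). Placeholders: C:\Scripts\Notify-Lockout.ps1,
# the task name, and the mail addresses/SMTP server.
$scriptPath = 'C:\Scripts\Notify-Lockout.ps1'
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null

# The action: grab the newest lockout record and e-mail its rendered message.
@'
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1
Send-MailMessage -To 'helpdesk@example.com' -From 'eventlog@example.com' `
    -SmtpServer 'smtp.example.com' `
    -Subject ("Account lockout reported by " + $env:COMPUTERNAME) `
    -Body $evt.Message
'@ | Set-Content -Path $scriptPath

# The trigger: schtasks /SC ONEVENT with the channel (/EC) and the same XPath (/MO)
# the Event Viewer writes when you click "Attach a Task to this Event".
# The task lands in the same "Event Viewer Tasks" folder the GUI uses.
schtasks /Create /F /TN "\Event Viewer Tasks\Notify-AccountLockout" `
    /SC ONEVENT /EC Security `
    /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]" `
    /TR "powershell.exe -NonInteractive -File $scriptPath" `
    /RU SYSTEM

# Show what was registered; the <EventTrigger> element is what the Triggers tab displays.
schtasks /Query /TN "\Event Viewer Tasks\Notify-AccountLockout" /XML
```

Because the action runs PowerShell, the machine’s execution policy has to allow local scripts (or sign the script), and the SYSTEM account needs to reach the SMTP server; both are common reasons an attached task shows “Ran” in Task Scheduler but no mail ever arrives.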
· Application and Services Logs
  · Provide detail on a vast array of OS activities
  · Group Policy processing
    · Why aren’t my GPOs applying?
    · Don’t need to enable this like USERENV logging
  · DNS Client processing
    · Why aren’t my DNS records updating in DNS?
  · Scheduled Tasks processing
    · Why is my Scheduled Task failing?
  · Windows Backup processing
    · Why isn’t my Backup job completing?
  · DHCP Client processing
    · Why isn’t my client getting an IP?
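Those Application and Services logs are ordinary channels, so they answer to Get-WinEvent as well. The block below is an added example (not from the original post); the channel names are the ones I expect on Win7/2K8 R2, and the -ListLog call at the top confirms which are present and enabled on the box before anything is queried.

```powershell
# Added example (not from the original post). Channel names are the expected
# Win7/2K8 R2 names; -ListLog verifies them rather than assuming.
$channels = 'Microsoft-Windows-GroupPolicy/Operational',
            'Microsoft-Windows-DNS-Client/Operational',
            'Microsoft-Windows-TaskScheduler/Operational',
            'Microsoft-Windows-Backup',
            'Microsoft-Windows-Dhcp-Client/Admin'

# Which of these exist here, whether they are enabled, and how full they are.
Get-WinEvent -ListLog $channels -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount, LogMode |
    Format-Table -AutoSize

# "Why aren't my GPOs applying?" - errors and warnings from the last day of
# Group Policy processing, no USERENV-style debug logging needed.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3                     # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# "Why is my Scheduled Task failing?" - launch/completion failures by task name.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'
        Level   = 2
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Some Operational channels ship disabled; if IsEnabled is False in the first listing, `wevtutil sl <channel> /e:true` turns the log on, and the Event Viewer shows the same setting under the log’s Properties.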
· Save Selected Events
  · Save a subset of Events to their own EVTX file for further analysis/filtering and easier portability
  · Instead of copying a 250 MB file across the WAN from a remote server, you can copy over a 32 KB one
· FIND the needle in the haystack
  · Right-click a Log, click “Find”, enter a User ID, Event ID, keyword, etc., and let the magic begin
  · Quickly find who rebooted the server recently
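To tie “Save Selected Events” and the “who rebooted the server?” question together, here is the command-line version of both, as an added example (not from the original post): wevtutil exports only the shutdown/restart records (System log, event ID 1074 from User32) into their own small EVTX, and a short function reads that file back and pulls the initiating user and reason out of each message. The output path is a placeholder.

```powershell
# Added example (not from the original post). Placeholder path: C:\Temp\reboots.evtx
$out = 'C:\Temp\reboots.evtx'
New-Item -ItemType Directory -Path (Split-Path $out) -Force | Out-Null

# Export just the 1074 records into their own EVTX (/q = XPath filter, /ow = overwrite).
# This is the CLI twin of selecting the events and choosing "Save Selected Events".
wevtutil epl System $out "/q:*[System[Provider[@Name='User32'] and EventID=1074]]" /ow:true
Get-Item $out | Select-Object Name, Length     # a few KB, not the whole System log

# Read the exported file back (on any Win7/2K8 R2 box) and answer "who rebooted it?"
function Get-RebootHistory ([string]$Path) {
    Get-WinEvent -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        # 1074 message text: "...has initiated the restart of computer X on behalf
        # of user DOMAIN\user for the following reason: <reason>"
        $who = if ($_.Message -match 'on behalf of user (\S+)') { $matches[1] } else { '(unknown)' }
        $why = if ($_.Message -match 'for the following reason: ([^\r\n]+)') { $matches[1] } else { '' }
        New-Object PSObject -Property @{
            When = $_.TimeCreated
            Who  = $who
            Why  = $why
            From = $_.MachineName
        }
    }
}

Get-RebootHistory $out | Sort-Object When -Descending | Format-Table When, Who, Why -AutoSize
```

The same `/q:` XPath works against a remote machine with `wevtutil /r:<server>`, so the 250 MB log never has to cross the WAN at all; only the filtered EVTX comes back.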
Don’t wait another minute – jump in and explore the Event Viewer. Advance your troubleshooting and glean more actionable information and details about the system/situation with these great features.
Come back next time for a discussion of yet another tool waiting for you “in the box” of Win7 and 2K8 R2…