Accessing Event Viewer on a Remote Computer
To make your work as an administrator easier, you can view from your workstation the logs of remote computers on which you have administrative privileges. The remote computer must be running Windows 2003, Windows XP, Win2K Professional, Win2K Server, Windows NT Server, or NT Workstation.
In your local Event Viewer console, right-click Event Viewer (Local), and select Connect to another computer. Type the name of the remote computer you want to work on, or click Browse to open the screen that Figure 2 shows, then select the desired computer. Incidentally, if you know the name of the remote computer, you don't have to enter it as a Universal Naming Convention (UNC) name. Event Viewer's console changes to reflect the remote computer's UNC name. You can perform on the remote computer all actions that are available on your local Event Viewer. To return to the local computer, right-click Event Viewer (ComputerName), choose Connect to another computer, then select Local computer.
What to Look for in Event Viewer
Most real or potential problems make themselves apparent by writing an event to a log. When you see an Error or Warning event, pay attention; search for information about the event in the Microsoft Knowledge Base or on the Windows & .NET Magazine Web site. If you wait until after a problem occurs to view the event logs, you lose the opportunity to prevent the problem. For example, during my periodic peek into Event Viewer on all my network computers, I found in the System log the event that Figure 3 shows. The computer hadn't shown any symptoms of a problem.
I quickly backed up the data on the computer and ran Chkdsk, which moved files (they were system files) from bad blocks and marked the blocks as bad to prevent further writes to that part of the disk. I checked the System log daily for a few weeks, and when no additional Error events appeared, I returned to weekly Event Viewer checks. If I'd seen more Error events, I would have replaced the disk. If I hadn't been checking the computer's Event Viewer periodically, the disk probably would have continued to fall apart and data backups would have been useless because of file corruption.
Incidentally, when I examine Event Viewer, I sort by Type and check the Error events first, then the Warning events. In this case, I also found a Warning event dated 1 day before the Error event appeared that said an error on the disk was detected when Windows was writing to the paging file. If I'd checked the Event Viewer a day earlier, I probably would have had fewer bad blocks for Chkdsk to fix.
You should also look for any event in the Security log. Unless you've established security audits, that log should remain empty. If you do establish security audits, look for significant events related to the audit settings. (The Security log is the only log in Event Viewer that requires administrative rights for viewing.) For more information about auditing security events, see "Monitoring Important Security Events," October 2003, http://www.winnetmag.com, InstantDoc ID 40046. For a list of security event IDs, visit http://www.secadministrator.com/articles/index.cfm?articleid=15361.
Stop Logging Unimportant Events
By default, Windows configures computers that act as print servers to log all events related to printing. In addition, the computer's System log records an informational event every time a document is sent to a printer and again when the spool file is deleted after the print job finishes.
Personally, I don't care about any printing events, but some administrators want to know if and when printing fails; they also want notification if someone adds or deletes a printer. I doubt whether any administrator finds it necessary to log an informational event every time a print job is sent to the spooler and is later deleted.
You can change the print events that the System log records by opening the computer's Printers folder (called Printers and Faxes in Windows 2003 and XP). Choose File, Server Properties, and move to the Advanced tab, which Figure 4 shows. Simply deselect the events you don't want to log.
Get into the Routine
Put Event Viewer on your list of maintenance tasks and check your network computers periodically. If you're responsible for many computers, make sure you check servers (especially DCs) at least weekly and rotate workstation checks so that you get to each workstation every few weeks. Although this task might sound time-consuming, it's actually an investment in saving time because fixing a problem that's become severe is much more difficult and time-consuming than checking Event Viewer to gain advance information about problems in the making.
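The routine above (connect to each remote computer, read the System log, Error events first and then Warning events) can also be scripted. The following PowerShell sketch is an added example, not part of the original article. The computer names are placeholders, and it assumes the targets are recent enough for Get-WinEvent (Windows Vista/Server 2008 or later) and that you have administrative privileges on them.

```powershell
# Added example: weekly Error/Warning sweep of the System log on remote computers.
# Computer names below are hypothetical placeholders; replace with your own.
$Computers = 'SERVER01', 'SERVER02', 'WKSTN17'
$Since     = (Get-Date).AddDays(-7)      # matches a weekly check interval

$filter = @{
    LogName   = 'System'
    Level     = 2, 3                     # 2 = Error, 3 = Warning
    StartTime = $Since
}

$events = @(foreach ($computer in $Computers) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            continue                     # a clean log is the good outcome, not a failure
        }
        # Unreachable host, access denied, blocked remote event log access, etc.
        # Report it so a gap in coverage is not mistaken for a healthy machine.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
})

# Error events first, then Warning events, oldest first within each type.
$events |
    Sort-Object Level, TimeCreated |
    Select-Object MachineName, TimeCreated, LevelDisplayName, ProviderName, Id, Message |
    Format-Table -AutoSize -Wrap

# Events that repeat on the same computer (same source and event ID) are the
# ones most likely to signal a problem in the making, such as a failing disk.
$events |
    Group-Object MachineName, ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A computer that appears only in the warnings printed by the catch block was not checked at all, so follow up on it rather than treating it as clean.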