View your event logs

If you have much Windows NT experience, you've seen the message "At least one service or device failed to start." Perhaps you recently added a new network card or SCSI adapter. Or maybe you don't have an explanation for the error message. To determine the cause of the problem, you need to examine the NT Event Viewer. This valuable tool, available on NT Server and NT Workstation, helps you diagnose and prevent problems. (For additional information about the Event Viewer, see James Michael Stewart and Ed Tittel, "Systems Management Tools," May 1997.)

Event Logs
The Event Viewer is a tool you use to examine the three NT event logs: System, Security, and Application. The event logs are in the directory \winntroot\system32\config, where winntroot is the directory that houses NT. The three log files are sysevent.evt, secevent.evt, and appevent.evt. You cannot use a regular text editor to view these files. In addition, the files on disk do not always reflect the latest events, because NT writes the logs to disk only at system startup, at shutdown, and at specific intervals in between. The Event Viewer lets you see the contents of each log, including the most recent information.

Event Log Viewer
To open the Event Viewer, go to the Start menu and select Programs, Administrative Tools, Event Viewer. When the utility opens, it shows the log you viewed last. To switch between logs, click Log on the menu bar, and select the log you want to view (System, Security, or Application), as Screen 1, page 206, shows. The System log shows system problems, such as drivers failing to load at system startup. The Security log does not show entries by default. To view security data, you must set up security auditing. The Application log records information about the status of applications and services running under NT. For example, SQL Server places entries in the Application log, in addition to recording the information in its error log.

Events for the System and Application logs fall into one of three categories: error, warning, and information. Error events are the most serious and cause a red stop sign to appear on the left side of the screen. Warning events identify a possible problem, but not as crucial a problem as in an error event. Information events are basic notifications, such as services starting and stopping, browser elections, and print jobs.

The Security log uses two event types: success and failure. These events signal whether a user was able to log on or access a resource. You want the system to prevent unauthorized users from logging on, so a success event for an unauthorized user is a problem.

For each event, the logs show the date and time when the event occurred, as well as the event's source. The source is the service, device driver, or application that wrote the event to the log. A source can subdivide the events it writes into multiple categories to let you easily find messages. Each event has an event ID, which helps Microsoft Product Support troubleshoot problems. An event might list the user who was running the process that generated the message. In most cases, NT or the source generates the message, so no username is listed. Events list the computer name because you can view event logs on a remote computer. Remote access lets you diagnose problems without going to a user's office or remote server site. You can open multiple copies of Event Viewer to investigate problems on several machines simultaneously. To see more information about an event, double-click the event listing to view the Event Detail window, as Screen 2, page 206, shows.

Changing Log Settings
By default, logs automatically overwrite events every 7 days, and each log can grow to 512KB. These log settings might not be adequate for applications such as SQL Server that write to the log frequently and use excessive memory. Increasing the log size is a good idea because disk space is cheap. When a log fills up, the system stops writing events to the log until it empties. To configure overwrite settings, select Log, Log Settings from the main menu. Select the log from the drop-down list, set the log size, and select the overwrite frequency, as Screen 3, page 206, shows. If you want to stop the log from overflowing, select Overwrite Events as Needed. If you are in a secure environment and do not want the log to overwrite automatically, select Do Not Overwrite Events.

To clear a log, select Log, Clear All Events from the main menu. The Event Viewer prompts you to save the log before clearing it, but this step is optional. You cannot specify events to clear (e.g., only events older than 2 days, only information events). If you log security events and you clear your logs, the Security log generates an entry that identifies who cleared the log and when they cleared it.

Filtering Events of Interest
If you are trying to troubleshoot a problem, you might want to view specific log information. You can apply a filter to the log. From the main menu, select View, Filter Events. You can filter logs by date and time, type of event, source, category, user, computer, or event ID, as Screen 4 shows. To revert to viewing all events, select View, All Events from the main menu.

Finding a Specific Event
Sometimes you need to see an event in context rather than filtering it. To find an event, select View, Find from the main menu, and select or enter the search criteria. The Find dialog box resembles the Filter dialog box. The Find function shows you the desired event in a list with other events in the log, as Screen 1 shows. To look through the entire log, press F3 to jump to the next event with the desired search criteria.

Security Auditing
By default, NT performs no security auditing. You must turn on security auditing before you can view events in the Security log. You can audit only if you use NTFS; FAT has no security capability and thus does not support auditing.

Open User Manager for Domains, and select Policies, Audit. Select the events you want to audit (e.g., success and failure for logons, file and object access, use of user rights, security policy changes), as Screen 5 shows. If you choose file and object access, you must set the auditing options for the files, using the Security tab of the Properties window for the file, directory, or disk, as Screen 6 shows. You do not have to audit all files and users and then filter the logs. You can audit only certain users or groups, and only specific files or directories.

If you are operating in a high-security environment, you might want the system to shut down when the Security log fills up. Shutting down the system prevents an attacker from filling the Security log with bogus events, then breaking in without leaving an audit trail. After the system shuts down, only the systems administrator can connect to the system. The systems administrator must clear the log before anyone else can connect.

To configure an automatic shutdown when the Security log fills up, open a Registry editor and go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. (Before you edit the Registry, update your Emergency Repair Disk (ERD).) Add the value name CrashOnAuditFail, data type REG_DWORD, and entry value 1. When the Security log fills up, the Registry entry value changes to 2, and the system shuts down. The systems administrator can restart the Security log, clear it, and change the value back to 1. Users cannot log on until the system reboots.

Saving Logs
You might want to save event logs for security purposes or for later analysis. From the main menu, select Log, Save As. You can then save the log in one of three formats: .evt, Text Files, or Comma Delimited. The .evt format saves the log in the event log format, which lets you read the log later and use the Event Viewer tools to examine it. The Text Files option saves the log as a simple text file, which you can read by using a text editor. The Comma Delimited option is useful if you want to read the event log file in a program such as Excel or Access.
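As an added example (not part of the original article and not a Microsoft tool), the script below reads a Security log saved with the Comma Delimited option and reproduces, over that export, the View, Filter Events and View, Find behaviour described earlier, then tallies failure audits per user. The column order of the export and the sample rows are assumptions constructed for the example.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample of a Security log saved via Log, Save As, Comma Delimited.
# The column order (Date, Time, Source, Type, Category, Event, User, Computer)
# is an assumption about the export; event IDs are sample values.
SAMPLE_CSV = """\
3/12/97,8:01:12 AM,Security,Success Audit,Logon/Logoff,528,Administrator,NTSRV1
3/12/97,8:05:44 AM,Security,Failure Audit,Logon/Logoff,529,guest,NTSRV1
3/12/97,8:05:51 AM,Security,Failure Audit,Logon/Logoff,529,guest,NTSRV1
3/12/97,8:06:03 AM,Security,Failure Audit,Logon/Logoff,529,guest,NTSRV1
3/12/97,9:15:30 AM,Security,Success Audit,System Event,517,Administrator,NTSRV1
3/12/97,9:20:00 AM,Security,Success Audit,Object Access,560,jdoe,NTSRV1
"""

COLUMNS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

def parse_export(text):
    """Parse the comma-delimited export into dicts, adding a datetime 'when'."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(COLUMNS):
            continue  # skip blank or truncated lines
        ev = dict(zip(COLUMNS, row))
        ev["when"] = datetime.strptime(ev["date"] + " " + ev["time"],
                                       "%m/%d/%y %I:%M:%S %p")
        events.append(ev)
    return events

def _matches(ev, criteria):
    return all(ev[k] == v for k, v in criteria.items())

def filter_events(events, since=None, until=None, **criteria):
    """Mimic View, Filter Events: a time window plus exact field matches."""
    return [ev for ev in events
            if (since is None or ev["when"] >= since)
            and (until is None or ev["when"] <= until)
            and _matches(ev, criteria)]

def find_next(events, start, **criteria):
    """Mimic View, Find then F3: index of the next match after 'start', or -1."""
    return next((i for i in range(start + 1, len(events))
                 if _matches(events[i], criteria)), -1)

def failures_per_user(events):
    """Count Failure Audit events per user; repeated failures deserve a look."""
    return Counter(ev["user"] for ev in events if ev["type"] == "Failure Audit")
```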

Improving Your Reports
The Microsoft Windows NT Workstation 4.0 Resource Kit includes the Crystal Reports Event Log Viewer. This report writer lets you extract, view, save, and publish information from the event logs. If you frequently need formatted reports, you'll want to further investigate this useful application.

Advance Diagnosis and Cure
The Event Viewer is the first tool you reach for to diagnose a problem in NT. You need to understand how the Event Viewer works, what information it shows, and which data deserves closer examination. Do not wait until you have a problem before you examine the event logs. If you scan the logs weekly, you can discover potential problems and solve them before they affect users.