The new Windows Vista and Windows 2008 event handling architecture packs a powerful new Event Viewer
|Windows Server 2008 and Windows Vista include a redesigned Microsoft Management Console (MMC) Event Viewer snap-in. The Event Viewer snap-in’s use of XML makes it easy to query and filter events by using XML Path Language (XPath). Event Viewer and Task Scheduler can be used to attach actions to event queries.|
Most of us use the built-in Windows event log service and the associated Event Viewer as troubleshooting tools. However, the Windows event management tools can be leveraged for much more. These tools can inform us of problems long before a disaster happens and give us event "signs” about applications, services, or OS components that aren't functioning properly or users that are misusing a system’s resources or data.
It's true that the legacy Event Viewer shows a lot of useless event information, and it's often difficult to find crucial event information in Event Viewer. However, usability isn't the only problem. Many of us have a mental block regarding the use of event management tools. We consider these tools to be primarily reactive tools, not proactive tools that can help us increase the availability and security of our Windows systems.
To address the shortcomings of the legacy Windows event management tools and to elevate Windows event management to a proactive, enterprise-level security tool, Microsoft introduces a new event management architecture in Windows Server 2008 (formerly code-named Longhorn) and Windows Vista called Windows Eventing 6.0. Let's take a look at how to get the most out of this tool.
The New Event Viewer Interface
In Windows 2008 and Vista, Event Viewer is a Microsoft Management Console (MMC) 3.0-compliant snap-in (eventvwr.msc). Event Viewer is the most visible Windows Eventing 6.0 feature. Figure 1 shows Event Viewer's default interface.
Under the Windows Logs node in the left pane of the Event Viewer interface, you'll recognize the standard Application, Security, and System logs that have been used for years. You'll also notice that Event Viewer shows several new logs, including application- and service-specific logs under the Application and Services Logs node. These smaller logs contain events that are generated by specific applications and services and make it easy for users to quickly find a specific application's or service's events. By default, the analytic and debug logs that administrators typically use for advanced troubleshooting, analysis, or debugging are hidden in the new Event Viewer. To display the analytic and debug logs, select Show Analytic and Debug Logs from the View menu.
Most users will greatly appreciate Event Viewer’s Event Preview pane, which immediately shows a selected event’s properties. In previous Windows versions, users could access event details only by double-clicking an event.
Event Viewer now includes the Actions pane (the right pane in Figure 1), which is a standard MMC 3.0 feature that lets users initiate actions on selected objects simply by clicking hyperlinks. In previous MMC versions, actions could be started only from an object’s context menu or from MMC’s menu. By default, the Actions pane is enabled in MMC 3.0, but you can disable it in MMC’s Customize View dialog box.
Event Viewer also includes a Custom Views node that holds user-defined logs—in previous Windows versions, custom views were displayed at the root level of the Event Viewer. The Custom Views node contains the predefined Administrative Events log, which summarizes all Critical-, Error-, and Warning-level events that occur on the system.
To create a custom view, right-click Custom Views and select Create Custom View in the context menu or click Create Custom View in the Actions pane. Both of these actions open the Create Custom View dialog box, which is shown in Figure 2. Note that you can specify Critical, Warning, Verbose, Error, and Information levels in a view. Previous versions of Event Viewer include only the Error, Warning, and Information levels.
Under the Hood: XML to the Rescue
Windows Eventing 6.0 stores all events in an XML format. All Windows 2008 and Vista events have an XML structure that's defined in an XML event schema. To see an event’s XML representation, click the event’s Details tab in the preview pane or double-click the event and go to the Details tab (both actions open the event's properties dialog box). Figure 3 shows the XML representation of an event.
XML is fundamental to the way Windows Eventing 6.0 and Windows applications and services interface and handle event data. Every Windows 2008 and Vista application or service provider that publishes events to the event logs must advertise its event XML schema beforehand, meaning the application developer must define all the events the application could produce and each event's structure in a special manifest file. This file is then compiled with the application’s DLLs.
You can get a list of all predefined Windows 2008 and Vista event publishers by using the Windows Events command-line utility (wevtutil.exe) with the ep switch. To get an overview of a particular event publisher’s configuration information, use wevtutil.exe with the gp switch and the name of the publisher. Figure 4 shows the wevtutil.exe information for the Microsoft-Windows-UAC publisher (i.e., the User Account Control—UAC—service).
Because events are stored in XML, you can now query and filter events by using an XML query language called XML Path Language (XPath). The XPath language is exposed in Event Viewer. For example, when you define a custom view, Event Viewer automatically creates a set of XPath queries to express the associated event filter.
However, Event Viewer exposes only some of the powerful features of the XPath query language. If you're familiar with XPath, you can directly define the associated filter in XPath on the XML tab of the Create Custom View dialog box.
XPath’s full power is unleashed when you supply your XPath queries to wevtutil.exe. Type the commands
wevtutil qe /?
to see how wevtutil.exe and XPath can help with Windows event management at the command line. These commands will give you a list of the options you can use with wevtutil.exe for interfacing with Windows Eventing 6.0. For more information about XPath, go to http://www.w3.org/TR/xpath.
The use of structured events and a predefined event XML schema for representing events in Event Viewer offer great opportunities for automatic exploitation and proactive monitoring of event data. A particularly interesting combination for automation is Event Viewer and Task Scheduler.
In Event Viewer, you can define event-triggered actions that attach a task created in Task Scheduler to an event query executed by Windows Eventing 6.0. An event-triggered action can, for example, be used to automate problem resolution. When a particular event occurs, Task Scheduler executes the associated problem-resolution task.
Creating event-triggered actions in Windows 2008 and Vista is easy. To create an event-triggered action from Event Viewer, select Attach Task to this Event in an event’s context menu or the associated task in the Actions pane. Selecting this option will open the Create Basic Task Wizard, which is shown in Figure 5. In the wizard, you can select one of three notification actions (Start a program, Send an e-mail, or Display a notification message) that will be executed when a particular event occurs.
After you've successfully created the event-triggered action, a dialog box appears to inform you that a task has been added to Task Scheduler. From then on, you must use Task Scheduler to edit, disable, or delete the event-triggered action. Figure 6 shows Task Scheduler and the Event Viewer Tasks node that it uses to store event-triggered actions.
Windows XP and Windows Server 2003 also support event triggers, and Microsoft provides a tool called eventtriggers.exe that lets you define event-triggered actions from the command line. However, this tool is difficult to use and isn't integrated with the Event Viewer interface. Eventtriggers.exe also requires you to use additional programs to automate particular actions. For example, if you want eventtriggers.exe to send an email message from the command line, you can use the Blat freeware tool, which you can download from http://www.blat.net/.
Centralized Event Collection
Windows Eventing 6.0 also includes an event-forwarding feature that lets you collect events from multiple Windows 2008 or Vista machines on a central Windows 2008 or Vista computer. In previous Windows versions, you must use either a third-party tool or the Microsoft EventCombMT tool to perform centralized event collection.
Note that before the release of Vista, Microsoft was planning to provide a separate centralized security event collection tool called Microsoft Audit Collection Services (MACS) as a part of System Center. However, at the time of this article, it was unclear whether Microsoft planned to continue developing MACS.
In Windows Eventing 6.0 event forwarding, an administrator sets up a subscription in Event Viewer on the collector computer to instruct the collector computer to gather events from one or more source computers. The collector computer uses a polling mechanism to query one or more source computers for new events. By default, the collector computer polls source computers every 15 minutes, although you can change this interval. However, you can't do so from the Event Viewer GUI; instead you must change the interval from the command line by using the Windows Event Collector Utility (wecutil.exe). Collector and source computers can be standalone, workgroup, or domain-joined computers. Event forwarding can be done within a single Windows domain or between collector and source computers that are members of different domains.
Before you can create an event subscription between a collector computer and source computers that are all connected to a Windows domain, you must set up the source computers for Windows Remote Management (WinRM) and add the collector computer to the Event Log Readers local group.
Setting up an event subscription between standalone machines or between standalone and domain-joined machines involves some additional configuration steps. These steps are documented in the Windows 2008 and Vista help files in the section about configuring event subscriptions in a workgroup environment.
WinRM implements the Web Services for Management (WS-Management) protocol specification for remote management. The event exchanges between a collector and source computer leverage the WS-Management protocol. The WinRM logic and code are available out of the box on all Windows 2008 and Vista platforms. Microsoft plans to make a WinRM and WS-Management implementation for legacy Windows platforms, such as XP SP2 and Windows 2003, available as part of the WS-Management software package, which will enable XP and Windows 2003 systems to forward events to Windows 2008 or Vista systems. For more information about WS-Management, go to http://www.dmtf.org/standards/wsman. WS-Management 1.1 is currently available as a public beta from https://connect.microsoft.com/.
Although the WinRM logic and code are available on Vista machines, WinRM isn’t enabled and configured by default. However, you can easily do so from the command line by using the winrm command and the quickconfig switch, shown in Figure 7. If you agree to make the WinRM configuration changes by entering Y(es) at the command prompt, winrm will set up the WinRM service to start automatically, create a WinRM listener, and create a Windows firewall exception for WinRM. On Windows 2008, WinRM is enabled by default, but the default configuration doesn't allow for remote access.
Event Log Readers is a new predefined local group in Windows 2008 and Vista that Microsoft added to control access to the local event logs. Only members of a computer’s Event Log Readers group can read the events on that particular computer.
After you've set up WinRM on the source computers and added the collector computer to the Event Log Readers local group, you're ready to create an event subscription. To create the subscription, on the collector computer, select Create Subscription from the context menu of the Event Viewer’s Subscriptions container or click the Create Subscription link in the Event Viewer’s Actions pane. The first time you create an event subscription on a Windows 2008 or Vista system, you'll be prompted to start the Event Collector service and set it up to start automatically. After you've clicked Yes, the Subscription Properties dialog box will be displayed. In this dialog box, you can select the destination log that you want to use to gather forwarded events (which by default is the Forwarded Events log), select the source computers by clicking Add, and select the events you want to collect by clicking Select Events.
Fundamental Changes to Event Management
Windows 2008 and Vista include some of the most fundamental event management changes since Windows NT. These systems bring open standards, such as XML, XPath, and WS-Management, to Event Viewer. Windows Eventing 6.0’s architecture includes many features that increase the overall manageability of the Windows platform, including Event Viewer’s high level of flexibility for defining custom event views and event filters, the tight integration between Event Viewer and Task Scheduler, and wevtutil.exe’s powerful options.