Several Windows SBS 2011 tools, including the Windows SBS Console and the Server Manager Console, display selected entries from the Windows event logs, but to view these logs in their entirety, you must use the Event Viewer Console, shown in Figure 1.
The Windows Eventing engine is responsible for monitoring system activities on all Windows computers and recording information about those activities in various logs. Each log contains a series of entries called events. The Event Viewer Console is simply an application that displays those events in various formats.
To launch Event Viewer, you can use any one of the following five methods:
- Click Start. Then click Administrative Tools > Event Viewer.
- Click Start. Then click Control Panel > System and Security > Administrative Tools, and double-click Event Viewer.
- Open a blank Microsoft Management Console (MMC) and add the Event Viewer snap-in.
- Click Start and type Event Viewer or Eventvwr.msc in the search box.
- Open the Computer Management Console and expand the Event Viewer node.
The Overview and Summary display that appears in the console by default lists the most recently occurring events by type. The Windows Eventing engine creates events of the following types:
- Critical Warns that an incident has occurred that caused a catastrophic loss of functionality or data in a component or process, and from which that component or process cannot recover on its own
- Error Warns of a problem that does not necessarily affect the component or process where it occurred, but which could affect the functioning of other system components or processes
- Warning Warns of a service degradation, or of an occurrence that can potentially cause a service degradation in the near future unless an administrator takes steps to prevent it
- Information Describes a change in the state of a component or process as part of a normal operation
- Audit Success Indicates the successful completion of a system process or activity for which an audit policy is active
- Audit Failure Indicates the failure of a system process or activity for which an audit policy is active, such as a logon attempt with a bad password
Critical, Error, Warning, and Information are levels stored in each event record. Audit Success and Audit Failure appear only in the Security log, where they are recorded as keywords on the event rather than as a level.
In addition to a chronological display by type, Event Viewer can also display the most recent events in each of the following individual logs, regardless of type:
- Application Contains information about specific programs running on the computer, as determined by the application developer.
- Security Contains information about security-related events, such as failed logons, attempts to access protected resources, and the success or failure of audited activities. The events recorded in this log are determined by audit policies, which you can enable using either local computer policies or Group Policy.
- Setup Contains information about the operating system installation and setup history.
- System Contains information about events generated by the operating system, such as service starts and device driver load failures.
- Forwarded Events Contains events received from other computers on the network via subscriptions.
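The following PowerShell script is an added example, not code from the book or from Microsoft. It tallies the most recent events in each of the five main logs by the same types Event Viewer shows, using the numeric Level values stored in each record (1 = Critical, 2 = Error, 3 = Warning, 4 = Information) and, for the Security log, the Audit Success and Audit Failure keyword bits. It is written to run on the PowerShell 2.0 that ships with SBS 2011 and must be run from an elevated prompt, because reading the Security log requires administrator rights.

```powershell
# Added example: count recent events per log by level or audit keyword.
# PowerShell 2.0-compatible (SBS 2011 / Windows Server 2008 R2). Run elevated.

# Numeric Level values the Eventing engine stores; Event Viewer shows the names.
$levelNames = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information'; 5 = 'Verbose' }

# Security-log records carry no meaningful Level; their type is a keyword bit.
$auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
$auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure

function Get-LogSummary {
    param([string]$LogName, [int]$MaxEvents = 500)
    $counts = @{}
    # An empty or disabled log makes Get-WinEvent raise an error rather than return nothing,
    # so suppress it and treat the log as empty.
    $events = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($LogName -eq 'Security') {
            if (($e.Keywords -band $auditSuccess) -ne 0)     { $type = 'Audit Success' }
            elseif (($e.Keywords -band $auditFailure) -ne 0) { $type = 'Audit Failure' }
            else                                             { $type = 'Other' }
        } else {
            $type = $levelNames[[int]$e.Level]
            if (-not $type) { $type = 'Level ' + $e.Level }   # e.g. Level 0 (LogAlways)
        }
        if ($counts.ContainsKey($type)) { $counts[$type]++ } else { $counts[$type] = 1 }
    }
    foreach ($k in $counts.Keys) {
        New-Object PSObject -Property @{ Log = $LogName; Type = $k; Count = $counts[$k] }
    }
}

# The five logs Event Viewer lists under Windows Logs (ForwardedEvents has no space in its name).
foreach ($log in 'Application', 'Security', 'Setup', 'System', 'ForwardedEvents') {
    Get-LogSummary -LogName $log
}

# When you only want one type, filter on the server side instead of fetching everything:
# here the most recent Critical and Error events from the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize
```

The Keywords bit test is what distinguishes Audit Success from Audit Failure; both kinds of Security events have Level 0, so filtering the Security log by level returns nothing useful.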
Using Other Event Viewer Functions
In addition to providing access to the main Windows logs, the Event Viewer Console displays logs for individual applications and services, and enables you to create custom logs containing events of specific types, from specific sources, and from specific time periods by using the Create Custom View dialog box shown in Figure 2.
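Every custom view built in that dialog box is stored as an XML query, which you can see and edit on the dialog's XML tab. The script below is an added example (not from the book) that writes the same kind of query by hand: Critical, Error and Warning events from the System log, from the Service Control Manager source, in the last seven days. It runs the query with Get-WinEvent and also saves it in the wrapper format that Event Viewer's Import Custom View command reads; the file name and view name are made up for the example.

```powershell
# Added example: a custom view expressed as the XML query behind Create Custom View.
# Level 1/2/3 = Critical/Error/Warning; timediff() is measured in milliseconds,
# so 604800000 ms = 7 days. PowerShell 2.0-compatible.
$queryList = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager']
        and (Level=1 or Level=2 or Level=3)
        and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
    </Select>
  </Query>
</QueryList>
'@

# Run the query directly; this returns exactly what the custom view would list.
function Get-ServiceProblems {
    Get-WinEvent -FilterXml ([xml]$queryList) -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
Get-ServiceProblems | Format-Table -Wrap -AutoSize

# Save it in the format Event Viewer's Export/Import Custom View uses, so the same
# view can be imported on other servers. Name and path are this example's choices.
$viewName = 'Service Control Manager problems (7 days)'
$exportPath = "$env:TEMP\scm-problems.xml"
$viewXml = @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams><UserQuery /></QueryParams>
    <QueryNode>
      <Name>$viewName</Name>
      <Description>Critical, Error and Warning events from the Service Control Manager, last 7 days</Description>
$queryList
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@
# [xml] cast validates the document before it is written; a malformed view would otherwise
# only fail later, inside the Import Custom View dialog.
([xml]$viewXml).Save($exportPath)
"Custom view written to $exportPath"
```

Using timediff() rather than a fixed date is what makes the view stay "last 7 days" every time it is opened, which is how the dialog's "Logged" drop-down is implemented.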
Another powerful feature of the Event Viewer Console is the ability to audit the success or failure of specific system events, such as account logons and modifications to AD DS objects. For example, you can audit logon failures to determine if someone is making repeated attempts to guess a user's password. To use auditing, you must enable specific Group Policy settings, as shown in Figure 3. When the system detects one of the selected events, it creates an entry in the Security log, which you can evaluate later.
Windows Server 2008 R2 also includes an Advanced Audit Policy Configuration node in its GPOs, which enables you to audit the activities of Windows 7 and Windows Server 2008 R2 computers at a more granular level (by subcategory rather than by category), as shown in Figure 4.
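The password-guessing check described above, as an added example that is not the book's own procedure: the script first uses auditpol to confirm that logon failure auditing is actually in effect (auditpol reports the effective policy, whether it came from the legacy Audit logon events setting or the Logon subcategory in Advanced Audit Policy Configuration), then reads event 4625, "An account failed to log on", from the Security log and flags any account and source address pair with more failures than a threshold. The threshold, window and the helper function names are this example's choices. PowerShell 2.0-compatible; run elevated on the server.

```powershell
# Added example: verify logon-failure auditing, then hunt for repeated failed logons.
# PowerShell 2.0-compatible (SBS 2011). Run from an elevated prompt.

# Step 1: the effective policy for the Logon subcategory (from whichever GPO applied).
auditpol /get /subcategory:"Logon"
# If it shows "No Auditing" or "Success" only, enable failure auditing in Group Policy so the
# next policy refresh does not undo it:
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff > Audit Logon
# (Local equivalent for a test machine:  auditpol /set /subcategory:"Logon" /failure:enable)

# Step 2: read 4625 events and group them by account and source.
function Get-EventDataField {
    param($Event, [string]$Name)
    # Named fields are <Data Name="..."> elements in the event XML; reading them by name
    # is more robust than relying on a position in $Event.Properties.
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name -eq $Name) { return $d.'#text' } }
}

function Find-PasswordGuessing {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $since = (Get-Date).AddHours(-$Hours)
    $failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                             -ErrorAction SilentlyContinue
    $rows = foreach ($e in $failures) {
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Account   = (Get-EventDataField $e 'TargetUserName')
            Source    = (Get-EventDataField $e 'IpAddress')
            Station   = (Get-EventDataField $e 'WorkstationName')
            LogonType = (Get-EventDataField $e 'LogonType')     # 3 = network, 10 = RDP, 2 = console
            # SubStatus 0xC000006A = wrong password, 0xC0000064 = no such account, 0xC0000234 = locked out
            SubStatus = (Get-EventDataField $e 'SubStatus')
        }
    }
    $rows | Group-Object Account, Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            New-Object PSObject -Property @{
                Account     = $_.Group[0].Account
                Source      = $_.Group[0].Source
                Failures    = $_.Count
                BadPassword = @($_.Group | Where-Object { $_.SubStatus -eq '0xc000006a' }).Count
                First       = $sorted[0].Time
                Last        = $sorted[-1].Time
            }
        }
}

Find-PasswordGuessing -Hours 24 -Threshold 10 |
    Format-Table Account, Source, Failures, BadPassword, First, Last -AutoSize
```

Grouping on both account and source is deliberate: a single workstation with a stale saved password produces many failures for one account from one address, whereas a guessing attack typically shows one source cycling through many accounts, or one account hit from several sources; the SubStatus breakdown separates wrong-password attempts from probes for accounts that do not exist.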
Note
BEST PRACTICES Some audit policies, such as Audit system events, can generate a large number of entries in a short period of time. This is one reason why most audit policies are not enabled by default. Before you turn on a policy of that kind, make sure the Security log is large enough to hold its events for as long as you need to look back, and remember that by default the log overwrites its oldest events once it is full, so a noisy policy silently shortens the period you can investigate. In most cases, the best practice is to turn such policies on for brief periods and then turn them off again; low-volume policies such as logon failure auditing can stay on permanently.
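The storage check that note calls for, as an added example rather than a procedure from the book: the script reports the Security log's current size against its limit and retention mode, then raises the limit while keeping overwrite-as-needed retention. The 256 MB figure is this example's choice. On a domain member the same values should be set in Group Policy (Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service > Security), otherwise the next policy refresh can reset them. PowerShell 2.0-compatible; run elevated.

```powershell
# Added example: measure Security log headroom, then enlarge the log instead of
# disabling auditing. PowerShell 2.0-compatible (SBS 2011). Run elevated.

function Get-SecurityLogHeadroom {
    $log = Get-WinEvent -ListLog Security
    New-Object PSObject -Property @{
        MaximumMB    = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        UsedMB       = [math]::Round($log.FileSize / 1MB, 1)
        PercentUsed  = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
        # Circular = overwrite oldest events; Retain = stop logging when full;
        # AutoBackup = archive the file when full and start a new one
        Retention    = $log.LogMode
        RecordCount  = $log.RecordCount
        OldestRecord = $log.OldestRecordNumber
    }
}

"Before:"
Get-SecurityLogHeadroom | Format-List

# Raise the ceiling and keep overwriting the oldest events. The size must be a multiple of 64 KB.
# (Equivalent command-line form:  wevtutil sl Security /ms:268435456 /rt:false)
Limit-EventLog -LogName Security -MaximumSize 256MB -OverflowAction OverwriteAsNeeded

"After:"
Get-SecurityLogHeadroom | Format-List
```

Watching PercentUsed for a day after enabling a new policy tells you how quickly the log cycles; if it fills in hours, either raise the size again or forward the Security log to a collector through a subscription so that the Forwarded Events log on another machine keeps the history.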