Creating a custom event log in Windows and writing native Windows events to it


As you know, most "normal" applications write their events to the Windows Application log. That is a fine place to store and view application events centrally, but when you need to follow the events of one specific application there, the sheer volume and detail of everything else in the Application log makes the work uncomfortable. In that case it is convenient to give the application its own event log, configure that log separately (size, retention, filters), and leave the standard Application log uncluttered. Windows has a built-in mechanism for this: every log is described by a registry key, so a new log is created by adding a new key.

First, create the new log. This is done in the registry. Start regedit and open the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

(Use CurrentControlSet rather than a numbered ControlSet00N: it is a link to the control set the system actually booted with.)

Right-click the Eventlog key and create a new key (New > Key).

The name of this key is the name of the new log. By default the new log file (.evt on Windows XP/Server 2003, .evtx on Windows Vista and later) is created here:

C:\WINDOWS\System32\Config\New Key #1.evt

You can change that path by editing the File string value (REG_EXPAND_SZ) in the new key.

Next, declare the event sources for the new log. In the new key, create a REG_MULTI_SZ value named Sources and list the names of all applications (sources) that will write to this log, one per line.

Next, move the registration of your applications' sources from the standard Application log to the new log. Expand the Application key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

and copy every subkey that belongs to the applications you are interested in under the key of the new log:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\CustomLog

Regedit has no copy/paste for keys, so either re-create the subkeys by hand (if there are only a few) or export them to a .reg file, edit the key paths in the file, and import it. After the move, delete the source subkeys from the Application key and remove their names from its Sources value: a source may be registered in only one log, and while it is still registered under Application, Windows keeps writing its events there. If a source is new to the log rather than moved, create under its subkey a DWORD value named CustomSource with the value 1 (this is the value the .NET EventLog API sets for sources it registers itself):

In my example I wrote a .NET 2.0 application that should log to the log we just created. For that, under the source's subkey I create a REG_EXPAND_SZ value named EventMessageFile and point it at the message resource library that ships with .NET 2.0:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll

(This is exactly what EventLog.CreateEventSource does on your behalf. Without a message file, Event Viewer still shows the event, but with a "description for Event ID ... cannot be found" warning instead of the text.)

Then restart Windows (the Event Log service reads this registry tree at startup); after the reboot the new log appears in Event Viewer. If your application does not write to the new log for some reason, you can test the log by hand from a command prompt in the system directory:

CD C:\WINDOWS\system32

then:

Eventcreate /l CustomLog /t Information /so Application1 /id 1 /d "Test message"

If everything is correct, eventcreate prints a SUCCESS line on the console saying that the event was written to the log; otherwise it prints an error and the reason. Note that eventcreate only accepts custom sources: a source name that already belongs to an installed application is rejected rather than spoofed, so test with a source of your own.

A small update to the article based on letters from readers:

The instructions above were written for Microsoft's server operating systems. A more general method, which should work on most Windows versions (the registry paths and value names differ slightly), is as follows.

Create a new key in the registry (the key name is the name of the log being created) at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\NewEventLog

and create the following values in it:

  • AutoBackupLogFiles (DWORD): whether to archive the log file when it fills up (0 = do not archive, 1 = archive)
  • MaxSize (DWORD): maximum log size in bytes; must be a multiple of 64 KB
  • Retention (DWORD): how long, in seconds, records must be kept before they may be overwritten once the log is full; 0 = overwrite as needed, 0xFFFFFFFF = never overwrite (archive or clear manually)
  • File (REG_EXPAND_SZ): path of the log file on disk, for example %SystemRoot%\System32\config\NewEventLog.evt (on Windows Vista and later, %SystemRoot%\System32\winevt\Logs\NewEventLog.evtx)
  • Sources (REG_MULTI_SZ): the list of event sources whose events go to this log, one source per line
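The registry procedure above, and the generalised variant in the update, can be reproduced from PowerShell with the same .NET EventLog API the article's .NET application would use. The following is an added example, not code from the original article; the log name CustomLog and source name Application1 are placeholders taken from the article's own test command, and the script must run in an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows. It registers the log and source (which creates the Eventlog\CustomLog key, its Sources value and the Application1 subkey with EventMessageFile and CustomSource=1), shows those values, refuses to proceed if the source is already owned by another log, writes a test event and reads it back.

```powershell
# Added example (not from the original article). Creates the log and source that
# the article builds by hand, via the .NET EventLog API. Run elevated.
$LogName = 'CustomLog'      # placeholder names, as in the article's eventcreate test
$Source  = 'Application1'

function Register-CustomEventLog {
    param([string]$LogName, [string]$Source)
    # A source may belong to exactly one log. If it is already registered
    # elsewhere (e.g. under Application), its events would keep going there,
    # which is the misrouting the article warns about.
    if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
        $owner = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
        if ($owner -ne $LogName) {
            throw "Source '$Source' is already registered in log '$owner'; remove it there first."
        }
        return
    }
    # Writes HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>, its Sources
    # value, and the <Source> subkey with EventMessageFile and CustomSource=1.
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
}

function Show-EventLogRegistry {
    param([string]$LogName, [string]$Source)
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    $log  = Get-ItemProperty -Path $base
    $src  = Get-ItemProperty -Path "$base\$Source"
    [pscustomobject]@{
        File             = $log.File            # may be absent until the service picks the log up
        MaxSize          = $log.MaxSize
        Sources          = ($log.Sources -join ', ')
        EventMessageFile = $src.EventMessageFile
        CustomSource     = $src.CustomSource
    }
}

function Write-TestEvent {
    param([string]$LogName, [string]$Source, [string]$Message)
    $log = New-Object System.Diagnostics.EventLog($LogName)
    $log.Source = $Source
    $log.WriteEntry($Message, [System.Diagnostics.EventLogEntryType]::Information, 1)
    # Read it back through the modern API to prove the event was routed to the new log.
    Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, Message
}

Register-CustomEventLog -LogName $LogName -Source $Source
Show-EventLogRegistry   -LogName $LogName -Source $Source
Write-TestEvent -LogName $LogName -Source $Source -Message 'Test message'

# Cleanup when done testing: removes the log, its registry keys and its log file.
# [System.Diagnostics.EventLog]::Delete($LogName)
```

Two practical notes. The Event Log service may take a moment to pick up a freshly created log, so if the read-back returns nothing on the first run, retry or refresh Event Viewer. And since the log's key also carries its access control (the CustomSD value, an SDDL string), decide deliberately who may read and write the new log rather than inheriting whatever the Application log allows.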

Hello, friends! In this article we will look at the Windows 7 event log. The operating system records almost everything that happens to it in this log, and the Event Viewer application installed with Windows 7 is the convenient way to view it. To say that a lot of events get recorded is to say nothing: there are an enormous number of them. Still, it is hard to get lost in them, because everything is sorted into categories.

Thanks to the event log it is much easier for specialists and ordinary users to find errors and fix them. When I say easier, I don't mean easy. Almost always, fixing a recurring error means a lot of searching and re-reading a pile of material. Sometimes it is worth it to get rid of non-standard behaviour of the operating system.

For the operating system to fill the event logs at all, the Windows Event Log service, which is responsible for this, must be running. Let's check whether it is. In the search field of the Start menu, type Services.

Find the Windows Event Log service and check that its Status is Started and its Startup type is Automatic.

If the service is not running, double-click it and, in its properties, set Startup type to Automatic. Then click Start and OK.

The service has started and the event logs will begin to fill. A stopped Event Log service is worth treating as a finding in itself: nothing is recorded while it is stopped, so the gap in the logs is as important as any event in them.
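The same check from the shell, as an added example that is not part of the original article: it verifies the service's state and startup type, repairs them if needed, and then looks for the events the service writes about itself (6005 started and 6006 stopped in the System log, 1100 service shut down and 1102 audit log cleared in the Security log), which is how you find gaps in the record rather than just its current state. Reading the Security log requires an elevated session.

```powershell
# Added example (not from the original article). Checks and repairs the Windows
# Event Log service, then lists the stop/start/clear markers it leaves behind.
function Test-EventLogService {
    $svc = Get-Service -Name 'EventLog'
    $ok  = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
    if (-not $ok) {
        Set-Service -Name 'EventLog' -StartupType Automatic
        if ($svc.Status -ne 'Running') { Start-Service -Name 'EventLog' }
        $svc = Get-Service -Name 'EventLog'
    }
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType; Repaired = (-not $ok) }
}

function Get-EventLogServiceGaps {
    param([int]$MaxEvents = 20)
    # 6005 = service started, 6006 = service stopped (System log, source EventLog).
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006 } `
               -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    # 1100 = event logging service shut down, 1102 = audit log cleared (Security log).
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1100, 1102 } `
               -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    @($sys) + @($sec) | Where-Object { $_ } | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Meaning'; e = {
            switch ($_.Id) {
                6005 { 'service started' }
                6006 { 'service stopped' }
                1100 { 'logging service shut down' }
                1102 { 'audit log cleared' }
            } } }
}

Test-EventLogService
Get-EventLogServiceGaps | Format-Table -AutoSize
```

A 6006 without a matching reboot, or a 1102, is the kind of entry to explain before trusting anything else in the logs.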

Launch the Event Viewer utility from the Start menu search.

By default the utility looks like this:

A lot here can be customised. For example, the buttons below the menu bar hide or show the console tree on the left and the Actions pane on the right.

The area at the bottom centre is the preview pane. It shows the details of the selected event. It can be hidden by unchecking the corresponding item in the View menu or by clicking the cross in its top right corner.

The main area is at the top centre: a table of the events in the log selected in the console tree. Not all columns are shown by default. You can add columns and change their order: right-click any column header and choose Add/Remove Columns...

In the window that opens, move the columns you need from the left list to the Displayed columns list.

To change the order, select a column in the right list and use the Up and Down buttons.

Each column is a property of the event. All these properties were described very well by Dmitry Bulanov; I'll show you his screenshot.

There is no point in adding every column to the table, since the key properties are shown in the preview pane. If the pane is not shown, double-click an event and its properties open in a separate window.

The General tab holds the description of the error and sometimes a way to fix it. Below it are all the event's properties, and the Details section has an Event Log Online Help link where information on fixing the error may be available.

Event logs

Key Management Service: events of the Key Management Service, which manages activation of volume-licensed (enterprise) editions of the operating system, are recorded here. On a home computer this log is empty, because the service is not needed there.

Logs also have properties of their own. To view them, right-click a log and choose Properties from the context menu.

The properties show the log's full name, the path of its log file, its size, and its creation, modification and last-access dates.

The Enable logging checkbox is also ticked; it is greyed out and cannot be cleared. I looked at this option in the properties of other logs, and there it is also enabled and greyed out. For the Hardware Events log it is in exactly the same state, yet that log stays empty. (The checkbox is only editable for analytic and debug logs; for administrative and operational logs, logging is always on.)

In the properties you can set the maximum log size (KB) and choose what happens when the maximum is reached. For servers and other important workstations you will most likely want a larger log and the option Archive the log when full, so that after an incident you can trace when the malfunction started.

Working with Windows 7 event logs

This means sorting, grouping, clearing logs, and creating custom views so that specific events are easier to find.

Choose any log, for example Application, and left-click the header of any column in the table. Events are sorted by that column.

Click again and the sort is reversed. The sorting rules are the same as in Windows Explorer. The limitation is that you cannot sort by more than one column.

To group events by a column, right-click its header and choose Group Events By This Column. In the example, events are grouped by the Level column.

This makes it convenient to work with one group of events, for example the errors. Once grouped, groups can be collapsed and expanded, also directly in the table by double-clicking the group name, for example Level: Warning (74).

To remove the grouping, right-click the column header again and choose Remove Grouping of Events.
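The same sorting and grouping over the Application log from PowerShell, as an added example that is not part of the original article. It goes slightly beyond the GUI: Sort-Object sorts by two columns at once (the GUI cannot), and grouping on the (source, event ID) pair finds the noisiest event types, which is usually what you want to either filter out or investigate. The sample size of 1000 events is an arbitrary choice; the counts are whatever your machine has.

```powershell
# Added example (not from the original article). Sorting and grouping of the
# Application log from the shell, including what the GUI cannot do.
function Get-ApplicationEventSummary {
    param([int]$Sample = 1000)
    $events = Get-WinEvent -LogName Application -MaxEvents $Sample

    # Group by Level, like "Group Events By This Column" in Event Viewer.
    $byLevel = $events | Group-Object LevelDisplayName |
               Sort-Object Count -Descending | Select-Object Name, Count

    # Two-column sort: most severe level first, newest first within each level.
    $sorted = $events |
              Sort-Object Level, @{ Expression = 'TimeCreated'; Descending = $true } |
              Select-Object -First 10 TimeCreated, LevelDisplayName, ProviderName, Id

    # Noisiest (source, event ID) pairs, each with the first line of an example message.
    $noisy = $events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
             Select-Object -First 10 -Property Count, Name,
                 @{ n = 'Example'; e = { ($_.Group[0].Message -split "`n")[0] } }

    [pscustomobject]@{ ByLevel = $byLevel; Sorted = $sorted; Noisiest = $noisy }
}

$summary = Get-ApplicationEventSummary
$summary.ByLevel  | Format-Table -AutoSize
$summary.Sorted   | Format-Table -AutoSize
$summary.Noisiest | Format-Table -AutoSize -Wrap
```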

Clearing the log

If you have fixed the errors that produced entries in a log, you will probably want to clear it so that old entries do not get in the way of diagnosing the computer's new state. Right-click the log you want to clear and choose Clear Log...

In the dialog that opens you can simply clear the log, or save it to a file before clearing. Note that clearing is itself recorded: clearing the Security log writes event 1102 to it, and clearing any other log writes event 104 to the System log, so a cleared log is never silent about having been cleared.

Custom views

The sorting and grouping you configure disappear when you close the Event Viewer window. If you work with events often, create custom views. These are saved filters that live in the Custom Views section of the console tree and survive closing Event Viewer.

To create a custom view, right-click any log and choose Create Custom View...

In the dialog, in the Logged section, choose the time range you want from the drop-down list.

In the Event level section, tick the severities you want.

You can select either by log (one or several) or by event source. Switch the radio button to the option you want and tick the entries in the drop-down list.

You can also list specific event IDs to include in, or exclude from, the view you are creating.

When all the options are set, click OK.

In the window that appears, enter a name and description for the custom view and click OK.

For example, I created a custom view for Critical and Error events from the Application and Security logs.

The view can be edited later and will not disappear when Event Viewer is closed. To edit it, right-click the view and choose Filter Current Custom View...

In the dialog that opens, adjust the view's settings.

A custom view is much like a saved search in Windows 7 Explorer.
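A custom view is stored as an XML QueryList, and the same XML can be run from PowerShell. The following is an added example, not part of the original article, reproducing the "Critical and Error from Application and Security" view described above. It also covers a caveat the GUI hides: Security log entries are audit events with Level 0, selected by keyword rather than level, so a Level 1/2 filter on Security returns nothing; the Security clause below therefore selects Audit Failure by its keyword (0x10000000000000). Reading the Security log requires an elevated session. The 7-day window and the 50-event cap are arbitrary choices.

```powershell
# Added example (not from the original article). The custom view as a QueryList,
# executed with Get-WinEvent -FilterXml. The same XML can be pasted into the XML
# tab of Event Viewer's Create Custom View dialog.
function Get-CustomViewEvents {
    param([int]$Days = 7, [int]$MaxEvents = 50)
    $ms = $Days * 24 * 60 * 60 * 1000      # timediff() works in milliseconds
    $query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
    <Select Path="Security">
      *[System[band(Keywords,4503599627370496) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-CustomViewEvents | Format-Table -AutoSize -Wrap
```

For Audit Success use the keyword 9007199254740992 (0x20000000000000) instead; both keywords can be combined with or.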

Conclusion

In this article we looked at the Windows 7 event log and covered almost all the basic operations needed to find error and critical events conveniently. A logical question follows: how do we fix the errors we find? That is much harder. There is little information available, so you may have to spend a lot of time searching. If you are generally happy with how the computer works, you do not have to do it at all.

You can also use the event log to diagnose slow booting of Windows 7.

I will be glad to receive any comments and suggestions.

The Windows 7 operating system constantly monitors the noteworthy events that occur on your system. In Microsoft Windows, an event is any incident in the operating system that is logged or that requires notification of users or administrators: a service that will not start, a device installation, an application error. Events are recorded and stored in the Windows event logs and provide the historical information you need to monitor the system, maintain its security, troubleshoot errors and perform diagnostics. The information in these logs should be reviewed regularly, and the operating system should be configured to keep the important system events. If you administer Windows servers, you need to monitor the security of those systems, the normal operation of applications and services, and errors that could degrade performance. If you use a personal computer, you should make sure you have access to the logs you need to support your system and troubleshoot errors.

Event Viewer is a Microsoft Management Console (MMC) snap-in for viewing and managing event logs. It is the indispensable tool for monitoring system health and troubleshooting problems. The Windows service that controls event logging is called Windows Event Log; while it is running, Windows writes important data to the logs. With Event Viewer you can:

  • View events from specific logs;
  • Apply event filters and save them as custom views for later use;
  • Create and manage event subscriptions;
  • Attach tasks that run when a specific event occurs.

Launching Event Viewer

Event Viewer can be opened in the following ways:

Event logs in Windows 7

In Windows 7, as in Windows Vista, there are two categories of event logs: Windows logs, and Applications and Services logs. Windows logs are used by the operating system to record system-wide events about applications, system components, security and startup. Applications and Services logs are used by individual applications and services to record events about their own operation. Event logs can be managed with the Event Viewer snap-in or with the command-line program wevtutil, which is covered in the second part of the article. The standard logs are described below:

Application: stores important events of specific applications. For example, Exchange Server records events about mail transport, including information store, mailbox and running-service events. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Application.evtx.

Security: stores security-related events such as logon and logoff, use of privileges, and access to resources. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Security.evtx. Reading it requires administrator rights or membership in the Event Log Readers group.

Setup: records events that occur during installation and configuration of the operating system and its components. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Setup.evtx.

System: stores events of the operating system and its components, such as services failing to start or drivers failing to initialise, system-wide messages, and other messages about the system as a whole. By default it is stored in %SystemRoot%\System32\Winevt\Logs\System.evtx.

Forwarded Events: if event forwarding is configured, this log holds events forwarded from other computers. By default it is stored in %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx.

Internet Explorer: records events that occur while configuring and using Internet Explorer. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Internet Explorer.evtx.

Windows PowerShell: records events about the use of PowerShell. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx.

Hardware Events: if hardware event logging is configured, events generated by devices are recorded here. By default it is stored in %SystemRoot%\System32\Winevt\Logs\HardwareEvents.evtx.

In Windows 7, as in Windows Vista, the event logging infrastructure is built on XML. Every event conforms to an XML schema, so the XML of any event can be retrieved, and XML-based (XPath) queries can be written to pull data out of the logs. No knowledge of XML is required to use these features: Event Viewer provides a simple graphical interface for them, and the XML tab on the event details and custom view dialogs shows the XML when you want it.
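What the XML representation gives you, as an added example that is not part of the original article: every EventData field is addressable by name, so values such as the logon type or source address of a Security logon event can be read directly instead of being scraped out of the localised message text. The script pulls recent 4624 (logon succeeded) and 4625 (logon failed) events, parses their XML and extracts a few named fields; it needs an elevated session for the Security log, 4625 only appears if logon-failure auditing is enabled, and it falls back to the newest System event so the structure is visible on any machine.

```powershell
# Added example (not from the original article). Reads events as XML and extracts
# EventData fields by name. Root element is <Event xmlns=".../win/2004/08/events/event">;
# PowerShell's dotted XML access ignores the namespace.
function Get-EventXmlFields {
    param([int]$MaxEvents = 10)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } `
                  -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { $events = Get-WinEvent -LogName System -MaxEvents 1 }

    foreach ($e in $events) {
        $x    = [xml]$e.ToXml()
        $data = @{}
        # <EventData><Data Name="LogonType">10</Data>...</EventData>; unnamed Data is skipped.
        foreach ($d in @($x.Event.EventData.Data)) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Provider  = $e.ProviderName
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']      # 2 interactive, 3 network, 10 RDP, ...
            Source    = $data['IpAddress']
            Fields    = $data.Keys.Count
        }
    }
}

Get-EventXmlFields | Format-Table -AutoSize

# The raw XML itself, for comparison with Event Viewer's XML view:
(Get-WinEvent -LogName System -MaxEvents 1).ToXml()
```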

Event Properties

Events in the Event Viewer snap-in have the following properties:

Source: the program that logged the event. This may be the name of an application (for example "Exchange Server"), or the name of a system component or of a part of a large application (for example a driver name: "Elnkii" is the EtherLink II driver).

Event ID: a number identifying the type of event. The first line of the description usually names the event type. For example, 6005 is the ID of the event written when the Event Log service starts, and its description begins "The Event log service was started." The event ID together with the source name is what a product's support team uses for troubleshooting; it is also what detection rules should key on, since the message text is localised and the ID is not.

Level: the severity of the event. In the System and Application logs, events have one of the following levels:

  • Information: a change in an application or component, such as a successful operation, the creation of a resource, or the start of a service;
  • Warning: a problem that might affect the service or lead to a more serious problem if left unattended;
  • Error: a problem has occurred that may affect functionality outside the application or component that raised the event;
  • Critical: a failure from which the application or component that raised the event cannot recover automatically;
  • Audit Success: successful completion of an action you monitor through auditing, such as the use of a privilege;
  • Audit Failure: failure of an action you monitor through auditing, such as a failed logon.

The two audit outcomes belong to the Security log; in the Vista and later event format they are keywords on a Level 0 event rather than levels, which matters when you filter.

User: the user account on whose behalf the event occurred. This includes special identities such as Local Service, Network Service and Anonymous Logon as well as real user accounts. If the event was raised by a server process, this is the client's identity; if no impersonation took place, it is the primary identity. In some cases a Security log entry contains both. The field may also contain N/A when no account applies. Impersonation is when a server lets one process take on the security attributes of another.

Opcode: a numeric value identifying the operation, or the point within an operation, at which the event occurred, for example initialisation or shutdown.

Log: the name of the log in which the event was recorded.

Task category: an event category, sometimes used to further describe the action. Each event source has its own categories, for example logon/logoff, privilege use, policy change and account management.

Keywords: a set of categories or tags that can be used to filter or search for events, for example "Network", "Security" or "Resource not found".

Computer: the name of the computer on which the event occurred. Usually this is the local computer, but it may be the computer that forwarded the event, or the local computer's former name if it has been renamed.

Logged: the date and time at which the event was recorded in the log.

Process ID: the identifier of the process that generated the event. A program is only a passive set of instructions; a process is that program being executed.

Thread ID: the identifier of the thread that generated the event. A process may consist of several threads running "in parallel", that is, without a prescribed order in time; for some workloads this makes better use of the machine.

Processor ID: the identifier of the processor on which the event was processed.

Session ID: the identifier of the terminal server session in which the event occurred.

Kernel time: the time spent executing kernel-mode instructions, in CPU time units. Kernel mode has unrestricted access to system memory and devices; the NT kernel is described as a hybrid kernel.

User time: the time spent executing user-mode instructions, in CPU time units. User mode consists of subsystems that pass I/O requests to the appropriate kernel-mode driver through the I/O manager.

Processor time: the total CPU time consumed, in CPU ticks.

Correlation ID (activity ID): identifies the activity in the process to which the event belongs, and is used to express simple relationships between events (for example all events of one request).

Related activity ID: identifies the parent or related activity to which the event's activity belongs.

Working with event logs

Event Viewer

The next screenshot shows the Application log, with its events, recently used views and available actions. To view the events of the Application log:

  1. In the console tree, expand Windows Logs;
  2. Select the Application log.

It is worth reviewing the Application and System logs regularly and studying the errors and warnings there, which may foreshadow future problems. When you select a log, the middle pane lists the available events, including date and time, source, level and other details.

The preview pane shows the basic event data on the General tab and the additional, event-specific data on the Details tab. You can turn this pane on and off with View > Preview Pane.

For critical systems it is advisable to keep logs from the last few months. As a rule it is inconvenient to keep enlarging the logs so that everything fits; the problem is better solved by exporting logs to files in a designated folder. To save the selected log:

  1. In the console tree, select the event log you want to save;
  2. Choose Save All Events As... from the Action menu or from the log's context menu;
  3. In the Save As dialog, choose the folder for the file. If you need a new folder, create it directly from this dialog via the context menu or the New folder button. In the Save as type field choose the format: event files (*.evtx), XML (*.xml), tab-delimited text (*.txt) or comma-separated (*.csv). Enter a name in the File name field and click Save; to cancel, click Cancel;
  4. If the log will only be viewed on this computer, leave the default No display information in the Display Information dialog; if it is to be viewed on another computer, choose Display information for these languages, select the languages and click OK. (This saves the message text for the selected languages alongside the file; without it, a computer that lacks the event providers shows the events without descriptions.)

Clearing the event log

Sometimes a full event log needs to be cleared so that warnings and critical errors of the operating system can be analysed effectively. To clear the selected log:

  1. In the console tree, select the event log you want to clear;
  2. Clear the log in one of the following ways:
    • Choose Clear Log... from the Action menu;
    • Right-click the selected log and choose Clear Log... from the context menu;
  3. Then either clear the log or archive it first, if that has not already been done:
    • To clear the log without saving it, click Clear;
    • To save it before clearing, click Save and Clear. In the Save As dialog, choose the folder for the file (a new folder can be created from the dialog via the context menu or the New folder button), enter a name in the File name field and click Save; to cancel, click Cancel.
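The Save and Clear operation from the shell, as an added example that is not part of the original article, serving both this section and the earlier "Clearing the log" section. wevtutil cl with /bu writes the backup before clearing, the backup is read back to prove it is usable, and its SHA-256 hash is recorded so the copy can be checked later. Clearing leaves its own trace: the Security log gets event 1102, every other log produces event 104 in the System log, and a defender should treat either as an alert. The script needs an elevated session; the backup directory is an arbitrary choice.

```powershell
# Added example (not from the original article). Backs up a log, clears it, and
# verifies the backup. Equivalent of the "Save and Clear" button.
function Clear-EventLogWithBackup {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$BackupDir = 'C:\EventLogBackups'      # arbitrary location
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir ('{0}-{1}.evtx' -f ($LogName -replace '[\\/]', '-'), $stamp)

    $before = (Get-WinEvent -ListLog $LogName).RecordCount
    wevtutil.exe cl $LogName "/bu:$file"            # backup is written first, then the clear
    if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed for '$LogName'" }

    # Prove the backup is readable before trusting it.
    $oldest = Get-WinEvent -Path $file -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $newest = Get-WinEvent -Path $file -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Log          = $LogName
        RecordsSaved = $before
        Backup       = $file
        Sha256       = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        From         = $oldest.TimeCreated
        To           = $newest.TimeCreated
    }
}

Clear-EventLogWithBackup -LogName 'Application'

# The clear leaves its own trace (event 104 in System; 1102 in Security for the Security log):
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```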

Setting the maximum log size

As mentioned above, event logs are stored as files in %SystemRoot%\System32\Winevt\Logs\. The maximum size of these files is limited by default, and you can change it as follows:

  1. Choose Properties from the Action menu;
  2. In the Maximum log size (KB) field, set the value with the spinner or type it in. A typed value is rounded to the nearest multiple of 64 KB, because the log file size must be a multiple of 64 KB, and it cannot be less than 1024 KB.

Events are saved to a log file that can only grow up to the configured maximum size. Once the file reaches that size, what happens to incoming events is decided by the log's retention policy. The following policies are available:

Overwrite events as needed (oldest events first): new entries keep being written after the log is full; each new event replaces the oldest one.

Archive the log when full, do not overwrite events: when the log fills up, the file is archived automatically and a new one is started. Old events are never overwritten.

Do not overwrite events (clear logs manually): new events are dropped until the log is cleared by hand, so on a busy system this policy silently loses data.

To select the retention policy:

  1. In the console tree, select the event log whose policy you want to change;
  2. Choose Properties from the Action menu or from the log's context menu;
  3. On the General tab, under When maximum event log size is reached, choose the option you want and click OK.
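The same settings from the shell, as an added example that is not part of the original article. It shows how the three GUI options map onto the wevtutil sl flags and onto the registry values (Retention, AutoBackupLogFiles, MaxSize) described in the first part of the page, rejects sizes that are not a multiple of 64 KB or are below 1 MB rather than silently rounding them, and reads the effective configuration back. It changes the live configuration of the named log and needs an elevated session; the log name and size in the usage line are arbitrary choices.

```powershell
# Added example (not from the original article). Maximum size and retention policy
# via wevtutil, with the GUI-to-flag-to-registry mapping spelled out.
function Set-EventLogRetention {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][long]$MaxSizeBytes,
        [ValidateSet('OverwriteAsNeeded', 'ArchiveWhenFull', 'DoNotOverwrite')]
        [string]$Policy = 'OverwriteAsNeeded'
    )
    if ($MaxSizeBytes -lt 1MB -or ($MaxSizeBytes % 64KB) -ne 0) {
        throw "MaxSizeBytes must be at least 1 MB and a multiple of 64 KB (got $MaxSizeBytes)"
    }
    # GUI option                  /rt (retention)  /ab (auto-backup)  Registry values
    # Overwrite events as needed  false            false              Retention=0
    # Archive the log when full   true             true               Retention=0xFFFFFFFF, AutoBackupLogFiles=1
    # Do not overwrite events     true             false              Retention=0xFFFFFFFF, AutoBackupLogFiles=0
    $flags = @{
        OverwriteAsNeeded = @('false', 'false')
        ArchiveWhenFull   = @('true',  'true')
        DoNotOverwrite    = @('true',  'false')
    }
    $rt, $ab = $flags[$Policy]

    wevtutil.exe sl $LogName "/ms:$MaxSizeBytes" "/rt:$rt" "/ab:$ab"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for '$LogName'" }

    # Effective configuration: LogMode is Circular, AutoBackup or Retain.
    Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled
}

Set-EventLogRetention -LogName 'Application' -MaxSizeBytes 64MB -Policy 'ArchiveWhenFull'
wevtutil.exe gl Application       # full text dump, including the logFileName path
```

For the Security log on anything that matters, Archive the log when full is the only option that neither loses events nor depends on someone noticing that the log stopped.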

Activating the analytical and debug log

Analytic and debug logs are disabled by default. Once enabled, they fill up quickly with a large number of events, so it is advisable to enable them only for a limited period, collect the data needed for troubleshooting, and then disable them again. To enable one:

  1. In the console tree, find and select the analytic or debug log you want to enable (if they are hidden, choose View > Show Analytic and Debug Logs);
  2. Choose Properties from the Action menu or from the log's context menu;
  3. On the General tab, tick Enable logging.
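The same procedure from the shell, as an added example that is not part of the original article. It lists the analytic and debug logs (Get-WinEvent hides them unless -Force is given), enables one for a bounded time window, disables it again in a finally block so the configuration change is always reverted, and reads what was captured. Two caveats the GUI hides: these logs can only be read oldest-first (-Oldest), and an enabled analytic log is a live configuration change that keeps costing disk and CPU until someone turns it off. The log name in the usage line is an assumption; pick one from the list the script prints. Elevated session required.

```powershell
# Added example (not from the original article). Bounded capture on an analytic or
# debug log, with guaranteed disable afterwards.
function Get-AnalyticDebugLogs {
    Get-WinEvent -ListLog '*' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LogType -in 'Analytical', 'Debug' } |
        Select-Object LogName, LogType, IsEnabled, RecordCount
}

function Invoke-AnalyticCapture {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int]$Seconds = 30,
        [int]$MaxEvents = 50
    )
    wevtutil.exe sl $LogName /e:true
    if ($LASTEXITCODE -ne 0) { throw "could not enable '$LogName'" }
    try {
        Start-Sleep -Seconds $Seconds          # reproduce the problem during this window
    }
    finally {
        wevtutil.exe sl $LogName /e:false      # always turn it back off
    }
    # Analytic and debug logs can only be read oldest-first.
    Get-WinEvent -LogName $LogName -Oldest -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-AnalyticDebugLogs | Format-Table -AutoSize
# Assumed log name; substitute one from the list above.
Invoke-AnalyticCapture -LogName 'Microsoft-Windows-WMI-Activity/Trace' -Seconds 20 | Format-Table -AutoSize -Wrap
```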

Opening and closing a saved journal

With Event Viewer you can open and view previously saved logs. Several saved logs can be open at once, and they stay available in the console tree. A log opened in Event Viewer can be closed without deleting the information it contains. To open a saved log:

  1. Choose Open Saved Log... from the Action menu or from the context menu in the console tree;
  2. In the Open Saved Log dialog, browse the directory tree to the folder containing the file. By default the dialog lists all event log files; you can also restrict the list to a file type. The available types are event log files (*.evtx, *.evt, *.etl), event files (*.evtx), legacy event files (*.evt) and trace log files (*.etl). Select the file you want, which puts its name into the File name field, and click Open;
  3. In the next Open Saved Log dialog, enter in the Name field the name to use for the log in the console tree. It is only used for display and does not change the file name; the existing file name can be used as-is. In the Description field, enter a description; it is shown in the centre pane when the parent folder is selected in the console tree;
  4. To create a folder for the saved log, click Create Folder, enter the folder name in the Name field and click OK. If no parent folder is selected, the new folder is placed under Saved Logs;
  5. To keep the opened log private to your account, clear the All Users checkbox. If it stays ticked, the opened log is visible to all users of the computer, and administrator rights are needed to remove it from the console tree;
  6. Click OK to open the log.

To remove an opened log from the console tree:

  1. In the console tree, select the log to remove;
  2. Choose Delete from the Action menu or from the log's context menu;
  3. In the Event Viewer confirmation dialog, click Yes.
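The export and open-saved-log steps from the shell, as an added example that is not part of the original article, covering both the "Save All Events As" section above and this one. wevtutil epl exports a log, optionally filtered with the same XPath a custom view uses; wevtutil al writes the message text for a locale beside the file (the equivalent of the Display information for these languages option) so it reads correctly on a machine that lacks the event providers; and Get-WinEvent -Path opens .evtx, legacy .evt and .etl files alike, with the usual ID and level filters. The file's SHA-256 hash is kept so the copy can be checked later. The paths are arbitrary choices; an elevated session is needed to export the Security log.

```powershell
# Added example (not from the original article). Filtered export, locale metadata,
# hash, and reading the saved file back.
function Export-EventLogFiltered {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$Path,
        [string]$XPath  = '*',
        [string]$Locale = 'en-US'
    )
    if (Test-Path $Path) { throw "Refusing to overwrite '$Path'" }
    wevtutil.exe epl $LogName $Path "/q:$XPath"
    if ($LASTEXITCODE -ne 0) { throw "export of '$LogName' failed" }
    # Archives the message text into a LocaleMetaData folder next to the file.
    wevtutil.exe al $Path "/l:$Locale"
    [pscustomobject]@{
        File   = $Path
        Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Events = (Get-WinEvent -Path $Path -ErrorAction SilentlyContinue | Measure-Object).Count
    }
}

function Open-SavedEventLog {
    param([Parameter(Mandatory)][string]$Path, [int]$MaxEvents = 20)
    # Works for *.evtx, *.evt and *.etl; hashtable filters apply to saved files too.
    Get-WinEvent -FilterHashtable @{ Path = $Path; Level = 1, 2 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, ProviderName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$out = Join-Path $env:TEMP ('System-{0}.evtx' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
Export-EventLogFiltered -LogName 'System' -Path $out -XPath '*[System[(Level=1 or Level=2)]]'
Open-SavedEventLog -Path $out | Format-Table -AutoSize -Wrap
```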

Conclusion

This part of the article, dedicated to the Event Viewer snap-in, introduced the snap-in itself and described in detail the basic operations involved in monitoring and maintaining the system with it. The next part is aimed at experienced Windows users and covers custom views, filtering, grouping and sorting of events, and managing subscriptions.

Windows 7 implements a mechanism for tracking the important events that occur while the system's programs run. At Microsoft, an "event" is any incident in the system that is recorded in a special log and can be signalled to users or administrators: a utility that refuses to run, an application crash, an incorrectly installed device. All such incidents are recorded and kept by the Windows 7 event log. It arranges and shows them in chronological order and helps you monitor the system, keep it secure, correct errors and diagnose the whole system.

You should review this log periodically for new information and configure the system to keep the important data.

Window 7 - programs

The Event Viewer application is part of the Microsoft management utilities designed for monitoring and viewing the event log. It is the essential tool for watching the system's health and tracking down errors. The Windows service that records incidents is called Windows Event Log; when it is running, it collects all important data and writes it to the logs. The Windows 7 event log lets you:

  • View the data recorded in the logs;
  • Apply various event filters and save them for later use;
  • Create and manage subscriptions for specific incidents;
  • Assign actions to run when certain events occur.

How to open Windows 7 event log?

The program responsible for recording incidents is launched as follows:

1. Open the menu by pressing the "Start" button in the lower left corner of the screen, then open the "Control Panel". In the list of controls, select "Administrative Tools" and in this submenu click "Event Viewer".

2. There is another way to view the Windows 7 event log. Go to the Start menu, type mmc in the search box and run the search. The MMC console opens; select the item for adding and removing snap-ins, and add "Event Viewer" to the main window.

What is the application described?

In Windows 7 and Vista there are two types of event logs: the system-wide Windows logs and the application and service logs. The first type records system-wide incidents related to the performance of various applications, startup, and security. The second type records the events of individual applications and services. In the Event Viewer, the system-wide logs are divided into the following items:

Application - events associated with a specific program are stored here. For example, mail services store the history of message transfers, various mailbox events, and so on, in this log.

The “Security” item stores all data related to logging in and out of the system, using administrative capabilities and accessing resources.

Setup - this Windows 7 event log records data generated during the installation and configuration of the system and its applications.

System - records all operating system events, such as failures when launching service applications or when installing and updating device drivers, various messages regarding the operation of the entire system.

Forwarded events – if this item is configured, then it stores information that comes from other servers.

Other sub-items of the main menu

In the "Administrative Tools" menu, where the Windows 7 event log is located, there are also the following additional items:

Internet Explorer – events that occur during the operation and configuration of the browser of the same name are recorded here.

Windows PowerShell – incidents related to the use of PowerShell are recorded in this folder.

Hardware Events – if this item is configured, the data generated by devices is logged here.

The entire event-recording structure of Windows 7, like that of Vista, is based on XML. But to use the event log in Windows 7 you do not need to know this format. The Event Viewer application does everything itself, presenting a convenient and simple table with menu items.

Incident characteristics

A user who wants to know how to view the Windows 7 event log must also understand the characteristics of the data he wants to view, since the "Event Viewer" describes several properties of each incident. We will look at these characteristics below:

Source – the program that records the event in the log. The names of the applications or drivers that caused a particular incident are recorded here.

Event ID – a number that identifies the type of incident. Technical support uses the event ID together with the source name to correct errors and eliminate software failures.

Level – the degree of importance of the event. The system event log has six levels of incidents:

1. Information.

2. Warning.

3. Error.

4. Critical.

5. Audit Success.

6. Audit Failure.

Users – records the data of the accounts on whose behalf the incident occurred. These can be the names of various services, as well as real users.

Date and time – records when the event occurred.

Many other details are recorded as well while the operating system is running. All incidents are displayed in the "Event Viewer" with a description of all related information.

How to work with the event log?

A very important step in protecting the system from crashes and freezes is to periodically review the "Application" log, which records information about incidents and recent actions of a particular program, and also offers a selection of available operations.

By going to the Windows 7 event log, in the “Application” submenu you can see a list of all programs that caused various negative events in the system, the time and date of their occurrence, the source, and the degree of problem.
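As an added example (not from the original article), the following PowerShell script performs the review described above from the command line: it pulls the Critical, Error and Warning events of the last 24 hours from the Application log, shows the properties described earlier (source, event ID, level, user, time) and counts them per source. It assumes Windows 7 or later with PowerShell 3.0 or newer; the log name and time window are parameters you can change.

```powershell
# Added example (not part of the original article): review recent problem
# events in a log and summarise them by source. Assumes PowerShell 3.0+.
param(
    [int]$Hours = 24,
    [string]$LogName = 'Application'   # any log except Security works without admin rights
)

# Level numbers used by the event log: 1 = Critical, 2 = Error, 3 = Warning,
# 4 = Information. Audit Success/Failure are reported as keywords, not levels.
$levelNames = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Information' }

$filter = @{
    LogName   = $LogName
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches, so suppress it and test the result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Critical/Error/Warning events in '$LogName' during the last $Hours hours."
    return
}

# One row per event with the properties the article describes.
$rows = $events | ForEach-Object {
    $sid  = $_.UserId
    $user = 'N/A'
    if ($sid) {
        # Resolve the SID to an account name; keep the raw SID if it cannot be resolved.
        try { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $user = $sid.Value }
    }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Level  = $levelNames[[int]$_.Level]
        Source = $_.ProviderName
        Id     = $_.Id
        User   = $user
        Text   = ($_.Message -split "`r?`n")[0]   # first line of the description only
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Which sources generate the most problems? A useful starting point for diagnosis.
Write-Host "`nEvents per source:"
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```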

User Responses to Events

Having learned how to open the Windows 7 event log and how to use it, you should next learn how to use the Task Scheduler together with this useful application. To do this, right-click on any incident and, in the window that opens, select the item for attaching a task to the event. The next time such an incident occurs, the operating system will automatically launch the configured task to process and correct the error.

An error in the log is not a reason to panic

If, while looking at the Windows 7 system event log, you see system errors or warnings appearing periodically, there is no reason to worry or panic. Even a perfectly working computer will register various errors and failures, most of which pose no serious threat to the performance of the PC.

The application we are describing was created to make it easier for the system administrator to control computers and troubleshoot emerging problems.

Conclusion

Based on all of the above, it becomes clear that the event log is the means by which programs and the system record and save all events on the computer in one place. This log stores all operational errors, messages, and warnings from system applications.

Where the event log is in Windows 7, how to open it, how to use it, how to correct the errors that appear - we learned all this from this article. But many will ask: "Why do we need this? We are not system administrators or programmers, but ordinary users who do not seem to need this knowledge." This approach is wrong. After all, when a person gets sick, before going to the doctor he tries to cure himself one way or another, and many often succeed. Likewise, a computer, which is a digital organism, can "get sick", and this article shows one of the ways to diagnose the cause of such a "disease"; based on the results of such an "examination", you can make the right decision about the subsequent "treatment".

So information about the method of viewing events will be useful not only to the system specialist, but also to the ordinary user.

When working with automated scripts, scheduled tasks, or your own applications, you may want them to write their own events to the Windows logs. For example, when a script runs normally, you may want to record an information event in the Application log so that you can later easily determine whether the script executed and completed normally. Conversely, if the script fails and errors occur during its execution, you may want to store an error or warning event in the log; you will then know to analyze the script and find out what happened.

To create your own events, use the Eventcreate utility. You can write your own events to any available log except the Security log. Such events may contain a source, an ID, and the necessary description. Eventcreate syntax:

eventcreate /l LogName /so EventSource /t EventType /id EventCode /d EventDescription

  1. LogName - the name of the log in which to record the event; if it contains spaces, enclose it in quotation marks, for example "DNS Server".
  2. EventSource - indicates the source of the event and can be any string. If the string contains spaces, enclose it in quotation marks, for example "Event Tracker". In most cases the source identifies the application, job, or script that caused the error.
  3. EventType - specifies the event type. It can take the values Information, Warning or Error. The "Success Audit" and "Failure Audit" event types are not applicable because they are used in the Security log, to which custom events cannot be written.
  4. EventCode - specifies the numeric ID of the event. It can be any value from 1 to 1000. Rather than assigning IDs at random, it is better to make a list of the common events that can occur and break it down into categories. Each category can then be assigned its own range of event IDs. For example, events from the first hundred may be general, from the second hundred status events, from the fifth hundred warnings, and from the ninth hundred errors.
  5. EventDescription - specifies a description of the event and can be any string. Don't forget to enclose the string in quotation marks.

Using Eventcreate with a few examples

  • Create an information event in the Application log with the source Event Tracker and event ID 209:
    eventcreate /l "application" /t information /so "Event Tracker" /id 209 /d "evs.bat script ran without errors."
  • Create a warning event in the System log with the source CustApp and event ID 511:
    eventcreate /l "system" /t warning /so "CustApp" /id 511 /d "sysck.exe didn't complete successfully."
  • Create an error event in the System log on the computer MAIL with the source SysMon and event ID 918:
    eventcreate /s Mail /l "system" /t error /so "SysMon" /id 918 /d "sysmon.exe was unable to verify write operation."
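As an added example (not the article's own code), the following PowerShell wrapper runs a scheduled script and records its outcome with eventcreate, using the event-ID ranges suggested above (2xx status, 5xx warnings, 9xx errors); the job path C:\Scripts\evs.bat, the source name and the ID values are assumed placeholders. Run it from an elevated prompt, because eventcreate registers a new event source on first use.

```powershell
# Added example (not from the original article): record a job's outcome with
# eventcreate using the article's ID-range scheme. Paths, source and IDs are placeholders.
param(
    [string]$JobPath = 'C:\Scripts\evs.bat',   # placeholder path of the job being monitored
    [string]$Source  = 'Event Tracker',
    [string]$LogName = 'Application'
)

# Event IDs for this job, chosen from the category ranges described above.
$EventIds = @{ Started = 201; Succeeded = 202; Warning = 501; Failed = 901 }

function Write-JobEvent {
    param(
        [ValidateSet('Information', 'Warning', 'Error')][string]$Type,
        [int]$Id,
        [string]$Description
    )
    # eventcreate accepts IDs 1..1000 only. PowerShell quotes arguments that contain
    # spaces when calling a native executable, so the source and description are safe.
    & eventcreate.exe /l $LogName /so $Source /t $Type /id $Id /d $Description | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "eventcreate failed with exit code $LASTEXITCODE" }
}

Write-JobEvent -Type Information -Id $EventIds.Started -Description "$JobPath started."

if (-not (Test-Path $JobPath)) {
    Write-JobEvent -Type Error -Id $EventIds.Failed -Description "$JobPath not found; job was not run."
    exit 1
}

# Run the job and time it; cmd /c returns the batch file's own exit code.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
& cmd.exe /c "`"$JobPath`"" | Out-Null
$rc = $LASTEXITCODE
$sw.Stop()
$secs = [int]$sw.Elapsed.TotalSeconds

# Map the exit code to a level and an ID from the appropriate range.
switch ($rc) {
    0       { Write-JobEvent -Type Information -Id $EventIds.Succeeded -Description "$JobPath ran without errors in $secs s." }
    1       { Write-JobEvent -Type Warning     -Id $EventIds.Warning   -Description "$JobPath completed with warnings (exit code 1) after $secs s." }
    default { Write-JobEvent -Type Error       -Id $EventIds.Failed    -Description "$JobPath failed with exit code $rc after $secs s." }
}
exit $rc
```

Once the events exist, the Application log can be filtered on the source "Event Tracker" and the 9xx range to list only failed runs.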
