Creating our own events in the Windows event log. Writing native Windows events to a log


The Windows 7 operating system constantly monitors various noteworthy events that occur on your system. In Microsoft Windows, an event is any incident in the operating system that is logged or that requires notifying users or administrators. This could be a service that refuses to start, a device installation, or an application error. Events are recorded and stored in the Windows event logs and provide important historical information that helps you monitor the system, maintain its security, troubleshoot errors, and perform diagnostics. The information in these logs should be reviewed regularly: monitor the event logs and configure the operating system to retain important system events. If you administer Windows servers, you need to monitor the security of those systems and the normal operation of applications and services, and check the servers for errors that could degrade performance. If you are a personal-computer user, you should make sure you have access to the logs you need to support your system and troubleshoot errors.

The Event Viewer program is a Microsoft Management Console (MMC) snap-in for viewing and managing event logs. It is an indispensable tool for monitoring system health and troubleshooting problems. The Windows service that controls event logging is called Windows Event Log. When it is running, Windows writes important data to the logs. Using Event Viewer you can do the following:

  • View events from specific logs;
  • Apply event filters and save them for later use as custom views;
  • Create and manage event subscriptions;
  • Assign specific actions to be performed when a specific event occurs.

Launching Event Viewer

The Event Viewer application can be opened in the following ways:

Fig.1. Event Viewer Window

Event logs in Windows 7

In Windows 7, as in Windows Vista, there are two categories of event logs: Windows logs and Application and Services logs. Windows logs are used by the operating system to record system-wide events related to applications, system components, security and startup. Application and Services logs are used by individual applications and services to record events related to their own operation. You can manage event logs with the Event Viewer snap-in or with the wevtutil command-line program, which will be discussed in the second part of the article. All log types are described below:

Application - stores important events related to a specific application. For example, Exchange Server stores events related to mail forwarding, including events for the information store, mailboxes and running services. By default it is placed in %SystemRoot%\System32\Winevt\Logs\Application.Evtx.

Security - stores security-related events such as logon/logoff, privilege use and resource access. By default it is located in %SystemRoot%\System32\Winevt\Logs\Security.Evtx.

Setup - records events that occur during installation and configuration of the operating system and its components. By default it is located in %SystemRoot%\System32\Winevt\Logs\Setup.Evtx.

System - stores events of the operating system or its components, such as failures to start services or initialize drivers, system-wide messages, and other messages related to the system as a whole. By default it is located in %SystemRoot%\System32\Winevt\Logs\System.Evtx.

Forwarded Events - if event forwarding is configured, this log contains events forwarded from other servers. By default it is placed in %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.Evtx.

Internet Explorer - records events that occur during setup and use of the Internet Explorer browser. By default it is located in %SystemRoot%\System32\Winevt\Logs\InternetExplorer.Evtx.

Windows PowerShell - records events related to the use of PowerShell. By default it is located in %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx.

Hardware Events - if hardware event logging is configured, events generated by devices are recorded in this log. By default it is placed in %SystemRoot%\System32\Winevt\Logs\HardwareEvent.Evtx.

In Windows 7, as in Windows Vista, the event logging infrastructure is based on XML. Every event conforms to an XML schema, so you can view the XML of any event, and you can write XML-based queries to retrieve data from the logs. No knowledge of XML is required to use these features: Event Viewer provides a simple graphical interface for them.

Event Properties

The Event Viewer snap-in shows several event properties, which are described in detail below:

Source - the program that logged the event. This can be the name of an application (for example, Exchange Server) or the name of a system component or a component of a large application (for example, a driver name). For instance, "Elnkii" denotes the EtherLink II driver.

Event ID - a number that identifies a specific type of event. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event Log service starts, so the description of this event begins with the line "The event log service has been started." The event ID and source name can be used by the software product's support team for troubleshooting.

Level - the severity of the event. In the System and Application logs, events can have the following severity levels:

  • Information - indicates a change in an application or component, such as a successful operation, the creation of a resource, or the start of a service;
  • Warning - indicates a problem that could affect service or lead to a more serious problem if left unattended;
  • Error - indicates that a problem has occurred that may affect functions outside the application or component that raised the event;
  • Critical - indicates that a failure has occurred from which the application or component that raised the event cannot recover automatically;
  • Audit Success - successful completion of an action you monitor through auditing, such as the use of a privilege;
  • Audit Failure - failure of an action you monitor through auditing, such as a failed logon.

User - the user account on whose behalf the event occurred. Users include special entities such as Local Service, Network Service and Anonymous Logon, as well as real user accounts. The name is the client identifier if the event was actually raised by a server process, or the primary identifier if no impersonation is performed. In some cases a Security log entry contains both IDs. This field may also contain N/A if no account applies in the situation. Impersonation occurs when a server allows one process to assume the security attributes of another process.

Opcode - a numeric value that defines the operation, or the point within the operation, during which the event occurred, for example initialization or shutdown.

Log - the name of the log in which the event was recorded.

Task category - the event category, sometimes used to further describe the relevant action. Each event source defines its own categories; examples are logon/logoff, privilege use, policy change and account management.

Keywords - a set of categories or tags that can be used to filter or search for events, for example "Network", "Security" or "Resource not found".

Computer - the name of the computer on which the event occurred. Usually this is the local computer, but it could also be the computer that forwarded the event, or the name the local computer had before it was renamed.

Date and time - when the event was recorded in the log.

Process ID - the identifier of the process that generated the event. A program is only a passive set of instructions, whereas a process is the execution of those instructions.

Thread ID - the identifier of the thread that generated the event. A process can consist of several threads running "in parallel", that is, without a prescribed order in time; for some tasks this separation makes more effective use of computer resources.

Processor ID - the identifier of the processor that processed the event.

Session ID - the identifier of the Terminal Server session in which the event occurred.

Kernel time - the time spent executing kernel-mode instructions, in CPU time units. Kernel mode has unrestricted access to system memory and external devices. The NT kernel is described as a hybrid kernel or macrokernel.

User time - the time spent executing user-mode instructions, in CPU time units. User mode consists of subsystems that pass I/O requests to the appropriate kernel-mode driver through the I/O manager.

Processor time - the time spent executing user-mode instructions, in CPU ticks.

Correlation ID - identifies the activity within the process for which the event is used. This ID is used to indicate simple relationships between events. (In statistics, correlation is a relationship between two or more random variables, or quantities that can be treated as such with acceptable accuracy, in which changes in one lead to systematic changes in the others.)

Relative Correlation ID - identifies a related activity within the process for which the event is used.
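The properties listed above are the fields of the XML schema mentioned earlier, and Get-WinEvent exposes them as object properties. The following is an added example, not part of the article, that pulls one event the text itself mentions (ID 6005 from the EventLog source in the System log) and maps each Event Viewer property name to the corresponding field, then shows the raw System element of the event XML. It assumes Windows PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example: inspect the properties of a real event and its XML schema.
# Event 6005 / source EventLog (Event Log service started) is used because the
# text cites it; any other event would do.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 } `
                   -MaxEvents 1 -ErrorAction Stop

# Event Viewer property name (left) -> EventLogRecord property (right).
[ordered]@{
    'Source'                  = $ev.ProviderName
    'Event ID'                = $ev.Id
    'Level'                   = $ev.LevelDisplayName            # Information / Warning / Error / Critical
    'User'                    = $ev.UserId                      # SID, or $null when N/A
    'Opcode'                  = $ev.OpcodeDisplayName
    'Log'                     = $ev.LogName
    'Task category'           = $ev.TaskDisplayName
    'Keywords'                = ($ev.KeywordsDisplayNames -join ', ')
    'Computer'                = $ev.MachineName
    'Date and time'           = $ev.TimeCreated
    'Process ID'              = $ev.ProcessId
    'Thread ID'               = $ev.ThreadId
    'Correlation ID'          = $ev.ActivityId
    'Relative Correlation ID' = $ev.RelatedActivityId
    'Description'             = $ev.Message
} | Format-Table -AutoSize

# Every event is XML underneath; the <System> element carries exactly the
# fields above (Provider, EventID, Level, Task, Opcode, Keywords, TimeCreated,
# Correlation, Execution ProcessID/ThreadID, Channel, Computer, Security UserID).
$xml = [xml]$ev.ToXml()
$xml.Event.System
```

The same mapping works for events read from a saved .evtx file or from a remote computer, which is why scripted triage usually keys on ProviderName, Id and Level rather than on the free-text Message.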

Working with event logs

Event Viewer

In the next screenshot you can see the Application log, with information about events, recently viewed items and available actions. To view Application log events, follow these steps:

  1. In the console tree, select Windows Logs;
  2. Select the Application log.

It is advisable to review the Application and System logs often and to study existing problems and warnings that may foreshadow future failures. When you select a log, the middle pane displays the available events, including the date, time and source, the event level and other details.

The preview pane shows the basic event data on the General tab and additional, event-specific data on the Details tab. You can turn this pane on and off with the Preview Pane command on the View menu.

For critical systems it is recommended to keep logs for the last few months. It is usually impractical to keep enlarging the logs so that all the information fits in them; the problem can be solved another way: you can export logs to files in a folder of your choice. To save the selected log, follow these steps:

  1. In the console tree, select the event log you want to save;
  2. Select Save Events As from the Action menu, or Save All Events As from the log's context menu;
  3. In the Save As dialog, select the folder where the file should be saved. If you need a new folder, you can create it directly from this dialog using the context menu or the New folder button on the toolbar. In the File type field, select the desired format: event files (*.evtx), XML file (*.xml), tab-delimited text (*.txt) or comma-separated values (*.csv). In the File name field, enter a name and click Save. To cancel saving, click Cancel;
  4. If the log is not intended to be viewed on another computer, leave the default option "No display information" in the Display Information dialog; if it is intended to be viewed on another computer, select "Display information for these languages" and click OK.
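The same export can be scripted so that the "last few months" of logs are archived on a schedule rather than by hand. The block below is an added example and not the article's own material; it uses the wevtutil tool the article mentions to export a log to an .evtx file, archives the display information (the equivalent of the language option in the dialog), then reopens the saved copy with Get-WinEvent to confirm what was written. The folder C:\EventArchive is a constructed path; run the script from an elevated Windows PowerShell prompt.

```powershell
# Added example: export a log to a dated .evtx file and read the copy back.
$LogName = 'System'
$Folder  = 'C:\EventArchive'    # constructed archive location
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# One file per log per day; the name sorts chronologically.
$File = Join-Path $Folder ("{0}-{1}.evtx" -f $LogName, (Get-Date -Format 'yyyyMMdd'))

# wevtutil epl (export-log) writes the live log to a file without clearing it.
wevtutil epl $LogName $File
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl $LogName failed with exit code $LASTEXITCODE" }

# wevtutil al (archive-log) stores the locale-specific message text next to the
# file so the saved log stays readable on a computer without the same providers.
wevtutil al $File
if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil al failed with exit code $LASTEXITCODE" }

# -Path opens the saved file instead of a live log.
$saved = @(Get-WinEvent -Path $File -ErrorAction SilentlyContinue)
"Exported {0} events from {1} to {2}" -f $saved.Count, $LogName, $File

# Quick summary of what was archived, by severity.
$saved | Group-Object LevelDisplayName | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Because the export does not clear the live log, this can be run repeatedly; clearing, if wanted, is a separate decision that should be taken only after the archive has been verified to open.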

Clearing the event log

Sometimes it is necessary to clear full event logs so that alerts and critical operating-system errors can be analyzed effectively. To clear the selected log, follow these steps:


Setting the maximum log size

As mentioned above, event logs are stored as files in the %SystemRoot%\System32\Winevt\Logs\ folder. By default the maximum size of these files is limited, but you can change it as follows:


Events are saved in a log file whose size can grow only up to a specified maximum value. Once the file reaches its maximum size, how incoming events are handled is determined by the log retention policy. The following retention policies are available:

Overwrite events as needed (oldest events first) - new entries continue to be written after the log is full; each new event replaces the oldest event in the log;

Archive the log when full, do not overwrite events - the log file is automatically archived when it fills up; old events are not overwritten;

Do not overwrite events (clear logs manually) - the log must be cleared manually and is never cleared automatically.

To select the desired log retention policy, follow these steps:

  1. In the console tree, select the event log you want to configure;
  2. Select Properties from the Action menu or from the context menu of the selected log;
  3. On the General tab, under "When maximum event log size is reached", select the required option and click OK.
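The maximum size and the three retention policies can also be set from the command line with wevtutil, which the article says it will cover later. As an added example (not from the article), the function below maps the three options named above onto wevtutil's retention and auto-backup switches and applies them to a log, then reads the result back with Get-WinEvent -ListLog. The 64 MB size is a constructed value, not a recommendation from the text; the function name Set-LogRetention is the example's own. Run from an elevated Windows PowerShell prompt.

```powershell
# Added example: set maximum size and retention policy for a log with wevtutil.
function Set-LogRetention {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [long]   $MaxBytes,
        [ValidateSet('OverwriteAsNeeded', 'ArchiveWhenFull', 'DoNotOverwrite')]
        [string] $Policy = 'OverwriteAsNeeded'
    )
    # The three policies from the Properties dialog correspond to wevtutil's
    # /rt (retention: true = never overwrite) and /ab (auto-backup = archive when
    # full) switches.
    $switches = switch ($Policy) {
        'OverwriteAsNeeded' { '/rt:false', '/ab:false' }
        'ArchiveWhenFull'   { '/rt:true',  '/ab:true'  }
        'DoNotOverwrite'    { '/rt:true',  '/ab:false' }
    }
    # wevtutil sl = set-log; /ms is the maximum size in bytes.
    wevtutil sl $LogName "/ms:$MaxBytes" @switches
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl $LogName failed with exit code $LASTEXITCODE" }
}

# Constructed settings: 64 MB, archive when full, for the three classic logs.
foreach ($log in 'Application', 'System', 'Security') {
    Set-LogRetention -LogName $log -MaxBytes 64MB -Policy ArchiveWhenFull
}

# Verify. LogMode shows Circular (overwrite), AutoBackup (archive) or Retain.
Get-WinEvent -ListLog 'Application', 'System', 'Security' |
    Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled, RecordCount
```

Archived copies land in the same %SystemRoot%\System32\Winevt\Logs\ folder named after the log and the time it filled, so the folder's free space should be watched when ArchiveWhenFull is chosen for a busy log such as Security.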

Activating the analytical and debug log

Analytic and debug logs are inactive by default. Once activated, they quickly fill up with a large number of events. For this reason it is advisable to enable these logs only for a limited period, to collect the data needed for troubleshooting, and then disable them again. You can activate a log as follows:

  1. In the console tree, find and select the analytic or debug log you want to activate;
  2. Select Properties from the Action menu or from the context menu of the selected log;
  3. On the General tab, check the Enable logging box.

Opening and closing a saved log

Using the Event Viewer snap-in you can open and view previously saved logs. You can open several saved logs at the same time and return to them at any time in the console tree. A log opened in Event Viewer can be closed without deleting the information it contains. To open a saved log, follow these steps:


To remove an open log from the console tree, do the following:


Conclusion

This part of the article, dedicated to the Event Viewer snap-in, describes the snap-in itself and the basic operations involved in monitoring and maintaining the system with it. The next part is intended for experienced Windows users and will cover custom views, filtering, grouping and sorting of events, and managing subscriptions.


Hello, friends! In this article we will look at the Windows 7 event log. The operating system records almost everything that happens to it in this log. It is convenient to view it with the Event Viewer application, which is installed with Windows 7. To say that there are a lot of recorded events is to say nothing: there are a huge number of them. But it is hard to get lost in them, since everything is sorted into categories.

Thanks to the event log, it is much easier for specialists and ordinary users to find errors and fix them. When I say easier, I don't mean easy. Almost always, to correct a recurring error you will have to search a lot and re-read a pile of material. Sometimes it is worth it to get rid of non-standard operating system behavior.

For the operating system to fill the event logs, the Windows Event Log service, which is responsible for this, must be running. Let's check whether it is. In the search field of the Start menu, type Services.

Find the Windows Event Log service and check that Status is Started and Startup type is Automatic.

If this service is not running, double-click it and, in its properties, select Automatic under Startup type. Then click Start and OK.

The service has started and the event logs will begin to fill.

Launch the Event Viewer utility from the Start menu search.

The default utility looks like this:

Many things here can be customized. For example, the buttons below the menu bar hide or show the Console Tree on the left and the Actions pane on the right.

The area at the bottom center is called the Preview pane. It displays information about the selected event. It can be hidden by unchecking the corresponding item in the View menu or by clicking the cross in the top right corner of the pane.

The main field is at the top center and is a table of the events in the log you selected in the Console Tree. By default, not all columns are displayed; you can add columns and change their order. To do this, right-click the header of any column and select Add/Remove Columns...

In the window that opens, add the required columns from the left field to the Displayed columns field.

To change the order of columns, select the desired column in the right field and use the Up and Down buttons.

Each column is a specific property of the event. All these properties were perfectly described by Dmitry Bulanov. I'll give you a screenshot; click on it to enlarge.

There is no point in adding all the columns to the table, since the key properties are displayed in the preview pane. If that pane is not shown, double-click the event and its properties will open in a separate window.

The General tab has a description of the error and sometimes a way to fix it. Below are all the properties of the event, and in the Details section there is a link to Web Help where information on correcting the error may be available.

Event logs

Key Management Service - records Key Management Service events. It is designed to manage activations of corporate editions of the operating system. The log is empty because you can do without it on a home computer.

Logs also have their own properties. To view them, right-click the log and select Properties in the context menu.

In the properties you see the full name of the log, the path to the log file, its size, and the dates it was created, modified and last accessed.

The Enable logging checkbox is also checked. It is greyed out and cannot be cleared. I looked at this option in the properties of other logs; there it is also enabled and greyed out. For the Hardware Events log it is in exactly the same position, and that log is not maintained.

In the properties you can set the Maximum log size (KB) and select an action to take when the maximum size is reached. For servers and other important workstations it makes sense to make the log larger and select Archive the log when full, so that in an emergency you can trace when the malfunction started.

Working with Windows 7 event logs

The work involves sorting, grouping and clearing logs, and creating custom views to make it easier to find certain events.

Choose any log, for example Application, and in the table in the center click the header of any column. Events will be sorted by that column.

Click again to sort in the opposite direction. The sorting principles are the same as in Windows Explorer. The limitation is that you cannot sort by more than one column.

To group events by a specific column, right-click its header and select Group Events by This Column. In the example, events are grouped by the Level column.

In this case it is convenient to work with a specific group of events, for example errors. After grouping, you can collapse and expand groups; this can also be done in the event table itself by double-clicking the group name, for example Level: Warning (74).

To remove a grouping, right-click the column header again and select Remove Grouping of Events.

Clearing the log

If you have fixed the errors that led to events being recorded in the log, you will probably want to clear the log so that old entries do not interfere with diagnosing the computer's new state. To do this, right-click the log you want to clear and select Clear Log...

In the window that opens we can simply clear the log, or save it to a file before clearing.

Custom views

Configured sorting and grouping disappear when you close the Event Viewer window. If you work with events often, you can create custom views. These are saved filters that live in the corresponding section of the console tree and persist when Event Viewer is closed.

To create a custom view, right-click any log and select Create Custom View...

In the window that opens, in the Date section, select from the drop-down list the time range for which events should be selected.

In the Event Level section, check the boxes to select the importance of events.

We can filter by specific log or logs, or by source. Switch the radio button to the desired position and select the necessary checkboxes from the drop-down list.

You can select specific event codes to be shown or not shown in the view you create.

When all the view options have been selected, click OK.

In the window that appears, set the name and description of the custom view and click OK.

For example, I created a custom view for Error and Critical events from the Application and Security logs.

This view can be edited later and will not disappear when you close Event Viewer. To edit it, right-click the view and select Filter Current Custom View...

In the window that opens, make additional settings for the view.

You can draw an analogy between custom views and saved searches in Windows 7 Explorer.
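A custom view is stored by Event Viewer as an XML query, the same XML query facility the first article described for the logging infrastructure. The block below is an added example, not from either author: it expresses the view just described (Error and Critical events from the Application and Security logs) as a QueryList and runs it with Get-WinEvent -FilterXml, adding the time-range restriction that the Date drop-down applies. Level 1 is Critical and 2 is Error; the 24-hour window is a constructed value. Reading the Security log requires an elevated prompt.

```powershell
# Added example: the "Errors and critical events from Application and Security"
# custom view as an XML QueryList, run from PowerShell.
function Get-CriticalAndErrorEvents {
    param([int] $Hours = 24, [int] $MaxEvents = 200)

    # timediff(@SystemTime) is in milliseconds; this is the XPath Event Viewer
    # itself generates for a "Last N hours" range.
    $ms = $Hours * 60 * 60 * 1000
    $xpath = "*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    $query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">$xpath</Select>
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@
    # No matching events is reported as an error by Get-WinEvent; treat it as empty.
    @(Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
}

Get-CriticalAndErrorEvents -Hours 24 |
    Select-Object TimeCreated, LogName, LevelDisplayName, Id, ProviderName |
    Format-Table -AutoSize
```

Note that Security log entries are audit records whose Level is normally 0 (audit success and failure are expressed through Keywords), so this view, exactly like the one built in the console, will rarely return anything from Security; a view aimed at audit failures would filter on the Audit Failure keyword instead.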

Conclusion

In this article we looked at the Windows 7 event log. We covered almost all the basic operations with it that make it convenient to find error and critical events. And here a logical question arises: "How can we correct these errors in the system?" Everything is much more complicated here. There is little information on the Internet, and therefore you may have to spend a lot of time searching. So if you are generally satisfied with the operation of the computer, you don't have to do this. If you want to try to fix it, watch the video below.

You can also use the event log to diagnose slow booting of Windows 7.

I will be glad to receive any comments and suggestions.

When working with automated scripts, scheduled tasks or your own applications, you may want them to write their own events to the Windows logs. For example, when a script runs normally you can record an information event in the Application log so that you can later determine easily whether the script ran and completed normally. Conversely, if the script fails and errors occur during its execution, you may want to store an error or warning event in a log; then you will know to analyze the script and find out what happened.

To create your own events, use the Eventcreate utility. You can write your own events to any available log except the Security log. Such events can contain a source, an ID and the necessary description. Eventcreate syntax:

eventcreate /l LogName /so EventSource /t EventType /id EventCode /d EventDescription

  1. LogName - the name of the log to record the event in; if it contains spaces, enclose it in quotation marks, for example "DNS Server".
  2. EventSource - the source of the event; can be any string. If the string contains spaces, enclose it in quotation marks, for example "Event Tracker". In most cases the source names the application, job or script that caused the event.
  3. EventType - the event type. Can take the values Information, Warning or Error. The "Success Audit" and "Failure Audit" types are not applicable, because they are used only in the Security log, which cannot receive custom events.
  4. EventCode - the numeric ID of the event. Can be any value from 1 to 1000. Rather than assigning IDs randomly, it is better to make a list of common events that can occur and break it down into categories; each category is then assigned its own range of event codes. For example, events in the first hundred may be general, the second hundred status events, the fifth hundred warnings, and the ninth hundred errors.
  5. EventDescription - the description of the event; can be any string. Don't forget to enclose the string in quotes.

Using Eventcreate: a few examples

  • Create an information event in the Application log with the source Event Tracker and event ID 209:
    eventcreate /l "application" /t information /so "Event Tracker" /id 209 /d "evs.bat script ran without errors."
  • Create a warning event in the System log with the source CustApp and event ID 511:
    eventcreate /l "system" /t warning /so "CustApp" /id 511 /d "sysck.exe didn't complete successfully."
  • Create an error event in the System log on the computer MAIL with the source SysMon and event ID 918:
    eventcreate /s Mail /l "system" /t error /so "SysMon" /id 918 /d "sysmon.exe was unable to verify write operation."
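The scenario the section opens with, a script that records whether it ran normally or failed, is a small wrapper around eventcreate. The following is an added example and not the article's own code: it reuses the article's "Event Tracker" source and follows the ID scheme of the article's examples (2xx status, 5xx warnings, 9xx errors), writing a start record, then either a completion or an error record depending on the outcome, and finally reading the records back with Get-WinEvent. The job being wrapped is a constructed stand-in (a cmd.exe call that exits 0), and the function name Write-JobEvent is the example's own. Run from an elevated Windows PowerShell prompt.

```powershell
# Added example: record a script's outcome in the Application log via eventcreate.
$Source = 'Event Tracker'                                   # source name from the article
$Codes  = @{ Started = 101; Completed = 201; Warning = 501; Failed = 901 }   # constructed ID scheme

function Write-JobEvent {
    param(
        [Parameter(Mandatory)] [ValidateSet('Information', 'Warning', 'Error')] [string] $Type,
        [Parameter(Mandatory)] [ValidateRange(1, 1000)] [int] $Id,        # eventcreate accepts 1-1000 only
        [Parameter(Mandatory)] [string] $Description
    )
    # eventcreate cannot write to the Security log; Application is used here.
    # PowerShell quotes arguments containing spaces before passing them on.
    eventcreate /l Application /t $Type /so $Source /id $Id /d $Description | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "eventcreate failed with exit code $LASTEXITCODE" }
}

Write-JobEvent -Type Information -Id $Codes.Started -Description 'evs.bat started'
try {
    # Constructed job; replace with the real work of the script.
    & cmd.exe /c 'exit 0'
    if ($LASTEXITCODE -ne 0) { throw "job exited with code $LASTEXITCODE" }
    Write-JobEvent -Type Information -Id $Codes.Completed -Description 'evs.bat script ran without errors.'
}
catch {
    Write-JobEvent -Type Error -Id $Codes.Failed -Description "evs.bat failed: $($_.Exception.Message)"
}

# Confirm the records landed; filtering on the source keeps the query cheap.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Source } -MaxEvents 5 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

A fixed source name and ID range make the records easy to pick out later, both in a custom view and in a scheduled query, which is the point the section makes about categorizing event codes.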

In the Windows OS family, all major events that occur in the system are recorded in the event log: errors, warnings and various notifications. Based on these records, an experienced user can correct the operation of the system and eliminate errors. Let's learn how to open the event log in Windows 7.

The event log is viewed with a system tool called Event Viewer. Let's see the various ways you can get to it.

Method 1: "Control Panel"

One of the most common ways to launch the tool described in this article, though far from the easiest or most convenient, is through the Control Panel.


Method 2: Run Tool

It is much easier to start the tool using the Run dialog.


The main disadvantage of this fast and convenient method is the need to remember the command that opens the window.

Method 3: Start Menu Search Box

A very similar method of calling the tool uses the search field of the Start menu.


Method 4: Command Prompt

Calling the tool from the Command Prompt is rather inconvenient, but the method exists and is therefore worth mentioning. First we need to open the Command Prompt window.


Method 5: Directly start the eventvwr.exe file

An "exotic" option is to start the file directly from Explorer. This method can nevertheless be useful in practice, for example when failures have reached such a scale that the other ways of running the tool are simply unavailable. This happens extremely rarely, but it is quite possible.

First of all, go to the location of the eventvwr.exe file. It is in the system directory at this path:

C:\Windows\System32


Method 6: Entering the file path in the address bar

With Explorer we can launch the window faster. In this case you don't even have to look for eventvwr.exe in the System32 directory; just enter the path to the file in the Explorer address bar.


Method 7: Create a shortcut

If you don't want to remember commands, and navigating the Control Panel seems too inconvenient, but you use the log often, you can create a shortcut on the Desktop or in another convenient place. After that, launching Event Viewer is as simple as possible and requires remembering nothing.


Problems opening the log

There are cases when the log cannot be opened by any of the methods described above. Most often this happens because the service responsible for this tool is disabled: when you try to run Event Viewer, a message appears saying that the Event Log service is unavailable. Then you need to start it.

  1. First of all, open the Services console. This can be done from the Administrative Tools section of the Control Panel; how to get there was described in Method 1. Once in this section, look for the Services item and click it.

    You can also open the Services console with the Run dialog. Open it with Win+R and enter in the input field:

    Click OK.

  2. Whether you went through the Control Panel or used the Run dialog, the Services console opens. Look for the Windows Event Log entry in the list. To make the search easier, you can sort the list alphabetically by clicking the Name column header. Once the line is found, look at the value in the Status column. If the service is running, it will say Started; if the column is empty, the service is stopped. Also look at the Startup type column. In a healthy state it should say Automatic; if it says Disabled, the service is not started when the system boots.
  3. To fix this, open the service properties by double-clicking its name.
  4. A window opens. Click the Startup type field.
  5. Select Automatic from the drop-down list.
  6. Click Apply and OK.
  7. Back in the Services console, select Windows Event Log and click Start in the left part of the window.
  8. The service has started. Now the Status column shows Started and the Startup type column shows Automatic. The log can now be opened in any of the ways described above.
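The service check described here (and in the earlier article's Services section) is a few lines in PowerShell, which is useful when the console itself cannot be reached, for example over a remote session. The block below is an added example, not part of either article. It reads the status and startup type of the EventLog service (display name Windows Event Log), sets the startup type to Automatic if needed, starts the service, and waits for it to report Running. It assumes an elevated Windows PowerShell prompt; Get-WmiObject is used because Get-Service does not expose the startup type in Windows PowerShell 5.1 and earlier. The function name Repair-EventLogService is the example's own.

```powershell
# Added example: check and repair the Windows Event Log service from PowerShell.
function Repair-EventLogService {
    $svc = Get-Service -Name EventLog
    # Startup type comes from WMI; StartMode is Auto, Manual or Disabled.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='EventLog'"
    "Before: Status={0}, StartMode={1}" -f $svc.Status, $wmi.StartMode

    # A Disabled service cannot be started, so fix the startup type first.
    if ($wmi.StartMode -ne 'Auto') {
        Set-Service -Name EventLog -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name EventLog
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    $svc.Refresh()
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='EventLog'"
    "After:  Status={0}, StartMode={1}" -f $svc.Status, $wmi.StartMode
    return ($svc.Status -eq 'Running' -and $wmi.StartMode -eq 'Auto')
}

Repair-EventLogService
```

A stopped or disabled Windows Event Log service means nothing is being recorded, so a defender's checklist should treat an unexpected Disabled startup type here as something to investigate, not just to fix.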

There are quite a few ways to open the event log in Windows 7. The most convenient and popular are through the Control Panel, the Run dialog, or the Start menu search field. For quick access you can create a shortcut on the Desktop. Sometimes there are problems starting the Event Viewer window; then you need to check whether the corresponding service is running.


Event logs in Windows 7

In Windows 7, as in Windows Vista, there are two categories of event logs: Windows logs and application and service logs. Windows logs are used by the operating system to record system-wide events related to applications, system components, security and startup. Application and service logs are used by individual applications and services to record events related to their own operation. Event logs can be managed with the "Event Viewer" snap-in or with the wevtutil command-line program, which is covered in the second part of the article. All log types are described below:

Application - stores important events related to a specific application. For example, Exchange Server stores events related to mail forwarding, including events for the information store, mailboxes, and running services. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Application.Evtx.

Security - stores security-related events such as logon/logoff, privilege use, and resource access. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Security.Evtx.

Setup - records events that occur during the installation and configuration of the operating system and its components. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Setup.Evtx.

System - stores events of the operating system or its components, such as failures to start services or initialize drivers, system-wide messages and other messages related to the system as a whole. By default it is stored in %SystemRoot%\System32\Winevt\Logs\System.Evtx.

Forwarded Events - if event forwarding is configured, this log contains events forwarded from other computers. By default it is stored in %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.Evtx.

Internet Explorer - records events that occur while configuring and using the Internet Explorer browser. By default it is stored in %SystemRoot%\System32\Winevt\Logs\InternetExplorer.Evtx.

Windows PowerShell - records events related to the use of PowerShell. By default it is stored in %SystemRoot%\System32\Winevt\Logs\WindowsPowerShell.Evtx.

Hardware Events - if hardware event logging is configured, events generated by devices are recorded in this log. By default it is stored in %SystemRoot%\System32\Winevt\Logs\HardwareEvents.Evtx.

In Windows 7, as in Windows Vista, the event logging infrastructure is based on XML. Every event conforms to an XML schema, so the XML of any event can be examined, and XML-based queries can be used to retrieve data from the logs. No knowledge of XML is required to use these features: the "Event Viewer" snap-in provides a simple graphical interface for them.
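What such an XML query looks like, and how the XML behind a single event can be read, as an added example that is not part of the original article. The query text has the same form Event Viewer builds on the "XML" tab of "Filter Current Log"; it selects event ID 6005 (the "event log service has been started" event used as the example later in this article) from the System log. The 30-day window and the sample output fields are choices made for this example.

```powershell
# Added example, not from the article: a structured XML query of the kind the
# article mentions, run with Get-WinEvent. It selects event ID 6005 from the
# provider "EventLog" in the System log, limited to the last 30 days
# (timediff is in milliseconds: 30 * 24 * 3600 * 1000 = 2592000000).
$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='EventLog'] and EventID=6005 and
        TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $events) { "No matching events in the last 30 days." }

foreach ($e in $events) {
    '{0}  Id={1}  {2}' -f $e.TimeCreated, $e.Id, $e.Message

    # Each event is stored as XML. ToXml() returns the text Event Viewer shows on
    # the "Details" tab in XML view; provider, time and computer sit in <System>.
    $x = [xml]$e.ToXml()
    '  Provider   : ' + $x.Event.System.Provider.Name
    '  SystemTime : ' + $x.Event.System.TimeCreated.SystemTime
    '  Computer   : ' + $x.Event.System.Computer
    '  RecordId   : ' + $x.Event.System.EventRecordID
}
```

The same `<QueryList>` text can be pasted into Event Viewer's filter dialog or passed to `wevtutil qe System /q:"..."`, so a filter written once can be reused in the GUI, in scripts and in subscriptions.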

Event Properties

Each event in the "Event Viewer" snap-in has several properties, described in detail below:

Source is the program that logged the event. This can be the name of a program (for example, "Exchange Server") or the name of a system component or large application (for example, the name of a driver). For example, "Elnkii" indicates the EtherLink II driver.

Event ID is a number that identifies a specific type of event. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event Log service starts, so the description of that event begins with the line "The event log service has been started." Product support staff can use the event ID and source name to troubleshoot problems.

Level - the importance of the event. In the System and Application logs, events can have the following levels:

  • Information - denotes a change in an application or component, such as an informational event associated with a successful action, the creation of a resource, or the start of a service;
  • Warning - indicates a general warning about a problem that could affect service or lead to a more serious problem if left unattended;
  • Error - indicates that a problem has occurred that may affect functions outside the application or component that raised the event;
  • Critical - indicates that a failure has occurred from which the application or component that raised the event cannot recover automatically;
  • Audit Success - successful execution of an action you monitor through auditing, such as the use of a privilege;
  • Audit Failure - failure of an action you monitor through auditing, such as a failed logon.

User - the user account on whose behalf the event occurred. Users include special entities such as Local Service, Network Service, and Anonymous Logon, as well as real user accounts. This name is the client identifier if the event was actually raised by a server process, or the primary identifier if no impersonation is performed. In some cases a Security log entry contains both IDs. The field may also contain N/A if no account applies in this situation. Impersonation occurs when a server allows one process to take on the security attributes of another process.

Opcode - a numeric value that identifies the operation, or the point within the operation, at which the event occurred, for example initialization or closing.

Log - the name of the log in which the event was recorded.

Task Category - an event category, sometimes used to further describe the related action. Each event source defines its own categories; examples are logon/logoff, privilege use, policy change, and account management.

Keywords - a set of categories or tags that can be used to filter or search for events. For example: "Network", "Security" or "Resource not found".

Computer - the name of the computer on which the event occurred. This is usually the name of the local computer, but it can also be the name of the computer that forwarded the event, or the name the local computer had before it was renamed.

Logged - the date and time at which the event was recorded in the log.

Process ID - the identification number of the process that generated the event. A computer program is only a passive set of instructions, while a process is the actual execution of those instructions.

Thread ID - the identification number of the thread that generated the event. A process created by the operating system can consist of several threads running "in parallel", that is, with no prescribed order in time. For some tasks such a division makes more efficient use of computer resources.

Processor ID - the identification number of the processor that processed the event.

Session ID - the identification number of the terminal server session in which the event occurred.

Kernel Time - the time spent executing kernel-mode instructions, in CPU time units. Kernel mode has unrestricted access to system memory and external devices. The NT kernel is described as a hybrid kernel or macrokernel.

User Time - the time spent executing user-mode instructions, in CPU time units. User mode consists of subsystems that pass I/O requests to the appropriate kernel-mode driver through the I/O manager.

Processor Time - the time spent executing user-mode instructions, in CPU ticks.

Correlation ID - identifies the activity in the process to which the event belongs. This ID is used to express simple relationships between events. Correlation is a statistical relationship between two or more random variables (or values that can be treated as such with some acceptable degree of accuracy), in which changes in one or more of these quantities lead to a systematic change in the others.

Relative Correlation ID - identifies a related activity in the process to which the event belongs.
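The properties listed above as they appear on an event object read with Get-WinEvent, as an added example that is not part of the original article. The EventLogRecord property names are real; Processor ID, Session ID and the three time fields are not exposed as properties of that object, so the example reads them from the event's XML, where the `<Execution>` element carries them only when the provider supplies them (for most events they are absent and print empty).

```powershell
# Added example, not from the article: read the newest Application log event and
# print each property the article describes beside its Event Viewer label.
$e    = Get-WinEvent -LogName Application -MaxEvents 1
$exec = ([xml]$e.ToXml()).Event.System.Execution    # <Execution ProcessID=".." ThreadID=".." .../>

# "User": resolve the SID to an account name, fall back to the raw SID, or N/A
$user = 'N/A'
if ($e.UserId) {
    try   { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $user = $e.UserId.Value }   # SID that cannot be resolved on this machine
}

[ordered]@{
    'Source'                 = $e.ProviderName
    'Event ID'               = $e.Id
    'Level'                  = '{0} ({1})' -f $e.Level, $e.LevelDisplayName
    'User'                   = $user
    'Opcode'                 = '{0} ({1})' -f $e.Opcode, $e.OpcodeDisplayName
    'Log'                    = $e.LogName
    'Task Category'          = '{0} ({1})' -f $e.Task, $e.TaskDisplayName
    'Keywords'               = ($e.KeywordsDisplayNames -join ', ')
    'Computer'               = $e.MachineName
    'Logged'                 = $e.TimeCreated
    'Process ID'             = $e.ProcessId
    'Thread ID'              = $e.ThreadId
    'Processor ID'           = $exec.ProcessorID      # only present in some events' XML
    'Session ID'             = $exec.SessionID
    'Kernel Time'            = $exec.KernelTime
    'User Time'              = $exec.UserTime
    'Processor Time'         = $exec.ProcessorTime
    'Correlation ID'         = $e.ActivityId
    'Related Correlation ID' = $e.RelatedActivityId
}
```

Filtering on these properties is how the "Filter Current Log" dialog works underneath; for example `Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005 }` selects by Event ID exactly as the dialog's "Event IDs" field does.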

Working with event logs

Event Viewer

The next screenshot shows the "Application" log, where you can find information about events, recent views, and available actions. To view Application log events, follow these steps:

  1. In the console tree, select "Windows Logs";
  2. Select the "Application" log.

It is advisable to review the "Application" and "System" logs regularly and examine existing problems and warnings that may foreshadow future trouble. When you select a log, the middle pane lists the available events, including each event's date, time, source, level, and other details.

The "Preview pane" shows basic event data on the "General" tab and additional, event-specific data on the "Details" tab. You can turn this pane on and off by selecting the "View" menu and then the "Preview pane" command.

For critical systems, it is recommended to keep logs going back several months. It is usually impractical to keep enlarging the logs so that all of that information fits in them; the problem is better solved another way: logs can be exported to files in a folder of your choice. To save the selected log, follow these steps:

  1. In the console tree, select the event log you want to save;
  2. Select the "Save Events As" command from the "Action" menu, or select "Save All Events As" from the log's context menu;
  3. In the "Save As" dialog that appears, select the folder where the file should be saved. If you need to save the file in a new folder, you can create it directly from this dialog using the context menu or the "New folder" button on the action bar. In the "File type" field select the desired format from those available: event files (*.evtx), XML file (*.xml), tab-delimited text (*.txt), or comma-separated CSV (*.csv). In the "File name" field enter a name and click the "Save" button. To cancel saving, click "Cancel";
  4. If the saved log is not going to be viewed on another computer, leave the default "No display information" option in the "Display information" dialog; if it is going to be viewed on another computer, select "Display information for the following languages" and click "OK".

Clearing the event log

Sometimes it is necessary to clear full event logs to ensure effective analysis of warnings and critical operating system errors. To clear the selected log, follow these steps:

  1. In the console tree, select the event log that you want to clear;
  2. Clear the log using one of the following methods:
    • On the "Action" menu, select the "Clear Log" command;
    • Right-click the selected log to open its context menu and select the "Clear Log" command;
  3. Next, either clear the log or archive it first if this has not been done already:
    • To clear the event log without saving it, click the "Clear" button;
    • To save the event log before clearing it, click the "Save and Clear" button. In the "Save As" dialog that appears, select the folder where the file should be saved. If you need to save the file in a new folder, you can create it directly from this dialog using the context menu or the "New folder" button on the action bar. In the "File name" field enter a name and click the "Save" button. To cancel saving, click "Cancel".
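Both actions from step 3, "Save and Clear" and "Clear", done with wevtutil, the command-line tool the article names. This is an added example, not part of the original article; the folder C:\EventLogArchive and the logs chosen are assumptions for the example, and it must run from an elevated prompt.

```powershell
# Added example, not from the article: "Save and Clear" and "Clear" with wevtutil.
$archive = 'C:\EventLogArchive'          # assumed archive folder for this example
New-Item -ItemType Directory -Path $archive -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# "Save and Clear": /bu writes a backup .evtx first, then the log is emptied
wevtutil cl Application /bu:"$archive\Application-$stamp.evtx"

# "Clear" without saving (quotes keep the log name with a space as one argument)
wevtutil cl 'Windows PowerShell'

# Confirm: RecordCount drops to zero (a few new events may already have arrived),
# and the backup file reads back like any saved log
Get-WinEvent -ListLog Application, 'Windows PowerShell' |
    Select-Object LogName, RecordCount, LogFilePath
(Get-WinEvent -Path "$archive\Application-$stamp.evtx" -MaxEvents 1).TimeCreated
```

Clearing is itself recorded: emptying the Security log writes event ID 1102 ("The audit log was cleared") into the Security log, and clearing any other log writes event ID 104 from Microsoft-Windows-Eventlog into the System log, both with the account that performed it. When reviewing logs, a clear event without a matching backup file is worth a question.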

Setting the maximum log size

As mentioned above, event logs are stored as files in the %SystemRoot%\System32\Winevt\Logs\ folder. By default, the maximum size of these files is limited, but you can change it in the following way:

  1. Select the "Properties" command from the "Action" menu;
  2. In the "Maximum log size (KB)" field set the required value, either with the spin control or by typing it in. The value is rounded to the nearest multiple of 64 KB, because the log file size must be a multiple of 64 KB and cannot be less than 1024 KB.

Events are stored in a log file that can only grow up to a specified maximum size. Once the file reaches its maximum size, processing of incoming events will be determined by the log retention policy. The following log retention policies are available:

Overwrite events as needed (oldest events first) - new entries continue to be written to the log after it is full; each new event replaces the oldest one in the log;

Archive the log when full, do not overwrite events - the log file is archived automatically when it fills up; old events are not overwritten;

Do not overwrite events (clear logs manually) - the log is cleared manually, never automatically.

To select the desired log retention policy, follow these steps:

  1. In the console tree, select the event log whose policy you want to change;
  2. Select the "Properties" command from the "Action" menu or from the context menu of the selected log;
  3. On the "General" tab, in the "When maximum event log size is reached" section, select the required option and click "OK".

Activating the analytical and debug log

Analytical and debug logs are inactive by default. Once activated, they quickly fill up with a large number of events. For this reason, it is advisable to enable these logs for a limited period of time to collect the data needed for troubleshooting, and then disable them again. You can activate logs as follows:

  1. In the console tree, find and select the analytical or debug log that you want to activate;
  2. Select the "Properties" command from the "Action" menu or from the context menu of the selected analytic or debug log;
  3. On the "General" tab, check the "Enable logging" box.
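The settings from "Setting the maximum log size", the three retention policies, and "Activating the analytical and debug log", applied with `wevtutil sl` (set-log) instead of the Properties dialog. This is an added example, not from the original article; the sizes are example values, and the analytic log name is an assumption that may not exist on every system (list the available ones with `wevtutil el`). Run elevated.

```powershell
# Added example, not from the article: log size, retention policy and
# analytic/debug log enabling with wevtutil sl, then verification with
# Get-WinEvent -ListLog.

# Maximum size in bytes; wevtutil applies the 64 KB rounding the article describes.
wevtutil sl Application /ms:67108864          # 64 MB

# Retention policy is expressed with /rt (retention) and /ab (auto-backup):
#   Overwrite events as needed          -> /rt:false            (LogMode: Circular)
#   Archive the log when full           -> /rt:true  /ab:true   (LogMode: AutoBackup)
#   Do not overwrite (clear manually)   -> /rt:true  /ab:false  (LogMode: Retain)
wevtutil sl Application /rt:true /ab:true     # archive when full, as an example

# Analytic and debug logs are off by default and fill quickly; enable one only
# while reproducing a problem, then turn it off again.
$analytic = 'Microsoft-Windows-Kernel-EventTracing/Analytic'   # assumed to exist; check wevtutil el
wevtutil sl $analytic /e:true
# ... reproduce the problem here ...
wevtutil sl $analytic /e:false

# Verify: MaximumSizeInBytes, LogMode and IsEnabled reflect the settings above
Get-WinEvent -ListLog Application, $analytic |
    Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled
```

Because these values are stored per log in the registry and in the .evtx header, the same `wevtutil sl` lines can be run on many machines from a script, which is how a consistent retention policy is usually kept across a fleet.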

Opening and closing a saved journal

With the "Event Viewer" snap-in you can open and view previously saved logs. You can open several saved logs at the same time and reach them at any time in the console tree. A log opened in "Event Viewer" can be closed without deleting the information it contains. To open a saved log, follow these steps:

  1. Select the "Open Saved Log" command on the "Action" menu or from the context menu in the console tree;
  2. In the "Open Saved Log" dialog box, navigate the directory tree to the folder containing the required file. By default the dialog shows all event log files; you can also choose which file types to display. The available types are event log files (*.evtx, *.evt, *.etl), event files (*.evtx), legacy event files (*.evt), and trace log files (*.etl). Once you have found the log file, left-click it to place its name in the file name field, then click the "Open" button;
  3. In the "Open Saved Log" dialog, in the "Name" field, enter a new name to use for the log in the console tree. It is used only to display the log in the console tree and does not change the log file name; you can also keep the existing file name. In the "Description" field enter a description for the log. It is displayed in the central pane when the parent log folder is selected in the console tree;
  4. To create a folder for the saved log, click the "Create Folder" button. In the "Name" field enter the name of the folder in which the opened log will be placed, then click "OK". If no parent folder is selected, the new folder is placed under "Saved Logs";
  5. To make the opened event log inaccessible to other users of the computer, uncheck "All users". If this box stays checked, the opened log is available to all users, but administrator rights are required to remove it from the console tree;
  6. To open the log, click the "OK" button.
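The "Save Events As" and "Open Saved Log" round trip from the command line, as an added example that is not part of the original article: export a log with `wevtutil epl`, attach the message resources with `wevtutil al` (the counterpart of the "Display information for the following languages" option), write a CSV of selected events, then read the saved .evtx back with `Get-WinEvent -Path`. The folder C:\EventLogArchive and the file names are assumptions for this example.

```powershell
# Added example, not from the article: export a log, archive it with locale
# metadata, and reopen the saved file.
$archive = 'C:\EventLogArchive'          # assumed archive folder for this example
New-Item -ItemType Directory -Path $archive -Force | Out-Null
$file = Join-Path $archive ('System-{0}.evtx' -f (Get-Date -Format 'yyyyMMdd'))

# "Save All Events As" in .evtx form: the file keeps the XML of every event.
# /ow:true overwrites a file of the same name from an earlier run today.
wevtutil epl System $file /ow:true

# "Display information for the following languages": store the English message
# strings next to the file (a LocaleMetaData folder) so another computer can
# render the event text even without the providers installed.
wevtutil al $file /l:en-US

# The "comma-separated CSV" option, here limited to Error-level (Level 2) events
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
    Export-Csv -Path (Join-Path $archive 'System-errors.csv') -NoTypeInformation

# "Open Saved Log": -Path treats the file like a live log, so the same filters apply
Get-WinEvent -Path $file -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName, Message
```

The .evtx export is the one to keep for later analysis: CSV and text exports lose the per-event XML, while a saved .evtx can still be filtered, queried with XML, and opened on another computer exactly as described above.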

To delete an open log from the event tree, follow these steps:

  1. In the console tree, select the log to be deleted;
  2. Select the "Delete" command from the "Action" menu or from the context menu of the selected log;
  3. In the "Event Viewer" dialog, click the "Yes" button.

Conclusion

This part of the article, devoted to the Event Viewer snap-in, introduces the snap-in itself and describes in detail the basic operations involved in monitoring and maintaining the system with it. The next part is intended for experienced Windows users and covers custom views, filtering, grouping and sorting events, and managing subscriptions.
