Create your own Windows events in the log. Using Windows Audit to track user activity


When working with automated scripts, scheduled tasks, or your own applications, you may want them to write their own events to the Windows logs. For example, when a script runs normally, you want to record an information event in the Application log so that you can easily determine later whether the script executed and completed normally. Conversely, if the script does not work and errors occur during its execution, you may want to store an error or warning event in the log; then you will know to analyze the script and find out what happened.

Your own events are created with the Eventcreate utility. You can write custom events to any available log except the Security log. Such events may contain a source, an event code and the necessary description. Eventcreate syntax:

eventcreate /l LogName /so EventSource /t EventType /id EventCode /d EventDescription

  1. LogName - the name of the log in which to record the event; if it contains spaces, enclose it in quotation marks, for example "DNS Server".
  2. EventSource - indicates the source of the event and can be any string. If the string contains spaces, enclose it in quotation marks, for example "Event Tracker". In most cases the source indicates the application, job, or script that caused the error.
  3. EventType - specifies the event type. It can take the values Information, Warning or Error. The "Success Audit" and "Failure Audit" event types are not applicable because they are used in the Security log, which cannot record custom events.
  4. EventCode - the numeric code of the event. It can be any value from 1 to 1000. Rather than assigning IDs at random, it is better to make a list of the common events that can occur and break it down into categories. Each category can then be assigned its own range of event codes. For example, events in the first hundred may be general, in the second - status events, in the fifth - warnings, and in the ninth - errors.
  5. EventDescription - specifies a description of the event and can be any string. Don't forget to enclose the string in quotes.

Using Eventcreate with a few examples

  • Create an information event in the Application log with the source Event Tracker and event code 209:
    eventcreate /l "application" /t information /so "Event Tracker" /id 209 /d "evs.bat script ran without errors."
  • Create a warning event in the System log with the source CustApp and event code 511:
    eventcreate /l "system" /t warning /so "CustApp" /id 511 /d "sysck.exe didn't complete successfully."
  • Create an error event in the System log on the computer MAIL with the source SysMon and event code 918:
    eventcreate /s Mail /l "system" /t error /so "SysMon" /id 918 /d "sysmon.exe was unable to verify write operation."
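The following script is an added example, not code from the original article: it wraps a scheduled job in Windows PowerShell and records its outcome with eventcreate.exe, using the category-based code ranges suggested above (1xx general, 2xx status, 5xx warnings, 9xx errors). The source name "Event Tracker", the script path C:\Scripts\evs.bat and the ten-minute threshold are assumptions.

```powershell
# Added example (not from the original article): run a job and record its
# outcome in the Application log with eventcreate.exe.
# The source name and the script path below are assumptions.

$Source = 'Event Tracker'          # event source shown in the Application log
$Script = 'C:\Scripts\evs.bat'     # hypothetical job to run

# Event codes grouped by category, as the article recommends
$EventId = @{
    JobStarted  = 101   # general
    JobFinished = 201   # status
    JobSlow     = 501   # warning
    JobFailed   = 901   # error
}

function Write-TrackerEvent {
    param(
        [ValidateSet('INFORMATION', 'WARNING', 'ERROR')] [string]$Type,
        [ValidateRange(1, 1000)] [int]$Id,        # eventcreate accepts IDs 1..1000 only
        [string]$Description
    )
    # eventcreate cannot write to the Security log; Application is used here
    & eventcreate.exe /l APPLICATION /t $Type /so $Source /id $Id /d $Description | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "eventcreate failed (exit code $LASTEXITCODE) while logging event $Id"
    }
}

Write-TrackerEvent -Type INFORMATION -Id $EventId.JobStarted -Description "Starting $Script"
$sw = [System.Diagnostics.Stopwatch]::StartNew()

try {
    & cmd.exe /c $Script
    $exit = $LASTEXITCODE
    $sw.Stop()

    if ($exit -eq 0) {
        Write-TrackerEvent -Type INFORMATION -Id $EventId.JobFinished `
            -Description "$Script completed without errors in $([int]$sw.Elapsed.TotalSeconds) s"
    }
    else {
        # A non-zero exit code is the signal to go and analyze the script
        Write-TrackerEvent -Type ERROR -Id $EventId.JobFailed `
            -Description "$Script exited with code $exit"
    }

    # A run that took longer than expected is worth a warning even if it succeeded
    if ($sw.Elapsed.TotalMinutes -gt 10) {
        Write-TrackerEvent -Type WARNING -Id $EventId.JobSlow `
            -Description "$Script took $([int]$sw.Elapsed.TotalMinutes) minutes"
    }
}
catch {
    Write-TrackerEvent -Type ERROR -Id $EventId.JobFailed -Description "Could not start ${Script}: $_"
}
```

Because each category has its own ID range, a later filter on the Application log can select, for example, only IDs 900-999 from this source to find failed runs without reading the whole log.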

As you know, most "normal" applications record their events in the Windows Application event log. This is a good place to store and view application events centrally, but when you need to log events from a specific application in this log, the large number and excessive detail of events often make working with the standard Windows Application log very inconvenient. In this case it is convenient to create a separate event log for the application and configure its own parameters, such as log size, filters and so on, while the standard Application log is used as usual without being clogged with unnecessary information. The Windows family of operating systems has a facility for creating your own event log.

First let's create a new log file. This can be done through the registry. Launch the registry editor regedit and go to the branch:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog

Right-click the Eventlog node and create a new key (New > Key).

The key name in this case will also be the name of the new log. By default the new log (an .evt file) is created here:

C:\WINDOWS\System32\Config\New Key #1.evt

You can rename it by changing the string value in the registry as you wish.

Next, you need to add event sources for the new log. Create a new Multi-String value named "Sources" and list in it the names of all applications that will use this log (each application on a new line).

Next, you need to transfer your application associations from the standard Application log to your new log. Expand the "Application" branch located at:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application

and copy all the subkeys that relate to the applications you are interested in into the new registry branch of the new log:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\CustomLog

Because copy/paste does not work in the registry editor, the subkeys can be re-created manually (if there are few of them), or transferred by exporting and importing registry branches with manual editing of the .reg file. Make sure that after the transfer you delete the registry keys of your applications from the Application branch, otherwise Windows will not know that events should be written to the new log. If you are using a new event source for the log, you will need to create a DWORD value named CustomSource with a value of 1.

In my example I created my own .NET 2.0 application and want it to write events to the log we created. To do this, I create a new registry value, EventMessageFile, and set it to the path of the .NET 2.0 event message library:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll

Then you need to restart Windows; after the system boots you will see the new event log in Event Viewer. If your application for some reason does not write events to the new log, you can test the log manually by opening a command prompt and changing to the directory:

CD C:\WINDOWS\system32

Then type:

Eventcreate /l CustomLog /t Information /so Application1 /id 1 /d "Test message"

If you did everything correctly, a message appears saying that the event was successfully recorded in the log; otherwise you get an error message explaining the reason.

A small update to the article based on readers' letters:

The instructions above for creating your own log are focused on Microsoft's server operating systems. A more general method, which should work on most Windows versions, is the following (the registry paths and keys differ):

Create a new key in the registry (the key name is the name of the log being created). The path to the created key will be:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\NewEventLog

In it you need to create the following values:

  • "AutoBackupLogFiles" - DWORD, whether to create log backups (0 - do not create)
  • "MaxSize" - DWORD, maximum log size in bytes; the value must be a multiple of 64 KB
  • "Retention" - DWORD, how long records are kept when the log overflows
  • "File" - REG_EXPAND_SZ, a string containing the path to the log file on disk, for example %SystemRoot%\System32\config\NewEventLog.evt
  • "Sources" - REG_MULTI_SZ, the list of event sources whose events should go into this log, each source on a new line
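The script below is an added example, not code from the original article: it creates the registry structure just described (and the per-source EventMessageFile value from the earlier walkthrough) with Windows PowerShell instead of regedit, validating the 64 KB rule for MaxSize along the way. The log name "NewEventLog", the source "Application1", the 16 MB limit and the .NET 2.0 message DLL path are taken from the article's examples and are assumptions; the log file is placed under winevt\Logs, where Windows 7 keeps its logs. It must run from an elevated prompt.

```powershell
# Added example (not from the original article): create a custom event log
# through the registry values listed above, then verify it.
# Log name, source, size and DLL path are assumptions for illustration.

$LogName = 'NewEventLog'
$Sources = @('Application1')
$LogKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# MaxSize must be a multiple of 64 KB; 16 MB = 256 * 65536, so it qualifies
$MaxSizeBytes = 16MB
if ($MaxSizeBytes % 64KB -ne 0) { throw 'MaxSize must be a multiple of 64 KB' }

if (-not (Test-Path $LogKey)) { New-Item -Path $LogKey | Out-Null }

# Log settings (value names and types as listed in the article)
New-ItemProperty -Path $LogKey -Name 'MaxSize'            -PropertyType DWord -Value $MaxSizeBytes -Force | Out-Null
New-ItemProperty -Path $LogKey -Name 'AutoBackupLogFiles' -PropertyType DWord -Value 0             -Force | Out-Null
# Retention: 0 = overwrite events as needed, 0xFFFFFFFF = never overwrite (clear manually)
New-ItemProperty -Path $LogKey -Name 'Retention'          -PropertyType DWord -Value 0             -Force | Out-Null
New-ItemProperty -Path $LogKey -Name 'File' -PropertyType ExpandString `
    -Value "%SystemRoot%\System32\winevt\Logs\$LogName.evtx" -Force | Out-Null
# The log name itself is listed as a source too, as the New-EventLog cmdlet does
New-ItemProperty -Path $LogKey -Name 'Sources' -PropertyType MultiString `
    -Value (@($LogName) + $Sources) -Force | Out-Null

# One subkey per source; EventMessageFile points to the generic .NET message library
$MessageDll = "$env:SystemRoot\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
foreach ($src in $Sources) {
    $srcKey = Join-Path $LogKey $src
    if (-not (Test-Path $srcKey)) { New-Item -Path $srcKey | Out-Null }
    New-ItemProperty -Path $srcKey -Name 'EventMessageFile' -PropertyType ExpandString -Value $MessageDll -Force | Out-Null
    # TypesSupported 7 = Error (1) + Warning (2) + Information (4)
    New-ItemProperty -Path $srcKey -Name 'TypesSupported' -PropertyType DWord -Value 7 -Force | Out-Null
}

# The log appears after the Event Log service restarts (the article reboots;
# 'Restart-Service EventLog -Force' also works). Then verify it is registered:
Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue |
    Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled
```

Once the service has restarted, the manual test from the article (Eventcreate /l NewEventLog /so Application1 ...) should succeed; if Get-WinEvent -ListLog prints nothing, re-check the Sources value and the key name, since the key name is the log name.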

The Windows 7 operating system constantly monitors various noteworthy events that occur on your system. In Microsoft Windows, an event is any incident in the operating system that is logged or requires notification of users or administrators. This could be a service that does not want to start, a device installation, or an application error. Events are recorded and stored in the Windows event logs and provide important historical information that helps you monitor the system, maintain its security, troubleshoot errors and perform diagnostics. The information contained in these logs should be reviewed regularly: monitor the event logs and configure the operating system to save important system events. If you are an administrator of Windows servers, you need to monitor the security of those systems, the normal operation of applications and services, and check the servers for errors that could degrade performance. If you are a personal computer user, you should make sure that you have access to the logs you need to support your system and troubleshoot errors.

The "Event Viewer" program is a Microsoft Management Console (MMC) snap-in designed for viewing and managing event logs. It is an indispensable tool for monitoring system performance and troubleshooting problems. The Windows service that controls event logging is called "Event Log"; if it is running, Windows writes important data to the logs. Using "Event Viewer" you can do the following:

  • View events from specific logs;
  • Apply event filters and save them for later use as custom views;
  • Create and manage event subscriptions;
  • Assign specific actions to be performed when a specific event occurs.

Launching Event Viewer

The "Event Viewer" application can be opened in the following ways:

Fig.1. Event Viewer Window

Event logs in Windows 7

In the Windows 7 operating system, as in Windows Vista, there are two categories of event logs: Windows logs and Applications and Services logs. Windows logs are used by the operating system to record system-wide events related to the operation of applications, system components, security and startup. Applications and Services logs are used by applications and services to record events related to their operation. You can manage event logs with the "Event Viewer" snap-in or with the command-line program wevtutil, which will be discussed in the second part of the article. All log types are described below:

Application - stores important events related to a specific application. For example, Exchange Server stores events related to mail forwarding, including events of the information store, mailboxes and running services. By default it is located in %SystemRoot%\System32\Winevt\Logs\Application.Evtx.

Security - stores security-related events such as logon/logoff, privilege use and resource access. By default it is located in %SystemRoot%\System32\Winevt\Logs\Security.Evtx.

Setup - this log records events that occur during installation and configuration of the operating system and its components. By default it is located in %SystemRoot%\System32\Winevt\Logs\Setup.Evtx.

System - stores events of the operating system or its components, such as failures to start services or initialize drivers, system-wide messages and other messages related to the system as a whole. By default it is located in %SystemRoot%\System32\Winevt\Logs\System.Evtx.

Forwarded Events - if event forwarding is configured, this log holds events forwarded from other servers. By default it is located in %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.Evtx.

Internet Explorer - this log records events that occur during setup and use of the Internet Explorer browser. By default it is located in %SystemRoot%\System32\Winevt\Logs\InternetExplorer.Evtx.

Windows PowerShell - this log records events related to the use of PowerShell. By default it is located in %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.Evtx.

Hardware Events - if hardware event logging is configured, events generated by devices are recorded in this log. By default it is located in %SystemRoot%\System32\Winevt\Logs\HardwareEvents.Evtx.

In Windows 7, as in Windows Vista, the event logging infrastructure is based on XML. Each event's data conforms to an XML schema, so you can view the XML of any event. You can also write XML-based queries to retrieve data from the logs. No knowledge of XML is required to use these features: the "Event Viewer" snap-in provides a simple graphical interface to them.

Event Properties

The "Event Viewer" snap-in shows several event properties, which are described in detail below:

Source - the program that logged the event. This can be either the name of the program (for example, "Exchange Server") or the name of a system component or a large application (for example, a driver name). For example, "Elnkii" means the EtherLink II driver.

Event ID - a number that identifies a specific type of event. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event Log service starts. Accordingly, the description of this event begins with the line "The event log service has been started." The event ID and source name can be used by the software product's support team for troubleshooting.

Level - the importance level of the event. In the System and Application logs, events can have the following severity levels:

  • Information - denotes a change in an application or component, such as an information event associated with a successful action, the creation of a resource, or the startup of a service;
  • Warning - indicates a general warning about a problem that could affect service or lead to a more serious problem if left unattended;
  • Error - indicates that a problem has occurred that may affect functions external to the application or component that caused the event;
  • Critical - indicates that a failure has occurred from which the application or component that initiated the event cannot recover automatically;
  • Audit Success - successful execution of an action that you monitor through auditing, such as the use of a privilege;
  • Audit Failure - failure of an action that you monitor through auditing, such as a failed logon.

User - the user account on whose behalf the event occurred. Users include special entities such as Local Service, Network Service and Anonymous Logon, as well as real user accounts. This name is the client identifier if the event was actually raised by a server process, or the primary identifier if no impersonation is performed. In some cases the Security log entry contains both IDs. This field may also contain N/A if no account is applicable in the situation. Impersonation occurs when a server allows one process to take on the security attributes of another process.

Opcode - a numeric value that identifies the operation, or the point within the operation, during which the event occurred, for example initialization or closing.

Log - the name of the log in which the event was recorded.

Task Category - an event category, sometimes used to further describe the action involved. Each event source has its own categories, for example: logon/logoff, privilege use, policy change and account management.

Keywords - a set of categories or tags that can be used to filter or search for events, for example "Network", "Security" or "Resource not found".

Computer - the name of the computer on which the event occurred. Usually this is the name of the local computer, but it can also be the name of the computer that forwarded the event, or the name of the local computer before it was changed.

Date and Time - the date and time at which the event was written to the log.

Process ID - the identification number of the process that generated the event. A program is only a passive set of instructions, while a process is the actual execution of those instructions.

Thread ID - the identification number of the thread that generated the event. A process running in an operating system can consist of several threads running "in parallel", that is, without a prescribed order in time. For some tasks this division makes more efficient use of computer resources.

Processor ID - the identification number of the processor that processed the event.

Session ID - the identification number of the terminal server session in which the event occurred.

Kernel Time - the time spent executing kernel-mode instructions, in CPU time units. Kernel mode has unrestricted access to system memory and external devices. The NT kernel is called a hybrid kernel or macrokernel.

User Time - the time spent executing user-mode instructions, in CPU time units. User mode consists of subsystems that pass I/O requests to the appropriate kernel-mode driver through the I/O manager.

Processor Time - the time spent executing user-mode instructions, in CPU ticks.

Correlation ID - identifies the activity in the process for which the event is used. This ID is used to indicate simple relationships between events. (Correlation in general is a statistical relationship between two or more random variables, or values that can be treated as such with an acceptable degree of accuracy, in which changes in one or more of these quantities lead to a systematic change in the others.)

Relative Correlation ID - identifies a related activity in the process for which the event is used.
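As an added example that is not part of the original article, the function below ties the XML query facility mentioned earlier to the properties just listed: it runs the same kind of XPath that Event Viewer builds under Filter Current Log > XML and maps each record's fields to the property names above. It assumes the "Event Tracker" source and the 9xx error code range from the first part of the article; both are assumptions about how a job would be logged.

```powershell
# Added example (not from the original article): query a log with XML and
# show the event properties described above. Source name and ID range are
# assumptions borrowed from the eventcreate examples earlier on this page.

function Get-TrackerErrors {
    param(
        [string]$LogName  = 'Application',
        [string]$Provider = 'Event Tracker',
        [int]$Hours       = 24
    )
    $ms = $Hours * 3600 * 1000   # timediff() in the event XPath is in milliseconds

    # Level 1 = Critical, 2 = Error; EventID 900-999 is the article's error range.
    # '<' must be escaped inside XML, so the comparisons use &lt; / &gt;.
    $query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[Provider[@Name='$Provider']
          and (Level=1 or Level=2)
          and (EventID &gt;= 900 and EventID &lt;= 999)
          and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@

    Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue |
        ForEach-Object {
            # One object per event, named after the Event Viewer properties
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated          # Date and Time
                Log         = $_.LogName              # Log
                Source      = $_.ProviderName         # Source
                EventId     = $_.Id                   # Event ID
                Level       = $_.LevelDisplayName     # Level
                Opcode      = $_.OpcodeDisplayName    # Opcode
                Task        = $_.TaskDisplayName      # Task Category
                Keywords    = ($_.KeywordsDisplayNames -join ',')
                Computer    = $_.MachineName          # Computer
                User        = $_.UserId               # User (a SID; $null when N/A)
                ProcessId   = $_.ProcessId            # Process ID
                ThreadId    = $_.ThreadId             # Thread ID
                Correlation = $_.ActivityId           # Correlation ID
                Related     = $_.RelatedActivityId    # Relative Correlation ID
                Message     = $_.Message
            }
        }
}

# Usage: errors written by the tracker source during the last day
Get-TrackerErrors -Hours 24 |
    Format-Table TimeCreated, EventId, Level, Computer, Message -AutoSize
```

Changing the Provider, Level or EventID predicates is all that is needed to turn this into a filter for any other source; the property mapping stays the same because every log, custom ones included, uses the same XML schema.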

Working with event logs

Event Viewer

In the next screenshot you can see the "Application" log, with information about events, recent views and available actions. To view Application log events, follow these steps:

  1. In the console tree, select "Windows Logs";
  2. Select the "Application" log.

It is advisable to review the "Application" and "System" event logs often and study existing problems and warnings that may foreshadow future problems. When you select a log, the middle pane displays the available events, including the event date, time and source, the event level and other details.

The "Preview pane" shows basic event data on the "General" tab, and additional specific data on the "Details" tab. You can turn this pane on and off by selecting the "View" menu and then the "Preview pane" command.

For critical systems it is recommended to keep logs from the last few months. As a rule, it is inconvenient to keep enlarging the logs so that all the information fits in them; the problem can be solved differently: you can export logs to files in a specified folder. To save the selected log, follow these steps:

  1. In the console tree, select the event log you want to save;
  2. Select the "Save Events As" command from the "Action" menu, or "Save All Events As" from the log's context menu;
  3. In the "Save As" dialog that appears, select the folder where the file should be saved. If you need to save the file in a new folder, you can create it directly from this dialog using the context menu or the "New folder" button on the action bar. In the "File type" field, select the desired format from those available: event files - *.evtx, XML file - *.xml, tab-delimited text - *.txt, comma-separated - *.csv. In the "File name" field enter a name and click "Save". To cancel saving, click "Cancel";
  4. If the event log is not intended to be viewed on another computer, leave the default option "Do not display information" in the "Display details" dialog; if the log is intended to be viewed on another computer, select "Display information for the following languages" in that dialog and click "OK".

Clearing the event log

Sometimes it is necessary to clear full event logs so that alerts and critical operating system errors can be analyzed effectively. To clear the selected log, follow these steps:


Setting the maximum log size

As mentioned above, event logs are stored as files in the %SystemRoot%\System32\Winevt\Logs\ folder. By default, the maximum size of these files is limited, but you can change it in the following way:


Events are saved in a log file that can grow only up to a specified maximum size. Once the file reaches its maximum size, the handling of incoming events is determined by the log retention policy. The following retention policies are available:

Overwrite events as needed (oldest events first) - in this case new entries continue to be written to the log after it is full; each new event replaces the oldest one in the log;

Archive the log when full, do not overwrite events - in this case the log file is archived automatically when necessary. Old events are not overwritten.

Do not overwrite events (clear log manually) - in this case the log is cleared manually, not automatically.

To select the desired log retention policy, follow these steps:

  1. In the console tree, select the event log whose size you want to change;
  2. Select the "Properties" command from the "Action" menu or from the context menu of the selected log;
  3. On the "General" tab, in the "When maximum size is reached" section, select the required option and click "OK".
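The script below is an added example, not code from the original article, covering the export, size and retention steps above with wevtutil, the command-line tool the article defers to its second part. It archives a log to a dated .evtx file, embeds the display strings the "Display details" dialog offers, sets the maximum size and one of the three retention policies, and only then clears the live log. The archive folder C:\LogArchive and the 64 MB limit are assumptions; it must run from an elevated prompt.

```powershell
# Added example (not from the original article): archive a log, then apply
# the maximum size and retention policy with wevtutil.exe.
# Archive location and size limit are assumptions.

$LogName    = 'Application'
$ArchiveDir = 'C:\LogArchive'                          # assumed archive folder
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$Archive    = Join-Path $ArchiveDir "$env:COMPUTERNAME-$LogName-$Stamp.evtx"

function Invoke-Wevtutil {
    # Runs wevtutil.exe and stops the script if it reports an error
    param([string[]]$Arguments)
    & wevtutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

# 1. Export in native .evtx form: every field survives and the file reopens in Event Viewer
Invoke-Wevtutil -Arguments 'export-log', $LogName, $Archive

# 2. Embed display strings so the file reads correctly on another computer
#    (what the "Display details" dialog does when saving from the GUI)
Invoke-Wevtutil -Arguments 'archive-log', $Archive, '/l:en-US'

# 3. Maximum size (bytes, a multiple of 64 KB) and the retention policy:
#    /rt:false           -> "Overwrite events as needed"
#    /rt:true /ab:true   -> "Archive the log when full, do not overwrite events"
#    /rt:true /ab:false  -> "Do not overwrite events (clear log manually)"
Invoke-Wevtutil -Arguments 'set-log', $LogName, "/ms:$(64MB)", '/rt:true', '/ab:true'

# 4. Only after a verified backup may the live log be cleared. Clearing is itself
#    logged: a Security clear produces event 1102, clearing any other log produces
#    event 104 in the System log, and both are worth alerting on.
if ((Get-Item $Archive).Length -gt 0) {
    Invoke-Wevtutil -Arguments 'clear-log', $LogName
}

# Show the settings now in effect
Invoke-Wevtutil -Arguments 'get-log', $LogName
```

Scheduled monthly, this keeps the few months of history the text recommends for critical systems without growing the live log without bound, and the 1102/104 events give the monitoring side a way to tell a scheduled clear from an unexpected one.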

Enabling analytic and debug logs

Analytic and debug logs are disabled by default. Once enabled, they quickly fill up with a large number of events. For this reason it is advisable to enable these logs only for a limited period, to collect the data needed for troubleshooting, and then disable them again. You can enable a log as follows:

  1. In the console tree, find and select the analytic or debug log that you want to enable;
  2. Select the "Properties" command from the "Action" menu or from the context menu of the selected analytic or debug log;
  3. On the "General" tab, check the "Enable logging" box.

Opening and closing a saved log

Using the "Event Viewer" snap-in you can open and view previously saved logs. You can open several saved logs at the same time and access them at any time in the console tree. A log opened in "Event Viewer" can be closed without deleting the information it contains. To open a saved log, follow these steps:


To remove an open log from the console tree, do the following:


Conclusion

This part of the article, dedicated to the Event Viewer snap-in, describes the snap-in itself and, in detail, the simplest operations involved in monitoring and maintaining the system with Event Viewer. The next part of the article is intended for experienced Windows users and will cover custom views, filtering, grouping and sorting events, and managing subscriptions.

× Attention!
Log in to your site account or Create it, To obtain full access to our site. Registration will give you the opportunity to add news, comment on articles, communicate with other users and much more.

Other materials

The Windows 7 operating system constantly monitors various noteworthy events that occur on your system. On Microsoft Windows event is any incident in the operating system that is logged or requires notification to users or administrators. This could be a service that doesn't want to start, a device installation, or an application error. Events are recorded and stored in the Windows event logs and provide important historical information that helps you monitor your system, maintain system security, troubleshoot errors, and perform diagnostics. The information contained in these logs should be reviewed regularly. You should regularly monitor event logs and configure your operating system to save important system events. If you are an administrator of Windows servers, you need to monitor the security of their systems, the normal operation of applications and services, and also check the server for errors that can impair performance. If you are a personal computer user, you should make sure that you have access to the appropriate logs you need to support your system and troubleshoot errors.

Program "Event Viewer" is a Microsoft Management Console (MMC) snap-in for viewing and managing event logs. This is an indispensable tool for monitoring system performance and troubleshooting problems. The Windows service that manages event logging is called "The event log". If it is running, Windows writes important data to the logs. Using the program "Event Viewer" you can do the following:

  • View events from specific logs;
  • Apply event filters and save them for later use as custom views;
  • Create and manage event subscriptions;
  • Assign specific actions to be performed when a specific event occurs.

Launching Event Viewer

Application "Event Viewer" can be opened in the following ways:

Event logs in Windows 7

In the Windows 7 operating system, as well as in Window Vista, there are two categories of event logs: Windows logs And application and service logs. Windows logs- used by the operating system to record system-wide events related to the operation of applications, system components, security and startup. A application and service logs- used by applications and services to record events related to their operation. You can use the snap-in to manage event logs "Event Viewer" or command line program wevtutil, which will be discussed in the second part of the article. All log types are described below:

Application- stores important events related to a specific application. For example, Exchange Server stores events related to mail forwarding, including events for the information store, mailboxes, and running services. By default it is placed in %SystemRoot%\System32\Winevt\Logs\Application.Evtx.

Safety- stores security-related events such as system login/logout, privilege usage, and resource accesses. By default it is located in %SystemRoot%\System32\Winevt\Logs\Security.Evtx

Installation- This log records events that occur during the installation and configuration of the operating system and its components. By default it is located in %SystemRoot%\System32\Winevt\Logs\Setup.Evtx.

System- stores events of the operating system or its components, such as failures to start services or initialize drivers, system-wide messages and other messages related to the system as a whole. By default it is located in %SystemRoot%\System32\Winevt\Logs\System.Evtx

Forwarded Events- if event forwarding is configured, this log includes events forwarded from other servers. By default it is placed in %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.Evtx

Internet Explorer- this log records events that occur when setting up and working with the Internet Explorer browser. By default it is located in %SystemRoot%\System32\Winevt\Logs\InternetExplorer.Evtx

Windows PowerShell- This log records events related to the use of PowerShell. By default it is located in %SystemRoot%\System32\Winevt\Logs\WindowsPowerShwll.Evtx

Equipment Events- if hardware event logging is configured, events generated by devices are recorded in this log. By default it is placed in %SystemRoot%\System32\Winevt\Logs\HardwareEvent.Evtx

In Windows 7, the infrastructure that provides event logging is based on XML, just like in Windows Vista. Each event data corresponds to an XML schema, allowing you to access the XML code of any event. You can also create XML-based queries to retrieve data from logs. No knowledge of XML is required to use these new features. Equipment "Event Viewer" provides a simple graphical interface to access these features.

Event Properties

There are several snap-in event properties "Event Viewer", which are described in detail below:

Source is the program that logged the event. This can be either the name of a program (for example, “Exchange Server”) or the name of a system component or large application (for example, the name of a driver). For example, "Elnkii" means EtherLink II driver.

Event code is a number that identifies a specific type of event. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event Logging service starts. Accordingly, at the beginning of the description of this event there is the line “The event log service has been started.” The event code and recording source name can be used by the software product support team to troubleshoot problems.

Level- this is the level of importance of the event. In system and application logs, events can have the following severity levels:

  • Notification- denotes a change in an application or component, such as the occurrence of an information event associated with a successful action, the creation of a resource, or the startup of a service.
  • Warning- indicates a general warning about a problem that could affect service or lead to a more serious problem if left unattended;
  • Error- indicates that a problem has occurred that may affect functions external to the application or component that caused the event;
  • Critical error- indicates that a failure has occurred from which the application or component that initiated the event cannot recover automatically;
  • Audit of successes- successful execution of actions that you monitor through audit, such as the use of a privilege;
  • Failure audit- failure to perform actions that you monitor through auditing, such as an error logging into the system.

User- defines the user account on whose behalf this event occurred. Users include special entities such as Local Service, Network Service, and Anonymous Logon, as well as real user accounts. This name is the client identifier if the event was actually raised by a server process, or the primary identifier if no impersonation is performed. In some cases, the security log entry contains both IDs. This field may also contain N/A if the account is not applicable in this situation. Impersonation occurs in cases where a server allows one process to assume the security attributes of another process.

Working code- contains a numeric value that identifies the operation or point within the operation during which this event occurred. For example, initialization or closing.

Magazine- the name of the log in which this event was recorded.

Category and tasks- defines an event category, sometimes used to subsequently describe a valid action. Each event source has its own categories. For example, the following categories: login/logout, use privileges, change policies, and account management.

Keywords is a set of categories or tags that can be used to filter or search for events. For example: “Network”, “Security” or “Resource not found”.

Computer - the name of the computer on which the event occurred. This is usually the name of the local computer, but it can also be the name of the computer that forwarded the event, or the name the local computer had before it was renamed.

Date and time - the date and time at which the event was recorded in the log.

Process ID - the identification number of the process that generated the event. A computer program is only a passive set of instructions, while a process is the actual execution of those instructions.

Thread ID - the identification number of the thread that generated the event. A process started by the operating system can consist of several threads running "in parallel", that is, without a prescribed order in time. For some tasks, such a division makes more efficient use of computer resources.

Processor ID - the identification number of the processor that processed the event.

Session ID - the identification number of the terminal server session in which the event occurred.

Kernel time - the time spent executing kernel-mode instructions, in units of CPU time. Kernel mode has unrestricted access to system memory and external devices. The NT system kernel is called a hybrid kernel or macrokernel.

User time - the time spent executing user-mode instructions, in units of CPU time. User mode consists of subsystems that pass I/O requests to the appropriate kernel-mode driver through the I/O manager.

Processor time - the time spent executing user-mode instructions, in CPU ticks.

Activity ID - identifies the activity within the process for which the event is used. This identifier is used to express simple relationships between events. (Correlation, in the general sense, is a statistical relationship between two or more random variables, or quantities that can be treated as such with acceptable accuracy, in which changes in one or more of them lead to a systematic change in the others.)

Related Activity ID - identifies a related activity within the process for which the event is used.
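The fields described above can be read from a script as well as from the "Details" tab. The following PowerShell is an added example, not code from the original article: it pulls the execution-related properties of recent events from a log (the "Application" log is assumed to exist) and groups events that share an Activity ID, which is the kind of "simple relationship between events" that identifier is meant to express. Properties such as Processor ID, Session ID and the kernel/user/processor times are only present in the XML view and only when the provider logged them, so they may come back empty.

```powershell
# Added example (not from the original article): read the execution-related
# event properties described above from recent events in a given log.
function Get-EventExecutionInfo {
    param(
        [string]$LogName = 'Application',   # assumption: the Application log exists
        [int]$MaxEvents = 20
    )
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents | ForEach-Object {
        # The XML view carries Execution attributes (ProcessorID, SessionID,
        # KernelTime, UserTime, ProcessorTime) that the object model does not expose.
        $xml  = [xml]$_.ToXml()
        $exec = $xml.Event.System.Execution
        [pscustomobject]@{
            Computer          = $_.MachineName
            TimeCreated       = $_.TimeCreated
            ProcessId         = $_.ProcessId
            ThreadId          = $_.ThreadId
            ProcessorId       = $exec.ProcessorID      # empty unless the provider logged it
            SessionId         = $exec.SessionID
            KernelTime        = $exec.KernelTime
            UserTime          = $exec.UserTime
            ProcessorTime     = $exec.ProcessorTime
            ActivityId        = $_.ActivityId
            RelatedActivityId = $_.RelatedActivityId
            Id                = $_.Id
            Provider          = $_.ProviderName
        }
    }
}

# Events that share an Activity ID belong to one operation; grouping by it shows
# which operations produced more than one record.
function Get-EventActivityChains {
    param([string]$LogName = 'Application', [int]$MaxEvents = 500)
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents |
        Where-Object { $_.ActivityId } |
        Group-Object ActivityId |
        Where-Object Count -gt 1 |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# All events of one activity, in time order, with the Related Activity ID that
# links them to a parent operation.
function Get-EventsByActivityId {
    param(
        [string]$LogName = 'Application',
        [Parameter(Mandatory)][guid]$ActivityId,
        [int]$MaxEvents = 5000
    )
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents |
        Where-Object { $_.ActivityId -eq $ActivityId } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, ProcessId, ThreadId, RelatedActivityId
}

Get-EventExecutionInfo -LogName Application -MaxEvents 5 | Format-List
Get-EventActivityChains -LogName Application | Select-Object -First 5
```

Run `Get-EventActivityChains` first; pass one of the GUIDs it returns to `Get-EventsByActivityId` to see the individual records of that operation.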

Working with event logs

Event Viewer

The following screenshot shows the "Application" log, where you can see event information, recent views and the available actions. To view the events in the Application log, follow these steps:

  1. In the console tree, select "Windows Logs";
  2. Select the "Application" log.

It is advisable to review the "Application" and "System" logs frequently and examine the errors and warnings they contain, since they may foreshadow future problems. When you select a log, the middle pane displays the available events, including the event date, time and source, the event level, and other details.

The "Preview Pane" shows basic event data on the "General" tab, and additional event-specific data on the "Details" tab. You can turn this pane on and off by selecting "Preview Pane" from the "View" menu.

For critical systems, it is recommended to keep logs going back several months. As a rule, it is impractical to keep enlarging the logs so that all this information fits in them; the problem can be solved another way: logs can be exported to files in a folder of your choice. To save the selected log, follow these steps:

  1. In the console tree, select the event log you want to save;
  2. Select "Save All Events As" from the "Action" menu or from the log's context menu;
  3. In the "Save As" dialog that appears, select the folder where the file should be saved. If the file needs to go into a new folder, you can create it directly from this dialog using the context menu or the "New folder" button on the toolbar. In the "Save as type" field, select the desired format from those available: event files (*.evtx), XML files (*.xml), tab-delimited text (*.txt) or comma-separated values (*.csv). In the "File name" field, enter a name and click "Save". To cancel saving, click "Cancel";
  4. If the event log is not going to be viewed on another computer, leave the default option "No display information" in the "Display Information" dialog box; if the log is going to be viewed on another computer, select "Display information for these languages" and click "OK".
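The same export can be scripted, which is how it is usually done on the critical systems mentioned above. The PowerShell below is an added example and not part of the original article: it writes one filtered snapshot of a log in the four formats the "Save As" dialog offers, and uses `wevtutil al` to attach the locale metadata that the "Display information for these languages" option produces, so the messages still render on a machine that lacks the event providers. The folder `C:\Logs` and the default XPath filter (only Critical and Error events) are assumptions you can change.

```powershell
# Added example (not from the original article): export a log in the four
# formats of the "Save All Events As" dialog without using the GUI.
# Assumptions: C:\Logs is a folder of your choosing; the XPath default keeps
# only Critical (Level=1) and Error (Level=2) events.
function Export-EventLogSnapshot {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$Folder = 'C:\Logs',
        [string]$XPath  = '*[System[(Level=1 or Level=2)]]'
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $base  = Join-Path $Folder ("{0}-{1}" -f ($LogName -replace '[\\/]', '-'), $stamp)

    # 1. Native .evtx: keeps the binary records, so the file can later be opened
    #    with "Open Saved Log" or read with Get-WinEvent -Path.
    wevtutil epl $LogName "$base.evtx" /q:"$XPath"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

    # 2. "Display information for these languages": wevtutil al writes a
    #    LocaleMetaData folder next to the file with the rendered messages.
    wevtutil al "$base.evtx" /l:en-US

    # 3. CSV, tab-delimited text and XML all come from the same filtered query.
    $events = Get-WinEvent -LogName $LogName -FilterXPath $XPath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message
    if (-not $events) {
        Write-Warning "No events in '$LogName' matched the filter; only the .evtx was written."
    } else {
        $events | Export-Csv -Path "$base.csv" -NoTypeInformation -Encoding UTF8
        $events | ConvertTo-Csv -Delimiter "`t" -NoTypeInformation | Set-Content "$base.txt"
        ($events | ConvertTo-Xml -As String -Depth 2) | Set-Content "$base.xml"
    }

    Get-ChildItem -Path $Folder -Filter "$(Split-Path $base -Leaf)*" |
        Select-Object Name, Length
}

Export-EventLogSnapshot -LogName Application
```

Pass `-XPath '*'` to export every record rather than only errors; the .evtx produced here is the file the "Opening and closing a saved log" section later opens.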

Clearing the event log

Sometimes full event logs have to be cleared so that warnings and critical operating-system errors can be analyzed effectively. To clear the selected log, follow these steps:

  1. In the console tree, select the event log that you want to clear;
  2. Clear the log using one of the following methods:
    • On the "Action" menu, select "Clear Log";
    • Right-click the selected log to open the context menu and select "Clear Log";
  3. Next, you can either clear the log outright or archive it first if this has not already been done:
    • To clear the event log without saving it, click "Clear";
    • To save the event log and then clear it, click "Save and Clear". In the "Save As" dialog that appears, select the folder where the file should be saved. If the file needs to go into a new folder, you can create it directly from this dialog using the context menu or the "New folder" button on the toolbar. In the "File name" field, enter a name and click "Save". To cancel saving, click "Cancel".
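"Save and Clear" has a command-line equivalent, and clearing a log is itself something Windows records: event ID 104 in the System log (source Microsoft-Windows-Eventlog) whenever any log is cleared, and event ID 1102 in the Security log when the Security log is cleared. The PowerShell below is an added example, not code from the original article: it backs up and clears a log in one step, reports the record counts before and after, and then lists recent log-cleared events so that an operator can confirm their own action was recorded and spot clears nobody scheduled. It assumes an elevated prompt and a backup folder of your choosing.

```powershell
# Added example (not from the original article): "Save and Clear" from the
# command line, followed by a check that the clear itself was logged.
# Assumptions: run elevated; C:\Logs is a folder of your choosing.
function Clear-EventLogWithBackup {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$Folder = 'C:\Logs'
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $backup = Join-Path $Folder ("{0}-{1}.evtx" -f ($LogName -replace '[\\/]', '-'),
                                  (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $before = (Get-WinEvent -ListLog $LogName).RecordCount

    # /bu: writes the current contents to the backup file before clearing,
    # which is what "Save and Clear" does in the snap-in.
    wevtutil cl $LogName /bu:"$backup"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed with exit code $LASTEXITCODE" }

    [pscustomobject]@{
        LogName       = $LogName
        RecordsBefore = $before
        RecordsAfter  = (Get-WinEvent -ListLog $LogName).RecordCount
        BackupFile    = $backup
        BackupRecords = @(Get-WinEvent -Path $backup -Oldest -ErrorAction SilentlyContinue).Count
    }
}

# Windows records every clear: ID 104 in System (any log), ID 1102 in Security
# (the Security log itself). Reviewing these is how unscheduled clears are found.
function Get-LogClearedEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue
    @($sys; $sec) | Where-Object { $_ } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, @{ n = 'User'; e = { $_.UserId } }, Message
}

Clear-EventLogWithBackup -LogName Application
Get-LogClearedEvents | Format-Table -AutoSize
```

If `RecordsBefore` and `BackupRecords` differ, events arrived between the count and the clear, which is expected on a busy log; a large gap is worth a second look.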

Setting the maximum log size

As mentioned above, event logs are stored as files in the %SystemRoot%\System32\Winevt\Logs\ folder. By default, the maximum size of these files is limited, but you can change it as follows:

  1. Select "Properties" from the "Action" menu;
  2. In the "Maximum log size (KB)" field, set the required value with the spin control or type it in manually. A typed value is rounded to the nearest multiple of 64 KB, because the log file size must be a multiple of 64 KB and cannot be less than 1024 KB.

Events are stored in a log file that can grow only up to the specified maximum size. Once the file reaches that size, the handling of incoming events is determined by the log retention policy. The following retention policies are available:

Overwrite events as needed (oldest events first) - new entries continue to be written to the log after it is full; each new event replaces the oldest one in the log;

Archive the log when full, do not overwrite events - the log file is archived automatically when it fills up; no events are overwritten;

Do not overwrite events (clear logs manually) - the log must be cleared manually and is never cleared automatically.

To select the desired log retention policy, follow these steps:

  1. In the console tree, select the event log whose size you want to change;
  2. Select "Properties" from the "Action" menu or from the context menu of the selected log;
  3. On the "General" tab, under "When maximum event log size is reached", select the required option and click "OK".

Enabling analytic and debug logs

Analytic and debug logs are disabled by default. Once enabled, they quickly fill up with a large number of events. For this reason, it is advisable to enable these logs only for a limited period, long enough to collect the data needed for troubleshooting, and then disable them again. You can enable a log as follows:

  1. In the console tree, find and select the analytic or debug log that you want to enable;
  2. Select "Properties" from the "Action" menu or from the context menu of the selected log;
  3. On the "General" tab, select the "Enable logging" check box.
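The settings from the two preceding sections (maximum size, retention policy, and the "Enable logging" check box) are all exposed by `wevtutil sl`, which makes them scriptable and auditable across many machines. The PowerShell below is an added example and not code from the original article. It applies the 64 KB rounding and 1024 KB floor described above before setting a size, maps the three retention policies onto wevtutil's `/rt` (retention) and `/ab` (auto-backup) switches, lists the analytic and debug logs present on the system, and enables one of them only for a bounded window before switching it off again in a `finally` block. It assumes an elevated prompt; the log names passed at the bottom are placeholders.

```powershell
# Added example (not from the original article): the "Properties" settings
# (maximum size, retention policy, Enable logging) from the command line.
# Assumption: run from an elevated prompt.

# Apply the article's rule: the size is rounded to the nearest multiple of
# 64 KB and may not be below 1024 KB. Returns bytes, as wevtutil /ms expects.
function Get-ValidLogSizeBytes {
    param([Parameter(Mandatory)][long]$RequestedKB)
    if ($RequestedKB -lt 1024) { throw "Log size must be at least 1024 KB" }
    $chunk = 64KB
    [long]([math]::Round(($RequestedKB * 1KB) / $chunk) * $chunk)
}

# The three UI policies expressed as wevtutil /rt (retention) and /ab (auto-backup).
$RetentionMap = @{
    OverwriteAsNeeded = @{ rt = 'false'; ab = 'false' }   # "Overwrite events as needed"
    ArchiveWhenFull   = @{ rt = 'true';  ab = 'true'  }   # "Archive the log when full"
    DoNotOverwrite    = @{ rt = 'true';  ab = 'false' }   # "Do not overwrite events"
}

function Set-EventLogPolicy {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [long]$MaxSizeKB = 20480,
        [ValidateSet('OverwriteAsNeeded', 'ArchiveWhenFull', 'DoNotOverwrite')]
        [string]$Retention = 'OverwriteAsNeeded'
    )
    $bytes = Get-ValidLogSizeBytes -RequestedKB $MaxSizeKB
    $m = $RetentionMap[$Retention]
    wevtutil sl $LogName /ms:$bytes /rt:$($m.rt) /ab:$($m.ab)
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    # LogMode reads back as Circular, AutoBackup or Retain, matching the three policies.
    Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled
}

# Analytic and debug logs are hidden behind "Show Analytic and Debug Logs" in the
# snap-in; from a script they are simply the logs whose LogType says so.
function Get-AnalyticAndDebugLogs {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.LogType -in 'Analytical', 'Debug' } |
        Select-Object LogName, LogType, IsEnabled, RecordCount
}

# Enable an analytic/debug log for a bounded period, then always disable it again
# (the article's advice). The log must be disabled before its records can be read.
function Invoke-AnalyticCapture {
    param([Parameter(Mandatory)][string]$LogName, [int]$Seconds = 60)
    wevtutil sl $LogName /e:true
    if ($LASTEXITCODE -ne 0) { throw "Could not enable '$LogName' (exit code $LASTEXITCODE)" }
    try     { Start-Sleep -Seconds $Seconds }
    finally { wevtutil sl $LogName /e:false }
    Get-WinEvent -ListLog $LogName | Select-Object LogName, IsEnabled, RecordCount
}

Set-EventLogPolicy -LogName Application -MaxSizeKB 30000 -Retention ArchiveWhenFull
Get-AnalyticAndDebugLogs | Select-Object -First 10
# Invoke-AnalyticCapture -LogName '<name from Get-AnalyticAndDebugLogs>' -Seconds 30
```

A request of 30000 KB is rounded to 30736384 bytes (469 × 64 KB), which is what `MaximumSizeInBytes` then reports.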

Opening and closing a saved log

Using the "Event Viewer" snap-in, you can open and view previously saved logs. You can open several saved logs at the same time and return to them at any time from the console tree. A log opened in Event Viewer can be closed without deleting the information it contains. To open a saved log, follow these steps:

  1. Select "Open Saved Log" from the "Action" menu or from the context menu in the console tree;
  2. In the "Open Saved Log" dialog box, navigate the directory tree to the folder containing the required file. By default, the dialog box displays all event log files; you can also choose which file types to display. The available types are event log files (*.evtx, *.evt, *.etl), as well as event files (*.evtx), legacy event files (*.evt) or trace log files (*.etl). Once the desired log file has been found, click it to place its name in the file name line and click "Open";
  3. In the "Open Saved Log" dialog, in the "Name" field, enter a new name for the log as it will appear in the console tree. This name is used only to display the log in the console tree and does not change the log file name; you can also keep the existing file name. In the "Description" field, enter a description for the log. It will be shown in the central pane when the parent log folder is selected in the console tree;
  4. To create a folder in which the saved log will be placed, click "Create Folder". In the "Name" field, enter the name of the folder in which the opened log will be placed, and then click "OK". If no parent folder is selected, the new folder is created under "Saved Logs";
  5. To make the opened event log unavailable to other users of the computer, clear the "All Users" check box. If this check box remains selected, the opened log is available to all users, but administrator rights are required to delete it from the console tree;
  6. To open the log, click "OK".
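A saved file can also be read without the snap-in, which is useful for triaging a log received from another computer before opening it. The PowerShell below is an added example, not code from the original article. It reads any of the three file types listed above (the legacy *.evt and trace *.etl formats require `Get-WinEvent -Oldest`, which the function adds automatically), summarises the records by level and computer, and lists events whose message could not be rendered because the provider is missing locally, which is exactly the case the "Display information for these languages" export option exists for. The file paths at the bottom are placeholders.

```powershell
# Added example (not from the original article): read a saved log file instead
# of opening it in the snap-in. Paths are placeholders for files you exported.
function Read-SavedEventLog {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$XPath = '*'      # XPath applied to the file; '*' returns everything
    )
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    $ext = [IO.Path]::GetExtension($Path).ToLowerInvariant()

    # Get-WinEvent reads .evtx directly but refuses legacy .evt and trace .etl
    # files unless -Oldest is given (those formats can only be read forwards).
    $params = @{ Path = $Path; FilterXPath = $XPath; ErrorAction = 'Stop' }
    if ($ext -in '.evt', '.etl') { $params.Oldest = $true }

    Get-WinEvent @params
}

# Summarise a saved file the way the snap-in's level column does.
function Get-SavedLogSummary {
    param([Parameter(Mandatory)][string]$Path)
    $events = @(Read-SavedEventLog -Path $Path)
    [pscustomobject]@{
        File      = Split-Path $Path -Leaf
        Records   = $events.Count
        Oldest    = ($events | Measure-Object TimeCreated -Minimum).Minimum
        Newest    = ($events | Measure-Object TimeCreated -Maximum).Maximum
        Computers = ($events.MachineName | Sort-Object -Unique) -join ', '
        ByLevel   = ($events | Group-Object LevelDisplayName |
                     ForEach-Object { "$($_.Name)=$($_.Count)" }) -join '; '
    }
}

# Events with an empty Message could not be rendered on this machine because the
# provider is absent; their presence means the export should have carried display
# information (or be read on the originating computer).
function Get-UnrenderedEvents {
    param([Parameter(Mandatory)][string]$Path)
    Read-SavedEventLog -Path $Path |
        Where-Object { -not $_.Message } |
        Group-Object ProviderName, Id |
        Select-Object Count, Name
}

Get-SavedLogSummary  -Path 'C:\Logs\Application-export.evtx'
Get-UnrenderedEvents -Path 'C:\Logs\Application-export.evtx' | Format-Table -AutoSize
```

Pass an XPath such as `'*[System[(Level=1 or Level=2)]]'` to `Read-SavedEventLog` to narrow a large file to critical and error records before summarising it.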

To delete an opened log from the console tree, follow these steps:

  1. In the console tree, select the log to be deleted;
  2. Select "Delete" from the "Action" menu or from the context menu of the selected log;
  3. In the "Event Viewer" confirmation dialog, click "Yes".

Conclusion

This part of the article, devoted to the Event Viewer snap-in, introduces the snap-in itself and describes in detail the basic operations involved in monitoring and maintaining the system with Event Viewer. The next part of the article is intended for experienced Windows users and will cover custom views, filtering, grouping and sorting events, and managing subscriptions.
