Windows event log files. Where is the Windows event log located?


Hello everyone, today's topic is how to view Windows logs. Most people know what logs are, but if you are a beginner: logs are records of system events in an operating system, Windows or Linux, that help you track what happened, where, when, and who did it. Any system administrator must be able to read Windows logs.

A real-life example: a disk failed in one of our IBM servers, and I collected the server logs for technical support so they could diagnose the problem. In Windows, the Event Log service collects and records the logs, and the Event Viewer snap-in is a convenient tool for reading them.

How to open Event Viewer

Opening the Event Viewer snap-in is simple and works the same on any Windows version. Press the magic keys

Win+R and enter eventvwr.msc

The Event Viewer window opens; in it, expand the Windows Logs item. Let's go through each of the logs.

The Application log contains records related to programs on your computer: when a program was started and, if it started with an error, that is recorded here too.

The Security log is needed to understand who did what and when: for example, logged on or off, or tried to gain access. All success and failure audits are written here.

The Setup log records what was installed and when, for example programs or updates.

The most important log is System. Everything essential is written here; for example, if you had a blue screen (BSOD), the messages recorded here help you determine its cause.

There are also Windows logs for more specific services, such as DHCP or DNS. Event Viewer has it all :).

Suppose you have over a million events in the Security log; you will immediately ask whether there is filtering, since reading all of them is masochism. Event Viewer has that covered: Windows logs can be filtered so that only what you need remains. On the right, in the Actions pane, there is a Filter Current Log button.

You will be asked to specify the event level:

  • Critical
  • Error
  • Warning
  • Information
  • Verbose

It all depends on what you are looking for; if you are hunting for errors, the other message types are of no interest. Next, to narrow the search further, you can specify the event source and event ID.

So, as you can see, parsing Windows logs is simple: search, find, fix. A quick way to clear Windows logs may also be useful:

Viewing Windows logs with PowerShell

It would be strange if PowerShell could not do this. To display a log, open PowerShell and enter the following command:

Get-EventLog -Logname "System"

As a result, you get a list of System log entries.

The same can be done for other logs, for example Application:

Get-EventLog -Logname "Application"

A short list of column names and the corresponding properties:

  • Event ID - EventID
  • Computer - MachineName
  • Event sequence number - Data, Index
  • Task category - Category
  • Category code - CategoryNumber
  • Level - EntryType
  • Event message - Message
  • Source - Source
  • Event generation date - ReplacementStrings, InstanceID, TimeGenerated
  • Event recording date - TimeWritten
  • User - UserName
  • Site - Site
  • Division - Container
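As an added example (not part of the original article), the same filtering that the Filter Current Log dialog offers, done from PowerShell: by level, source and event ID, plus a count of success versus failure audits in the Security log. Get-EventLog exists only in Windows PowerShell 5.1, while Get-WinEvent also works in PowerShell 7, so both forms are shown. The one-day window and the EventLog source name are assumptions.

```powershell
# Added example, not from the article. Run in an elevated prompt to read Security.

# --- Windows PowerShell 5.1: Get-EventLog, properties named as in the list above ---
# Last 200 Error and Warning entries of the System log, newest first
$recent = Get-EventLog -LogName 'System' -EntryType Error, Warning -Newest 200

# Top sources of those entries: a quick view of what is actually failing
$recent | Group-Object -Property Source |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# Narrow by source and event ID. 6005 is the ID the article uses as an example:
# the EventLog source writes it when the event log service starts.
Get-EventLog -LogName 'System' -Source 'EventLog' -InstanceId 6005 -Newest 5 |
    Select-Object -Property TimeGenerated, EntryType, Source, EventID, Message

# --- Get-WinEvent (5.1 and 7): the same filter as a hashtable ----------------
# Level values: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose
$since  = (Get-Date).AddDays(-1)          # assumed window: last 24 hours
$system = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2, 3
    StartTime = $since
} -MaxEvents 500 -ErrorAction SilentlyContinue   # no error if nothing matches

$system | Group-Object -Property ProviderName |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# --- Security log: success vs failure audits -----------------------------------
# Audit results live in the Keywords bitmask, not in Level, so filter on Keywords.
function Get-AuditSummary {
    param([datetime]$StartTime = (Get-Date).AddDays(-1))
    $enum = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]
    foreach ($name in 'AuditSuccess', 'AuditFailure') {
        $keyword = [long][System.Enum]::Parse($enum, $name)
        $events  = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Keywords  = $keyword
            StartTime = $StartTime
        } -MaxEvents 5000 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Audit  = $name
            Count  = @($events).Count
            # Which event IDs dominate: a spike in failure IDs is worth a closer look
            TopIds = ($events | Group-Object -Property Id |
                      Sort-Object -Property Count -Descending |
                      Select-Object -First 3 |
                      ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }) -join ', '
        }
    }
}
Get-AuditSummary | Format-Table -AutoSize
```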

Windows 7 constantly monitors various noteworthy events that occur on your system. In Microsoft Windows an event is any occurrence in the operating system that is logged or requires notifying users or administrators: a service that refuses to start, a device installation, an application error. Events are recorded and stored in the Windows event logs and provide historical information that helps you monitor the system, maintain its security, troubleshoot errors and perform diagnostics. The information in these logs should be reviewed regularly, and the operating system should be configured to retain important system events. If you administer Windows servers, you need to monitor their security, the normal operation of applications and services, and check the servers for errors that could degrade performance. If you are a personal computer user, you should make sure you can reach the logs you need to maintain your system and troubleshoot errors.

The Event Viewer program is a Microsoft Management Console (MMC) snap-in for viewing and managing event logs. It is an indispensable tool for monitoring system health and troubleshooting. The Windows service that controls event logging is called Windows Event Log; while it is running, Windows writes important data to the logs. With Event Viewer you can:

  • View events from specific logs;
  • Apply event filters and save them for later use as custom views;
  • Create and manage event subscriptions;
  • Assign specific actions to be performed when a specific event occurs.

Launching Event Viewer

Application "Event Viewer" can be opened in the following ways:

Fig.1. Event Viewer Window

Event logs in Windows 7

Windows 7, like Windows Vista, has two categories of event logs: Windows logs and Applications and Services logs. Windows logs are used by the operating system to register system-wide events related to the operation of applications, system components, security and startup. Applications and Services logs are used by individual applications and services to record events related to their own operation. Event logs can be managed with the Event Viewer snap-in or with the command-line program wevtutil, which will be covered in the second part of the article. All log types are described below:

Application - stores important events related to specific applications. For example, Exchange Server stores events related to mail transport, including information store, mailbox and running-service events. By default it is stored in %SystemRoot%\System32\Winevt\Logs\Application.Evtx.

Security - stores security-related events such as logon and logoff, privilege use and resource access. By default it is located in %SystemRoot%\System32\Winevt\Logs\Security.Evtx.

Setup - records events that occur during installation and configuration of the operating system and its components. By default it is located in %SystemRoot%\System32\Winevt\Logs\Setup.Evtx.

System - stores events of the operating system and its components, such as failures to start services or initialize drivers, system-wide messages and other messages concerning the system as a whole. By default it is located in %SystemRoot%\System32\Winevt\Logs\System.Evtx.

Forwarded Events - if event forwarding is configured, this log holds events forwarded from other computers. By default it is stored in %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.Evtx.

Internet Explorer - records events that occur while configuring and using the Internet Explorer browser. By default it is located in %SystemRoot%\System32\Winevt\Logs\InternetExplorer.Evtx.

Windows PowerShell - records events related to the use of PowerShell. By default it is located in %SystemRoot%\System32\Winevt\Logs\WindowsPowerShell.Evtx.

Hardware Events - if hardware event logging is configured, events generated by devices are recorded here. By default it is stored in %SystemRoot%\System32\Winevt\Logs\HardwareEvent.Evtx.

In Windows 7, as in Windows Vista, the event logging infrastructure is based on XML. Each event conforms to an XML schema, so you can access the XML of any event and write XML-based queries to retrieve data from the logs. No knowledge of XML is required to use these features: the Event Viewer snap-in provides a simple graphical interface to them.
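As an added example (not the article's own code), the same kind of filter written as an XML query, which is what Event Viewer custom views and wevtutil both consume. Event ID 6005 and the EventLog source come from the article's own example; the 24-hour window is an assumption.

```powershell
# Added example, not from the article. Two <Select> clauses in one query: the
# start event of the event log service, and Critical/Error records from the last
# 24 hours. timediff() is the Event Viewer XPath function; its argument is in
# milliseconds, and "<=" must be written as "&lt;=" inside XML.
$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='EventLog'] and (EventID=6005)]]
    </Select>
    <Select Path="System">
      *[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@

Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 20 |
    Select-Object -Property TimeCreated, Id, LevelDisplayName, ProviderName, Message

# Every record is XML underneath; ToXml() exposes fields the rendered Message
# does not show, such as the recording computer and the exact UTC timestamp.
function Get-EventXmlSummary {
    param([string]$XPath = "*[System[Provider[@Name='EventLog'] and (EventID=6005)]]")
    $record = Get-WinEvent -LogName 'System' -FilterXPath $XPath -MaxEvents 1 -ErrorAction Stop
    [xml]$x = $record.ToXml()
    [pscustomobject]@{
        Computer = $x.Event.System.Computer
        Provider = $x.Event.System.Provider.Name
        EventId  = $record.Id
        RecordId = $record.RecordId
        TimeUtc  = $x.Event.System.TimeCreated.SystemTime
    }
}
Get-EventXmlSummary

# The same XPath from a command prompt with wevtutil (qe = query-events);
# /c limits the count, /rd:true returns newest first, /f:text renders it readably:
#   wevtutil qe System /q:"*[System[Provider[@Name='EventLog'] and (EventID=6005)]]" /c:5 /rd:true /f:text
```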

Event Properties

An event in the Event Viewer snap-in has several properties, described in detail below:

Source is the program that logged the event: either the name of an application (for example, Exchange Server) or the name of a system component or a component of a large application (for example, a driver name). For example, Elnkii stands for the EtherLink II driver.

Event ID is a number identifying a particular type of event. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the event log service starts, so the description of that event begins with the line “The event log service has been started.” The event ID and source name can be used by the software vendor's support team for troubleshooting.

Level is the severity of the event. In the System and Application logs events can have the following levels:

  • Information - denotes a change in an application or component, such as a successful action, the creation of a resource or the start of a service;
  • Warning - indicates a general problem that could affect a service or lead to a more serious problem if left unattended;
  • Error - indicates that a problem has occurred that may affect functionality outside the application or component that raised the event;
  • Critical - indicates that a failure has occurred from which the application or component that raised the event cannot recover automatically;
  • Audit Success - successful completion of an action you monitor through auditing, such as the use of a privilege;
  • Audit Failure - failure of an action you monitor through auditing, such as a failed logon.

User - the user account on whose behalf the event occurred. Users include special identities such as Local Service, Network Service and Anonymous Logon as well as real user accounts. This name is the client ID if the event was raised by a server process, or the primary ID if no impersonation was performed. In some cases the Security log entry contains both IDs. The field may also contain N/A if no account applies. Impersonation occurs when a server allows one process to take on the security attributes of another process.

Opcode - a numeric value defining the operation, or the point within an operation, during which the event occurred, for example initialization or shutdown.

Log - the name of the log in which the event was recorded.

Task category - an event category, sometimes used to describe the related action in more detail. Each event source defines its own categories, for example logon/logoff, privilege use, policy change and account management.

Keywords is a set of categories or tags that can be used to filter or search for events, for example “Network”, “Security” or “Resource not found”.

Computer - the name of the computer on which the event occurred. Usually this is the local computer, but it can also be the computer that forwarded the event, or the local computer's name before it was renamed.

Date and time - the date and time the event was recorded in the log.

Process ID - the identifier of the process that generated the event. A program is only a passive set of instructions; a process is the execution of those instructions.

Thread ID - the identifier of the thread that generated the event. A process can consist of several threads running “in parallel”, that is, with no prescribed ordering in time; for some tasks this makes more effective use of computer resources.

Processor ID - the identifier of the processor that processed the event.

Session ID - the identifier of the terminal server session in which the event occurred.

Kernel time - the time spent executing kernel-mode instructions, in CPU time units. Kernel mode has unlimited access to system memory and external devices. The NT kernel is described as a hybrid kernel or macrokernel.

User time - the time spent executing user-mode instructions, in CPU time units. User mode consists of subsystems that pass I/O requests to the appropriate kernel-mode driver through the I/O manager.

Processor time is the time spent executing user-mode instructions, in CPU ticks.

Correlation ID - identifies the activity in the process for which the event is used. It is used to indicate simple relationships between events. (Correlation is a statistical relationship between two or more random variables, or quantities that can be treated as such with acceptable accuracy, in which changes in one or more of them lead to a systematic change in the others.)

Relative Correlation ID - identifies a related activity in the process for which the event is used.

Working with event logs

Event Viewer

The next screenshot shows the Application log, with information about events, recent views and available actions. To view Application log events:

  1. In the console tree, select Windows Logs;
  2. Select the Application log.

It is advisable to review the Application and System logs frequently and study the errors and warnings there, which may foreshadow future problems. When you select a log, the middle pane lists the available events, including date, time and source, event level and other details.

The Preview pane shows basic event data on the General tab and additional specific data on the Details tab. You can turn this pane on and off from the View menu with the Preview Pane command.

For critical systems it is recommended to keep logs from the last few months. Constantly increasing the log size so that everything fits is impractical; the problem is better solved by exporting logs to files in a folder of your choice. To save the selected log:

  1. In the console tree, select the event log you want to save;
  2. Select Save Events As from the Action menu, or Save All Events As from the log's context menu;
  3. In the Save As dialog, choose the folder for the file; a new folder can be created from this dialog via the context menu or the New folder button. In the File type field select one of the available formats: event files (*.evtx), XML file (*.xml), tab-delimited text (*.txt) or comma-separated values (*.csv). Enter a name in the File name field and click Save; to cancel, click Cancel;
  4. If the log will not be viewed on another computer, leave the default No display information in the Display Information dialog; if it will be, select Display information for these languages and click OK.

Clearing the event log

Sometimes a full event log must be cleared so that new warnings and critical errors can be analysed effectively. To clear the selected log, follow these steps:


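The save-then-clear sequence from the two sections above (saving a log, then clearing it), as an added example that is not part of the original article: wevtutil writes the backup as .evtx, which can be reopened with Open Saved Log, and a SHA-256 of each file is recorded so that a copy handed to support, or kept as evidence, can be checked later. The folder C:\LogArchive and the log names are assumptions; run from an elevated prompt.

```powershell
# Added example, not from the article.
function Backup-AndClearLog {
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        [string]$Folder = 'C:\LogArchive'      # assumed location
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($log in $LogName) {
        # Log names such as Microsoft-Windows-X/Operational contain a slash
        $safeName = $log -replace '[\\/]', '_'
        $file = Join-Path $Folder ('{0}-{1}-{2}.evtx' -f $env:COMPUTERNAME, $safeName, $stamp)
        # cl = clear-log; /bu writes the backup file first, so nothing is lost
        # if the export fails (same as "Save and Clear" in the GUI dialog)
        wevtutil cl $log "/bu:$file"
        if ($LASTEXITCODE -ne 0) { throw "wevtutil cl $log failed with exit code $LASTEXITCODE" }
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        # Keep the hash beside the file; recompute later to show it was not altered
        "$hash  $(Split-Path $file -Leaf)" | Add-Content -Path (Join-Path $Folder 'SHA256SUMS.txt')
        [pscustomobject]@{ Log = $log; File = $file; SHA256 = $hash }
    }
}

# Clearing the Security log is itself audited: its first new entry is event 1102
# ("The audit log was cleared"), which is why monitoring rules watch for it.
# Never clear Security on a server without the backup above.
Backup-AndClearLog -LogName 'System', 'Application' | Format-Table -AutoSize

# Checking an archived copy later: same hash means same content
function Test-ArchivedLog {
    param([string]$File, [string]$ExpectedSha256)
    (Get-FileHash -Path $File -Algorithm SHA256).Hash -eq $ExpectedSha256.ToUpper()
}
```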
Setting the maximum log size

As mentioned above, event logs are stored as files in the %SystemRoot%\System32\Winevt\Logs\ folder. By default the maximum size of these files is limited, but you can change it as follows:


Events are saved in a log file that can grow only up to a specified maximum size. Once the file reaches that size, what happens to incoming events is determined by the log's retention policy. The following policies are available:

Overwrite events as needed (oldest events first) - new entries continue to be written after the log fills up; each new event replaces the oldest one in the log;

Archive the log when full, do not overwrite events - the log file is archived automatically when it fills up; old events are not overwritten;

Do not overwrite events (clear logs manually) - the log must be cleared manually; it is never cleared automatically.

To select the retention policy, follow these steps:

  1. In the console tree, select the event log you want to resize;
  2. Select Properties from the Action menu or from the log's context menu;
  3. On the General tab, under “When maximum event log size is reached”, select the required option and click OK.
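As an added example (not the article's own), reading and setting the maximum size and retention policy from the command line instead of the Properties dialog. Get-WinEvent -ListLog reports the same values the dialog shows; wevtutil sl and Limit-EventLog change them. The 256 MB and 64 MB sizes and the choice of logs are assumptions; run from an elevated prompt.

```powershell
# Added example, not from the article.
function Get-LogRetention {
    param([string[]]$LogName = @('System', 'Application', 'Security'))
    foreach ($name in $LogName) {
        $cfg = Get-WinEvent -ListLog $name
        [pscustomobject]@{
            Log       = $name
            MaxSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
            UsedMB    = [math]::Round($cfg.FileSize / 1MB, 1)
            # LogMode maps to the dialog: Circular = overwrite as needed,
            # AutoBackup = archive when full, Retain = do not overwrite
            Mode      = $cfg.LogMode
            Records   = $cfg.RecordCount
            Path      = $cfg.LogFilePath
        }
    }
}
Get-LogRetention | Format-Table -AutoSize

# Security log: 256 MB (assumed) and "Archive the log when full". /rt:true turns
# retention on (do not overwrite) and /ab:true adds auto-backup; together they
# give the archive policy, and the archives appear in the Logs folder as
# Archive-Security-<timestamp>.evtx. /rt:false alone gives "Overwrite as needed".
wevtutil sl Security /ms:268435456 /rt:true /ab:true

# Windows PowerShell 5.1 cmdlet equivalent for the classic logs
# (OverflowAction: OverwriteAsNeeded, OverwriteOlder, DoNotOverwrite)
Limit-EventLog -LogName Application -MaximumSize 64MB -OverflowAction OverwriteAsNeeded

# "Do not overwrite" without auto-backup (/rt:true /ab:false) means that once the
# log is full, new events are dropped until someone clears it. On a server the
# Security log is the audit trail, so that gap is exactly what you do not want.
Get-LogRetention -LogName 'Security', 'Application'
```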

Activating the analytical and debug log

Analytic and debug logs are disabled by default. Once enabled they quickly fill up with a large number of events, so it is advisable to enable them only for a limited time, to collect the data needed for troubleshooting, and then disable them again. To enable a log:

  1. In the console tree, find and select the analytic or debug log you want to enable;
  2. Select Properties from the Action menu or from the log's context menu;
  3. On the General tab, check the Enable logging box.
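As an added example (not part of the article), the time-boxed use of an analytic or debug log recommended above, scripted: enable, collect for a fixed number of seconds, read, and disable again in a finally block so the log is not left running. When no log name is given, the function simply takes the first analytic log found on the machine; the 15-second window is an assumption. Run from an elevated prompt.

```powershell
# Added example, not from the article.
function Invoke-AnalyticCapture {
    param(
        [string]$LogName,            # assumption: any analytic/debug channel on this machine
        [int]$Seconds   = 30,
        [int]$MaxEvents = 50
    )
    if (-not $LogName) {
        $LogName = (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
            Where-Object { $_.LogType -eq 'Analytical' } |
            Select-Object -First 1).LogName
    }
    # /e:true is the command-line form of the "Enable logging" checkbox.
    # Analytic and debug logs are ETW-backed and fill quickly, hence the time box.
    wevtutil sl $LogName /e:true
    if ($LASTEXITCODE -ne 0) { throw "could not enable $LogName" }
    try {
        Start-Sleep -Seconds $Seconds
        # These channels can only be read oldest-first; -Oldest is mandatory for them
        Get-WinEvent -LogName $LogName -Oldest -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object -Property TimeCreated, Id, LevelDisplayName, Message
    }
    finally {
        # Always switch it off again, even if reading failed
        wevtutil sl $LogName /e:false
    }
}

# Which analytic/debug logs are currently switched on? Leftovers cost disk and CPU.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { ($_.LogType -eq 'Analytical' -or $_.LogType -eq 'Debug') -and $_.IsEnabled } |
    Select-Object -Property LogName, LogType, RecordCount, MaximumSizeInBytes

Invoke-AnalyticCapture -Seconds 15 | Format-Table -AutoSize
```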

Opening and closing a saved journal

With the Event Viewer snap-in you can open and view previously saved logs. Several saved logs can be open at once, and they remain accessible in the console tree. A log opened in Event Viewer can be closed without deleting its contents. To open a saved log, follow these steps:


To remove an opened log from the console tree, do the following:


Conclusion

This part of the article, dedicated to the Event Viewer snap-in, describes the snap-in itself and the simplest operations involved in monitoring and maintaining the system with it. The next part is intended for experienced Windows users and will cover custom views, filtering, grouping and sorting events, and managing subscriptions.


Hello, readers of the ComService company blog (Naberezhnye Chelny). In this article we look at the Windows 7 event log. The operating system records almost everything that happens to it in this log, and the convenient way to view it is the Event Viewer application, which is installed with Windows. To say that a lot of events get recorded is to say nothing: there are hordes of them. But it is hard to get lost in them, since everything is sorted into categories.

Thanks to the event log it is much easier for specialists and ordinary users to find errors and fix them. By easier I did not mean easy. Almost always, to fix a recurring error you will have to read a lot of material and re-read it. Sometimes it is worth it, to get rid of non-standard behaviour of the operating system.

The utility looks like this by default:

A lot here can be customised. For example, the buttons below the menu bar hide or show the Console Tree on the left and the Actions pane on the right.

The area at the bottom centre is the Preview pane. It displays information about the selected event. It can be removed by unchecking the corresponding item in the View menu or by clicking the cross in the pane's top right corner.

The main field is at the top centre: a table of the events of the log selected in the Console Tree. Not all columns are displayed by default; you can add columns and change their order. To do so, right-click the header of any column and select Add/Remove Columns...

In the window that opens, add the required columns from the left field to the Displayed columns field.

To change the order of columns in the right field, select the column and use the Up and Down buttons.

2. Event properties

Each column is a property of the event. All these properties were described perfectly by Dmitry Bulanov; here is a screenshot. Click it to enlarge.

There is no point in adding every column to the table, since the key properties are shown in the Preview pane. If that pane is not displayed, double-click the event and its properties appear in a separate window.

The General tab has a description of the error and sometimes a way to fix it. Below are all the properties of the event, and in the Details section there is a link to online help where information on correcting the error may be available.

3. Event logs

Key Management Service - events of the Key Management Service are recorded here. It is intended for managing activations of enterprise editions of the operating system. This log is empty on my system.

Logs also have their own Properties. To view them, right-click the log and select Properties in the context menu.

The properties show the full name of the log, the path to the log file, its size, and the dates it was created, modified and last accessed.

The Enable logging checkbox is also checked. It is greyed out and cannot be cleared. I looked at this option in the properties of other logs; there it is also enabled and greyed out. For the Hardware Events log it is in exactly the same state, yet the log is not maintained.

In the properties you can set the Maximum log size (KB) and choose the action when the maximum size is reached. For servers and other important workstations you will most likely want a larger log size and “Archive the log when full”, so that in an emergency you can trace when the problem started.

4. Working with Windows 7 event logs

The work involves sorting, grouping and clearing logs, and creating custom views to make it easier to find particular events.

Sorting events

Choose any log, for example Application, and in the table in the centre left-click the header of any column. Events are sorted by that column.

Click again and the sort direction reverses. The sorting principles are the same as in Windows Explorer. The limitation is that you cannot sort by more than one column.

Event grouping

To group events by a column, right-click its header and select Group Events by This Column. In the example, events are grouped by the Level column.

It is then convenient to work with one group of events, for example the errors. After grouping, you can collapse and expand groups; this can also be done in the event table itself by double-clicking the group name, for example Level: Warning (74).

To remove a grouping, right-click the column header again and select Remove Grouping of Events.

Clearing the log

If you have fixed the errors that produced entries in a log, you will probably want to clear it so that old entries do not interfere with diagnosing the computer's new state. To do this, right-click the log you want to clear and select Clear Log...

In the window that opens you can simply clear the log, or Save and Clear it to a file first.

Custom views

Configured sorting and grouping disappear when you close the Event Viewer window. If you work with events often, you can create custom views: saved filters that live in their own section of the console tree and survive closing Event Viewer.

To create a custom view, right-click any log and select Create Custom View...

In the window that opens, in the Logged (date) section, choose from the drop-down list the time range for which events should be selected.

In the Event level section, tick the boxes for the severities of interest.

You can select by log (one or several) or by source. Switch the radio button to the desired position and tick the necessary entries in the drop-down list.

You can also specify event IDs to include in, or exclude from, the view you are creating.

When all the options are set, click OK.

In the window that appears, enter the name and description of the custom view and click OK.

For example, I created a custom view for Error and Critical events from the Application and Security logs.

The view can be edited later and does not disappear when Event Viewer is closed. To edit it, right-click the view and select Filter Current Custom View...

In the window that opens, make the additional settings for the view.

A custom view is analogous to a saved search in Windows 7 Explorer.

Conclusion

In this article we looked at the Windows 7 event log and covered almost all the basic operations for finding error and critical events. A logical question then arises: “How do we fix these errors in the system?” That is where things get much more complicated. There is little information on the Internet, so you may have to spend a lot of time on it. If you are generally satisfied with how the computer works, you do not have to. If you want to try to fix it, watch the video below.

You can also use the event log to diagnose slow startup of Windows 7.

I will be glad to receive any comments and suggestions.

Thanks for sharing the article on social networks. All the best!

This is what happens to me:

My user does not come to me,

but they walk in idle bustle

the variety is not the same...

What is an event log

Everything that happens under the control of Windows (a click, a key press, a program launch...) is an event. The most important events (from the point of view of Windows!), for example hardware, application and system problems, are recorded by the operating system in the so-called event logs.

How to view event logs

Windows Vista and later: Start -> Control Panel -> Administrative Tools -> Event Viewer.

Windows XP: Start -> Settings -> Control Panel -> Administrative Tools -> Event Viewer (or Start -> Run -> in the Open field of the Run dialog enter eventvwr.msc /s -> click OK).

Main types of logs:

Application log (contains data about the operation of applications and programs. Entries in this log are created by the applications themselves; which events go into the Application log is decided by the developers of each application);

Security log (contains records of events such as successful and failed attempts to log on to the system, and events related to resource use such as creating, opening and deleting files and other objects. Which events are recorded in the Security log is decided by the administrator; for example, after you enable logon auditing, all logon attempts are recorded in the Security log);

System log (contains events logged by Windows operating system components. For example, the System log records failures of drivers or other system components to load at startup).
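As an added example (not from the original text), checking and enabling the logon auditing mentioned above with auditpol, which is what decides whether the Security log records logon attempts at all. The subcategory names are the standard Windows ones; run from an elevated prompt, and note that in a domain, Group Policy audit settings override local ones.

```powershell
# Added example, not from the article.
function Get-LogonAuditPolicy {
    # /r returns CSV; the "Inclusion Setting" column reads "No Auditing",
    # "Success", "Failure" or "Success and Failure"
    $rows = auditpol /get /category:"Logon/Logoff" /r | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
            Collecting  = $row.'Inclusion Setting' -ne 'No Auditing'
        }
    }
}
Get-LogonAuditPolicy | Format-Table -AutoSize

# Record both successful and failed logons: these become the Success Audit and
# Failure Audit entries the Security log section above describes
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
# Lockouts are a separate subcategory of Logon/Logoff and are worth keeping too
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

# Verify the change took effect
Get-LogonAuditPolicy | Where-Object { $_.Subcategory -in 'Logon', 'Account Lockout' }
```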

Event Viewer displays events of the following types:

Error (a serious problem, such as loss of data or functionality. If a service fails to load at startup, an error is logged. Error entries are marked with a circle containing an X);

Warning (an event that was not significant at the time it was logged but may lead to problems in the future. For example, when free disk space is low, a warning is logged. Warnings are marked with a triangle containing an exclamation mark);

Information (an event describing the successful completion of an action by an application or service. For example, after a successful load, an information event is logged. These are marked with a circle with a “tail” and the letter “i” inside);

Success Audit (an event corresponding to a successfully completed security-related action. For example, when a user logs on successfully, a Success Audit event is logged);

Failure Audit (an event corresponding to a failed security-related action. For example, when a user fails to access a network drive, a Failure Audit event is recorded in the log).

How to use event logs to troubleshoot problems

Careful analysis of event logs helps prevent system problems and determine their causes. For example, if the log contains a warning that a disk sector could be read or written only after several attempts, that sector may soon become unusable.

Logs also help resolve application problems. For example, if a program crashes, the Application log will usually contain entries about the events leading up to it.

Reading event logs is the sacred (daily!) duty of programmers and system administrators. For the average user, too, reading these logs can often make life easier, making the relationship with Windows more pleasant and productive!

Notes

1. The Windows Event Log service starts automatically when Windows starts.


Quite often users of the operating system turn to the Event Viewer. This application lets you monitor failures, errors and problems in the system. It can be used for diagnostic checks, but in some cases a saved log is no longer needed and should be removed.

You will need

  • Working with the Event Viewer snap-in.

Instructions

Not all users of the Windows operating system know that the event log exists; you could say that you need to study the system in depth to reach this component. Still, it is easy to find in Windows 7 or Windows Vista: open the Start menu, click the search box, type “Event Viewer”, and click the first line in the search results.

The Event Viewer applet appears; this component is also called the Event Viewer snap-in. Before you delete a log, it must first be opened or created (in some cases the option to work with a log is disabled). To open a log, click Action in the top menu and choose Open Saved Log from the drop-down list.

In the Open Saved Log window that opens, find the event log file; use the Explorer sidebar to find it quickly. Note that by default the dialog offers several extensions, not all of which correspond to a log. You will see the following file formats: evtx, evt and etl. The evtx extension is event files, evt is legacy event files, and etl is trace log files.

Having selected the file, click Open in the lower right corner of the dialog. To delete a recently opened event log, go to it: click the triangle next to the Saved Logs folder on the left of the window, then the folder with saved logs. This folder contains all the logs created by the system.

Select the event log marked with a floppy-disk icon. Right-click the selected element and choose Delete from the context menu. In the window that opens, click Yes to confirm the deletion.

A system event log stored on a remote or local computer can be removed only if you have permission to edit the registry. With such a deletion the file and its contents are erased first, and then all its sources are removed from the registry.

You will need

  • a computer;
  • system administration skills.

Instructions

Log on with administrator rights. Your current user must be a member of the Administrators group, or must obtain the appropriate authority through delegation. If the computer is joined to a domain, the procedure can be carried out by members of the Domain Admins group. For security, use the Run as command.

Go to the main menu to delete events from the log: click Start, select Control Panel, and double-click the Administrative Tools icon. In this window select the Event Viewer icon and double-click it, or press Enter.

Open Event Viewer. In the console tree, select the log you want to clear. Go to the Action menu and select Clear all Events. To save the log before clearing, click Yes. If the log was saved to a file, it cannot be cleared this way; to clear it, you must delete the file in which it is stored.

Deleting entries in Windows 7: go to the main menu and select Control Panel, then Administrative Tools, then Event Viewer.

Alternatively, open the MMC management console: click Start, type mmc in the search field and press Enter. From the Console menu select Add/Remove Snap-in, or press Ctrl+M. In the dialog select Event Viewer, click Add, then Finish and OK.

Click Start, Run, and type eventvwr.msc. Go to the Action menu and select Clear Log. To save the log before clearing, choose Save and Clear, enter a file name and click Save.


Today's operating systems include special services through which applications and system programs can save data about their operation in special journals, called logs. For security reasons or to save disk space, it is sometimes necessary to clear the logs.

You will need

  • administrator or root rights on the local machine.

Instructions

Select the Windows log that needs clearing. Click the My Computer icon on the desktop and choose Manage... from the context menu, or open the Computer Management shortcut in the Administrative Tools folder (reachable from the Control Panel window, opened via the corresponding item in the Settings section of the Start menu). The MMC console launches.

In the Computer Management (Local) tree, expand System Tools and Event Viewer. Select the nested items and view the logs. Determine which ones need clearing.






