With Windows Vista, Windows 7, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2, you can collect events from remote computers (including computers running Windows XP) and detect problems such as low disk space before they become more serious. Additionally, Windows now includes many more event logs to make it easier to troubleshoot problems with a specific Windows component or application. This lesson describes how to manage events in Windows Server 2008 R2 and Windows 7.
Using Event Viewer
You can open Event Viewer from within Server Manager by selecting the Diagnostics\Event Viewer node. Alternatively, you can open the stand-alone version of Event Viewer from Administrative Tools on the Start menu.
The log files are contained in two subnodes: Windows Logs and Applications And Services Logs. Windows Logs contains four subnodes:
- Application: Contains events generated by applications. Many applications do not generate events, however, and many of those that do store their events in a custom event log located within Applications And Services Logs.
- Security: Contains auditing events that Windows adds when a user accesses or attempts to access a resource that has been configured for auditing. For an overview of auditing, read “Audit Policy” at http://technet.micro...y/cc766468.aspx.
- Setup: Contains events generated while installing and updating Windows.
- System: Contains core system events. Other system events are contained within Applications And Services Logs.
- Forwarded Events: Contains events forwarded to this computer from other computers. Event forwarding is discussed later in this lesson.
To view each of these types of events, click the node, and then double-click an event.
The Applications And Services Logs node contains dozens of event logs, each for a specific feature of Windows. For example, the Directory Service subnode contains Active Directory Domain Controller events. Similarly, events generated by a DHCP server are visible within the Applications And Services Logs\Microsoft\Windows\DHCP-Server node.
Note: You certainly should not attempt to memorize all the application and service logs. However, you should familiarize yourself with the list and remember to look within Applications And Services Logs when searching for detailed troubleshooting information about a specific Windows feature.
During the troubleshooting process, you might decide to browse an event log looking for information about a specific application or Windows feature. The biggest challenge of using Event Viewer is the sheer number of events. Busy servers generate thousands of events every day, so browsing events to look for something useful is impractical.
A more efficient way to find meaningful events is to create a filter. To create a filter, follow these steps:
1. Select an event log, such as Windows Logs\System.
2. Right-click the log, and then click Filter Current Log.
3. Use the Filter Current Log dialog box to specify which events you want to view. You can configure the following settings:
   - Logged: Select a time range from this list to display only recent events.
   - Event Level: Events have one of five urgency levels assigned. From least to most urgent, the levels are Verbose, Information, Warning, Error, and Critical.
   - Event Logs: Choose which event logs to search. When you create a filter, you can search only the current log. To search multiple logs, create a custom view instead, as discussed in the next section.
   - Event Sources: When a feature or application adds an event to the event log, it specifies a source. Typically, these have meaningful names; however, if you cannot find an event, consider searching for it by using the Find feature in Event Viewer, and then making a note of the exact Source name.
   - Event IDs: If you already know which events you are looking for, specify the Event IDs in this box.
   - Task Category: The category of the task.
   - Keywords: A list of predefined keywords you can search for.
   - User: The active user when the event was generated. Many events do not have this field.
   - Computers: The computer on which the event was generated.
4. Click OK.
Event Viewer will display the list of events that match your filter criteria. After you create a filter, you can save it as a custom view (described in the next section) so that you can easily recall it later by clicking Save Filter To Custom View in the actions pane.
Using Custom Views
Custom views are filters that can display events from multiple logs. When you create a custom view, Event Viewer saves it within the Custom Views node so that you can quickly view the same set of events. Windows Server 2008 R2 also includes custom views within the Server Roles node for standard roles such as Active Directory Certificate Services, DNS Server, and File Server.
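The Filter Current Log settings and a multi-log custom view both compile down to the same XPath query list that Event Viewer shows on the dialog's XML tab. The following added example (not from the training kit) reproduces a filter on Windows Logs\System and a two-log custom view with Get-WinEvent, which ships with PowerShell 2.0 on Windows 7 and Windows Server 2008 R2. It assumes an account that can read the System and Application logs (the Security log additionally needs administrative rights); the 24-hour window and the level choices are illustrative.

```powershell
# Added example (not from the training kit): Filter Current Log and a custom view
# expressed with Get-WinEvent. Assumes PowerShell 2.0+ on Windows 7 / Server 2008 R2
# and read access to the System and Application logs.

# --- Equivalent of Filter Current Log on Windows Logs\System ---
# Logged = last 24 hours; Event Level = Critical, Error, Warning; Event IDs = any.
# Level numbers: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
$filter = @{
    LogName   = 'System'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddHours(-24)
}
# Get-WinEvent raises "No events were found" as an error when nothing matches,
# so suppress it and treat an empty result as a normal outcome.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Format-Table -AutoSize -Wrap

# The Event Sources box needs the exact provider name. Listing the providers that
# actually produced matching events avoids guessing the spelling.
$events | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# --- Equivalent of a custom view spanning several logs ---
# A custom view is stored as an XPath query list like this one: Critical and Error
# events from System and Application in the last 24 hours (timediff is in milliseconds).
# The "<=" must be written as "&lt;=" because the query is XML.
[xml]$customView = @"
<QueryList>
  <Query Id="0">
    <Select Path="System">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $customView -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

The hashtable form is convenient for a single log; the XML form is what you paste into a custom view (or export from one), so keeping the query in that shape lets the same filter be reused in Event Viewer, in a script, and in an event forwarding subscription.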
Automatically Responding to Events
Windows 7 regularly runs background tasks to maintain the system and respond to events. For example, Windows starts a task to optimize the disk layout by using defragmentation every Wednesday at 01:00. Similarly, if a memory-related event appears in the event log, Windows responds to this event by launching the Memory Diagnostic tool. To view these built-in tasks, open Server Manager and expand the Configuration\Task Scheduler\Task Scheduler Library\Microsoft\Windows node. Then, browse each of the subnodes.
Note: The 70-642 exam objectives don’t include Task Scheduler, so we won’t discuss it in detail in this book. However, you do need to know how to launch a task in response to an event. Exercise 1 at the end of this lesson walks you through the process of creating a task when a specific event appears, which should be all you need to know for the exam. However, for the real world and other Microsoft certifications, you should spend some time familiarizing yourself with the Task Scheduler capabilities and user interface.
One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways:
- Start A Program: Launches an application. Often, administrators write a script that carries out a series of tasks they would otherwise need to perform manually, and automatically run that script when an event appears.
- Send An E-mail: Sends an email by using the Simple Mail Transfer Protocol (SMTP) server you specify. Often, administrators configure urgent events to be sent to a mobile device.
- Display A Message: Displays a dialog box showing a message. This is typically useful only when a user needs to be notified of something happening on the computer.
To trigger a task when an event occurs, follow one of these three procedures:
- Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event. A wizard will guide you through the process. Exercise 1 at the end of this lesson provides step-by-step instructions for this process.
- In Task Scheduler, click Create Basic Task in the actions pane. On the Trigger page of the wizard, select When A Specific Event Is Logged. Then, specify the Log, Source, and Event ID.
- Use the Schtasks command-line tool from a command prompt or a script. For example, to run a file named Respond.exe whenever event 177 is published in the System event log, run the following command:
SCHTASKS /Create /TN EventLog /TR respond.exe /SC ONEVENT /EC System /MO "*[System/EventID=177]"
Note: For complete details about using the Schtasks tool, read “Schtasks: Management Services” at http://technet.micro...y/cc772785.aspx.
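A mistyped XPath in the /MO query fails silently: the task is created but never fires. The following added example (not from the training kit) wraps the Schtasks command from the lesson in a PowerShell script that checks the query against the System log first, creates the task, and reads the definition back so the trigger can be verified. It assumes an elevated PowerShell 2.0+ session on Windows 7 or Windows Server 2008 R2; the task name EventLog and event ID 177 come from the lesson, while C:\Tools\respond.exe is a hypothetical path for the program to run.

```powershell
# Added example (not from the training kit): create and verify an event-triggered task
# with Schtasks. Assumes an elevated PowerShell session on Windows 7 / Server 2008 R2.
$taskName = 'EventLog'
$program  = 'C:\Tools\respond.exe'      # hypothetical path; use the real program location
$xpath    = '*[System/EventID=177]'     # same XPath the Attach Task wizard writes into the trigger

# 1. Refuse to point a task at a program that is not there. A task whose target is
#    missing (or sits in a directory other users can write to) is a misconfiguration
#    worth catching before the task exists.
if (-not (Test-Path -Path $program -PathType Leaf)) {
    throw "Program '$program' not found; not creating task '$taskName'."
}

# 2. Prove the query matches real events before wiring an action to it.
$recent = Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue
if ($recent) {
    $recent | Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize
} else {
    Write-Warning "No event matching '$xpath' in the System log yet; the task is still created."
}

# 3. Create the task. The query is passed as one argument so the brackets survive;
#    without /RU the task runs in the security context of the account creating it.
#    /F overwrites an existing task of the same name.
schtasks.exe /Create /TN $taskName /TR $program /SC ONEVENT /EC System /MO $xpath /F
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# 4. Read the stored definition back. The <Subscription> element is the query the Task
#    Scheduler service evaluates; the <Command> element is what it will execute.
$xmlText = (schtasks.exe /Query /TN $taskName /XML | Out-String).Trim()
[xml]$definition = $xmlText
"Trigger query : " + $definition.Task.Triggers.EventTrigger.Subscription
"Action command: " + $definition.Task.Actions.Exec.Command
```

Step 4 is the same information the Task Scheduler user interface shows on the Triggers and Actions tabs, and it is the quickest way to confirm that the query stored in the task is exactly the one you intended.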
Learn more about this topic from Self-Paced Training Kit Exam 70-642: Configuring Windows Server® 2008 Network Infrastructure, 2nd Edition.