
Windows Events and Logging

WINDOWS EVENTS: Events are typically used for troubleshooting application and driver software.
EVENT TYPES
There are five types of events that can be logged. All of these have well-defined common data and can optionally
include event-specific data.

The application indicates the event type when it reports an event. Each event must be of a single type. The Event
Viewer displays a different icon for each type in the list view of the event log.

The following table describes the five event types used in event logging.

Event type       Description

Error            An event that indicates a significant problem such as loss of data or loss of
                 functionality. For example, if a service fails to load during startup, an Error
                 event is logged.

Warning          An event that is not necessarily significant, but may indicate a possible future
                 problem. For example, when disk space is low, a Warning event is logged. If an
                 application can recover from an event without loss of functionality or data, it
                 can generally classify the event as a Warning event.

Information      An event that describes the successful operation of an application, driver, or
                 service. For example, when a network driver loads successfully, it may be
                 appropriate to log an Information event. Note that it is generally inappropriate
                 for a desktop application to log an event each time it starts.

Success Audit    An event that records an audited security access attempt that is successful. For
                 example, a user's successful attempt to log on to the system is logged as a
                 Success Audit event.

Failure Audit    An event that records an audited security access attempt that fails. For example,
                 if a user tries to access a network drive and fails, the attempt is logged as a
                 Failure Audit event.

Windows Event Log


“The Windows event log is a detailed record of system, security and application notifications stored by the Windows
operating system that is used by administrators to diagnose system problems and predict future issues.”

“Logs are records of events that happen in your computer, either by a person or by a running process. They help you
track what happened and troubleshoot problems.”

Applications and the operating system (OS) use these event logs to record important hardware and software actions
that the administrator can use to troubleshoot issues with the operating system. The Windows operating system
tracks specific events in its log files, such as application installations, security management, system setup operations
on initial startup, and problems or errors.

The elements of a Windows event log

Each event in a log entry contains the following information:

Date: The date the event occurred.
Time: The time the event occurred.
User: The username of the user logged onto the machine when the event occurred.
Computer: The name of the computer.
Event ID: A Windows identification number that specifies the event type.
Source: The program or component that caused the event.
Type: The type of event, including information, warning, error, security success audit or security failure audit.

Examples:

The rows below are shown as Event Viewer lists them: level, date and time, source, event ID and task category.

An Information event might appear as:

    Information   5/16/2018 8:41:15 AM    Service Control Manager   7036   None

A Warning event might look like:

    Warning       5/11/2018 10:29:47 AM   Kernel-Event Tracing      1      Logging

By comparison, an Error event might appear as:

    Error         5/16/2018 8:41:15 AM    Service Control Manager   7001   None

A Critical event might resemble:

    Critical      5/11/2018 8:55:02 AM    Kernel-Power              41     (63)

The type of information stored in Windows event logs


The Windows operating system records events in five areas: application, security, setup, system and forwarded
events. Windows stores event logs in the C:\WINDOWS\system32\config\ folder.

Application events relate to incidents with the software installed on the local computer. If an application such as
Microsoft Word crashes, then the Windows event log will create a log entry about the issue, the application name
and why it crashed.

Security events store information based on the Windows system's audit policies, and the typical events stored
include login attempts and resource access. For example, the security log stores a record when the computer
attempts to verify account credentials when a user tries to log on to a machine.

Setup events include enterprise-focused events relating to the control of domains, such as the location of logs after a
disk configuration.

System events relate to Windows system components, such as the status of device drivers.

Forwarded events arrive from other machines on the same network when an administrator configures one computer to
collect the logs of several others.

The most common location for logs in Windows is the Windows Event Log. It contains logs from the operating
system and several applications such as SQL Server or Internet Information Server (IIS). The logs use a structured
data format, making them easy to search for and analyze. Additionally, some applications write to log files, for
example IIS access logs, in text format.
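The structured format makes the elements listed above easy to pull out programmatically. The following Python script is an added example and is not part of the original handout: it parses the XML form of a Windows event record (what Event Viewer shows under Details > XML View) into the date, time, user, computer, event ID, source and type fields, and labels each record with one of the five event types. The two records are constructed samples (hostname and timestamps invented), not captured logs; the 7036 record mirrors the Service Control Manager example row above, and the second uses the standard Windows failed-logon event 4625 to show how the Security log signals Success Audit and Failure Audit through Keywords rather than Level.

```python
# Added example, not from the original handout: parse a Windows event record in
# its XML form into the fields the handout lists and classify its event type.
import xml.etree.ElementTree as ET

# Namespace every Windows event record uses.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# <Level> values for non-audit events. Security-log (audit) events carry
# Level 0 and signal the outcome with two bits in <Keywords> instead.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}
AUDIT_SUCCESS_BIT = 0x0020000000000000  # Event Viewer shows 0x8020000000000000
AUDIT_FAILURE_BIT = 0x0010000000000000  # Event Viewer shows 0x8010000000000000


def event_type(level: int, keywords: int) -> str:
    """Map Level/Keywords to the event-type name Event Viewer displays."""
    if keywords & AUDIT_FAILURE_BIT:
        return "Failure Audit"
    if keywords & AUDIT_SUCCESS_BIT:
        return "Success Audit"
    return LEVEL_NAMES.get(level, f"Level {level}")


def parse_event(xml_text: str) -> dict:
    """Extract date, time, user, computer, event ID, source and type."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event record: <System> block missing")
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")  # e.g. 2018-05-16T08:41:15.000Z
    date_part, time_part = stamp.rstrip("Z").split("T")
    security = system.find("e:Security", NS)
    level = int(system.findtext("e:Level", default="0", namespaces=NS))
    keywords = int(system.findtext("e:Keywords", default="0x0", namespaces=NS), 16)
    return {
        "date": date_part,
        "time": time_part.split(".")[0],          # drop fractional seconds
        "user": security.get("UserID") if security is not None else None,
        "computer": system.findtext("e:Computer", namespaces=NS),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "source": system.find("e:Provider", NS).get("Name"),
        "type": event_type(level, keywords),
    }


def count_by_type(records: list) -> dict:
    """Tally parsed records per event type, e.g. to spot a run of Failure Audits."""
    counts = {}
    for rec in records:
        counts[rec["type"]] = counts.get(rec["type"], 0) + 1
    return counts


# Constructed sample 1: the Service Control Manager 7036 Information event
# from the handout's example row, in XML form (System log). Hostname invented.
SAMPLE_SYSTEM = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID>7036</EventID>
    <Level>4</Level>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-16T08:41:15.000000000Z" />
    <Computer>WORKSTATION01.example.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
</Event>"""

# Constructed sample 2: a failed logon (standard Windows event 4625) as the
# Security log records it: Level 0, outcome given by the Audit Failure bit.
SAMPLE_SECURITY = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <Level>0</Level>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-16T08:42:03.517Z" />
    <Computer>WORKSTATION01.example.local</Computer>
    <Security />
  </System>
</Event>"""

if __name__ == "__main__":
    records = [parse_event(SAMPLE_SYSTEM), parse_event(SAMPLE_SECURITY)]
    for rec in records:
        print(rec)
    print(count_by_type(records))
```

The audit bits are tested separately from the Level value on purpose: a Security-log record reports Level 0, so a parser that only looks at Level would file every logon failure as "Level 0" and never surface a Failure Audit count.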

Windows Event Logs

Windows displays its event logs in the Windows Event Viewer. This application lets you view and navigate the
Windows Event Log, search and filter on particular types of logs, export them for analysis, and more. We’ll start by
showing you how to access it and what features are available.

Starting Windows Event Viewer

In Windows Server 2012, the Event Viewer is accessible from a number of places. Most people will open it from the
Control Panel, but it can be opened from several other places as well.

Open from Windows Control Panel


From the Control Panel, select Administrative Tools.

From the Administrative Tools window, double-click the Event Viewer icon.

Open from Server Manager

From the Server Manager, choose the Tools menu.

Select Event Viewer from the drop-down menu.

Open from Computer Manager


If you choose the Computer Management option from Server Manager’s Tools menu, Event Viewer is accessible
from that applet too.

Open from the Command Prompt

Open a command prompt window.

Type eventvwr and press Enter.
