windows logging
Skip this Video
Download Presentation
Windows Logging

Loading in 2 Seconds...

play fullscreen
1 / 29

Windows Logging - PowerPoint PPT Presentation

  • Uploaded on

Windows Logging . Or managing the morass. The Good Old Days. Back in the good old days of Windows NT, there were three main logs: The Application log The System log The Security log, which you almost never saw enabled on desktops.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Windows Logging' - LeeJohn

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
windows logging

Windows Logging

Or managing the morass...

the good old days
The Good Old Days...
  • Back in the good old days of Windows NT, there were three main logs:
  • The Application log
  • The System log
  • The Security log, which you almost never saw enabled on desktops.
  • Windows 9x (95/ 98 and ME) of course didn't bother with anything so sophisticated.
  • Most users never realised that Windows logs existed.
  • Even those who did had no idea what most of the error messages meant.
then life got a lot more complicated
Then life got a lot more complicated...
  • Currently there are two main setups, pre-Vista and post-Vista.
  • The logs which most sysadmins are used to are probably still the main three logs of Windows NT although the some minor tweaks have been made.
  • The Security log is not necessarily enabled on desktops.
  • It is turned on automatically on servers (2003) but the default settings record success and failure equally, which may not be the most efficient of settings.
  • One improvement is that Windows 2003 security logs may now record the full IP address of machines attempting a login (previously only the NetBIOS name was recorded).
vista style logging changes
Vista-Style Logging changes
  • Vista logs use a different XML-based format and the .evtx rather than a .evt extension).
  • More details can be found here:
  • There are two very important consequences:
  • Vista and Windows 2008 .evtxlogfiles cannot be read on pre-Vista machines (at least in native .evtx format):
  • The fields in which certain events are recorded have changed.
  • Specifically the Type field which was previously used to record the severity of events (Information, Warning, Error, Audit Success, Audit Failure) is now called Level. Mostly security events are now recorded in the new Keywords field, not the Level field.
  • If you already have a log-collecting procedure, then clearly what you collect will need to change.
vista style logging changes5
Vista-Style Logging changes
  • Vista logs use a different three-pane interface.
  • Windows 2008 logs follow this style but are potentially far more numerous.
  • Part of the consequences of the new structure is that opening a Vista log even on a powerful machine takes far longer than the old .evt-style interface.
  • As a consequence of recording much more detail, post-Vista-style logs can expand very rapidly so it’s wise to allow much more space for them.
  • The differences in what is recorded between Vista logs (desktop) and Windows 2008 logs, particularly on AD servers is much more marked.
vista windows 2008 three pane interface
Vista/Windows 2008 Three-Pane Interface
  • The left-pane details the all the categories of logs.
  • The middle-pane gives the old familiar log entries with the details of the line you click on presented beneath.
  • The right-pane has a list of possible actions and tasks (for example the Filter action which was previously found under the main menu. )
what does all this mean for sysadmins
What does all this mean for SysAdmins?
  • The primary use for logs is still for troubleshooting hardware and software problems as well as for security purposes.
  • The problem is that as the complexity of log entries increase so does the ratio of background “noise” to useful information.
  • The old-style logs are still quite effective tools.
  • For example repeated messages in system logs about disk errors at decreasing intervals often precedes a hard disk failure.
  • Or a malware-affected portable may give warning about "new" services being installed or even (when such malware has been partially cleaned by anti-virus or anti-spyware) of the malware's failure.
what does all this mean for sysadmins8
What does all this mean for SysAdmins?
  • The advantage of the older style of logs is that their format and error messages are in general well understood.
  • Specialist sites like give good information on their meanings and possible consequences.
  • Even if a specialist site cannot give specific advice details of the circumstances under which the error can arise they may still be helpful.
  • The following example uses a filter which displays only the Warning, Error and Failure Audit entries in the Application log on a Windows XP box, and gives the less than helpful error message about a ‘ Fault Bucket’ failure.
determining what the errors mean
Determining what the errors mean...
  • Looking up the unhelpful error message 'Fault bucket', no source except 'Application Error' and an event ID of 1001 gives a page of cases when this error messages has arisen and what solved the problem, as well as reference to Microsoft Technet articles.
  • In this particular case (one of the Technet articles mentioned above) makes it clear that this error is normally related to another eventid (1004) which when looking back at the log which was being scanned linked the error message with a Firefox problem.
  • So even the more obscure old-style messages can normally be determined.
what does all this mean for sysadmins13
What does all this mean for SysAdmins?
  • Basically just going through the logs on a regular basis manually, particularily on desktops is no longer a viable proposition for most sysadmins, especially since the ‘known’ problems database for Vista-style logs isn’t really there yet.
  • So although mostly you will still need to go back to the full set of logs to diagnose a problem in further detail, some form of scripting collecting/sorting/pruning of logs is needed.
  • You can link directly to Microsoft’s database of errors from Vista-style logs but although I’ve tried this several times, mostly I get told I have an unknown error.
  • Hopefully as Vista and Windows 2008 age the ‘known database’ of problems will get larger...
so what does all this mean for sysadmins
So what does all this mean for SysAdmins?
  • Various third-party products which perform this function have been around for ten years, including Event Alarm, GFI Events Manager and EventSentry.
  • Microsoft realised the growing market in this area was being exploited in the late 90s and brought out MOM 2000 (Microsoft Operations Manager).
  • MOM 2005 with SP1 is compatible with Windows 2008, but it looks as though that is the end of the line (?merging with SMS).
  • 2007 saw the release of System Center Operations Manager 2007:
  • All of these are specialized products, and they are not free. Only large organisations can generally afford them.
  • So what’s the alternative?
free alternatives
“Free” Alternatives
  • One product which has been around for several years is a product produced (and to a certain extent supported) by Microsoft called Log Parser.
  • It can be downloaded from Microsoft:
  • Although the blurb says it’s compatible with Windows XP Pro, Windows 2000 and Windows 2003 it runs perfectly happily on Windows Vista and Windows Server 2008.
  • A word of warning: this is a command-line tool which demands a fair amount of care in usage and a basic knowledge of SQL syntax. It repays work put into it but you will need to spend a little time getting used to it.
free alternatives17
“Free” Alternatives
  • Log Parser will deal with many log formats other than the standard .evt and .evtx ones, including syslog files, W3C (IIS log-format) and various other Windows format files.
  • It has various output formats including a Chart one (pie graphs and the like) and SQL.
  • Log Parser is still a trifle buggy when used with .evtx files. You need to specify ‘-i:EVT’ to get it to recognise these files.
  • The default output format used if you do not specify one is NAT, which is a very wide tabular based format you may not find entirely helpful.
  • It comes with a directory full of SQL samples directed at the IIS log format so they will need to be adapted for ordinary event log use.
free alternatives18
“Free” Alternatives
  • The following command-line produces an output file called report.txt detailing a particular type of SQL error from the Application log on a Windows 2008 server running SQL Server 2005 in the Datagrid format when run from the Program File\Log Parser directory (probably best to extend the PATH to include the Log Parser directory on a regular basis).
  • logparser -i:EVT "SELECT * INTO report.txt FROM Application WHERE SourceName='MSSQLSERVER' AND EventType=16" -o DATAGRID
free alternatives21
“Free” Alternatives
  • The first details to check if you want to use Log Parser are the fields used in the format you want, or you will find that you are getting an awful lot of errors every time you try to run a query.
  • The examples given in the Log Parser online help files (or from the command-line) are far from exhaustive.
  • If you are more used to a GUI-style interface and unhappy having to build up your scripts from there, then there is a GUI front-end available:
  • You need to read the documentation to ensure you have the right components available to use it.
free alternatives22
“Free” Alternatives
  • Log parser examples (also in the on-line Help):
  • SecurityFocus article on using Log Parser to look at IIS log files (includes description of all the fields used in this format):
  • Lots of IIS examples:
  • A step-by-step guide on importing Security logs:
other possible solutions
Other Possible Solutions
  • Microsoft have included a query-driven language using XML behind the scenes which you may prefer to use if you are happier with XML than SQL.
  • It is driven in much the usual way from the normal grey GUI-style of interface.
  • For example in Windows 2008 server you will see an entry at the bottom of the left-hand pane entitled Subscriptions.
  • If you click on Subscriptions the normal type of wizard starts asking you the type of questions you’d expect e.g. which computers do you wish to connect to (an obvious option is domain computers).
  • You also have the possibility of choosing which level of events (e.g. Audit Failure, Error etc) you choose to collect.
other possible solutions24
Other Possible Solutions
  • The important point about setting up subscriptions in the underlying new functionality in the post-Vista world of collecting remote logs (even on a desktop) which is where the new Forwarded Events log comes in.
  • This allows you to combine logs from a variety of differing sources.
other alternatives
Other Alternatives
  • Other features in the new-look logs include the ability to attach a task to a particular log (a wizard runs).
  • The scheduled job can then be tidied up and/or developed in the usual way using the Scheduler.
  • There is also the ability to create Custom Logs for particular tasks.
  • Some particularly useful pre-supplied logs are included with the various new role functions in Windows Server 2008.
  • For example if a Windows 2008 server is set up as a Windows Terminal Server Gateway (TSG) then a log of who is accessing the TSG is automatically started.
mixed solutions
Mixed Solutions
  • It is perfectly possible to use a combination of Log Parser and the new functionality of normal Vista logging to handle more complex tasks.
  • For example you could use the new Forwarded Events log to collect all event of any severity from domain computers and then run the resulting output through Log Parser (which also produces CSV and TSV output) into the database of your choice…
  • For the brave here’s the Microsoft take on AD auditing:
the future
The Future
  • Well what can I say? If you are interested you can read the Microsoft Center Team’s plan to take over the world: