Monitoring Event Logs in Windows Vista

by Mitch Tulloch [Published on 21 March 2006 / Last Updated on 21 March 2006]

This article examines the enhanced features for event log monitoring in Windows Vista and walks the reader through configuring and using these features to better troubleshoot system problems.



One of the key tools for troubleshooting issues with Windows computers is Event Viewer. Using this console, you can view events recorded in the Application, System, and Security logs and use this information to try to resolve problems with your computer. Domain controllers have additional logs such as Directory Services, DNS Server, and File Replication Service that can be used to troubleshoot issues involving Active Directory replication and DNS name resolution. Unfortunately, Event Viewer in pre-Vista platforms suffers from several limitations that make it underperform as a troubleshooting tool. These limitations include a lack of support for centralized logging, an inability to query across multiple logs, limited event filtering capability, and a general lack of "software intelligence" in terms of helping you understand how different events correlate with possible problems and how those problems can be resolved.

Windows Vista's enhanced version of Event Viewer is a big improvement in many of these areas, and while it's still not perfect (especially in the area of software intelligence) it's still a good step forward over the previous version of the tool. Let's walk through using some of these new features so you can learn how to use their capabilities for troubleshooting purposes. While I do this I'll highlight some new terminology to bring it to your attention. Note that this article is based on a pre-release version of Vista so some details may change in the final release.

The Big Picture

When you open Event Viewer you can immediately see some similarities and differences with the previous version of the tool (Figure 1):


Figure 1: What Event Viewer looks like in Vista

The new action pane on the right basically just gives you an alternative method of performing actions on selected items. The previous methods of right-clicking and selecting the Action toolbar button still work the same. Personally I still prefer right-clicking since it involves less hand movement with the mouse once you've selected the object of interest.

The scope pane at the left displays a more complex tree of options than in the previous version of the tool. Let's drill down into this pane by selecting the node labeled Global Logs (Figure 2):


Figure 2: Examining the scope pane

Note that there are now several different types of event logs you can monitor including Administrative, Operational, Analytic, and Debug log types. Selecting the Application Logs node in the scope pane reveals that there are numerous other new event logs you can use, including many labeled as diagnostic logs (Figure 3):


Figure 3: Lots and lots of new event logs

In fact, most of the items displayed in the center view pane above are actually subfolders containing more logs! Clearly the event logs in Windows Vista have a much greater level of granularity than in previous versions of Windows, and this should make it easier to drill down and find information that is more relevant to the issue you are troubleshooting than before.

Working with Views

Another new feature of Event Viewer in Windows Vista is views, which are essentially filters on steroids. The filtering capability of the previous version of Event Viewer was pretty good—you could filter events by event source, category, event ID, user, computer, start and end date, and type such as information, warning, error, and so on. Something many administrators don't know about the old Event Viewer is that you can in fact create more than one filter at a time and keep these available for later use. To do this, you right-click on the log you want to focus on and select New Log View, then select this new view (basically a virtual copy of the log) and filter it to drill down on the items you want to watch. With Windows Vista it's almost the same only better—just right-click on the Views node and select Create View, which opens a properties sheet (filter) for configuring your view (Figure 4):


Figure 4: Creating a new view

Note the new ability to filter events by keyword, a welcome addition to the tool's functionality. You can also use the Event Log gadget at the top to select more than one log as the source for your view, which means you can now create a view that displays, for example, all critical events found in either the Application or System log (Figure 5):


Figure 5: Creating a single view that displays events from multiple logs

You can then give the view you created a descriptive name like this (Figure 6) and, if you want, choose whether the view is available only to the current user or to all users:


Figure 6: Naming a newly created view

You can also create new application views, which are basically just views of application logs. In other words, you can create a custom view of some specific functionality such as Microsoft Print Spooler and then filter this to display certain kinds of events. And you can create as many new views as you want, plus when you create them you can also create new subfolders to organize your views. Then when you need to check on something, you just select the view you want and the filtered events are displayed.
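To show what a view like the one built in Figures 4 through 6 looks like underneath, here is an added example (not from the article, and not Microsoft's own code): the XML query format the release version of Vista's Event Viewer uses to store a custom view, run from PowerShell with Get-WinEvent rather than from the console. It assumes PowerShell 2.0 or later on Vista RTM or newer; the helper name `Invoke-CustomView` is my own, and the two views (recent Critical/Error events across Application and System, and Security audit failures selected by keyword) are constructed for the example.

```powershell
# Added example, not code from the article: the XML query that defines a custom
# view, run from PowerShell instead of the Event Viewer GUI.
# Event Viewer stores a view as a <QueryList> of XPath <Select> elements, one
# per source log, which is how a single view can cover both Application and
# System. Level 1 = Critical, Level 2 = Error; timediff(@SystemTime) is the
# function the "Last 24 hours" filter uses, in milliseconds.
# Assumption: PowerShell 2.0+ (Get-WinEvent), i.e. Vista RTM or newer.

# View 1: Critical and Error events from either log in the last 24 hours.
$recentFailuresView = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@

# View 2: the keyword filter the article mentions. Keywords is a 64-bit mask;
# 0x10000000000000 (4503599627370496) is "Audit Failure" in the Security log.
$auditFailureView = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(band(Keywords,4503599627370496))]]</Select>
  </Query>
</QueryList>
'@

function Invoke-CustomView {
    # Runs a view query and returns the newest $MaxEvents matches as objects,
    # the same rows the view would show in the center pane.
    param(
        [Parameter(Mandatory = $true)][string]$QueryXml,
        [int]$MaxEvents = 20
    )
    try {
        Get-WinEvent -FilterXml $QueryXml -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
                          @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
    }
    catch [System.Exception] {
        # Get-WinEvent throws "No events were found..." when the view is empty;
        # treat that as an empty result rather than an error.
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

Invoke-CustomView -QueryXml $recentFailuresView | Format-Table -AutoSize
# Reading the Security log requires an elevated prompt.
Invoke-CustomView -QueryXml $auditFailureView -MaxEvents 10 | Format-Table -AutoSize
```

The same `<QueryList>` text is what you would paste into the XML tab of the view's filter dialog, so a query tested at the prompt can be kept as a view for the other administrators on the machine.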

XML Under the Hood

With Vista, XML is now under the hood almost everywhere in Microsoft Windows products. Even the details of events stored in event logs are in XML format. To see this, let's open the properties of an event from the Application log (Figure 7):


Figure 7: Properties of an event

This looks pretty similar to event information in previous versions, and note the link to event log online help. When you click this link you are prompted to confirm sending your event information over the Internet to Microsoft, and if you agree then Internet Explorer opens up and you get a page that has the usual "We're sorry, there is no additional information about this issue etc." that we're all familiar with from earlier versions of Windows. I don't expect this help feature to get much better with Vista, and if I really want to find help on a mysterious event then I go to EventID.net, a community site where administrators share their tips concerning what conditions or problems may have caused the particular event. EventID.net is a paid subscription-based site, but if you're a Windows administrator then it's really worth shelling out a few bucks a year to gain access to the full database on this site; I highly recommend it. But back to Event Viewer—click the Details tab and you'll see the event info in XML format (Figure 8):


Figure 8: Event viewer stores event information in XML format

Note that you can display this information in a more readable format by selecting Friendly View. Why does Vista store event info in XML format? Probably because this makes it easier to centralize, consolidate, and mine event data to find useful information when troubleshooting a problem. In other words, by schematizing event data using XML, you can create rich information that can easily be integrated with management platforms like MOM and SMS, though we'll have to wait to see how all that plays out later.
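Because the event is XML, the mining the paragraph above describes can be done with an ordinary XML parser. The following is an added example, not code from the article or from Microsoft: it takes one event in the Vista event schema and returns the System fields plus the EventData name/value pairs as an object. The sample event is constructed (the computer name, record ID, and timestamp are made up; the namespace URI is the real one), the function name `ConvertFrom-EventXml` is my own, and the live-event usage at the end assumes PowerShell 2.0 or later, where `EventLogRecord.ToXml()` returns the same document you see on the Details tab.

```powershell
# Added example, not from the article: pulling fields out of an event's XML.
# The sample below is a constructed System-log event in the schema Vista uses
# for every event (computer name, record ID and time are made up).
$sampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2006-03-21T14:02:17.000Z" />
    <EventRecordID>4521</EventRecordID>
    <Channel>System</Channel>
    <Computer>vista-test.example.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Print Spooler</Data>
    <Data Name="param2">stopped</Data>
  </EventData>
</Event>
'@

function ConvertFrom-EventXml {
    # Returns the fields an administrator usually wants from one event, plus
    # the EventData name/value pairs, which vary by event and provider.
    param([Parameter(Mandatory = $true)][string]$EventXml)

    [xml]$doc = $EventXml
    # Every element is in the event namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $sys = $doc.SelectSingleNode('/e:Event/e:System', $ns)
    $data = @{}
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        # Classic (pre-Vista style) events may carry unnamed <Data> elements;
        # give those a positional key so nothing is dropped.
        $key = if ($d.GetAttribute('Name')) { $d.GetAttribute('Name') } else { "Data$($data.Count)" }
        $data[$key] = $d.InnerText
    }

    New-Object PSObject -Property @{
        Provider    = $sys.SelectSingleNode('e:Provider', $ns).GetAttribute('Name')
        EventId     = [int]$sys.SelectSingleNode('e:EventID', $ns).InnerText
        Level       = [int]$sys.SelectSingleNode('e:Level', $ns).InnerText
        TimeCreated = [datetime]$sys.SelectSingleNode('e:TimeCreated', $ns).GetAttribute('SystemTime')
        Channel     = $sys.SelectSingleNode('e:Channel', $ns).InnerText
        Computer    = $sys.SelectSingleNode('e:Computer', $ns).InnerText
        EventData   = $data
    }
}

# Parse the constructed sample and rebuild the message from its EventData.
$parsed = ConvertFrom-EventXml $sampleEventXml
$parsed | Format-List Provider, EventId, Level, TimeCreated, Channel, Computer
"$($parsed.EventData['param1']) service entered the $($parsed.EventData['param2']) state"

# Against live events (PowerShell 2.0+), the same function applies unchanged:
# Get-WinEvent -LogName System -MaxEvents 5 | ForEach-Object { ConvertFrom-EventXml $_.ToXml() }
```

Selecting nodes through the namespace manager is deliberate: PowerShell's dotted XML property access works for most elements, but an element that carries attributes (such as `EventID` with its `Qualifiers`) comes back as an element rather than its text, and the explicit XPath avoids that surprise.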

Conclusion

An important piece of Event Viewer functionality that will be included in future builds will be the ability to forward events from one computer to another, centralized computer. This will allow you to easily monitor selected kinds of events for multiple computers across a network from a single Vista workstation. Other improvements may work themselves into Event Viewer before RTM, but I think we can say from the above tour that Vista's version of this tool is a big improvement over previous versions and will make monitoring and troubleshooting Windows-based computers easier than ever. But don't forget to subscribe to EventID.net if you want access to the collective knowledge (and frustration) of the global administrator community concerning those mysterious, strangely worded events that are sometimes (or often) displayed by Event Viewer!

The Author — Mitch Tulloch


Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions.
