Microsoft Event Logging: when an error occurs, the system administrator or integrator must determine what caused it. The Windows event logs record the conditions that preceded the error and the context in which it occurred (which component, which user, which computer, and when), and Event Viewer is the built-in tool for reading them.
Step-by-step guide
Starting Event Viewer
How you start Event Viewer depends on your starting point; the quickest route is Windows key + R, type "eventvwr.msc" and press Enter. Reading the Security log requires an elevated (administrator) session or membership in the local Event Log Readers group.
Selecting Computers
With suitable administrative rights on the target, you can connect Event Viewer to any computer in your network and view that computer's event logs. The target must accept RPC connections to its event log service; on a Windows host that means the "Remote Event Log Management" firewall rule group is enabled.
To select computers in Event Viewer:
At the top of the console tree, right-click Event Viewer (Local), and then click Connect to Another Computer.
Enter the FQDN or NetBIOS name of the computer, or click Browse to locate it. Tick Connect as another user if the account you are logged on with has no rights on the target.
Adjusting Event Viewer Settings
In the console tree, right-click the appropriate log, and then click Properties. The General tab shows the log's file path, its current and maximum size, and what happens when the maximum is reached (overwrite events as needed, archive the log when full, or do not overwrite). For the Security log, a small maximum with overwrite enabled means events roll off within hours on a busy system; size it so that the retention period you need actually fits.
Saving Event Logs
In the console tree, right-click the appropriate log, and then click Save All Events As (older versions: Save Log File As). Navigate to the folder in which you want to save the file, type a name for it, choose the file type, and then click Save. The .evtx format keeps every field and can be reopened in Event Viewer or read with Get-WinEvent; .xml, .txt and .csv are for other tools. If a filter is active, Save Filtered Log File As exports only the events currently shown.
Clearing Event Logs
In the console tree, right-click the appropriate log, and then click Clear Log (older versions: Clear all Events). You are prompted for whether you want to save the log to a file before clearing it. Click Save and Clear (Yes in older versions) to save a copy and then clear all events. If you click Clear (No), the log is not saved, but all events are cleared from the selected log. If you click Cancel, the request to clear the log is cancelled. Clearing is itself logged: the Security log records event ID 1102 ("The audit log was cleared") and the other logs record event ID 104, both from source Microsoft-Windows-Eventlog, so an attacker who clears a log leaves exactly that trace, and defenders should alert on it.
Viewing Event Details
In the console tree, click the appropriate log. The events it contains are listed in the details pane of Event Viewer. Double-click an event (or select it and press Enter) to open the Event Properties dialog box: the General tab shows the description, and the Details tab shows every field of the event, either as a friendly view or as the raw XML.
Filtering Events
In the console tree, click the appropriate log, and then click Filter Current Log in the Actions pane (older versions: right-click the log, click Properties, then click the Filter tab). Enter the criteria you want to filter on: time range, level, source, event IDs (comma-separated; a hyphen gives a range and a leading minus excludes an ID), task category, keywords, user and computer. The XML tab shows the XPath query Event Viewer builds from your choices; it can be edited by hand and reused with wevtutil or Get-WinEvent.
Finding Events
In the console tree, click the appropriate log. On the Action menu (or in the Actions pane), click Find. Type the text you want to find in the dialog box, and then click Find Next. Find is a substring search over the text of each event, including the description, so it is slower than a filter but finds things a filter cannot express.
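The same sequence of tasks (connect to a computer, inspect log settings, filter, view details, find, save, clear) can be scripted, which is how an incident responder usually does it across many hosts. The following is an added example, not code from the original page; it uses Get-WinEvent and wevtutil, both of which ship with Windows. The host name SRV01 and the paths under C:\Temp are assumptions, as is that the caller has administrative rights on the target and that the "Remote Event Log Management" firewall rules are enabled there.

```powershell
# Added example (not from the original page): the Event Viewer tasks above,
# driven from PowerShell with Get-WinEvent and wevtutil.
# Assumptions: SRV01 is a hypothetical remote computer, C:\Temp exists, the
# caller is an administrator on the target, and the target's
# "Remote Event Log Management" firewall rule group is enabled.
$Target = 'SRV01'
$Export = 'C:\Temp\System-errors.evtx'

# "Adjusting Event Viewer Settings": what the General tab shows, for three logs.
# LogMode is Circular (overwrite), AutoBackup (archive when full) or Retain.
Get-WinEvent -ListLog System, Application, Security -ComputerName $Target |
    Select-Object LogName, LogFilePath, MaximumSizeInBytes, LogMode, RecordCount

# "Filtering Events": Level 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
$since  = (Get-Date).AddDays(-1)
$errors = Get-WinEvent -ComputerName $Target -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = $since
} -ErrorAction SilentlyContinue        # Get-WinEvent throws if nothing matches

# "Viewing Event Details": the same fields the Event Properties dialog shows.
$errors |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
        MachineName, UserId, OpcodeDisplayName, TaskDisplayName, Message -First 5 |
    Format-List

# "Finding Events": Find in the GUI is a substring search over the message text.
$errors | Where-Object { $_.Message -like '*timed out*' } |
    Select-Object TimeCreated, ProviderName, Id

# "Saving Event Logs": export to .evtx so the file can be reopened later with
# Get-WinEvent -Path or with Open Saved Log in Event Viewer. wevtutil takes an
# XPath query (the same kind the Filter dialog's XML tab shows); this one keeps
# Critical and Error events only.
wevtutil epl System $Export "/r:$Target" "/q:*[System[(Level=1 or Level=2)]]"
(Get-WinEvent -Path $Export | Measure-Object).Count

# "Clearing Event Logs": back up first (/bu), then clear. Clearing is audited:
# the Security log records event ID 1102 and other logs record event ID 104,
# source Microsoft-Windows-Eventlog, so a cleared log is never silent.
wevtutil cl System "/bu:C:\Temp\System-before-clear.evtx" "/r:$Target"
```

Replace SRV01 with `$env:COMPUTERNAME` (and drop the `/r:` arguments) to run the same steps locally; the Security log still needs an elevated prompt even then.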
Event Types:
The five event types defined by the classic Event Log service are:
Error – An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
Warning – An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.
Information – An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.
Success Audit – An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.
Failure Audit – An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.
On Windows Vista and later the first three are values of the event's Level (together with Critical and Verbose), while Success Audit and Failure Audit are not levels at all: audit events in the Security log show a Level of Information and carry the Keywords "Audit Success" or "Audit Failure". Filters that want to separate failed from successful access attempts must therefore filter on Keywords, not on Level.
The events themselves are what we are trying to see, and their usefulness ranges from specific, obvious messages that you can act on immediately to undefined ones that make no sense and yield nothing on your preferred search engine.
The standard fields shown for each event are:
Log Name – in older versions of Windows almost everything was written to the Application or System log; modern editions have dozens or hundreds of logs, and most Windows components have their own under Applications and Services Logs.
Source – the name of the provider (the component) that generated the event. It rarely matches a file name, but it identifies which component was responsible.
Event ID – the all-important Event ID is only unique within a Source. If you search for "event ID 122" on its own you will not end up with useful information unless you also include the Source, because every provider defines its own numbering and unrelated providers reuse the same numbers.
Level – how severe the event is. Information tells you that something has changed, a component has started, or an operation has completed. Warning tells you that something might be going wrong, but it is not critical yet. Error tells you that something happened that should not have happened, though it is not always the end of the world. Critical means a failure the component could not recover from, typically a crash or an unexpected shutdown. Verbose, rarely shown by default, is diagnostic detail.
User – the account under which the process that logged the event was running, either a system account (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) or a user account. Security log audit events usually show N/A here; the account involved is in the event description instead.
OpCode – the activity the component was performing when it logged the event (for example Start or Stop). In practice it almost always says Info, so it rarely helps.
Computer – on a home desktop this is just your PC's name. In a managed environment events can be forwarded from many machines to a collector with Windows Event Forwarding, and you can connect Event Viewer to another PC or server, so this field records which machine actually produced the event; check it before concluding that a problem is local.
Task Category – not always used; where the provider defines it, a sub-classification of the event (for example Logon or Logoff in the Security log).
Keywords – often empty for application events, but essential in the Security log, where Audit Success and Audit Failure are Keywords rather than Levels; filtering on them is how you separate failed logons from successful ones.
As a rule of thumb, search by the general description, by the Event ID together with the Source, or a combination of those. Because Event IDs are only unique within a Source, the same number turns up in unrelated components, and a search for "Event ID 122" alone returns a list that is too large and too general to match your issue.
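Two of the points above are easy to get wrong in practice: audits are Keywords rather than Levels, and Event IDs collide across Sources. The following added example (not code from the original page) checks both against the local machine's logs with Get-WinEvent. It assumes an elevated prompt, since the Security log cannot be read otherwise; the Kernel-Power provider and event ID 41 in the last query are only an illustration of pairing Source with ID.

```powershell
# Added example (not from the original page): the event fields above in
# practice, queried from the local logs. Assumes an elevated prompt.

# 1. Audit events are not Levels. Filter the Security log on the Keywords bit
#    for Audit Failure (StandardEventKeywords.AuditFailure = 0x10000000000000)
#    and note that LevelDisplayName still reads "Information".
$AuditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
$AuditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess

$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = $AuditFailure
    StartTime = (Get-Date).AddHours(-24)
} -MaxEvents 50 -ErrorAction SilentlyContinue

$failed |
    Select-Object TimeCreated, Id, LevelDisplayName, TaskDisplayName,
        @{ n = 'Keywords'; e = { $_.KeywordsDisplayNames -join ',' } } -First 5

# 2. Event IDs are only unique within a Source. List IDs in the System log that
#    were logged by more than one provider during the last week; each row is a
#    number that would be ambiguous if searched for without its Source.
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    Where-Object { @($_.Group.ProviderName | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Id        = $_.Name
            Providers = (@($_.Group.ProviderName | Sort-Object -Unique)) -join '; '
        }
    }

# 3. The search key a practitioner actually uses: Source and ID together.
#    Kernel-Power 41 (unexpected shutdown) is only an illustration here.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Power'
    Id           = 41
} -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName
```

Swap `$AuditFailure` for `$AuditSuccess` in the first query to see successful logons instead; on a quiet workstation the second query may return nothing, which simply means no ID was reused in that window.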