Using the Event Viewer snap-in

Windows Server 2003 admins can benefit from using the various snap-ins included with the Computer Management Console. This tip offers a more detailed introduction to one of these snap-ins: Event Viewer. (To access the Computer Management Console in Windows Server 2003, right-click the My Computer Icon on the Start menu and select Manage with the left button.)

Event Viewer displays items logged by the system when actions happen within a Windows Server 2003 system. You can access the tool from the Run dialog by entering eventvwr and clicking OK.

By default, the events logged are captured in one of these log files:

• System: Shows Windows system events.
• Application: Shows events recorded by applications that are installed on the system.
• Security: Contains records of logon/logoff actions and privilege use.

(Other applications--which include later versions of Microsoft Office and Internet Explorer, Microsoft Active Directory, and File Replication Services--may create their own logs, which will appear in the event log.)

Each of the logs included in Event Viewer by default allow you to quickly view actions taking place on a system. For example, the starting and stopping of services are recorded as informational entries in the System log.

The System and Application logs also record warning events and critical events. Warning events display events that are not immediate problems but could cause more serious issues if left unchecked. Critical events occur when a component or application fires an error when performing a task. An example of a critical event within the Directory Services log might be an error that occurs when the Domain Controllers in your Active Directory environment cannot replicate directory service information between each other. While this error can be caused by several things, including network outages or problems with DNS, it is classified as critical because it becomes a significant point of possible failure in your environment.

Backing up, clearing, and altering the size of event logs
You can also use Event Viewer to back up and clear the event logs. You may want to do this if a given log has reached its maximum size limit.

To clear a log of all the events it currently holds, follow these steps:

1. In the left pane of the Computer Management Console, right-click the event log you want to clear and select Clear Log.
2. Windows Server 2003 will ask you if you want to save the contents of the file before clearing it. Click Yes and then choose a location to save the contents of the log.
3. Click Save. This will back up the contents of that log and clear it.

Follow these steps to change the size of a log:

1. Right-click the log file object for which you wish to adjust the size and select Properties.
2. Enter the new file size in the Maximum Size box (the default is 512 KB), then click OK.

Maintaining log files automatically
When the log files are created, they are assigned a default size of 512 KB. This size is usually easy to manage; however, if the system is accessed frequently and processes many logons, the Security log may become full more often than you like. If this happens, the PC will prevent logons by anyone who is not a member of the administrators group. (This is typically not an issue on a server system, but I’m using it as an example of an event that can occur that will fill the log file.)

To remedy full log files, you can assign one of the following actions to each log file:

• Overwrite events as needed (overwrite the oldest events first)
• Overwrite events older than xx days
• Do not overwrite events (clear logs manually)

If you assign either of the first two options, it will allow the logs to manage themselves in terms of disk space.

Note: It's important to review log files on a regular basis to ensure that your Windows Server 2003 systems are functioning properly. The log archiving option will allow you to review the log files, while keeping the active logs manageable with little intervention.