I have been working with Windows-related solutions for over 15 years. During that time period, the Event Viewer has always been a hard topic to discuss as it has fallen short of even being very functional for most of that time period. The events have been non-descriptive, the capabilities to control the events non-existent, and the overall perception of the Event Viewer has been less than satisfactory. Well, all of that started to change in the Windows Vista era, followed by Windows Server 2008, Windows 7, and Windows Server 2008 R2, which has elevated the Windows Event Viewer into a useful, descriptive, and competitive tool. If you are a network admin, security professional, or security auditor you will want to take a look at what is available with the new features that Windows Server 2008 and R2, as well as Windows 7 offers with the Event Viewer.
Pains and Limits of Old Event Viewer
For the past years the event viewer has caused problems, headaches, and frustration to nearly every Windows administrator. The tool, although important, has had significant limitations. For those Windows professionals that rely on the events generated by the Event Viewer need to have a tool that they can rely on, but have not had that to this point.
The events generated in the old Event Viewer were not very descriptive. For most events, the description was short, cryptic, and not useful to track down why the event occurred. Of course, the events that are generated by the Event Viewer include common attributes, such as:
- Type of event
- Date of the event
- Time the event occurred
- Source of the event
- Category the event falls under
- Event ID to track the event details
- User that caused the event to occur
- Computer on which the user was logged on which caused the event
Although these events contain these common attributes, there has been little to no methods to filter through the events to find exactly what you are looking for. Yes, there was a filter option, but the filter option was limited compared to what you have in the new Event Viewer.
There was no way to be notified if an event occurred which you wanting to track. The only way to know that an event occurred is to manually check for the event in the log. When there are hundreds of events being tracked and logged on hundreds of servers, this is a limiting factor.
Finally, the most restrictive aspect of the old Event Viewer is that all events are tracked on the computer where the activity occurs. So, if you have thousands of desktops, hundreds/thousands of servers, that means there will be thousands of logs that need to be reviewed. The old Event Viewer has no way to archive or centralize logs from all of these computers.
New Details for Events
For Windows Vista, 7, and Server 2008, the events are more descriptive and give more details. First off, it appears as if Microsoft has hired some amazing documentation experts who know how to work within the interface to give good information. Some events provide not only the event description, but give background information on why the event might have occurred, as in Figure 1.
Figure 1: Events now often give even more information than just a description
Beyond these details, all events now come in two formats: standard text based and XML. They both provide the same information, but each can be used for different purposes. The standard text view is a detailed view, which gives some spectacular detail about the event, which can be seen in Figure 2.
Figure 2: Detailed view of event
The XML view provides a format that can be used by scripts, programs, PowerShell, etc. Although not all that useful while browsing through the logs, this is very useful is you want to export the data and manipulate it with some scripting language or put into a Web format.
Another amazing option that I like to take advantage of is the Custom Views. Although the previous Event Viewer had the ability to copy a view, this Event Viewer now allows you to customize the views. For example, say that you want to look at 4 specific event IDs from 5 different logs. You can perform this easily with the Custom View option. You simply create a new custom view, then select which logs you want to include in the view, along with the other details, such as Event IDs. Figure 3 illustrates these options in the Custom View dialog box.
Figure 3: Custom View allows for multiple logs and specific Event IDs in one view
Another great feature of the new Event Viewer is the ability to set filters for logs, even the Custom View logs that you generate. The filtering is just another way for you to find what you want in the log, quickly and precisely. The filtering option is similar to that of the old Event Viewer, except there is a new option for Keywords, which pulls out keywords from the events for you to pivot upon. Figure 4 shows you what a filter dialog box and options looks like.
Figure 4: Filtering allows for you to show specific events in the log
Now in the new Event Viewer, you can setup a task to be associated with a log or event. The idea is that you can have an email sent to you, a program start, or a message displayed when certain criteria is met. This allows for you to be notified immediately when certain events occur, instead of you finding out about them when you get to review the log. The interface is very intuitive and the options simple to configure. Figure 5 illustrates the Task Wizard for associating tasks to events.
Figure 5: Tasks can be associated with events or logs
The new Event Viewer comes with some of the most desired options Windows administrators have wanted for years. The old Event Viewer was limited, clumsy, and not very detailed. In reality, this is not very useful. The new Event Viewer with Windows Vista, 7, and Server 2008 provides more detail for events, which provide an insight into what is really occurring with your computer. The ability to set up Custom Views in the new Event Viewer gives you a place to converge different logs and Event IDs into a single view. Combine the Custom Views with the filtering option and now you can find any event quickly and be able to see it in s shorter time after filtering than before. The task option can be linked to a log or event, giving you real time management of the events as they occur. With the new Event Viewer, you can control your events more precisely, with better efficiency, and provide yourself with more time for other tasks!