Chapter 12: Working with the Windows Registry and Event Logs
FIGURE 12-1: Event Viewer displays events on local and remote computers.
FIGURE 12-2: To display events on a remote computer, select Another Computer and then enter the computer name or IP address.
Understanding event entries
When you select a log in the console tree, the current entries for that log are displayed in the view pane.
Each entry provides an overview of why, when, where, and how an event occurred. This information
is organized under the following column headings:
■ Type: The type of event that occurred, such as an error event
■ Date: The date the event occurred
■ Time: The time the event occurred
■ Source: The component that generated the event
■ Category: The class of the event, such as Online Defragmentation or Logging/Recovery
■ Event: An identifier for the specific event that occurred
■ User: The user account that triggered the event
■ Computer: The computer name where the event occurred
You can obtain detailed information on an event by double-clicking its entry in the view pane. The
additional information provided is:
■ Description: Provides a text description of the event
■ Record Data: Provides any data or error code output by the event
Of all the various kinds of information that you can gather from event logs, the most valuable for
determining the relevance of an event is the event type. Event types include:
■ Error: An event for an application, component, or service error. You should examine all error events.
■ Failure Audit: An event related to the failed execution of an action. If you are auditing user activities to help you monitor network security, you should keep track of all failed audit events.
■ Information: An information event, which is generally related to a successful action. You don’t need to watch information events closely, but may want to track totals on various categories of information events.
■ Success Audit: An event related to the successful execution of an action. You don’t need to watch these events closely, but may want to track totals on various categories of these events.
■ Warning: An event that may cause problems on the system, but isn’t necessarily the result of an error. You should examine all warning events.
Archiving event logs
On most servers, administrators will archive event logs periodically.
When you archive event logs,
you store logs for later use. Logs can be archived in three formats:
■ Event log format: This archive type is designed for viewing logs in Event Viewer. You can also access these logs from Dumpel, an event log analysis utility. To access an old log in Event Viewer, right-click Event Viewer in the console tree, point to New, and then select Log View. You can now load a previously saved log.
■ Text (Tab Delimited): This archive type works best for viewing in a text editor or word processor. Individual entries are placed on separate lines with each data column representing a field. Tabs are used to separate the fields.
■ Text (Comma Delimited): This archive type works best for importing logs into spreadsheets and databases. You can also work with the logs in Dumpel.
When you save log files to a comma-delimited file, each field in the event entry is separated by a
comma. Example event entries look like this:
Error,08/15/2008,5:35:07 PM,LicenseService,None,202,N/A,ZETA
Information,08/15/2008,11:25:19 AM,SceCli,None,1704,N/A,ZETA
Information,08/15/2008,11:24:36 AM,ESENT,Logging/Recovery ,302,N/A,ZETA
Information,08/15/2008,11:24:31 AM,Remote Storage,Agent ,1000,N/A,ZETA
Information,08/15/2008,11:24:19 AM,ESENT,Logging/Recovery ,302,N/A,ZETA
Information,08/15/2008,11:22:49 AM,Oakley,None,542,N/A,ZETA
Information,08/15/2008,11:20:38 AM,ESENT,Logging/Recovery ,301,N/A,ZETA
Information,08/15/2008,11:20:35 AM,EvntAgnt,None,2018,N/A,ZETA
The format for the entries is as follows:
Type, Date, Time, Source, Category, Event, User, Computer
As you can see, the event description and record data are not saved with text-based archives. This
saves space, and in most instances you won’t need the detailed descriptions. If you do, you can
use the event code to find the description. The Windows Resource Kit has an Event log database
that provides detailed information on events and their meaning.
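As an added example (not code from the book), here is a small Python script that parses this comma-delimited archive format and applies the event-type guidance above: it strips the trailing space Event Viewer leaves on some Category values, converts the event ID to an integer, and separates the entries that should be examined (Error, Warning, Failure Audit) from those where only per-type totals matter. The sample archive is constructed from the page’s own entries plus two made-up lines.

```python
import csv
import io
from collections import Counter

# Column order of the text archive, as documented on the page.
FIELDS = ("Type", "Date", "Time", "Source", "Category", "Event", "User", "Computer")

# Event types the page says should always be examined.
EXAMINE = frozenset({"Error", "Warning", "Failure Audit"})

# Constructed sample: the first five lines are the page's own entries; the last
# two are made up here to exercise the Failure Audit and Warning branches.
SAMPLE = """\
Error,08/15/2008,5:35:07 PM,LicenseService,None,202,N/A,ZETA
Information,08/15/2008,11:25:19 AM,SceCli,None,1704,N/A,ZETA
Information,08/15/2008,11:24:36 AM,ESENT,Logging/Recovery ,302,N/A,ZETA
Information,08/15/2008,11:24:31 AM,Remote Storage,Agent ,1000,N/A,ZETA
Information,08/15/2008,11:22:49 AM,Oakley,None,542,N/A,ZETA
Failure Audit,08/15/2008,11:21:10 AM,Security,Logon/Logoff,529,N/A,ZETA
Warning,08/15/2008,11:19:02 AM,SampleService,None,4000,N/A,ZETA
"""


def parse_archive(text):
    """Return one dict per entry. Fields are stripped because Event Viewer
    pads some Category values with a trailing space ("Logging/Recovery ,")."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines at the end of an archive
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row!r}")
        entry = dict(zip(FIELDS, (field.strip() for field in row)))
        entry["Event"] = int(entry["Event"])  # event ID, used to look up descriptions
        entries.append(entry)
    return entries


def triage(entries):
    """Split entries into the ones to examine (Error, Warning, Failure Audit)
    and per-type totals, which is what the page recommends tracking."""
    to_examine = [e for e in entries if e["Type"] in EXAMINE]
    totals = Counter(e["Type"] for e in entries)
    return to_examine, totals


if __name__ == "__main__":
    flagged, totals = triage(parse_archive(SAMPLE))
    for e in flagged:
        print(f'{e["Type"]:14} {e["Date"]} {e["Time"]:<11} {e["Source"]} event {e["Event"]}')
    print(dict(totals))
```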
Writing to Event Logs
In Chapter 13, you learn how to create scripts that can run automatically, such as scripts that are
scheduled to run periodically at a set time, or scripts that run when a user logs on. To help
you keep track of the success or failure of these scripts, you can write information related to the
scripts directly to the application event log. In this way, when you are browsing or analyzing the
logs, you’ll know immediately whether scripts are running properly or failing.
Event logging basics
When you write events to the application event log, you specify the event ID and the event description. Windows Script Host then directs the event to the event logging service. The event logging service then:
■ Sets the event type based on the event identifier
■ Records the event with the current date and time
■ Sets the source as WSH and the category as None
■ Sets the event ID based on the event type
■ Sets the user to N/A and then sets the computer name