MORE INFORMATION

Event Viewer

In Windows XP, an event is any significant occurrence in the system or in a program that requires users to be notified, or an entry added to a log. The Event Log Service records application, security, and system events in Event Viewer. With the event logs in Event Viewer, you can obtain information about your hardware, software, and system components, and monitor security events on a local or remote computer. Event logs can help you identify and diagnose the source of current system problems, or help you predict potential system problems.

Event Log Types

A Windows XP-based computer records events in the following three logs:

• Application log
  

The application log contains events logged by programs. For example, a database program may record a file error in the application log. Events that are written to the application log are determined by the developers of the software program.

• Security log
  

The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.

• System log
  

The system log contains events logged by Windows XP system components. For example, if a driver fails to load during startup, an event is recorded in the system log. Windows XP predetermines the events that are logged by system components.

How to View Event Logs

To open Event Viewer, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, click Event Viewer.
   

The Application, Security, and System logs are displayed in the Event Viewer window.

How to View Event Details

To view the details of an event, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
3. In the details pane, double-click the event that you want to view.
   

The Event Properties dialog box containing header information and a description of the event is displayed.

To copy the details of the event, click the Copy button, then open a new document in the program in which you want to paste the event (for example, Microsoft Word), and then click Paste on the Edit menu.

To view the description of the previous or next event, click the UP ARROW or DOWN ARROW.

How to Interpret an Event

Each log entry is classified by type, and contains header information, and a description of the event.

Event Header

The event header contains the following information about the event:

• Date
  

The date the event occurred.

• Time
  

The time the event occurred.

• User
  

The user name of the user that was logged on when the event occurred.

• Computer
  

The name of the computer where the event occurred.

• Event ID
  

An event number that identifies the event type. The Event ID can be used by product support representatives to help understand what occurred in the system.

• Source
  

The source of the event. This can be the name of a program, a system component, or an individual component of a large program.

• Type
  

The type of event. This can be one of the following five types: Error, Warning, Information, Success Audit, or Failure Audit.

• Category
  

A classification of the event by the event source. This is primarily used in the security log.

Event Types

The description of each event that is logged depends on the type of event. Each event in a log can be classified into one of the following types:

• Information
  

An event that describes the successful operation of a task, such as an application, driver, or service. For example, an Information event is logged when a network driver loads successfully.

• Warning
  

An event that is not necessarily significant, however, may indicate the possible occurrence of a future problem. For example, a Warning message is logged when disk space starts to run low.

• Error
  

An event that describes a significant problem, such as the failure of a critical task. Error events may involve data loss or loss of functionality. For example, an Error event is logged if a service fails to load during startup.

• Success Audit (Security log)
  

An event that describes the successful completion of an audited security event. For example, a Success Audit event is logged when a user logs on to the computer.

• Failure Audit (Security log)
  

An event that describes an audited security event that did not complete successfully. For example, a Failure Audit may be logged when a user cannot access a network drive.

How to Find Events in a Log

The default view of event logs is to list all its entries. If you want to find a specific event, or view a subset of events, you can either search the log, or you can apply a filter to the log data.

How to Search for a Specific Log Event

To search for a specific log event, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
3. On the View menu, click Find.
4. Specify the options for the event that you want to view in the Find dialog box, and then click Find Next.

The event that matches your search criteria is highlighted in the details pane. Click Find Next to locate the next occurrence of an event as defined by your search criteria.

How to Filter Log Events

To filter log events, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
3. On the View menu, click Filter.
4. Click the Filter tab (if it is not already selected).
5. Specify the filter options that you want, and then click OK.

Only events that match your filter criteria are displayed in the details pane.

To return the view to display all log entries, click Filter on the View menu, and then click Restore Defaults.

How to Manage Log Contents

By default, the initial maximum of size of a log is set to 512 KB, and when this size is reached, new events overwrite older events as needed. Depending on your requirements, you can change these settings, or clear a log of its contents.

How to Set Log Size and Overwrite Options

To specify log size and overwrite options, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then right-click the log in which you want to set size and overwrite options.
3. Under Log size, type the size that you want in the Maximum log size box.
4. Under When maximum log size is reached, click the overwrite option that you want.
5. If you want to clear the log contents, click Clear Log.
6. Click OK.

How to Archive a Log

If you want to save your log data, you can archive event logs in any of the following formats:

• Log-file format (.evt)
• Text-file format (.txt)
• Comma-delimited text-file format (.csv)

To archive a log, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then right-click the log in which you want to archive, and then click Save Log File As.
3. Specify a file name and location where you want to save the file. In the Save as type box, click the format that you want, and then click Save.

The log file is saved in the format that you specified.