View your event logs
If you have much Windows NT experience, you've seen the message "At least one service or device failed to start." Perhaps you recently added a new network card or SCSI adapter. Or maybe you don't have an explanation for the error message. To determine the cause of the problem, you need to examine the NT Event Viewer. This valuable tool, available on NT Server and NT Workstation, helps you diagnose and prevent problems. (For additional information about the Event Viewer, see James Michael Stewart and Ed Tittel, "Systems Management Tools," May 1997.)
Event Logs
The Event Viewer is a tool you use to examine the three NT event logs: System, Security, and Application. The event logs are in the directory \winntroot\system32\config, where winntroot is the directory that houses NT. The three log files are sysevent.evt, secevent.evt, and appevent.evt. These are binary files, so you cannot use a regular text editor to view them. In addition, the files on disk do not necessarily reflect the latest events, because the event log service writes them out only at system startup, at shutdown, and at specific intervals in between. The Event Viewer lets you see the contents of each log, including the most recent information.
Event Log Viewer
To open the Event Viewer, go to the Start menu and select Programs, Administrative Tools, Event Viewer. When the utility opens, it shows the log you viewed last. To switch between logs, click Log on the menu bar, and select the log you want to view (System, Security, or Application), as Screen 1, page 206, shows. The System log shows system problems, such as drivers failing to load at system startup. The Security log does not show entries by default. To view security data, you must set up security auditing. The Application log records information about the status of applications and services running under NT. For example, SQL Server places entries in the Application log, in addition to recording the information in its error log.
Events for the System and Application logs fall into one of three categories: error, warning, and information. Error events are the most serious and cause a red stop sign to appear on the left side of the screen. Warning events identify a possible problem, but not as crucial a problem as in an error event. Information events are basic notifications, such as services starting and stopping, browser elections, and print jobs.
The Security log uses two event types: success and failure. These events signal whether a user was able to log on or access a resource. You want the system to prevent unauthorized users from logging on, so a success event for an unauthorized user is a problem.
For each event, the logs show the date and time when the event occurred, as well as the event's source. The source is the service, device driver, or application that wrote the event to the log. A source can subdivide the events it writes into multiple categories to let you easily find messages. Each event has an event ID, which helps Microsoft Product Support troubleshoot problems. An event might list the user who was running the process that generated the message. In most cases, NT or the source generates the message, so no username is listed. Events list the computer name because you can view event logs on a remote computer. Remote access lets you diagnose problems without going to a user's office or remote server site. You can open multiple copies of Event Viewer to investigate problems on several machines simultaneously. To see more information about an event, double-click the event listing to view the Event Detail window, as Screen 2, page 206, shows.
Changing Log Settings
By default, logs automatically overwrite events older than 7 days, and each log can grow to 512KB. These log settings might not be adequate for applications such as SQL Server that write to the log frequently and consume a lot of log space. Increasing the log size is a good idea because disk space is cheap. When a log fills up, the system stops writing events to the log until you empty it. To configure overwrite settings, select Log, Log Settings from the main menu. Select the log from the drop-down list, set the log size, and select the overwrite frequency, as Screen 3, page 206, shows. If you want to stop the log from overflowing, select Overwrite Events as Needed. If you are in a secure environment and do not want the log to overwrite automatically, select Do Not Overwrite Events.
To clear a log, select Log, Clear All Events from the main menu. The Event Viewer prompts you to save the log before clearing it, but this step is optional. You cannot specify events to clear (e.g., only events older than 2 days, only information events). If you log security events and you clear your logs, the Security log generates an entry that identifies who cleared the log and when they cleared it.
Filtering Events of Interest
If you are trying to troubleshoot a problem, you might want to view specific log information. You can apply a filter to the log. From the main menu, select View, Filter Events. You can filter logs by date and time, type of event, source, category, user, computer, or event ID, as Screen 4 shows. To revert to viewing all events, select View, All Events from the main menu.
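The following Python script is an added example and is not part of the original article or of any Microsoft tool. It ties together several points above: the .evt files are binary (the script builds a small, constructed System log in memory using the EVENTLOGRECORD layout published in the Windows SDK, with the 512KB and 7-day defaults in the file header), the error/warning/information event types, and the View, Filter Events dialog, which it reproduces as a function. The sources, computer name, event IDs, timestamps, and message strings are constructed sample values, not real NT events; the script does not decode user SIDs and does not handle a log that has wrapped around.

```python
import struct
from datetime import datetime, timezone

# On-disk layout of an NT .evt file (Windows SDK, winnt.h EVENTLOGRECORD): a 48-byte
# file header followed by variable-length records that begin and end with their length.
FILE_HDR_FMT = "<12I"    # HeaderSize, 'LfLe', MajorVer, MinorVer, StartOffset, EndOffset,
                         # CurrentRecNo, OldestRecNo, MaxSize, Flags, Retention (s), EndHeaderSize
RECORD_FMT = "<6I4H6I"   # Length, 'LfLe', RecordNumber, TimeGenerated, TimeWritten, EventID,
                         # EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecNo,
                         # StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 56 bytes of fixed fields
LFLE = 0x654C664C                           # b"LfLe" read as a little-endian DWORD
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}


def build_record(rec_no, when, event_id, event_type, source, computer, strings):
    """Encode one EVENTLOGRECORD. Used here only to construct sample data."""
    body = (source + "\0" + computer + "\0").encode("utf-16-le")
    body += b"\0" * (-len(body) % 4)        # SID area is DWORD-aligned; we write no SID
    sid_off = RECORD_SIZE + len(body)        # strings start here because there is no SID
    body += "".join(s + "\0" for s in strings).encode("utf-16-le")
    data_off = RECORD_SIZE + len(body)       # no binary data block either
    body += b"\0" * (-len(body) % 4)
    length = RECORD_SIZE + len(body) + 4     # +4 for the trailing copy of Length
    head = struct.pack(RECORD_FMT, length, LFLE, rec_no, when, when, event_id, event_type,
                       len(strings), 0, 0, 0, sid_off, 0, sid_off, 0, data_off)
    return head + body + struct.pack("<I", length)


def build_log(records, max_size=512 * 1024, retention_days=7):
    """Wrap records in a file header carrying the defaults the article quotes."""
    body = b"".join(records)
    hdr = struct.pack(FILE_HDR_FMT, 0x30, LFLE, 1, 1, 0x30, 0x30 + len(body),
                      len(records) + 1, 1, max_size, 0, retention_days * 86400, 0x30)
    return hdr + body


def parse_log(blob):
    """Walk the records of a .evt image and return them as plain dicts."""
    hdr = struct.unpack_from(FILE_HDR_FMT, blob, 0)
    if hdr[0] != 0x30 or hdr[1] != LFLE:
        raise ValueError("not an NT event log: bad file header")
    events, pos = [], hdr[0]
    while pos + RECORD_SIZE <= len(blob):
        f = struct.unpack_from(RECORD_FMT, blob, pos)
        length, sig = f[0], f[1]
        if sig != LFLE or length < RECORD_SIZE + 4 or pos + length > len(blob):
            break                                   # EOF marker record or truncated data
        rec = blob[pos:pos + length]
        if struct.unpack_from("<I", rec, length - 4)[0] != length:
            raise ValueError(f"record {f[2]} at offset {pos} is corrupt")  # lengths disagree
        names = rec[RECORD_SIZE:f[13]].decode("utf-16-le").split("\0")    # up to UserSidOffset
        strings = rec[f[11]:f[15]].decode("utf-16-le").split("\0")[:f[7]]  # StringOffset..DataOffset
        events.append({
            "record": f[2],
            "time": datetime.fromtimestamp(f[3], tz=timezone.utc),   # seconds since 1970, UTC
            "event_id": f[5] & 0xFFFF,       # Event Viewer shows the low word of EventID
            "type": EVENT_TYPES.get(f[6], f"type {f[6]}"),
            "source": names[0],
            "computer": names[1],
            "strings": strings,
        })
        pos += length
    return events


def filter_events(events, event_type=None, source=None, event_id=None):
    """The View, Filter Events dialog as a function; None means 'any'."""
    return [e for e in events
            if (event_type is None or e["type"] == event_type)
            and (source is None or e["source"] == source)
            and (event_id is None or e["event_id"] == event_id)]


def sample_log():
    """Constructed System log: one driver failure plus two routine notices (all values invented)."""
    t = 862444800   # 1997-05-01 00:00:00 UTC, an arbitrary starting time
    return build_log([
        build_record(1, t, 1001, 1, "ExampleNic", "NTSRV1",
                     ["ExampleNic", "The device did not respond."]),
        build_record(2, t + 60, 1002, 4, "Browser", "NTSRV1", ["Browser election forced"]),
        build_record(3, t + 120, 1003, 4, "Print", "NTSRV1", ["Document 3 printed"]),
    ])


if __name__ == "__main__":
    for e in filter_events(parse_log(sample_log()), event_type="Error"):
        print(e["time"], e["type"], e["source"], e["event_id"], e["computer"], e["strings"])
```

Running the script prints only the error record, the same view you get by filtering the System log on event type. The check that the trailing length of each record matches the leading one is how the parser notices a truncated or tampered file; the Event Viewer itself refuses such files, which is one more reason to save a log before clearing it and to keep the saved copy where ordinary users cannot modify it.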