From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Utilizing event logs to monitor and maintain a server

- [Instructor] Every sysadmin should understand how to use Event Viewer event logs to troubleshoot problems. On a Windows server, we can use those by going into Server Manager and going to Tools and Event Viewer. We can also open up Event Viewer on Windows clients as well. If I expand the Windows Logs, we can see the standard logs such as Application, Security, System, and Forwarded Events. And if I expand Applications and Services, then we can see additional logs, such as logs specific to the various different roles and features that you may have installed on your server. Since this is an Active Directory domain controller, we can see logs that would only show up on a domain controller, such as Directory Service and DNS Server, as well as others that are just going to be on Active Directory servers or servers where you've installed specific roles or features. There are also additional logs under the Microsoft folder, which we can expand and then choose Windows. And here we see dozens of different logs that you can go into for specific issues. The majority of the logs, however, you will see in this top area. It's going to be either under Application or System. When a log is highlighted, then you'll be able to see the details at the bottom. We see the General tab as well as the Details tab. In this particular case, this log is informational only, so it's not going to really help us solve any problems; it just gives us information. However, we can scroll down until we find issues, or we can just sort them by level. So if I click on Level, then it's going to show us the different categories all grouped together. So I can scroll down until I find something other than just informational, for instance. We can also click Level until the various different categories show up at the top. For instance, here are the errors. I can see all my errors at once. I can see my date and time. What source they're coming from is also very important.
Is it coming from a specific application, or is it coming from, say, the operating system? Here's an error that has to do with security. If I click on General, it gives me a little better information that's more readable. So we see license activation failed. So when I tried to activate the server, the first time it tried to activate, there was a failure. However, the second time I was able to get through. So I'm not worried about this particular error. So let's go on to the next one, which says Application Error, and we see the faulting application is the Microsoft Management Console. And what we can do is we can take some of this information and we can copy and paste it into a search to find other people that have had this issue, or if there's a Microsoft bulletin or knowledge base article that tells us how to fix it. Keep a lookout for the event ID. Sometimes you'll see an event ID such as this one, which is very generic, which shows event ID 1000. However, other times you'll see very specific event IDs that are not going to be, say, 1000 or 100, that are more easily searched for an answer. I can go into the columns and I can add or remove columns by right-clicking and choosing Add/Remove Columns. And one of the things I like to add in is the Process ID. So I'll click Add to that. And now I can see the process ID when I scroll off to the right. And what that tells me is it will match up to a process ID that may be in Task Manager. So if I go into Task Manager and I go into the processes that are happening, or the Details or Services, we can see this process ID here. So if I see an event log that has a specific process ID, I can try to match it up here, and it'll tell me which executable file or which service may be causing the problem in a very generic type of error. And so by knowing the service and the executable, now I can pinpoint the area where I need to troubleshoot.
If I go into Forwarded Events, what I can do is I can have all the different servers in my network go to this particular server. So then I can see all the different servers without having to go into them individually. And then once they're here, there's going to be a lot of events. So you may need to use the filter that's up here, either the Create Custom View properties or Filter Current Log, and then you can choose just the event levels, the sources, the keywords, and things like that that you want to search for. Another good thing to do is to right-click on the filter and go to Properties. Inside Properties, you can make a few changes, such as the maximum log size. If you're running low on space, you may want to lower this, but if you have a lot of space and you want to see logs that go back further than just a few days or a few weeks, then you can make this much larger based on your available space. Now, when it gets to the maximum event log size reached, you may want to overwrite those events, so the oldest ones get overwritten as you see here, or you can set up an archive. An archive allows you to send those files off to another location where there may be a lot more space available. And then you can have months or even years of log files that you can go back to. Now, one particular setting I suggest you don't use is Do not overwrite events. When I've seen people do this, they've ended up filling up their hard drive with log files, and then the server crashes. So you want to make sure that you choose one of the top options and set it up properly. If you'd like to start from scratch, you can also clear the log. At the top of our Properties, we can go in and make changes to the location of the log path to use a drive that, say, has more space available. Event logs are essential to any sysadmin who is troubleshooting an issue on a Windows server or client.
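An added example, not code from the course, that does in PowerShell what the instructor walks through in Event Viewer: list Error-level Application log events grouped by source and event ID, match each event's process ID to a running process the way Task Manager is used above, and set the log's maximum size and overwrite policy. The 64 MB size and the 200-event window are assumed values; step 3 needs an elevated session.

```powershell
# Added example (not from the course). Run in an elevated Windows PowerShell session.

# 1. Pull Error-level (Level 2) events from the Application log, newest first,
#    and summarise them by source and event ID so generic IDs such as 1000
#    from "Application Error" stand out from more specific ones.
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue   # 200 is an assumed window

$errors |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. For each error, try to match the event's ProcessId against a live process,
#    which is the Task Manager lookup from the video done programmatically.
#    A PID only identifies the executable while that process is still running,
#    so a crashed process (as in an event 1000) will usually show as gone.
$errors | ForEach-Object {
    $proc = $null
    if ($_.ProcessId -gt 0) {
        $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Source      = $_.ProviderName
        EventId     = $_.Id
        ProcessId   = $_.ProcessId
        Executable  = if ($proc) { $proc.Path } else { '(process no longer running)' }
    }
} | Format-Table -AutoSize

# 3. Raise the Application log cap and keep "overwrite events as needed" (Circular)
#    rather than "Do not overwrite events", which can fill the disk.
#    64 MB is an assumed value; size it from the free space on the log volume.
$cfg = Get-WinEvent -ListLog Application
$cfg.MaximumSizeInBytes = 64MB
$cfg.LogMode = 'Circular'        # 'AutoBackup' instead archives the full log to a file
$cfg.SaveChanges()
```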