Event Viewer (eventvwr.msc)
Access: Run eventvwr.msc
Key capabilities:
Analyze system, application, and security logs
Create custom event log views
Configure event subscriptions
Centralize log collection from remote computers
Critical for diagnosing system issues and tracking system events
From <https://claude.ai/chat/32155873-e13b-461c-ba7b-f4eb0c09aa09>
Windows Event Viewer provides access to the Windows event logs. Event logs provide information regarding system events that occur within the Windows operating system. These events include information, warning, and error messages about Windows components and installed applications.
Event Viewer provides categorized lists of essential Windows log events, including application, security, setup, and system events, in addition to log groupings for individual installed applications and specific Windows component categories. Individual events provide detailed information regarding the type of event that occurred, when the event occurred, the source of the event, and technical detailed information to assist in troubleshooting the event.
Additionally, Event Viewer enables you to consolidate logs from multiple computers onto a centralized computer when you use subscriptions. Finally, you can configure Event Viewer to perform an action when specific events occur. This could include sending an email message, launching an app, running a script, or performing other maintenance actions to notify you or attempt to resolve a potential issue.
Event Viewer in Windows includes the following features:
The ability to view multiple logs. You can filter for specific events across multiple logs, making it quicker to investigate issues and troubleshoot problems that might appear in several logs.
Inclusion of customized views. You can use filtering to narrow searches to only those events in which you are interested, and you then can save these filtered views.
The ability to configure tasks scheduled to run in response to events. You can automate responses to events. To do this, Event Viewer is integrated with Task Scheduler.
The ability to create and manage event subscriptions. You can collect events from remote computers, and then store them locally.
Note
To collect events from remote computers, you must create an inbound rule in Windows Firewall to permit Windows Event Log Management.
Event Viewer tracks information from several different logs. These logs provide detailed information that includes:
A description of the event.
An event ID number.
The component or subsystem that generated the event.
Information, Warning, or Error status.
The time of the occurrence.
The user’s name on whose behalf the event occurred.
The computer on which the event occurred.
A link to Microsoft TechNet for more information about the event.
Windows logs
Event Viewer has many built-in logs, including those listed in the following table.
Built-in log
Description and use
Application
This log contains errors, warnings, and informational events that pertain to the operation of applications.
Security
This log reports the results of auditing, if you enable it. The log describes audit events as successful or failed. For instance, the log would report success or failure regarding whether a user was able to access a file.
Setup
This log contains events related to application setup.
System
Windows components and services log general events and classify them as error, warning, or information. Windows predetermines the events that system components log.
Forwarded events
This log stores events collected from remote computers. To collect events from remote computers, you must create an event subscription.
By default, Windows log files are 20,480 kilobytes (KB) in size, and Windows overwrites the oldest events as necessary.
Note
The Setup log is 1,028 KB in size.
Application and Services logs
Applications and Services logs store events from a single app or component rather than events that might have system-wide impact. This category of logs includes a number of subtypes:
Hardware Events
Internet Explorer
Key Management Service
Microsoft Office Alerts
TuneUp
Microsoft Azure
Windows PowerShell
The Applications and Services logs also contain the Microsoft node. This node contains the Windows subnode, which includes several nodes that contain granular log information.
Manage logs
If you want to clear a log manually, you must sign in as a local administrator. If you want to configure event logs settings centrally, you can do so when you use Group Policy. To do this, open the Group Policy Management Console for your selected Group Policy Object (GPO), and then navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.
For each log, you can define:
The location of the log file.
The maximum size of the log file.
Automatic backup options.
Permissions on the logs.
Behavior that occurs when the log is full.
Custom views
Event logs contain vast amounts of data, which can make it challenging to narrow your search to only those events that interest you. To accommodate this, you can customize views in Windows so that you can query and sort only the events that you want to analyze. You also can save, export, import, and share these custom views.
Event Viewer allows you to filter for specific events across multiple logs, and display all events that could relate to an issue that you are investigating. To specify a filter that spans multiple logs, you need to create a custom view. You create custom views in the Action pane in Event Viewer. You can filter custom views based on multiple criteria, including:
The time that the event was logged.
Event level to display, such as errors or warnings.
Logs from which to include events.
Specific event IDs to include or exclude.
User context of the event.
Computer on which the event occurred.
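The same multi-log filter that a custom view saves can be run from PowerShell; this is an added example, not code from the page, and the query (errors and critical events from System and Application, plus failed logons and lockouts from Security, all within the last 24 hours) is a constructed filter that assumes an elevated session, since reading the Security log requires administrator rights.

```powershell
# Added example: a multi-log custom view expressed as the <QueryList> XML that
# Event Viewer shows on the "XML" tab of "Create Custom View". The same XML can be
# pasted there or, as here, passed to Get-WinEvent -FilterXml.
# Assumptions (constructed): 24-hour window (86400000 ms), event IDs 4625 (failed
# logon) and 4740 (account lockout), and an elevated session for the Security log.
$customView = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID=4625 or EventID=4740) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@

try {
    $events = Get-WinEvent -FilterXml ([xml]$customView) -ErrorAction Stop
} catch {
    # Get-WinEvent throws "No events were found..." when the filter matches nothing;
    # treat that as an empty result rather than a failure
    if ($_.Exception.Message -like 'No events were found*') { $events = @() } else { throw }
}

# Summarise per log and event ID, the way a saved custom view lets you sort
$events |
    Group-Object LogName, Id |
    Sort-Object Count -Descending |
    Select-Object @{n = 'Log';      e = { $_.Group[0].LogName }},
                  @{n = 'EventID';  e = { $_.Group[0].Id }},
                  @{n = 'Provider'; e = { $_.Group[0].ProviderName }},
                  Count |
    Format-Table -AutoSize

# Most recent matches with the fields the page lists: time, source, user, computer
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 10 TimeCreated, LogName, Id, LevelDisplayName, ProviderName,
                  @{n = 'UserSid'; e = { $_.UserId }}, MachineName |
    Format-Table -AutoSize
```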
Subscriptions
Event Viewer enables you to view events on a single computer. However, troubleshooting an issue might require you to examine a set of events that are stored in multiple logs on multiple computers. For this purpose, Event Viewer enables you to collect copies of events from multiple remote computers, and then store them locally. To specify which events to collect, create an event subscription. After a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
To use the event-collecting feature, you must configure the forwarding and the collecting computers. The event-collecting functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector service (Wecsvc). Both of these services must be running on computers that are participating in the forwarding and collecting process.
Event Viewer enables the collection of event logs from remote computers, simplifying the process of troubleshooting issues that span multiple systems. Here's how it facilitates this:
Event Subscriptions: Event Viewer uses a feature called subscriptions to gather event log data from remote computers. This allows administrators to centralize event logs from multiple machines, making analysis and troubleshooting more efficient.
Windows Remote Management (WinRM): Event Viewer's remote log collection relies on the WinRM service. This service enables communication between computers for the purpose of managing system resources.
Windows Event Collector Service (Wecsvc): The Wecsvc service is crucial on the collector computer, the machine designated to receive the event logs. This service manages the collection and storage of forwarded events.
Configuration Steps for Enabling Subscriptions:
Enable WinRM on Source Computers: Use the command winrm quickconfig in an elevated command prompt on each computer that will be sending its logs.
Enable Wecsvc on Collector Computer: Run the command wecutil qc in an elevated command prompt on the computer that will receive the logs.
Grant Permissions: Add the collector computer's account to the Event Log Readers group on each source computer. This grants the necessary permissions to access and collect the logs.
</gre_replace>
<gr_insert after="83" cat="add_content" lang="powershell" orig="Grant Permissions">
The three configuration steps above, together with the forwarding and collecting setup described in the Subscriptions section, can be scripted end to end; this is an added example rather than the page's own procedure, and it assumes a collector named COLLECTOR01 and source computers SRV01 and SRV02, all in a domain called CORP (constructed names), with each part run in an elevated PowerShell session on the machine indicated.

```powershell
# Added example: scripting the subscription setup steps and creating a
# collector-initiated subscription with wecutil.
# Assumptions (constructed): collector COLLECTOR01, sources SRV01/SRV02, domain CORP.

# --- Run on each source computer (steps 1 and 3) ---
winrm quickconfig -q                                   # WinRM listener + its firewall rule
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'CORP\COLLECTOR01$'   # collector's computer account

# --- Run on the collector (step 2) ---
wecutil qc /q                                          # start Wecsvc and set it to delayed auto-start

# Subscription definition: failed logons (4625) and audit-log clearing (1102) from
# the Security log of each source, delivered into the local ForwardedEvents log.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityAuditFailures</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Failed logons and audit-log clearing from servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625 or EventID=1102)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>SRV01.corp.example</Address></EventSource>
    <EventSource Enabled="true"><Address>SRV02.corp.example</Address></EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path $env:TEMP 'SecurityAuditFailures.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path                                       # create the subscription from the XML
wecutil gr SecurityAuditFailures                       # runtime status; each source should show Active

# Forwarded events are then viewed like any local log
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 | Format-Table TimeCreated, MachineName, Id -AutoSize
```
</gr_insert>
<gr_replace lines="85-87" cat="reformat" orig="Simplified Troubleshooting">
Simplified Troubleshooting: By consolidating logs, administrators can easily correlate events across multiple machines, providing a more comprehensive view of potential issues.
Efficient Log Management: Centralized storage and management of logs streamline the analysis process.
Proactive Monitoring: Administrators can set up alerts based on specific events collected from various computers, enabling proactive responses to potential problems.
Benefits of Centralized Log Collection:
Simplified Troubleshooting: By consolidating logs, administrators can easily correlate events across multiple machines, providing a more comprehensive view of potential issues.1
Efficient Log Management: Centralized storage and management of logs streamline the analysis process.12
Proactive Monitoring: Administrators can set up alerts based on specific events collected from various computers, enabling proactive responses to potential problems.4
Event Viewer's remote log collection capabilities play a crucial role in simplifying system administration and enhancing the ability to efficiently diagnose and address issues across an entire network.