Reducing the volume of the Windows 8.1 event log. Viewing events in Windows Vista

Hello everyone. Today's topic is how to view Windows logs. Most people know what logs are, but for beginners: logs are records of system events, on both Windows and Linux, that let you track what happened, where, when, and who did it. Any system administrator must be able to read Windows logs.

An example: when a disk failed on one of the IBM servers, I collected the server's logs for technical support so that they could diagnose the problem. In Windows, the logs are collected and written by the Windows Event Log service and read with the Event Viewer snap-in, which is a convenient tool for working with system logs.

How to open Event Viewer

Opening the Event Viewer snap-in is very simple and works the same in every version of Windows. Press the magic keys

Win + R and type eventvwr.msc

The Event Viewer window opens; in it, expand Windows Logs. Let's go over each of the logs.

Application log: contains entries written by the programs on your computer. When a program was started, and whether it started with an error, is recorded here.

Security log: this is where you find out who did what and when, for example logged on or logged off, or tried to access something. All audit success and audit failure events are written here. Note that reading this log requires administrator rights (or membership in the Event Log Readers group), and it is the log an intruder most wants to clear.

Setup log: records what was installed and when, for example updates and Windows components.

The most important log is System. Everything essential is recorded here. For example, after a BSOD (blue screen), the messages recorded here help you determine its cause.

There are also logs for more specific services, such as DHCP or DNS, under Applications and Services Logs. Event Viewer covers everything :).

Suppose you have more than a million events in the Security log. You will immediately ask whether there is any filtering, because reading all of them is masochism. Event Viewer provides this: Windows logs can be conveniently sifted so that only what you need remains. In the Actions pane on the right there is a "Filter Current Log..." button.

You will be asked to select the event levels:

  • Critical
  • Error
  • Warning
  • Information
  • Verbose

It all depends on what you are searching for; if you are looking for errors, there is no point in including the other levels. To narrow the search further, specify the event source and the event ID. The same dialog has an XML tab that shows the query the filter generates; that XML can be edited by hand, saved as a custom view, or reused from PowerShell.
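Here is what such a filter looks like as the XML query Event Viewer generates on the XML tab, and the same query run from PowerShell with Get-WinEvent. This is an added example written for this page, not code from the original article. It assumes a Windows host and an elevated session (the Security log is only readable by administrators and Event Log Readers); event 4625 and its EventData field names TargetUserName, TargetDomainName, IpAddress and LogonType are the standard ones for that event.

```powershell
# Added example for this page, not code from the original article.
# Assumes a Windows host and an elevated PowerShell session (Security log access).
# The XML below has the same shape Event Viewer shows on the XML tab of "Filter Current Log":
# Security log, event 4625 (failed logon), created within the last 24 h (86400000 ms).
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@

# Convert one event's <EventData> into a name -> value hashtable. Using field names instead
# of Properties[n] positions keeps the script correct across event IDs and Windows versions.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    return $data
}

# Get-WinEvent throws "No events were found" when nothing matches; treat that as an empty result.
$failed = @(Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue)
"Failed logons in the last 24 h: $($failed.Count)"

# Summarise by target account, source address and logon type: many accounts from one address
# is password spraying, many attempts against one account is brute force.
$failed |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress
            LogonType = $d.LogonType   # 2 = interactive, 3 = network, 10 = RDP
        }
    } |
    Group-Object Account, Source, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

The XPath inside Select is the only part that changes when you edit the filter in the GUI; everything else is boilerplate, which is why copying the XML tab into a script is the fastest way to turn a one-off filter into a repeatable check.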

So, as you can see, parsing Windows logs is easy: search, find, fix. The "Clear Log..." action in the same pane empties a log quickly, but note that clearing is itself logged: the Security log records event 1102 ("The audit log was cleared"), and the System log records event 104 when any of the other logs is cleared. An emptied Security log is therefore visible to anyone reviewing the machine, and is a classic sign of tampering.

Viewing Windows logs in PowerShell

It would be strange if PowerShell could not do this. To list a log, open PowerShell and enter this command:

Get-EventLog -LogName "System"

The result is the list of System log entries.

The same works for the other logs, for example Application:

Get-EventLog -LogName "Application"

Short list of the property names (these are the properties of the EventLogEntry objects Get-EventLog returns)

  • Event ID - EventID (InstanceId holds the full 32-bit identifier)
  • Computer - MachineName
  • Record number in the log - Index
  • Task category - Category
  • Category code - CategoryNumber
  • Level - EntryType
  • Event message - Message
  • Source - Source
  • Time generated - TimeGenerated
  • Time written - TimeWritten
  • User - UserName
  • Raw binary data - Data; message insertion strings - ReplacementStrings
  • Site - Site
  • Container - Container

For example, to display only the columns "Level", "Time written", "Source", "Event ID", "Category" and "Event message" for the System log, run:

Get-EventLog -LogName 'System' | Format-Table EntryType, TimeWritten, Source, EventID, Category, Message

If you need more detail, replace Format-Table with Format-List:

Get-EventLog -LogName 'System' | Format-List EntryType, TimeWritten, Source, EventID, Category, Message

As you can see, this format is more readable.

You can also limit the output, for example to the 20 newest entries:

Get-EventLog -LogName 'System' -Newest 20
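Get-EventLog only reads the classic logs and was removed in PowerShell 7; the current cmdlet is Get-WinEvent, which reads every channel and filters on the server side. The following is an added example for this page, not code from the original article, that redoes the commands above with Get-WinEvent and adds the checks a practitioner wants alongside them: which source is flooding the log, how to cap its size, and whether anyone has cleared it. It assumes a Windows host; the Security query needs an elevated session.

```powershell
# Added example for this page, not code from the original article. Assumes a Windows host;
# the Security query needs an elevated session. wevtutil is the built-in command-line tool
# for changing log settings.

$since = (Get-Date).AddDays(-1)

# Counterpart of "Format-Table EntryType, TimeWritten, Source, EventID ..." for the last day,
# limited to Critical (Level 1) and Error (Level 2), which is what you usually hunt for.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, LevelDisplayName, ProviderName, Id, Message -AutoSize -Wrap

# Which source/event pair is flooding the log. Answer this before shrinking or clearing a log:
# the noisiest pair is usually the actual fault.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# The "-Newest 20" of Get-EventLog: -MaxEvents stops reading after 20 records.
Get-WinEvent -LogName 'System' -MaxEvents 20 | Select-Object TimeCreated, Id, ProviderName

# Bound the log on disk by setting its maximum size (64 MB here) and letting the oldest records
# roll over, instead of clearing it. Clearing is itself logged: 1102 in Security, 104 in System.
wevtutil sl System /ms:67108864
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -ErrorAction SilentlyContinue
)
$cleared | Select-Object TimeCreated, LogName, Id, Message | Format-Table -Wrap
```

Note that -FilterHashtable filters inside the Event Log service, so the million-event Security log from the previous section is scanned once rather than copied into PowerShell and filtered with Where-Object.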

Additional tools

You can also automate event collection with tools such as:

  • The Zabbix monitoring system
  • Windows Event Forwarding: forwarding events to a collector server with built-in Windows tools
  • The Netwrix Auditor suite
  • SCOM, if you have it, which can aggregate any Windows log
  • DLP systems

So whether you use Event Viewer or PowerShell to view Windows events is up to you.

Remote Log Viewer

  • First method

Not long ago, with the release of Windows Server 2019, the Windows Admin Center remote administration component appeared. It lets you manage a computer or server remotely; I have already written about it in more detail. Here I want to show that, having installed it on your workstation, you can connect to other computers from a browser and easily view their event logs. In my example the server is SVT2019S01; find it in the list of available machines and connect (I remind you that we did the remote network configuration in Windows earlier).

Next, open the Events tab and select the log you want; in my example I want to see all the logs on the system. In my opinion, viewing everything here is much more convenient than in Event Viewer, and a plus is that you can do it from any phone or tablet. There is a convenient search box in the right corner.

If you need finer filtering of the logs, use the filter button.

Here you can also select the event level, for example leaving only Critical and Error, set the time range, the event ID and the source.

Here is an example of filtering by event 19.

It is very convenient to export the entire log to the .evtx format, which Event Viewer then opens directly. So, Windows Admin Center is a powerful tool for viewing logs.

  • Second method

The second way to view Windows logs remotely is the Computer Management snap-in or Event Viewer itself. To view the logs of another computer or server, right-click the top node in the snap-in and choose the context-menu item for connecting to another computer.

Specify the name of the other computer; in my example it is SVT2019S01.

If nothing is blocked by a firewall or antivirus, you get the remote event view. If something is blocked, you receive an error saying that RPC/COM+ traffic cannot get through: the remote event log connection uses RPC (TCP 135 plus dynamic ports), which the "Remote Event Log Management" firewall rule group on the target machine opens.

I also want to note that there are whole log-aggregation systems, such as Zabbix or SCOM, but that is a different class of task.
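The same remote connection, done from PowerShell, as an added example for this page (not code from the original article). SVT2019S01 is the server name used above; the firewall rule group and local group names are the built-in Windows ones. It assumes the account used may read the remote log (local Administrators, or membership in the target's "Event Log Readers" group).

```powershell
# Added example for this page, not code from the original article.
# Assumes the account has rights to read event logs on the target.

$target = 'SVT2019S01'

# On the TARGET (not here): open the RPC endpoint mapper and dynamic RPC ports used by the
# event log remote interface. The MMC "connect to another computer" path needs the same rule;
# without it you get the RPC/COM+ error described above.
#   Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'

# Cheap reachability check before blaming credentials: the RPC endpoint mapper listens on TCP 135.
if (-not (Test-NetConnection -ComputerName $target -Port 135 -InformationLevel Quiet)) {
    throw "TCP 135 on $target is unreachable: firewall, or the host is down."
}

$cred = Get-Credential -Message "Account that may read event logs on $target"

# Same connection the snap-in makes, over RPC, no WinRM required: last 24 h of Critical/Error
# entries from the remote System log.
Get-WinEvent -ComputerName $target -Credential $cred -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, LevelDisplayName, ProviderName, Id, Message -AutoSize -Wrap

# When only WinRM (TCP 5985/5986) is open between you and the server, run the query on the
# target instead and bring the results back as objects.
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    Get-WinEvent -LogName 'System' -MaxEvents 20 |
        Select-Object TimeCreated, Id, ProviderName, Message
} | Format-Table -Wrap
```

The two transports fail differently: an RPC block shows up as the COM+ message from the snap-in or as a "The RPC server is unavailable" error from Get-WinEvent, whereas a WinRM block fails at Invoke-Command before any log is read, which is why the port check comes first.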

The classic Event Viewer is implemented as an ActiveX object in the file C:\Windows\System32\els.dll. If you register it, you get an Event Viewer snap-in for the Microsoft Management Console (MMC). Follow the steps below to do this.

  1. Open a Command Prompt window (press Win + X and choose "Command Prompt (Admin)").
  2. Type the command regsvr32 els.dll and press Enter.

    You will receive the message "DllRegisterServer in els.dll succeeded". Click "OK" to close it.

  3. Return to the command window, type mmc and press Enter. The Microsoft Management Console opens. Choose File - Add/Remove Snap-in, or press Ctrl + M.
    In the list on the left, select Event Viewer and click "Add". In the "Select Computer" dialog, just click "Finish".

In the "Add or Remove Snap-ins" dialog, click "OK". Then open File - Options. Here you can change the name and icon of the console before saving it to a file. I recommend changing the console mode to "User mode - full access" and ticking "Do not save changes to this console"; otherwise the "Save changes?" prompt will annoy you every time you use it.

Click "OK" to close this window. Choose File - Save, give the file any name (for example CEventVwr.msc) and save it in C:\Windows or C:\Windows\System32. You can save it anywhere, even on your desktop, but saving it in one of those directories lets you launch it by typing just its name in the Run dialog, without the full path. Alternatively, use the file Windows 8 ships for this purpose.

The topic of this article is a tool unfamiliar to most Windows users: Event Viewer.

What is this useful for? First of all, if you want to figure out what is happening with the computer yourself and solve various problems in the OS and programs, this utility can help you, provided that you know how to use it.


The interface of this administration tool can be divided into three parts:

  • The left pane holds a tree in which events are grouped by log. Here you can also add your own "Custom Views", which display only the events you need.
  • In the center, when you select one of the "folders", the list of its events is shown, and when you select an event, more detailed information about it appears at the bottom.
  • The right pane contains links to actions: filter events by parameters, find the ones you need, create custom views, save the list, and create a Task Scheduler task that is triggered by a specific event.

Event Information

As I said above, when you select an event, information about it is displayed at the bottom. This information can help you find a solution on the Internet (though not always), and it is worth knowing what each property means:

  • Log Name - the name of the log the event was written to.
  • Source - the name of the program, process or system component that generated the event (if you see "Application Error" here, the name of the crashing application itself is in the event text above).
  • Event ID - the event code. It helps when searching the Internet; search in English for "Event ID" + the number + the name of the application that caused the crash, because an event ID is only meaningful together with its source: different sources reuse the same numbers.
  • Opcode - as a rule, "Info" is always shown here, so there is little use in this field.
  • Task Category, Keywords - usually not needed.
  • User and Computer - on whose behalf and on which computer the process that triggered the event was running.

Below, on the General tab, there is also an "Event Log Online Help" link, which sends information about the event to the Microsoft website and, in theory, should show documentation for it. In most cases, however, you will see a message saying the page was not found.

To find information about an error, it is better to use the following query: application name + Event ID + code + source. An example can be seen in the screenshot. You can try searching in Russian, but English results are more informative. The text of the error message itself (double-click the event) is also suitable for searching.

Note: some sites offer programs that "fix" errors with one code or another, and collect all possible error codes on one page. Do not download such files: they will not fix the problem, and will very probably cause new ones.

It is also worth noting that most warnings are not something dangerous, and even error messages do not always mean something is wrong with the computer.

Viewing the Windows performance log

Event Viewer contains quite a few interesting things, for example the boot and performance problems of the computer.

To see them, in the left pane open Applications and Services Logs - Microsoft - Windows - Diagnostics-Performance - Operational and check whether there are errors among the events: they indicate that some component or program slowed down Windows startup. Double-clicking an event shows its details.
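Reading the same boot-performance events with PowerShell, as an added example for this page (not code from the original article). It assumes a Windows host. Event 100 in this log is written once per boot and carries BootTime and MainPathBootTime, in milliseconds, in its EventData; events 101 to 110 are the "took longer than usual" degradation events that name the application, driver or service that slowed the boot.

```powershell
# Added example for this page, not code from the original article. Assumes a Windows host.
# Event 100: one record per boot with BootTime / MainPathBootTime (ms) in EventData.
# Events 101-110: degradation events naming what slowed the boot.
$log = 'Microsoft-Windows-Diagnostics-Performance/Operational'

# Last ten boots, slowest first. MainPath is the kernel/driver/services phase; the remainder
# is the post-boot period during which startup programs keep the machine busy.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 100 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $boot = [int]($data | Where-Object Name -eq 'BootTime').'#text'
        $main = [int]($data | Where-Object Name -eq 'MainPathBootTime').'#text'
        [pscustomobject]@{
            Booted      = $_.TimeCreated
            BootTimeSec = [math]::Round($boot / 1000, 1)
            MainPathSec = [math]::Round($main / 1000, 1)
            PostBootSec = [math]::Round(($boot - $main) / 1000, 1)
        }
    } |
    Sort-Object BootTimeSec -Descending |
    Format-Table -AutoSize

# What slowed the boot in the last week: the first line of each degradation event's message
# already names the culprit, so show only that line.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 101..110; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

A large PostBootSec with a normal MainPathSec points at startup programs rather than drivers, which is the usual case on a machine that "boots fine but is unusable for two minutes".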

Using filters and custom views

The huge number of events in the logs makes them hard to navigate, and most of them carry no critical information. The best way to show only the events you need is a custom view: you choose the levels you want to see (errors, warnings, critical events), and their source or log.

To create a custom view, click the corresponding item in the right pane. After creating it, you can apply further filters to it by clicking "Filter Current Custom View".

Of course, this is far from everything that Event Viewer can be useful for, but as noted this is an article for novice users, that is, for those who do not know about the utility at all. Perhaps it will encourage further study of this and other OS administration tools.

In the Windows family of operating systems, all major events in the system are registered and recorded in a log: errors, warnings, and various notifications. Based on these entries, an experienced user can tune the system and eliminate errors. Let's find out how to open the event log in Windows 7.

The event log is viewed with a system tool called Event Viewer. Let's see how to open it in various ways.

Method 1: Control Panel

One of the most common ways to launch the tool, although by no means the easiest or most convenient, is through Control Panel: open Control Panel, go to Administrative Tools and click Event Viewer.


Method 2: The Run tool

It is much easier to launch the tool with Run: press Win + R, type eventvwr.msc and press Enter.

The main disadvantage of this quick and convenient method is that you have to remember the command.

Method 3: The Start menu search box

A very similar way to open the tool is the Start menu search box: type Event Viewer and open the result.


Method 4: Command Prompt

Launching the tool from the Command Prompt is rather inconvenient, but the method exists and deserves a mention. First open a Command Prompt window, then type eventvwr and press Enter.


Method 5: Starting eventvwr.exe directly

You can use the "exotic" approach of starting the file directly from Explorer. This can nevertheless be useful in practice, for example when failures have reached such a scale that the other ways of launching the tool are simply unavailable. This is extremely rare, but quite possible.

First of all, go to the location of the eventvwr.exe file. It is in the system directory:

C:\Windows\System32


Method 6: Entering the file path in the address bar

With Explorer you can open the window even faster. You do not even have to look for eventvwr.exe in the System32 directory: just type the path to the file, C:\Windows\System32\eventvwr.exe, in the Explorer address bar and press Enter.


Method 7: Creating a shortcut

If you do not want to memorize commands, find navigating Control Panel too inconvenient, but use the log often, you can create a shortcut to eventvwr.exe on the desktop or in another convenient place. After that, starting Event Viewer is as simple as possible, with nothing to remember.


Problems opening the log

Sometimes the log cannot be opened by any of the methods described above. Most often this is because the service responsible for the tool is disabled: when you try to start Event Viewer, a message appears saying that the Windows Event Log service is unavailable. Then you need to enable it.

  1. First of all, open Service Manager. This can be done from the "Administrative Tools" section of Control Panel, as described in Method 1. Once there, find the "Services" item and click it.

    You can also open Service Manager with the Run tool: press Win + R and type the following in the input box:

    Click OK.

  2. Whether you went through Control Panel or used the Run tool, Service Manager opens. Find Windows Event Log in the list. To make the search easier, sort the list alphabetically by clicking the "Name" column header. Once you find the row, look at its value in the "Status" column. If the service is running, it says "Started". If the cell is empty, the service is stopped. Also look at the "Startup Type" column: normally it says "Automatic". If it says "Disabled", the service is not started with the system.
  3. To fix this, open the service properties by double-clicking its name with the left mouse button.
  4. A window opens. Click the "Startup type" field.
  5. From the drop-down list, select "Automatic".
  6. Click "Apply" and then "OK".
  7. Back in Service Manager, select Windows Event Log. In the left part of the window, click "Start".
  8. The service starts. Its "Status" column now shows "Started", and the "Startup Type" column shows "Automatic". The log can now be opened by any of the methods described above.
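The same check and repair from an elevated PowerShell session, as an added example for this page (not code from the original article). The service's short name is EventLog (display name "Windows Event Log"); the cmdlet and property names are the standard ones.

```powershell
# Added example for this page, not code from the original article.
# Run from an elevated PowerShell session; repeats the eight steps above.
$svc = Get-Service -Name EventLog
"Before: Status=$($svc.Status) StartType=$($svc.StartType)"

# Steps 4-6: if the start type was changed to Disabled or Manual, put it back to Automatic.
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name EventLog -StartupType Automatic
}

# Step 7: start the service if it is not running.
if ($svc.Status -ne 'Running') {
    Start-Service -Name EventLog
}

# Step 8: verify. Fail loudly rather than continuing on a machine that is not logging.
$svc = Get-Service -Name EventLog
if ($svc.Status -ne 'Running') {
    throw "Windows Event Log service is still $($svc.Status)"
}
"After:  Status=$($svc.Status) StartType=$($svc.StartType)"

# A service that runs but whose logs still will not open usually means a disabled or damaged
# channel; listing the classic logs with their state and sizes shows which one.
Get-WinEvent -ListLog Application, Security, System |
    Select-Object LogName, IsEnabled, LogMode, RecordCount, FileSize, MaximumSizeInBytes |
    Format-Table -AutoSize
```

Beyond the troubleshooting value, a stopped or disabled Windows Event Log service on a machine that should be logging is a finding in itself: nothing written to Security, System or Application while it was down can be recovered, so note the time window and check the other sources (forwarding collector, monitoring system) for that period.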

There are quite a few ways to open the event log in Windows 7. The most convenient and popular are Control Panel, the Run tool, and the Start menu search box. For convenient access, you can create a shortcut on the desktop. Sometimes Event Viewer fails to start; then check whether the corresponding service is running.

The seventh version of Windows implements tracking of the important events that occur while it runs. At Microsoft, the term "event" refers to any incident in the system that is recorded in a special log and brought to the attention of users or administrators. This may be a utility that refuses to start, an application malfunction, or an incorrectly installed device. All incidents are recorded and stored in the Windows 7 event log. It arranges and displays all actions in chronological order, helps with system control, supports OS security, and helps correct errors and diagnose the whole system.

You should review this log periodically and configure the system to retain the important data.

Windows 7 - programs

The Event Viewer application is the main part of the Microsoft utilities designed to manage and view the event log. It is a necessary tool for monitoring the health of the system and eliminating the errors that appear. The Windows service that manages incident recording is called Windows Event Log. When this service is running, it collects and records all the important data in its archive. The Windows 7 event log allows you to:

View the recorded data;

Apply filters to events and save them as custom views for later use;

Create subscriptions to selected incidents and manage them;

Assign specific actions to be run when an event occurs.

How to open the Windows 7 event log?

The program responsible for registering incidents is started as follows:

1. Press the "Start" button in the lower left corner of the screen, then open "Control Panel". In the list of controls, select "Administrative Tools" and in that submenu click "Event Viewer".

2. There is another way to see the Windows 7 event log. Open the "Start" menu, type mmc in the search box and run it. In the MMC window that opens, choose the item for adding and removing snap-ins, and add "Event Viewer" to the console.

What does the application contain?

Windows 7 and Vista have two groups of logs: Windows Logs and Applications and Services Logs. The first group records system-wide incidents related to the operation of applications, startup and security. The second records the events of individual applications and services. The Event Viewer tree groups the data into the following items:

Application - events associated with particular programs are stored here. For example, mail services store the history of message transfers, various mailbox events and so on.

Security - all data related to logging on and off, the use of administrative rights, and access to resources.

Setup - this log records events that occur during installation and configuration of the system and its components.

System - captures OS events, such as a failure to start a system service, installation and updating of device drivers, and other messages related to the operation of the system as a whole.

Forwarded Events - if configured, stores events received from other computers.

Other sub-items

Under Applications and Services Logs, in the same Event Viewer where the Windows 7 event log lives, there are additional items such as:

Internet Explorer - events that occur during the operation and configuration of the browser of the same name are logged here.

Windows PowerShell - incidents related to the use of PowerShell are recorded in this folder.

Hardware Events - if configured, data generated by devices is logged here.

Since Vista, the event log has been built on an XML-based format, and Windows 7 inherits it. You do not need to know XML to use the event log in Windows 7, however: Event Viewer does everything for you, presenting the data in a convenient and simple table with menu items.

Event properties

A user who wants to learn how to view the Windows 7 event log should also understand the properties of the data being viewed, since Event Viewer describes each incident with several of them. We consider these properties below:

Source - the program that wrote the event to the log. The name of the application or driver involved in the incident is recorded here.

Event ID - a number that identifies the type of incident. Together with the source name, this code is what the software vendor's technical support uses to diagnose failures.

Level - the importance of the event. The event log has six levels:

1. Information.

2. Warning.

3. Error.

4. Critical.

5. Audit Success.

6. Audit Failure.

User - the account on whose behalf the event occurred; this may be a service account as well as a real user.

Date and time - when the event occurred.

Many other events occur during the operation of the operating system. All incidents are shown in Event Viewer together with a description of all their related data.

How to work with the event log?

An important part of protecting the system from crashes and freezes is periodically looking through the Application log, which records information about incidents and the recent actions of particular programs, and offers a selection of available operations.

In the Windows 7 event log, under "Application", you can see the list of programs that caused negative events in the system, the time and date they appeared, the source, and the severity of the problem.

Responding to events

Having learned how to open and use the Windows 7 event log, you should also learn how to use Task Scheduler with it. Right-click any event and choose the menu item for attaching a task to the event. The next time such an incident occurs, the OS automatically runs the configured task to handle it.

An error in the log is not a cause for panic

If, while looking at the Windows 7 system log, you see errors or warnings that recur periodically, do not worry or panic. Even on a perfectly working computer, various errors and crashes are logged, most of which pose no serious threat to the PC.

The application described here was created to make it easier for a system administrator to control computers and eliminate emerging problems.

Conclusion

From the above it is clear that the event log is a mechanism that allows programs and the system to record and store all events on the computer in one place. Such a log keeps all operational errors, messages and warnings of system applications.

Where the event log is in Windows 7, how to open it, how to use it, how to deal with the errors that appear: we learned all of this from this article. Many will ask, "Why do we need this? We are not system administrators or programmers, just ordinary users who do not need this knowledge." But that approach is wrong. When a person falls ill, before going to the doctor they try to treat themselves one way or another, and many succeed. A computer, which is a digital organism, can also "fall ill", and this article shows one way to diagnose the cause of such an "illness"; based on the results of this "examination" you can make the right decision about the subsequent "treatment".

So the information on how to view events will be useful not only to a system specialist, but also to an ordinary user.