Windows Event Log Scanning
The Windows Event Viewer allows you to view a log of things that have happened on a Windows computer. Windows typically generates hundreds (or thousands) of events and it is not practical for an administrator to watch over all of these events. However, you may find that there are some events which are worthy of note, and may foreshadow something unpleasant. VitalSigns allows you to set triggers on remote Windows machines and will send you a proactive alert when an event matching the pattern you provide appears in a Windows event log.
As a rule of thumb, you should try searching by the general description, or by the Event ID and the Source, or a combination of those values. Just remember that the Event ID is not unique: every application can generate an event with the same Event ID, so there is potential for a lot of overlap. You can’t just search for “Event ID 122” because you may get a lot of false alerts about events from applications you don't really care about.
How to configure Windows Event Log Scanning
- Go to Servers & Devices -> Microsoft Windows -> Event Log Scanning
- Enter a name for the Event Definition
- Click the New button under the Event Definition textbox
- Enter the corresponding information (Note: you can reference the Windows Event Viewer at the OS level to obtain the necessary information. The diagram below shows how the Event Viewer matches up to the form.)
- Any field left blank will match any value in the event log.
- Any field filled in will limit the events which trigger alerts.
- The Event Key field will match text that appears in the event description. In the example below, it will match the words in the phrase "The Software Protection service has stopped."
- Select the server(s) and/or locations where you want to scan the event log
- Click OK to save the changes
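The matching rules above (a blank field matches any value, a filled field restricts the match, and the Event Key is matched against the description) can be checked against a handful of sample events before the trigger is deployed. The following is an added example, not VitalSigns code; the events, the source names and the Event IDs are constructed placeholders, and it illustrates why the rule of thumb in the introduction warns against matching on the Event ID alone.

```python
"""Mirror the Event Definition semantics described above:
blank field = match anything; filled field = exact match;
Event Key = case-insensitive substring of the event description."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class WinEvent:
    log: str
    source: str
    event_id: int
    level: str
    description: str


@dataclass(frozen=True)
class EventDefinition:
    log: Optional[str] = None
    source: Optional[str] = None
    event_id: Optional[int] = None
    level: Optional[str] = None
    event_key: Optional[str] = None

    def matches(self, ev: WinEvent) -> bool:
        def same(want, got) -> bool:
            return want is None or want == got  # blank field matches any value
        key_ok = not self.event_key or self.event_key.lower() in ev.description.lower()
        return (same(self.log, ev.log) and same(self.source, ev.source)
                and same(self.event_id, ev.event_id) and same(self.level, ev.level)
                and key_ok)


# Constructed sample events; source names and IDs are placeholders, not real Windows values.
SAMPLE_LOG: List[WinEvent] = [
    WinEvent("Application", "SoftwareProtection", 122, "Information",
             "The Software Protection service has stopped."),
    WinEvent("Application", "ExampleBackupAgent", 122, "Information", "Scheduled backup completed."),
    WinEvent("Application", "SoftwareProtection", 123, "Information",
             "The Software Protection service has started."),
    WinEvent("System", "ExampleDriver", 122, "Warning", "Device reset requested."),
]


def triggered(definition: EventDefinition, events: List[WinEvent] = SAMPLE_LOG) -> List[WinEvent]:
    """Return the events that would raise an alert for this definition."""
    return [e for e in events if definition.matches(e)]


BY_ID_ONLY = EventDefinition(event_id=122)                        # too broad: three sources share ID 122
BY_ID_AND_SOURCE = EventDefinition(source="SoftwareProtection", event_id=122)
BY_KEY = EventDefinition(event_key="software protection service has stopped")
```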
Warning
Beware Internet Sites with “Solutions” for Event ID “Problems”
There are lots of web sites out there that automatically generate pages for every single event ID, and then populate them with nonsense. That would be harmless, except that for many of these events there are not a lot of other good search results.
Those sites will then offer to solve the problem if you just download some piece of software for your free analysis. In all cases these will be ads, and the software “solution” is a fraud.
There is NO software package that can solve all of your event log problems. For more information, see http://www.howtogeek.com/school/using-windows-admin-tools-like-a-pro/lesson3/
Interpreting the Event Log
The regular fields shown in the Event Viewer window are:
- Log Name – while in older versions of Windows everything got dumped into the Application or System log, in the more modern editions there are dozens or hundreds of different logs to choose from. Each Windows component will most likely have its own log.
- Source – this is the name of the software that generates the log event. The name usually doesn’t directly match with a filename, of course, but it is a representation of which component did it.
- Event ID – the all-important Event ID can actually be a little confusing. If you were to Google for “event ID 122”, you wouldn’t end up with very useful information unless you also include the Source, or application name. This is because every application can define its own Event IDs.
- Level – This tells you how severe the event is – Information just tells you that something has changed or a component has started, or something has completed. Warning tells you that something might be going wrong, but it isn’t all that important yet. Error tells you that something happened that shouldn’t have happened, but isn’t always the end of the world. Critical, on the other hand, means something is broken somewhere, and the component that triggered this event has probably crashed.
- User – this field tells you whether it was a system component or your user account that was running the process that caused the error. This can be helpful when looking through things.
- OpCode – this field theoretically tells you what activity the application or component was doing when the event was triggered. In practice, however, it will almost always say “Info” and is pretty useless.
- Computer – on your home desktop, this will usually just be your PC’s name, but in the IT world, you can actually forward events from one computer or server to another computer. You can also connect Event Viewer to another PC or server.
- Task Category – this field is not always used, but it ends up basically being an informational field that tells you a bit more information about the event.
- Keywords – this field is not usually used, and generally contains useless information.