Event Viewer displays a variety of event types, each of which has its own level of significance and its own icon in the event logs. For example:
- Error signals a significant problem that could involve a loss of functionality, such as drivers and services that fail to start properly.
- Warning identifies a problem that might become serious if you don't attend to it.
- Information is strictly informational and doesn't signal a present or future problem.
- Success Audit is a security event that succeeded and is reported because the system or an administrator opted to audit that event.
- Failure Audit is a security event that failed and is reported because the system or an administrator opted to audit that event.
The information that Event Viewer displays includes the event type, the date and time that the event occurred, the event's source (e.g., the service, device driver, or application that wrote the event to the log), the event category, the event ID, the user who was logged on when the event occurred (if applicable), and the computer on which the event occurred. Note: You must have administrative rights to view the Security log.
Configuring Event Viewer
The event logs start automatically when you start the OS. The log files have a finite size, and the system overwrites events according to the log's configuration options. To see or change the configuration options, right-click a log's listing in Event Viewer and select Properties from the drop-down menu. You should see the corresponding Properties dialog box, as Figure 1, page 62, shows.
Changes you make to the configuration settings depend on your situation. If you're not making major configuration changes or you haven't felt the need to audit events, the default settings should work fine. The default setting for maximum log-file size is 512KB, and the system automatically overwrites events after 7 days when the log is filled. However, if you make a major change in the system or you configure an aggressive auditing plan, your event logs will likely begin recording many events. If the log becomes filled but contains no events older than 7 days, Event Viewer has nothing to discard to make room for more events and the system stops logging events. In that situation, enlarge the log file or configure the log to overwrite events as needed.
Filtering the View
When you examine a log to resolve a problem or check a computer's reaction to a major configuration change, you can speed your investigation by eliminating irrelevant events from the Details pane. Each log's Properties dialog box has a Filter tab that you use to configure the types of events that you want to view. For example, you might not care about seeing Information events for certain computers, or you might want to see certain events only for a week or so after a major system change. Simply select and deselect filters as needed. Remember, the filters affect only the view; the system continues to write to the event log the event types that you filter out. For example, if you think your system might be in danger of a security breach, you could filter for event types that would provide a quick look at logon abnormalities, such as event IDs 675 and 681, which represent authentication attempts that failed, or event ID 644, which means an account was locked out because of multiple incorrect password entries.
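The two tasks described above, checking the log's size and overwrite settings and filtering the Security log for the failed-logon and lockout IDs, can also be done from PowerShell. The script below is an added example, not part of the article; it assumes the classic Get-EventLog and Limit-EventLog cmdlets, an elevated session (the Security log needs administrative rights), and that the log still carries the legacy IDs 675, 681 and 644.

```powershell
# Added example: inspect a log's configuration, then pull the logon-abnormality events
# the article names from the Security log. Assumes Get-EventLog / Limit-EventLog are
# available and that the session is elevated. Run as: .\Check-EventLog.ps1 -Days 7
param(
    [string]$LogName = 'Security',
    [int]$Days = 7
)

# 1. Show the settings the Properties dialog exposes: maximum size, overflow action
#    and retention. A small log set to overwrite only events older than N days can
#    fill with younger events and then stop logging altogether.
$log = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }
if (-not $log) { throw "Log '$LogName' not found" }
"{0}: max {1} KB, overflow={2}, retain={3} days" -f `
    $log.Log, $log.MaximumKilobytes, $log.OverflowAction, $log.MinimumRetentionDays

if ($log.OverflowAction -eq 'OverwriteOlder' -and $log.MaximumKilobytes -le 512) {
    Write-Warning "Small log with fixed retention: under heavy auditing it can fill and stop logging."
    # Remedy the article gives: enlarge the log or let it overwrite as needed, for example
    # Limit-EventLog -LogName $LogName -MaximumSize 64MB -OverflowAction OverwriteAsNeeded
}

# 2. Filter, as the Filter tab would, for failed authentication (675, 681) and
#    lockouts (644) in the last $Days days. This narrows only what is shown;
#    nothing is removed from the log itself.
$ids   = 675, 681, 644
$since = (Get-Date).AddDays(-$Days)
$hits  = Get-EventLog -LogName $LogName -After $since |
    Where-Object { $ids -contains $_.EventID }

# 3. Summarise per event ID and account so repeated failures against one account
#    stand out. For 675/681 the target account may appear only in the event
#    description (.Message) when UserName is empty.
$hits |
    Group-Object EventID, UserName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```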