Sorting a Log
When I'm on a problem-solving mission, I like to sort the logs so that I can head directly for the event type or number I need or for the source I think is reporting the problem. For example, I might look for a Userenv event if the problem involves a user who is having access problems across the network.
One common Userenv event is event ID 1000 in the Application event log, which states that Windows couldn't determine the user or computer name. This event means that the TCP/IP configuration on the computer isn't set correctly for the DNS server. (Administrators commonly use the wrong address for DNS configuration on client computers; I frequently find the IP address of a gateway entered as the DNS address.) Checking the offending computer's Event Viewer from your workstation is usually quicker than going to the client computer and opening the TCP/IP settings.
To zero in on specific types of events, select the appropriate log in the console to display its contents in the Details pane, then click the column heading of the category on which you want to sort. The default sort is Date, subsorted by Time.
Clearing a Log
You can clear any log to make room for additional entries. If you configured the log with the Do not overwrite events (clear log manually) option selected, you must periodically clear the log.
To clear a log, right-click its listing in the Event Viewer console and select Clear all Events. Windows asks whether you want to save the log before clearing it. If the log has entries you think you might need to examine later (perhaps because you're tracking a persistent problem), you can archive the log's contents.
Archiving a Log
You can archive a log as a discrete file, which is useful if you notice peculiar entries and you want to track the log over a period of time. Sometimes you see events that appear to be ominous, but neither the user nor the computer associated with the events is experiencing any problems. If problems develop later, you or a Microsoft support person might find the event history helpful.
To archive a log, right-click the log in the console and select Save Log File As. By default, Windows saves the file in the Administrative Tools folder, which is in C:\documents\settings\username\start menu\programs. You can choose another folder or create a folder to hold archived logs. I typically name the file with the format logname-date (e.g., apps-dec012003). Windows adds the .evt extension.
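The archive-then-clear routine described above can also be scripted. The following is an added example, not part of the original article: it saves a log under the logname-date naming convention, reads the archive back to confirm it holds at least as many records as the live log did, and clears the live log only after that check passes. It assumes Windows Vista/Server 2008 or later (where wevtutil.exe and Get-WinEvent exist and archives are written as .evtx rather than .evt) and an elevated prompt; the folder C:\EventLogArchives is a hypothetical location.

```powershell
# Added example (not from the article): archive a log, verify the archive, then clear.
# Assumes Windows Vista/Server 2008 or later and an elevated PowerShell prompt.
param(
    [string]$LogName    = 'Application',
    [string]$ArchiveDir = 'C:\EventLogArchives'   # hypothetical folder, pick your own
)
$ErrorActionPreference = 'Stop'

# Create the archive folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

# Build a logname-date file name, e.g. Application-dec012003.evtx.
$stamp   = (Get-Date).ToString('MMMddyyyy', [Globalization.CultureInfo]::InvariantCulture).ToLower()
$archive = Join-Path $ArchiveDir ('{0}-{1}.evtx' -f ($LogName -replace '[\\/]', '-'), $stamp)
if (Test-Path -LiteralPath $archive) {
    throw "Archive '$archive' already exists; refusing to overwrite it."
}

# Record how many events the live log holds before exporting it.
$liveCount = (Get-WinEvent -ListLog $LogName).RecordCount

# Export the log to the archive file (equivalent of Save Log File As).
& wevtutil.exe epl $LogName $archive
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE." }

# Read the archive back; an unreadable or truncated file fails this check.
$archivedCount = @(Get-WinEvent -Path $archive -ErrorAction SilentlyContinue).Count
if ($archivedCount -lt $liveCount) {
    throw "Archive holds $archivedCount events but the log had $liveCount; log not cleared."
}

# Clear the live log only after the archive has been verified.
# Events written between the export and the clear are not in the archive.
& wevtutil.exe cl $LogName
if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed with exit code $LASTEXITCODE." }

[pscustomobject]@{
    Log            = $LogName
    Archive        = $archive
    ArchivedEvents = $archivedCount
}
```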
Event-log archives are discrete files on your hard disk, but you can open them only from within Event Viewer. To do so, choose Open Log File from the Action menu (or right-click an object in the console pane and choose Open Log File). In the Open dialog box, select the desired archive, select the log type (e.g., Application, Security) from the Log Type dropdown menu, then click Open.
To remove an archive from the console, right-click its listing and select Delete. This action doesn't delete the file from your hard disk; it just removes the file from the console. You delete the file from your hard disk the same way you delete any file.