Title: Windows Logging
1. Windows Logging
- Or managing the morass...

2. The Good Old Days...
- Back in the good old days of Windows NT, there were three main logs:
  - The Application log
  - The System log
  - The Security log, which you almost never saw enabled on desktops.
- Windows 9x (95/98 and ME) of course didn't bother with anything so sophisticated.
- Most users never realised that Windows logs existed.
- Even those who did had no idea what most of the error messages meant.

3. Then life got a lot more complicated...
- Currently there are two main setups, pre-Vista and post-Vista.
- The logs which most sysadmins are used to are probably still the main three logs of Windows NT, although some minor tweaks have been made.
- The Security log is not necessarily enabled on desktops.
- It is turned on automatically on servers (2003), but the default settings record success and failure equally, which may not be the most efficient of settings.
- One improvement is that Windows 2003 security logs may now record the full IP address of machines attempting a login (previously only the NetBIOS name was recorded).

4. Vista-Style Logging changes
- Vista logs use a different XML-based format and the .evtx rather than the .evt extension.
- More details can be found here: http://www.eventlogblog.com/blog/2007/12/vista-event-log-changes.html
- There are two very important consequences:
  - Vista and Windows 2008 .evtx logfiles cannot be read on pre-Vista machines (at least in native .evtx format): http://eventlogs.blogspot.com/
  - The fields in which certain events are recorded have changed. Specifically, the Type field which was previously used to record the severity of events (Information, Warning, Error, Audit Success, Audit Failure) is now called Level. Most security events are now recorded in the new Keywords field, not the Level field.
- If you already have a log-collecting procedure, then clearly what you collect will need to change.
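The Type-to-Level/Keywords change above is the one most likely to break an existing collection script, so here is an added example (not from the slides) of a normaliser that gives pre-Vista and Vista-style records the same severity label. The numeric Type codes, Level values and the two audit Keywords bitmasks are the documented Windows values; the record dictionaries and the field names used to tell the two shapes apart are constructed for this example.

```python
from typing import Iterable

# Added example, not part of the slides: normalise severity across the
# pre-Vista (.evt) and Vista-style (.evtx) record layouts so one collection
# script treats both alike. Numeric codes are the documented Windows values;
# the sample records further down are constructed for this example.

# Pre-Vista: the Type field is a single numeric code (what Log Parser's EVT
# input format exposes as EventType).
EVT_TYPE_NAMES = {
    1: "Error",
    2: "Warning",
    4: "Information",
    8: "Audit Success",
    16: "Audit Failure",
}

# Vista-style: severity moved to Level, but audit outcomes are flagged in the
# Keywords bitmask. Security audit events typically carry Level 0.
EVTX_LEVEL_NAMES = {
    0: "Information",  # LogAlways
    1: "Critical",
    2: "Error",
    3: "Warning",
    4: "Information",
    5: "Verbose",
}
KEYWORD_AUDIT_SUCCESS = 0x8020000000000000
KEYWORD_AUDIT_FAILURE = 0x8010000000000000


def severity_from_evt(event_type: int) -> str:
    """Map a pre-Vista Type code to a severity label."""
    return EVT_TYPE_NAMES.get(event_type, "Unknown(%d)" % event_type)


def severity_from_evtx(level: int, keywords: int) -> str:
    """Map Vista-style Level plus Keywords onto the same label set.

    Keywords is checked first: an audit failure has Level 0, so a collector
    that only looks at Level would file it as Information (or drop it).
    """
    if (keywords & KEYWORD_AUDIT_FAILURE) == KEYWORD_AUDIT_FAILURE:
        return "Audit Failure"
    if (keywords & KEYWORD_AUDIT_SUCCESS) == KEYWORD_AUDIT_SUCCESS:
        return "Audit Success"
    return EVTX_LEVEL_NAMES.get(level, "Unknown(%d)" % level)


def normalise(record: dict) -> dict:
    """Return a copy of the record with a uniform Severity field added.

    A record is treated as Vista-style if it carries a Level field, otherwise
    as a pre-Vista record with an EventType field (a constructed convention).
    """
    out = dict(record)
    if "Level" in record:
        out["Severity"] = severity_from_evtx(record["Level"], record.get("Keywords", 0))
    else:
        out["Severity"] = severity_from_evt(record["EventType"])
    return out


def select_for_collection(records: Iterable[dict],
                          wanted=("Error", "Warning", "Audit Failure")) -> list:
    """What the old Warning/Error/Failure Audit filter should return on either format."""
    return [r for r in map(normalise, records) if r["Severity"] in wanted]


def level_only_errors(records: Iterable[dict]) -> list:
    """A naive port of the old Type filter to Level alone: it never sees audit failures."""
    return [r for r in records if r.get("Level") in (1, 2, 3)]


# Constructed sample records (not real log data), one of each shape.
SAMPLE_RECORDS = [
    {"EventType": 16, "EventID": 529, "SourceName": "Security"},          # XP: logon failure
    {"EventType": 4, "EventID": 6005, "SourceName": "eventlog"},          # XP: event log service started
    {"Level": 0, "Keywords": KEYWORD_AUDIT_FAILURE, "EventID": 4625,
     "SourceName": "Microsoft-Windows-Security-Auditing"},                # Vista: logon failure
    {"Level": 0, "Keywords": KEYWORD_AUDIT_SUCCESS, "EventID": 4624,
     "SourceName": "Microsoft-Windows-Security-Auditing"},                # Vista: successful logon
    {"Level": 2, "Keywords": 0x80000000000000, "EventID": 1001,
     "SourceName": "Application Error"},                                  # Vista: classic error event
]

if __name__ == "__main__":
    for r in select_for_collection(SAMPLE_RECORDS):
        print(r["EventID"], r["SourceName"], r["Severity"])
    print("Level-only filter keeps:", [r["EventID"] for r in level_only_errors(SAMPLE_RECORDS)])
```

The point of `level_only_errors` is the failure mode: ported naively, the old "Error/Warning/Failure Audit" filter keeps the Application Error event but loses the failed logon entirely, because that event sits at Level 0 and announces itself only through Keywords.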

5. Vista-Style Logging changes
- Vista logs use a different three-pane interface.
- Windows 2008 logs follow this style but are potentially far more numerous.
- Part of the consequence of the new structure is that opening a Vista log, even on a powerful machine, takes far longer than the old .evt-style interface.
- As a consequence of recording much more detail, post-Vista-style logs can expand very rapidly, so it's wise to allow much more space for them.
- The difference in what is recorded between Vista logs (desktop) and Windows 2008 logs, particularly on AD servers, is much more marked.

6. Vista/Windows 2008 Three-Pane Interface
- The left pane details all the categories of logs.
- The middle pane gives the old familiar log entries, with the details of the line you click on presented beneath.
- The right pane has a list of possible actions and tasks (for example the Filter action, which was previously found under the main menu).

7. What does all this mean for SysAdmins?
- The primary use for logs is still for troubleshooting hardware and software problems as well as for security purposes.
- The problem is that as the complexity of log entries increases, so does the ratio of background noise to useful information.
- The old-style logs are still quite effective tools.
- For example, repeated messages in system logs about disk errors at decreasing intervals often precede a hard disk failure.
- Or a malware-affected portable may give warning about "new" services being installed, or even (when such malware has been partially cleaned by anti-virus or anti-spyware) of the malware's failure.
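The "disk errors at decreasing intervals" pattern is easy to miss by eye but easy to script. The following is an added example (not from the slides) that groups exported System-log lines by source and event ID and flags any pair whose most recent occurrences are spaced at strictly shrinking intervals. The log lines, their comma-separated layout and the Print Spooler control rows are constructed for this example; the Disk event ID 11 text is the familiar controller-error message.

```python
from collections import defaultdict
from datetime import datetime

# Added example, not part of the slides: spot a source whose messages arrive
# at ever-shorter intervals, the disk-error pattern the slide describes.
# The log lines below are constructed for this example (timestamp, source,
# event ID, message, one record per line).
SAMPLE_LOG = r"""
2008-05-01 08:00:00,Disk,11,The driver detected a controller error on \Device\Harddisk0.
2008-05-01 09:00:00,Service Control Manager,7036,The Print Spooler service entered the running state.
2008-05-02 08:00:00,Disk,11,The driver detected a controller error on \Device\Harddisk0.
2008-05-02 09:00:00,Service Control Manager,7036,The Print Spooler service entered the running state.
2008-05-02 20:00:00,Disk,11,The driver detected a controller error on \Device\Harddisk0.
2008-05-03 02:00:00,Disk,11,The driver detected a controller error on \Device\Harddisk0.
2008-05-03 03:00:00,Disk,11,The driver detected a controller error on \Device\Harddisk0.
2008-05-03 03:20:00,Disk,11,The driver detected a controller error on \Device\Harddisk0.
2008-05-03 09:00:00,Service Control Manager,7036,The Print Spooler service entered the running state.
2008-05-04 09:00:00,Service Control Manager,7036,The Print Spooler service entered the running state.
"""


def parse_log(text: str) -> list:
    """Parse the constructed lines into (timestamp, source, event_id, message) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, source, event_id, message = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       source, int(event_id), message))
    return events


def accelerating_sources(events, min_count: int = 4) -> dict:
    """Return {(source, event_id): gaps_in_minutes} for every source/ID pair whose
    last `min_count` occurrences are spaced at strictly decreasing intervals.

    Sources that repeat at a steady rate (a daily service restart, say) are
    left alone: only a shrinking gap between repeats is reported.
    """
    times_by_key = defaultdict(list)
    for ts, source, event_id, _message in events:
        times_by_key[(source, event_id)].append(ts)

    flagged = {}
    for key, times in times_by_key.items():
        if len(times) < min_count:
            continue
        recent = sorted(times)[-min_count:]
        gaps = [(later - earlier).total_seconds() / 60
                for earlier, later in zip(recent, recent[1:])]
        if all(b < a for a, b in zip(gaps, gaps[1:])):
            flagged[key] = gaps
    return flagged


if __name__ == "__main__":
    for (source, event_id), gaps in accelerating_sources(parse_log(SAMPLE_LOG)).items():
        print("%s/%d repeating faster: gaps of %s minutes" % (source, event_id, gaps))
```

On the sample the Disk/11 entries come 6 hours, then 1 hour, then 20 minutes apart and are reported; the Service Control Manager entries recur once a day and are not. Raising `min_count` demands a longer run of shrinking gaps before a source is reported, which is the knob to turn if a busy server produces false alarms.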

8. What does all this mean for SysAdmins?
- The advantage of the older style of logs is that their format and error messages are in general well understood.
- Specialist sites like eventid.net give good information on their meanings and possible consequences.
- Even if a specialist site cannot give specific advice, details of the circumstances under which the error can arise may still be helpful.
- The following example uses a filter which displays only the Warning, Error and Failure Audit entries in the Application log on a Windows XP box, and gives the less than helpful error message about a Fault Bucket failure.

9. Windows XP filtered Application Log

10. Odd Fault Bucket Error

11. Determining what the logs mean...

12. Determining what the errors mean...
- Looking up the unhelpful error message 'Fault bucket', with no source except 'Application Error' and an event ID of 1001, gives a page of cases where this error message has arisen and what solved the problem, as well as references to Microsoft Technet articles.
- In this particular case http://support.microsoft.com/kb/828664 (one of the Technet articles mentioned above) makes it clear that this error is normally related to another event ID (1004) which, when looking back at the log being scanned, linked the error message with a Firefox problem.
- So even the more obscure old-style messages can normally be determined.

13. What does all this mean for SysAdmins?
- Basically, just going through the logs on a regular basis manually, particularly on desktops, is no longer a viable proposition for most sysadmins, especially since the known-problems database for Vista-style logs isn't really there yet.
- So although mostly you will still need to go back to the full set of logs to diagnose a problem in further detail, some form of scripted collecting/sorting/pruning of logs is needed.
- You can link directly to Microsoft's database of errors from Vista-style logs, but although I've tried this several times, mostly I get told I have an unknown error.
- Hopefully as Vista and Windows 2008 age the known database of problems will get larger...

14. A small SQL Server patch problem

15. So what does all this mean for SysAdmins?
- Various third-party products which perform this function have been around for ten years, including Event Alarm, GFI Events Manager and EventSentry.
- Microsoft realised the growing market in this area was being exploited in the late 90s and brought out MOM 2000 (Microsoft Operations Manager).
- MOM 2005 with SP1 is compatible with Windows 2008, but it looks as though that is the end of the line (merging with SMS?).
- 2007 saw the release of System Center Operations Manager 2007: http://www.microsoft.com/systemcenter/operationsmanager/en/us/default.aspx
- All of these are specialized products, and they are not free. Only large organisations can generally afford them.
- So what's the alternative?

16. Free Alternatives
- One product which has been around for several years is a product produced (and to a certain extent supported) by Microsoft called Log Parser.
- It can be downloaded from Microsoft: http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
- Although the blurb says it's compatible with Windows XP Pro, Windows 2000 and Windows 2003, it runs perfectly happily on Windows Vista and Windows Server 2008.
- A word of warning: this is a command-line tool which demands a fair amount of care in usage and a basic knowledge of SQL syntax. It repays work put into it, but you will need to spend a little time getting used to it.

17. Free Alternatives
- Log Parser will deal with many log formats other than the standard .evt and .evtx ones, including syslog files, W3C (IIS log format) and various other Windows format files.
- It has various output formats including a Chart one (pie graphs and the like) and SQL.
- Log Parser is still a trifle buggy when used with .evtx files. You need to specify -i:EVT to get it to recognise these files.
- The default output format used if you do not specify one is NAT, which is a very wide tabular-based format you may not find entirely helpful.
- It comes with a directory full of SQL samples directed at the IIS log format, so they will need to be adapted for ordinary event log use.

18. Free Alternatives
- The following command line produces an output file called report.txt detailing a particular type of SQL error from the Application log on a Windows 2008 server running SQL Server 2005, in the Datagrid format, when run from the Program Files\Log Parser directory (probably best to extend the PATH to include the Log Parser directory on a regular basis).

  logparser -i:EVT "SELECT * INTO report.txt FROM Application WHERE SourceName='MSSQLSERVER' AND EventType=16" -o:DATAGRID

19. Free Alternatives

20. Free Alternatives: format details (EVT)

21. Free Alternatives
- The first details to check if you want to use Log Parser are the fields used in the format you want, or you will find that you are getting an awful lot of errors every time you try to run a query.
- The examples given in the Log Parser online help files (or from the command line) are far from exhaustive.
- If you are more used to a GUI-style interface and unhappy having to build up your scripts from there, then there is a GUI front-end available: http://en.serialcoder.net/logiciels/visual-logparser.aspx
- You need to read the documentation to ensure you have the right components available to use it.

22. Free Alternatives
- Log Parser examples (also in the on-line Help): http://www.microsoft.com/technet/scriptcenter/tools/logparser/lpexamples.mspx
- SecurityFocus article on using Log Parser to look at IIS log files (includes a description of all the fields used in this format): http://www.securityfocus.com/infocus/1712
- Lots of IIS examples: http://www.codinghorror.com/blog/archives/000369.html
- A step-by-step guide on importing Security logs: http://www.databasejournal.com/features/mssql/article.php/3515886/Import-Security-event-logs-using-Log-parser-and-SQL-Server.htm

23. Other Possible Solutions
- Microsoft have included a query-driven language using XML behind the scenes, which you may prefer to use if you are happier with XML than SQL.
- It is driven in much the usual way from the normal grey GUI-style interface.
- For example, in Windows 2008 Server you will see an entry at the bottom of the left-hand pane entitled Subscriptions.
- If you click on Subscriptions, the normal type of wizard starts, asking you the type of questions you'd expect, e.g. which computers you wish to connect to (an obvious option is domain computers).
- You also have the possibility of choosing which level of events (e.g. Audit Failure, Error etc.) you choose to collect.

24. Other Possible Solutions
- The important point about setting up subscriptions is the underlying new functionality in the post-Vista world of collecting remote logs (even on a desktop), which is where the new Forwarded Events log comes in.
- This allows you to combine logs from a variety of differing sources.

25. The Event Collector Wizard

26. Other Alternatives
- Other features in the new-look logs include the ability to attach a task to a particular log (a wizard runs).
- The scheduled job can then be tidied up and/or developed in the usual way using the Scheduler.
- There is also the ability to create Custom Logs for particular tasks.
- Some particularly useful pre-supplied logs are included with the various new role functions in Windows Server 2008.
- For example, if a Windows 2008 server is set up as a Windows Terminal Server Gateway (TSG), then a log of who is accessing the TSG is automatically started.

27. Attaching a Task to a log

28. Mixed Solutions
- It is perfectly possible to use a combination of Log Parser and the new functionality of normal Vista logging to handle more complex tasks.
- For example, you could use the new Forwarded Events log to collect all events of any severity from domain computers and then run the resulting output through Log Parser (which also produces CSV and TSV output) into the database of your choice.
- For the brave, here's the Microsoft take on AD auditing: http://technet.microsoft.com/en-us/library/cc731607.aspx
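The "Log Parser into the database of your choice" step, as an added example that is not from the slides: it takes the CSV that Log Parser's -o:CSV output format writes, loads it into a SQLite table, and runs the two queries a sysadmin pruning logs actually wants, a count of error events per machine/source/ID and a lookup of the companion events that sit next to a given ID (the 1001/1004 Fault Bucket pairing from slide 12). The header row uses Log Parser's EVT field names (TimeGenerated, EventID, EventTypeName, SourceName, ComputerName, Message); the data rows, computer names and messages are constructed for the example, and the choice of SQLite is an assumption in place of whatever database you would really use.

```python
import csv
import io
import sqlite3

# Added example, not part of the slides: load Log Parser CSV output into a
# database and query the pruned view instead of reading raw logs.
# Constructed sample of what "logparser -i:EVT -o:CSV" writes for a query
# selecting the six columns below; rows are invented for this example.
SAMPLE_CSV = """\
TimeGenerated,EventID,EventTypeName,SourceName,ComputerName,Message
2008-05-01 08:00:00,1001,Error event,Application Error,PC01,Fault bucket 123456789.
2008-05-01 08:00:00,1004,Error event,Application Error,PC01,Faulting application firefox.exe.
2008-05-01 09:15:00,17055,Error event,MSSQLSERVER,SQL01,The log file for the database is full.
2008-05-01 09:16:00,17055,Error event,MSSQLSERVER,SQL01,The log file for the database is full.
2008-05-01 10:00:00,1000,Information event,MsiInstaller,PC02,Product installed.
"""


def load_into_sqlite(csv_text: str, conn=None) -> sqlite3.Connection:
    """Create the events table (if needed) and insert every CSV row into it."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE IF NOT EXISTS events (
                        time_generated TEXT, event_id INTEGER, event_type TEXT,
                        source TEXT, computer TEXT, message TEXT)""")
    rows = [(r["TimeGenerated"], int(r["EventID"]), r["EventTypeName"],
             r["SourceName"], r["ComputerName"], r["Message"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def error_summary(conn: sqlite3.Connection) -> list:
    """Count error events per computer/source/ID, busiest first: the pruned
    view you scan daily instead of the full logs."""
    cur = conn.execute("""SELECT computer, source, event_id, COUNT(*) AS n
                          FROM events
                          WHERE event_type = 'Error event'
                          GROUP BY computer, source, event_id
                          ORDER BY n DESC, computer, event_id""")
    return cur.fetchall()


def companions(conn: sqlite3.Connection, event_id: int, window_seconds: int = 60) -> list:
    """Other event IDs from the same source on the same machine logged within
    `window_seconds` of an occurrence of `event_id` (how 1001 leads to 1004)."""
    cur = conn.execute("""SELECT DISTINCT b.event_id
                          FROM events a JOIN events b
                            ON a.computer = b.computer
                           AND a.source = b.source
                           AND a.event_id <> b.event_id
                           AND abs(strftime('%s', b.time_generated)
                                   - strftime('%s', a.time_generated)) <= ?
                          WHERE a.event_id = ?
                          ORDER BY b.event_id""", (window_seconds, event_id))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = load_into_sqlite(SAMPLE_CSV)
    for computer, source, event_id, n in error_summary(db):
        print("%-6s %-20s %6d x%d" % (computer, source, event_id, n))
    print("Events logged alongside 1001:", companions(db, 1001))
```

Because the table is keyed on the EVT field names, the same loader works whether the CSV came from a local Application log or from a Forwarded Events collection, provided the Log Parser query selects those six columns; extend the INSERT and the CREATE TABLE together if you also export Strings or RecordNumber.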

29. The Future
- Well, what can I say? If you are interested you can read the Microsoft System Center team's plan to take over the world: http://blogs.technet.com/systemcenter/archive/2008/04/29/operations-manager-2007-goes-cross-platform.aspx
- THE END