Windows Logging

1
Windows Logging

• Or managing the morass...

2
The Good Old Days...

• Back in the good old days of Windows NT, there
  were three main logs
• The Application log
• The System log
• The Security log, which you almost never saw
  enabled on desktops.
• Windows 9x (95/ 98 and ME) of course didn't
  bother with anything so sophisticated.
• Most users never realised that Windows logs
  existed.
• Even those who did had no idea what most of the
  error messages meant.

3
Then life got a lot more complicated...

• Currently there are two main setups, pre-Vista
  and post-Vista.
• The logs which most sysadmins are used to are
  probably still the main three logs of Windows NT
  although the some minor tweaks have been made.
• The Security log is not necessarily enabled on
  desktops.
• It is turned on automatically on servers (2003)
  but the default settings record success and
  failure equally, which may not be the most
  efficient of settings.
• One improvement is that Windows 2003 security
  logs may now record the full IP address of
  machines attempting a login (previously only the
  NetBIOS name was recorded).

4
Vista-Style Logging changes

• Vista logs use a different XML-based format and
  the .evtx rather than a .evt extension).
• More details can be found here
• http//www.eventlogblog.com/blog/2007/12/vista-eve
  nt-log-changes.html
• There are two very important consequences
• Vista and Windows 2008 .evtx logfiles cannot be
  read on pre-Vista machines (at least in native
  .evtx format)
• http//eventlogs.blogspot.com/
• The fields in which certain events are recorded
  have changed.
• Specifically the Type field which was previously
  used to record the severity of events
  (Information, Warning, Error, Audit Success,
  Audit Failure) is now called Level. Mostly
  security events are now recorded in the new
  Keywords field, not the Level field.
• If you already have a log-collecting procedure,
  then clearly what you collect will need to
  change.

5
Vista-Style Logging changes

• Vista logs use a different three-pane interface.
• Windows 2008 logs follow this style but are
  potentially far more numerous.
• Part of the consequences of the new structure is
  that opening a Vista log even on a powerful
  machine takes far longer than the old .evt-style
  interface.
• As a consequence of recording much more detail,
  post-Vista-style logs can expand very rapidly so
  its wise to allow much more space for them.
• The differences in what is recorded between Vista
  logs (desktop) and Windows 2008 logs,
  particularly on AD servers is much more marked.

6
Vista/Windows 2008 Three-Pane Interface

• The left-pane details the all the categories of
  logs.
• The middle-pane gives the old familiar log
  entries with the details of the line you click on
  presented beneath.
• The right-pane has a list of possible actions and
  tasks (for example the Filter action which was
  previously found under the main menu. )

7
What does all this mean for SysAdmins?

• The primary use for logs is still for
  troubleshooting hardware and software problems as
  well as for security purposes.
• The problem is that as the complexity of log
  entries increase so does the ratio of background
  noise to useful information.
• The old-style logs are still quite effective
  tools.
• For example repeated messages in system logs
  about disk errors at decreasing intervals often
  precedes a hard disk failure.
• Or a malware-affected portable may give warning
  about "new" services being installed or even
  (when such malware has been partially cleaned by
  anti-virus or anti-spyware) of the malware's
  failure.

8
What does all this mean for SysAdmins?

• The advantage of the older style of logs is that
  their format and error messages are in general
  well understood.
• Specialist sites like eventid.net give good
  information on their meanings and possible
  consequences.
• Even if a specialist site cannot give specific
  advice details of the circumstances under which
  the error can arise they may still be helpful.
• The following example uses a filter which
  displays only the Warning, Error and Failure
  Audit entries in the Application log on a Windows
  XP box, and gives the less than helpful error
  message about a Fault Bucket failure.

9
Windows XP filtered Application Log
10
Odd Fault Bucket Error
11
Determining what the logs mean...
12
Determining what the errors mean...

• Looking up the unhelpful error message 'Fault
  bucket', no source except 'Application Error' and
  an event ID of 1001 gives a page of cases when
  this error messages has arisen and what solved
  the problem, as well as reference to Microsoft
  Technet articles.
• In this particular case http//support.microsoft.c
  om/kb/828664 (one of the Technet articles
  mentioned above) makes it clear that this error
  is normally related to another eventid (1004)
  which when looking back at the log which was
  being scanned linked the error message with a
  Firefox problem.
• So even the more obscure old-style messages can
  normally be determined.

13
What does all this mean for SysAdmins?

• Basically just going through the logs on a
  regular basis manually, particularily on
  desktops is no longer a viable proposition for
  most sysadmins, especially since the known
  problems database for Vista-style logs isnt
  really there yet.
• So although mostly you will still need to go back
  to the full set of logs to diagnose a problem in
  further detail, some form of scripting
  collecting/sorting/pruning of logs is needed.
• You can link directly to Microsofts database of
  errors from Vista-style logs but although Ive
  tried this several times, mostly I get told I
  have an unknown error.
• Hopefully as Vista and Windows 2008 age the
  known database of problems will get larger...

14
A small SQL Server patch problem
15
So what does all this mean for SysAdmins?

• Various third-party products which perform this
  function have been around for ten years,
  including Event Alarm, GFI Events Manager and
  EventSentry.
• Microsoft realised the growing market in this
  area was being exploited in the late 90s and
  brought out MOM 2000 (Microsoft Operations
  Manager).
• MOM 2005 with SP1 is compatible with Windows
  2008, but it looks as though that is the end of
  the line (?merging with SMS).
• 2007 saw the release of System Center Operations
  Manager 2007 http//www.microsoft.com/systemcente
  r/operationsmanager/en/us/default.aspx
• All of these are specialized products, and they
  are not free. Only large organisations can
  generally afford them.
• So whats the alternative?

16
Free Alternatives

• One product which has been around for several
  years is a product produced (and to a certain
  extent supported) by Microsoft called Log Parser.
• It can be downloaded from Microsoft
  http//www.microsoft.com/downloads/details.aspx?Fa
  milyID890cd06b-abf8-4c25-91b2-f8d975cf8c07displa
  ylangen
• Although the blurb says its compatible with
  Windows XP Pro, Windows 2000 and Windows 2003 it
  runs perfectly happily on Windows Vista and
  Windows Server 2008.
• A word of warning this is a command-line tool
  which demands a fair amount of care in usage and
  a basic knowledge of SQL syntax. It repays work
  put into it but you will need to spend a little
  time getting used to it.

17
Free Alternatives

• Log Parser will deal with many log formats other
  than the standard .evt and .evtx ones, including
  syslog files, W3C (IIS log-format) and various
  other Windows format files.
• It has various output formats including a Chart
  one (pie graphs and the like) and SQL.
• Log Parser is still a trifle buggy when used with
  .evtx files. You need to specify -iEVT to get
  it to recognise these files.
• The default output format used if you do not
  specify one is NAT, which is a very wide tabular
  based format you may not find entirely helpful.
• It comes with a directory full of SQL samples
  directed at the IIS log format so they will need
  to be adapted for ordinary event log use.

18
Free Alternatives

• The following command-line produces an output
  file called report.txt detailing a particular
  type of SQL error from the Application log on a
  Windows 2008 server running SQL Server 2005 in
  the Datagrid format when run from the Program
  File\Log Parser directory (probably best to
  extend the PATH to include the Log Parser
  directory on a regular basis).
• logparser -iEVT "SELECT INTO report.txt FROM
  Application WHERE SourceName'MSSQLSERVER' AND
  EventType16" -o DATAGRID

19
Free Alternatives
20
Free Alternatives format details (EVT)
21
Free Alternatives

• The first details to check if you want to use Log
  Parser are the fields used in the format you
  want, or you will find that you are getting an
  awful lot of errors every time you try to run a
  query.
• The examples given in the Log Parser online help
  files (or from the command-line) are far from
  exhaustive.
• If you are more used to a GUI-style interface and
  unhappy having to build up your scripts from
  there, then there is a GUI front-end available
  http//en.serialcoder.net/logiciels/visual-logpars
  er.aspx
• You need to read the documentation to ensure you
  have the right components available to use it.

22
Free Alternatives

• Log parser examples (also in the on-line Help)
• http//www.microsoft.com/technet/scriptcenter/tool
  s/logparser/lpexamples.mspx
• SecurityFocus article on using Log Parser to look
  at IIS log files (includes description of all the
  fields used in this format)
• http//www.securityfocus.com/infocus/1712
• Lots of IIS examples
• http//www.codinghorror.com/blog/archives/000369.h
  tml
• A step-by-step guide on importing Security logs
• http//www.databasejournal.com/features/mssql/arti
  cle.php/3515886/Import-Security-event-logs-using-L
  og-parser-and-SQL-Server.htm

23
Other Possible Solutions

• Microsoft have included a query-driven language
  using XML behind the scenes which you may prefer
  to use if you are happier with XML than SQL.
• It is driven in much the usual way from the
  normal grey GUI-style of interface.
• For example in Windows 2008 server you will see
  an entry at the bottom of the left-hand pane
  entitled Subscriptions.
• If you click on Subscriptions the normal type of
  wizard starts asking you the type of questions
  youd expect e.g. which computers do you wish to
  connect to (an obvious option is domain
  computers).
• You also have the possibility of choosing which
  level of events (e.g. Audit Failure, Error etc)
  you choose to collect.

24
Other Possible Solutions

• The important point about setting up
  subscriptions in the underlying new functionality
  in the post-Vista world of collecting remote logs
  (even on a desktop) which is where the new
  Forwarded Events log comes in.
• This allows you to combine logs from a variety of
  differing sources.

25
The Event Collector Wizard
26
Other Alternatives

• Other features in the new-look logs include the
  ability to attach a task to a particular log (a
  wizard runs).
• The scheduled job can then be tidied up and/or
  developed in the usual way using the Scheduler.
• There is also the ability to create Custom Logs
  for particular tasks.
• Some particularly useful pre-supplied logs are
  included with the various new role functions in
  Windows Server 2008.
• For example if a Windows 2008 server is set up as
  a Windows Terminal Server Gateway (TSG) then a
  log of who is accessing the TSG is automatically
  started.

27
Attaching a Task to a log
28
Mixed Solutions

• It is perfectly possible to use a combination of
  Log Parser and the new functionality of normal
  Vista logging to handle more complex tasks.
• For example you could use the new Forwarded
  Events log to collect all event of any severity
  from domain computers and then run the resulting
  output through Log Parser (which also produces
  CSV and TSV output) into the database of your
  choice
• For the brave heres the Microsoft take on AD
  auditing
• http//technet.microsoft.com/en-us/library/cc73160
  7.aspx

29
The Future

• Well what can I say? If you are interested you
  can read the Microsoft Center Teams plan to take
  over the world
• http//blogs.technet.com/systemcenter/archive/2008
  /04/29/operations-manager-2007-goes-cross-platform
  .aspx
• THE END