IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
New Year greetings and salutations from Hilde and the rest of the PFEs out there! This is the first posting to this blog in 2012 and the second post in a multi-part series on troubleshooting. In this installment, I’ll be covering a real gem – the Event Viewer.
NOTE: The details of the tools covered in this series will be specific to the versions in Win7/W2k8 R2.
A prize in every box!
In Windows 7 and/or Windows Server 2008 R2, you are able to utilize many excellent troubleshooting tools without additional AdminPacks, Support Tools or other add-ins. These tools are part of the OS and you can count on them just being there.
Installment #2 – The Event Viewer
Many IT Pros are well-versed in translating data they find in the Event Viewer into actionable information. The newer Event Viewer offers some GREAT enhancements and features, and is even more helpful to IT Pros.
Event Log “Sub-system”
- Completely re-done back in Vista/2K8 – known as “Windows Eventing 6.0”
- Like many aspects of newer Microsoft products, the new Eventing subsystem relies heavily on XML standards
- This makes searching, filtering and overall performance of the Event Viewer much speedier
- Especially apparent in large event-volume situations such as the Security Event Log
- In W2k3, trying to “massage” the Security Event log on an enterprise-scale DC with best-practice auditing enabled in AD was painful and in many cases, not really even workable.
- In Win7/2K8 R2, you can manipulate/filter/sort/search the Event Logs and actually have it be an effective and valuable use of your time
- Searches quickly return results
- Filtering or re-sorting the Events doesn’t lock up the box while it processes
- Older versions of the 32-bit OS had a maximum combined size for ALL Event Log files of around 300-400mb. If the files got near that limit, unpredictable results could occur including missing events. Those space/file-size limitations are no longer present (up to 2 TB event logs can be set – not recommended, but possible).
- GPOs have been added/enhanced for very fine-grained management and control around most facets of the Event Logs, granular auditing, etc
- Be sure to understand the inter-play of “legacy” Event Log GPO settings and the newer Event Log GPO settings (newer settings take precedence)
- Be sure to understand the inter-play of “Basic Audit Policy” settings and the newer “Advanced Audit Policy” settings (be careful in a mixed environment)
- They’ll persist after you close the Event Log – you won’t lose your favorite View(s) when you close the Event Viewer
- Use “Filtering” to narrow down the results you’re looking for to quickly weed out the noise and find only what you’re looking for.
- Import/export them – make your favorite Views(s) and share them with your team
- Consider this idea:
- Combine Filtering with a Custom View and you can make “application-specific” views of Events that you can save/export across a server farm or distribute to the application-specific team who supports the app.
Subscriptions (aka ‘Event Forwarding’)
- Ever wish you could gather specific Events (even from multiple machines) to a central machine with relative ease? Now you can!
- Note – this is not a viable alternative for an enterprise monitoring system like SCOM but in a pinch or for a small-scale or narrowly-focused situation, this could be just the ticket
- Ever wish you could kick off a script or command, or even an email, right when an event occurs? Now you can!
- Two ways:
- Basic Task – from the Event Log entry itself > right-click > “Attach a Task to this Event” (or log)
- For more advanced options, open Task Scheduler and drill-down to Event Viewer Tasks > Create Task
- Enter all appropriate info and on the ‘Triggers” tab, choose “On an event”
· Application and Services Logs
- Provide detail on a vast array of OS activities
- GPO processing
- Why aren’t my GPO(s) applying?
- Don’t need to enable this like USERENV logging
- DNS Client processing
- Why isn’t my DNS record(s) updating in DNS?
- Scheduled Tasks processing
- Why is my Scheduled Task failing?
- Windows Backup processing
- Why isn’t my Backup job completing?
- DHCP Client
- Why isn’t my client getting an IP?
· Save Selected Events
- Save a subset of Events to their own EVTX file for further analysis/filtering and easier portability
- Instead of copying a 250MB file across the WAN from a remote server, you can copy over a 32kb one
· FIND the needle in the haystack
- Right-click a Log, click “Find”, enter a User ID, Event ID, keyword, etc and let the magic begin
- Quickly find who rebooted the server recently?
Don’t wait another minute – jump in and explore the Event Viewer. Progress your troubleshooting and glean more actionable information and details about the system/situation with these great features.
Come back next time for a discussion of yet another tool waiting for you “in the box” of Win7 and 2K8 R2…