Chapter 8 Event And System Monitoring Tools
- Locating And Examining Unsuccessful Logon Attempts
- Modifying Event Log Settings
- Fixing Local System Performance Problems
- Changing A Process's Priority
- Monitoring System Performance
- Logging And Viewing Performance Data
- Configuring System Alerts
- Network Monitoring
Administrator's Notes...
One of the biggest problems faced by the administrator of any multiuser, multitasking operating system is keeping track of what system events have occurred and what caused them. The Windows NT system administrator faces these same problems. Fortunately, NT provides some excellent system monitoring tools. Although the tools are easy to use, the interpretation of the results produced by these tools often causes the most problems, especially in the area of performance monitoring. This chapter hopes to provide you with enough information about these tools to point you in the right direction in tracking down your problems.
The Event Viewer
The Event Viewer is a system event log viewer accessed via the Administrative Tools menu. This tool provides a graphical management interface to view the contents of the system, security, and application logs. No special user rights are required to view the system and application logs; however, to view the security log, you must be a member of the Administrator group or have the relevant individual right assigned. All three logs can only be cleared down or have their log settings changed by an administrator. The Event Viewer is shown in Figure 8.1, and a description of the columns is listed in Table 8.1. The different functions of the three event logs are explained in Table 8.2.
Figure 8.1 The Event Viewer.
Table 8.1 The Event Viewer column descriptions.
| Column | Description |
| --- | --- |
| Date | Date on system that event was logged. |
| Time | Time on system that event was logged. |
| Source | Software application or system component that logged the event. |
| Category | Source software-defined category for this type of event. |
| Event | Number assigned by the source software to identify events. |
| User | User name of the user logged on when the event occurred. |
| Computer | Computer name of the system where the event occurred. |
Table 8.2 The event log file usage.
| Log File | Description of Use |
| --- | --- |
| System | Used to log events generated by the operating system. |
| Security | System security events based on the Audit Policy setup are logged here. |
| Application | Both system and user application events are logged here. |
In addition to current log files, the Event Viewer can be used to view previously saved event files. This is of particular interest to high-security sites where saving security event files for several years is a normal practice.
The characteristics of the log files can be set on a per-log basis, and items that can be configured include the maximum log file size and how long events are kept before being overwritten. The defaults for the log settings are 512 K maximum size and 7 days before events are overwritten. Often, the first log setting to be changed is the security log overwrite time, because it is often advisable to keep a security audit trail for longer than a week. Events may be retained for a maximum of one year.
The basic one-line event message can be expanded to reveal more detail. The detail view not only provides a text description of the event record but sometimes includes additional hex data in the lower part of the event record. This data can be used by Windows NT support personnel to further diagnose the event. A sample detail record is shown in Figure 8.2.
Figure 8.2 Detailed view of the event record.
Five different event types are used to categorize all events. These are shown in Table 8.3, along with a brief description of the audit events to which they are assigned. Event logs can be viewed on remote systems by using the Select Computer option from the Log menu. You must have administrator rights on the remote system to view the event logs.
Table 8.3 Audit event types and descriptions.
| Event Type | Description |
| --- | --- |
| Error | Major error has occurred; used for the most serious errors. |
| Warning | Warning of impending problems or non-critical errors. |
| Failure Audit | Failed audit event has been received; logon failures generate this event. |
| Information | Used to indicate the successful conclusion of a system event. |
| Success Audit | Success audit event has been received; successful logons generate these events. |
As event logs become filled with data, locating a particular event becomes increasingly difficult. To help with this task, a search utility is included in the View menu. Also, you can set the order in which the events are displayed, for instance, oldest or newest first. In addition, you can filter the events, which is useful in removing irrelevant event records from the Viewer. This filter is only applied to the display and does not affect the actual log files.
Note: The Event Viewer is static; no new event records will be added to the Viewer display as they occur. To display these new records, either use the View Refresh option or the F5 function key.
Event log files can be saved for future use in one of three formats:
- Event file format: This is the native Event Viewer file format. When files are saved, the Event Viewer can be used to view these files directly.
- Text file format: Files in this format can be viewed in applications such as word processors.
- Comma-delimited text file format: Log files in this format can be viewed in applications such as spreadsheets.
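The comma-delimited export is also the format most convenient for scripted review. The following added example (not part of the chapter, and not a Microsoft tool) parses a constructed sample of such an export, applies a display-style filter by event type like the View menu does, and flags computers that record several Failure Audit events within a short window. The column order, the date format and the event numbers in the sample are assumptions made for the example.

```python
import csv
from datetime import datetime, timedelta

# Assumed column order of a comma-delimited export: Table 8.1's columns plus Type and Description.
FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer", "description"]

# Constructed sample export (not a real log file); event numbers are sample values.
SAMPLE_EXPORT = """\
"1/14/98","09:02:11","Security","Success Audit","Logon/Logoff",528,"jsmith","NTSRV01","Successful Logon"
"1/14/98","09:05:40","Security","Failure Audit","Logon/Logoff",529,"SYSTEM","NTSRV01","Logon Failure: Unknown user name or bad password"
"1/14/98","09:05:52","Security","Failure Audit","Logon/Logoff",529,"SYSTEM","NTSRV01","Logon Failure: Unknown user name or bad password"
"1/14/98","09:06:03","Security","Failure Audit","Logon/Logoff",529,"SYSTEM","NTSRV01","Logon Failure: Unknown user name or bad password"
"1/14/98","09:30:00","Srv","Information","None",2013,"N/A","NTSRV01","The disk is nearly full"
"""

def parse_export(text):
    """Parse a comma-delimited Event Viewer export into dicts, adding a combined timestamp."""
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS):
            continue  # skip blank or malformed lines instead of aborting the whole review
        rec = dict(zip(FIELDS, row))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%y %H:%M:%S")
        records.append(rec)
    return records

def filter_events(records, event_type):
    """Display-side filter, like the View menu: keep only one of the five event types."""
    return [r for r in records if r["type"] == event_type]

def failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Map computer -> largest run of Failure Audit events reaching `threshold` within `window`.
    Repeated logon failures in a short span are the records an administrator examines first."""
    failures = sorted(filter_events(records, "Failure Audit"), key=lambda r: r["when"])
    by_computer = {}
    for r in failures:
        by_computer.setdefault(r["computer"], []).append(r["when"])
    bursts = {}
    for computer, times in by_computer.items():
        start = 0  # sliding window over the sorted timestamps for this computer
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[computer] = max(bursts.get(computer, 0), end - start + 1)
    return bursts

if __name__ == "__main__":
    print(failure_bursts(parse_export(SAMPLE_EXPORT)))
```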