Preparing to Create a Database for Event Analysis and Reporting
Event Logs compose a highly valuable weapon in the arsenal of
Windows 2000 administrators. By default, a computer running a Windows
Server 2000 family operating system records events in three kinds of logs:
-
Application log: The Application log contains events logged
by applications or programs. For example, a database program might record a file
error in the application log. Application developers decide which events to
log.
-
Security log: The Security log records events such as
valid and invalid logon attempts, as well as events related to resource use
such as creating, opening, or deleting files or other objects. For example, if
logon auditing is enabled, attempts to log on to the system are recorded in the
Security log.
-
System log: The System log contains events logged by
Windows system components. For example, the failure of a driver or other system
component to load during startup is recorded in the System log. The
event types logged by system components are predetermined by the server.
Other logs can appear on a computer, depending upon the
services that are hosted. Domain controllers carry two additional logs, the Directory
Service and File Replication logs, and Domain Naming System (DNS)
servers host an additional DNS Server log.
We will focus primarily on the Application, Security
log in this article, as it resides on virtually any Windows 2000 Server family
machine. From the perspective of this article, however, the procedures we
undertake to export the Application log would be the same for additional logs,
should they exist and be populated.
Most
would agree that recurring scans of the logs, at a bare minimum, are another "cost
of doing business," in maintaining a well-tuned, trouble-free computing
and network environment. But the Event Viewer's interface, the Microsoft
Management Console, makes cursory browsing somewhat tedious, which often
causes administrators to focus on the serious "error" items, whose "red-circle-and-x"
icons cannot help but demand attention. At best, a few of the yellow "warning"
class might also be reviewed, given the time to drill down on each to read the
data presented. Informational events might be overlooked, or deferred,
particularly in the hectic climates of today, and where other serious
conditions might well be in progress
In
addition to its importance in alerting us to existing or potential problems,
the Event Log often provides essential guidance in troubleshooting
servers, clients, networks, applications, and a host of other areas within
which we might experience difficulties in operations. The logs, when examined
and analyzed as a whole, enable us to see, and investigate, security issues
such as system attack attempts, audit results and many others vital statistics.
However, when it comes time to perform serious analysis of the data in the log,
practitioners are often frustrated with the unwieldy approach of the Event
Viewer in the Management Console.
The Event
Viewer provides a reasonable interface from which to view, filter and
search event logs. However, it does not provide the capability to automate
the export of a complete event log to another application, such as a database. We
can export the different log types individually in a manual process, but this
presents a time consuming effort. Illustration 1 depicts the Event
Viewer interface on a combined domain controller / DNS Server, with the Properties
page for an example event assuming the focus after the event is double-clicked
in the Viewer.
Illustration 1: All Dressed Up with Nowhere to Go ...
Limited Export Features in Event Viewer
The
menu clicks necessary to export the contents of a log are straightforward
enough: We simply highlight the (single) log we wish to export, and then
select Action --> Export List, whereupon we are prompted for
the location to which we wish to export the file. (The clipboard icon on the Properties
window saves the associated event's details to the clipboard, for an even more
manual process of pasting elsewhere). This is simple, but requires manual
intervention at any time we require export to take place.
The
capability to fully export log files might be particularly useful when we need
to explore the logs in detail for troubleshooting. Support teams for many
applications request that you send them the user.dmp and drwtsn32.log files, in
addition to parts or all of the Event Log, often filtered for a certain
window of time before a crash, etc. or when tracking down a potential security
breach. It is also useful for generating reports. Automation of log export
would truly be a luxury, but, somewhat surprisingly, the Event Viewer
offers no way to schedule the export process.
Fortunately,
Microsoft has seen fit to address this need with various tools in the past and
today. For Windows 2000, the tool specifically designed for this purpose is the
Event Log Query tool.