If you’ve ever seen Indiana Jones and the Last Crusade, you might remember the scene where Indy and his dad are in a room replete with the most ornate chalices possible, only to realize that the Holy Grail is the most plain, utilitarian one in the room. Windows event logs are the IT version of the plain-looking clay cup that holds the key to answering your service questions and system issues.
Windows event logs may not be the most exciting part of working in IT, but understanding what they are and how to use them helps you respond to service calls more rapidly.
What is a Windows event log?
The Windows event log is a detailed and in-depth record about system, security, and application events that the Windows operating systems stores. Administrators, IT support analysts, and security teams use Windows event logs to diagnose system problems, predict future issues, and detect and investigate security incidents. The event logs provide information about:
- Application installations
- Security issues
- System setup operations
- Problems and errors
The Windows Event Viewer shows all the system messages and logs, providing data about errors and warnings that help with troubleshooting.
What are the 5 types of event logs?
Every Windows application, device, and operating system logs the following five events types:
- Error: something went wrong, usually problems like data or functionality loss
- Warning: something could go wrong, usually things that aren’t significant yet
- Information: something that successfully operated as intended in an application, driver, or service
- Success audit (Security Log): audited security access attempt that is successful
- Failure audit (Security Log): audited security access attempt that fails
Using Windows Event Viewer to read event logs
Instead of storing Windows event logs as a plaintext file, Microsoft uses its own format, meaning that you can’t view them in a text editor. Since Windows Vista and Windows Server 2008, Microsoft has stored the files in the EVTX format, sending them to C:\Windows\System32\winevt\Logs
Since Microsoft uses its own proprietary format, you need the Windows Event Viewer to read the event logs. Microsoft supplies the Windows Event Viewer application with every machine to make accessing the log files easier.
All Windows events logs contain the same data organized in a similar manner:
- Log Name/Key: type of logging component
- Level: event severity defined as critical, error, warning, information, or verbose
- Date/Time: when the event was recorded
- Source: component that triggered the event log, like application or process name
- EventID: type of event logged, helping to locate the issue’s root cause
- Task Category: additional information for applications or system issues provided by developers
- User: username of the person logged into the machine when the event was recorded
- Computer: machine that logged the event
If you’re troubleshooting an issue for a specific device, then the Windows Event Viewer can help you track down the root cause. For example, every time an application crashes, it logs the event. If a user calls with a problem, you can use that information to help.
What are the 5 types of logs available through the Event Viewer
Although all event logs contain the same type of information, they provide data about different devices and processes. Windows categorizes event logs into four groups:
- System: information about Windows operating system and its components, like failure to load a boot-start driver
- Application: errors found in software or application hosted on a machine, like problems with Microsoft Word crashing
- Setup: installation-related events, like events related to Active Directory on a domain controller
- Security: security events, like failed and valid logins
- Forwarded: event logs forwarded from other computers in the same network
How do I analyze Windows event logs in Event Viewer?
Understanding how to filter Windows event logs in the Event Viewer application can help you analyze them and get to the root cause of issues faster.
Since all event logs include a time and date stamp, Event Viewer makes this filter easy by offering:
- Any time
- Last hour
- Last 12 hours
- Last 24 hours
- Last 7 days
- Last 30 days
- Custom range
Depending on the type of investigation you’re doing, you may want to filter out noise to zero in on the most important information. Event Viewer allows you to filter by “Event level” so that you can get quick visibility into critical and warning events.
If you know the type of event that you’re looking for, you can focus on the EventIDs related to that issue. For example, if you’re troubleshooting an unexpected shutdown or restart, you could filter by Event ID 41.
Most likely, filtering by one element of the event log won’t be really helpful since machines generate so much data that you’d still have a difficult time finding what you need. With custom views, you can filter by multiple events and different sources. For example, a common error on machines running Windows 11/10 is the Kernel-Power 41 Critical Error. Since this is a common error, you might want to build a custom view so that you can more rapidly fix someone’s problem:
- Date/Time: Last 12 hours
- Event level: Critical
- Log Name: System
- Event ID: 41
Graylog Operations: Managing Windows event logs with centralized log management
Windows event logs provide information about your Windows devices and servers. However, Windows Event Viewer only works for individual servers and PCs on your network. If you’re managing a large numbers of machines, you need visibility across your environment. Even more likely, your environment consists of machines running Windows and Linux. If the problem isn’t on a single device but an application’s bug, you need a way to investigate the root cause as quickly as possible.
Using Graylog Sidecar, you can manage your logging levels for multiple third party logging applications. This will enable you to centrally manage all your configurations for log shippers like WinLogBeat, Filebeat and NXLog.
Graylog Operations gives you the visibility you need with lightning fast query speed. With Graylog, you can aggregate, normalize, and parse log data from across your environment to remove complexity from day-to-day analysis activities like data expiration and error tracing. With our Illuminate pre-built content, you don’t have to spend time creating your own custom views because you can use our search templates, dashboards, correlated alerts, reports, dynamic look-up tables, streams, and pipelines.