
Event Log Essentials

Windows event logs

What is the Windows event log?

Event logs are special files that record significant events on your computer, such as a user logging on or a program encountering an error. Whenever such an event occurs, Windows records it in an event log. The details in event logs are helpful when troubleshooting problems with Windows and other programs, and they are one of the first sources of evidence examined during an incident investigation.

Unlike UNIX syslog, the Windows event log is not a text file and cannot be read with a plain text editor. It is a binary file made up of structured records, the Windows events.

Windows runs the Event Log Service to manage event logs, configure event publishing and perform operations on the logs. The service exposes an API through which applications write to, read from and manage event logs.

Windows event logging was introduced in Windows NT 3.1 in 1993. That release came with three logs: the Application, System and Security event logs. Modern versions of Windows ship with well over a hundred event logs (channels), and third-party applications can register their own logs alongside them.

How to view event logs?

You can view event logs with Event Viewer, which ships with Windows, or with a third-party Windows event viewer. We recommend our Event Log Explorer software, which adds many advanced event log management features.

What is the Windows Event Log Service?

The Windows Event Log Service is the Windows service that manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs and managing event metadata, and it can render events as either XML or plain text. The service is enabled and starts automatically by default. Do not stop or disable it: while it is stopped nothing is recorded, which compromises both the security and the reliability of the system. A stop is itself recorded when it happens cleanly (Security log event ID 1100, "The event logging service has shut down"), and clearing the Security log is recorded as event ID 1102, so an unexplained gap or a 1102 in the Security log is worth investigating.

What are Windows event log files?

The Windows Event Log Service lets users save (back up) event logs to files. Windows NT, 2000 and XP/2003 save event logs in EVT format; Windows Vista/2008 and later use EVTX format. Having backup event files is essential for incident investigation, because a live log is overwritten once it reaches its maximum size and can be cleared by anyone with the right to do so.

Event logs are themselves files, but on a running system the Event Log Service keeps them open, so Event Viewer will not open them in place and a raw copy of the file may lack records not yet flushed to disk. On a "live" system export a copy instead (Save All Events As in Event Viewer, or wevtutil epl <logname> <file> from the command line). If the computer is booted from another disk, or the system drive of the analyzed machine is attached to another computer, the log files can be read directly. The default location on Vista/2008 and later is "C:\Windows\System32\winevt\Logs\" (older versions kept AppEvent.Evt, SecEvent.Evt and SysEvent.Evt in "C:\Windows\System32\config\"). Event Viewer opens an event file as follows:

Click Open Saved Log in Actions pane of Event Viewer.

Select your event log file and it will appear in Windows Event Viewer as a log.

Our Event Log Explorer software also works with event files and does it even better than Event Viewer, e.g. it lets you read even damaged event files.
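The export, verify and read-back procedure above, written out for PowerShell. This is an added example, not code from the original page or from FSPro Labs; it uses only the built-in wevtutil.exe and Get-WinEvent. It assumes an elevated PowerShell session on Windows Vista/2008 or later, and the destination folder is an assumed path.

```powershell
# Added example (not part of the original page): export live event logs to .evtx files,
# record their hashes, and read the saved files back with Get-WinEvent.
# Assumes an elevated prompt; $Destination is an assumed path, change it to suit.

$Destination = 'C:\Forensics\EventLogs'   # assumed path
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# How many logs does this machine actually have, and which of them hold records?
$AllLogs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue
"Logs registered: $($AllLogs.Count); with records: $(($AllLogs | Where-Object RecordCount -gt 0).Count)"

# Export the three classic logs plus one "Applications and Services" log.
# wevtutil epl copies the live log while the Event Log service keeps the original
# open, which is why reading C:\Windows\System32\winevt\Logs\*.evtx in place is not
# the supported route on a running system.
$Logs = 'Application', 'System', 'Security', 'Microsoft-Windows-PowerShell/Operational'
foreach ($Log in $Logs) {
    # Channel names may contain "/" which is not valid in a file name.
    $File = Join-Path $Destination (($Log -replace '[\\/]', '-') + '.evtx')
    wevtutil epl $Log $File
}

# Hash every export so the copies can later be shown to be unmodified.
Get-ChildItem -Path $Destination -Filter *.evtx |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Destination 'hashes.csv') -NoTypeInformation

# Read a saved file back. -Path works on .evtx from any machine, including a disk
# image mounted read-only, and the same filters apply as for live logs.
$Saved = Join-Path $Destination 'Security.evtx'
Get-WinEvent -Path $Saved -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName, Message

# Confirm that no export came back empty.
Get-ChildItem -Path $Destination -Filter *.evtx | ForEach-Object {
    [pscustomobject]@{
        File  = $_.Name
        Count = (Get-WinEvent -Path $_.FullName -ErrorAction SilentlyContinue | Measure-Object).Count
    }
}
```

Legacy .evt files from NT/2000/XP/2003 can be opened the same way, but Get-WinEvent requires the -Oldest switch for them.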

What is the Windows Application event log?

The Application log contains events logged by applications or programs. For example, a database program might record a file error there. Application developers decide which events to log: Microsoft SQL Server, for instance, logs important events such as "out of memory" or "backup failure". One Application log holds events from many different sources (applications), and the same event ID number can mean entirely different things for different sources, so it is incorrect to identify an event by its ID alone; always use the event ID together with the event source (provider). Some applications, such as Internet Explorer and PowerShell, create their own event logs (listed under Applications and Services Logs) instead of using the Application log. Those logs have the same format as the standard Windows logs, and Event Viewer (as well as Event Log Explorer) reads them. Application logs are mainly useful to application support teams.

What is the Windows System event log?

The System log contains events logged by Windows system components. For example, a driver or other system component failing to load during startup is recorded in the System log. The event types logged by system components are predetermined by Windows. As with the Application log, the System log lists events from many sources (system components), so do not rely on the event ID alone when analyzing it; match the event ID together with the event source. System logs are essential for system administrators and technicians.
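The "event ID plus source" rule from the Application and System log sections above, demonstrated against the local logs. This is an added example, not part of the original page. The log names, the provider "Application Error" and event ID 1000 (its application crash event) are real Windows values; the 30-day window is an assumption.

```powershell
# Added example (not part of the original page): show why an event ID on its own is
# ambiguous in the Application and System logs, then filter correctly by provider + ID.
# Runs against the local machine; $Since (30 days) is an assumed window.

$Since = (Get-Date).AddDays(-30)

# 1. Which providers have used a given event ID in a log? "Application Error" logs
#    ID 1000 for crashes, but other providers reuse the same number for other things.
function Get-ProvidersForId {
    param([string]$LogName, [int]$Id, [datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        Group-Object ProviderName |
        Select-Object @{n='Provider'; e={$_.Name}}, Count |
        Sort-Object Count -Descending
}
Get-ProvidersForId -LogName Application -Id 1000 -StartTime $Since

# 2. The correct query names both the provider and the ID. The hashtable filter is
#    evaluated inside the Event Log service, so it is far faster than piping every
#    event to Where-Object.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
        @{n='Faulting application'; e={$_.Properties[0].Value}}   # first data field of event 1000

# 3. The same rule for the System log: list every ID that more than one component
#    has used, i.e. every ID that is meaningless without its source.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Where-Object { ($_.Group.ProviderName | Sort-Object -Unique).Count -gt 1 } |
    Select-Object @{n='Id'; e={$_.Name}},
        @{n='Providers'; e={($_.Group.ProviderName | Sort-Object -Unique) -join ', '}}
```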

What is the Windows Security event log?

The Security log contains events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening or deleting files and other objects. Administrators specify what is recorded in the Security log through the audit policy. For example, if logon auditing is enabled, attempts to log on to the system are recorded there. Be careful when setting up the audit policy: Windows lets you audit access to every file on an NTFS volume so that each access produces a new event. That can generate hundreds of events per second, overwhelm the log (older events are overwritten once the log reaches its maximum size, which is exactly what an attacker wants) and reduce system performance. When tuning object access auditing, place audit entries (SACLs) only on the specific files and folders that matter. By default only members of the Administrators group and the built-in Event Log Readers group can read the Security log, and the "Manage auditing and security log" user right controls who may change audit settings and clear the log. Security logs are essential for system and security administrators and forensic examiners.

Windows Event Viewer

What is Event Viewer?

Event Viewer is a standard Windows tool that reads Windows event logs and displays detailed information about events on your computer. While Event Viewer performs well, it only offers basic functions. Third-party Windows event log viewer tools often enhance the capabilities of Event Viewer. Our Event Log Explorer introduces various new features for event log management.

How to open Event Viewer?

The most common way to open Event Viewer is as follows:

Open Windows Control Panel
Click System and Security
Click Administrative Tools (called Windows Tools on Windows 11)
Double-click Event Viewer.

Other ways to open Event Viewer:

Run Event Viewer from the Command Prompt:

Open the Windows Command Prompt, type
EVENTVWR
and press Enter.

Run Event Viewer from Windows PowerShell:

Open PowerShell, type
EVENTVWR
and press Enter.

Run Event Viewer from the Run dialog:

Open the Run dialog by pressing Windows+R.
Type eventvwr.msc (or eventvwr.exe) and click OK.

Run Event Viewer in Microsoft Management Console:

Open Microsoft Management Console (mmc.exe).
Select File -> Add/Remove Snap-in from the main menu.
Select Event Viewer, then click Add.
Select the computer whose event logs you want to view (e.g. the local computer) and press OK.
Press OK in the Add or Remove Snap-ins dialog.
Then click Event Viewer in the Microsoft Management Console window.

I am unable to open Event Viewer by typing its name. Where is Event Viewer located?

Event Viewer is located at
C:\Windows\System32\eventvwr.exe
or
C:\Windows\System32\eventvwr.msc
How to use Event Viewer?

To view events with Event Viewer:

  • Open Windows Event Viewer.
  • If you want to read events on a remote computer, click Event Viewer (Local) in the tree, then click Action and select Connect to Another Computer. Remote access requires the Remote Event Log Management firewall rules to be allowed on the target and an account that is a member of its Administrators or Event Log Readers group.
  • The Application, Security and System logs are located under Windows Logs in the tree. Other logs are located under Applications and Services Logs.
  • Click the log name in the tree and it appears in the main (central) pane of Event Viewer.
  • Browse events with the mouse or keyboard. Use the commands on the Actions pane to manage the event log or refine the displayed events; Filter Current Log lets you filter by event source and event ID at the same time.

More information about Event Viewer usage is available in Event Viewer Help.
However, we recommend using Event Log Explorer as an Event Viewer alternative.

Windows security auditing

What is Windows security auditing?

A security audit is the systematic monitoring of the security of a company's information system by measuring how well it conforms to a set of established criteria. Windows security auditing is the Windows feature that records security-relevant activity to the Security log, on a single computer or across a corporate network. It is used to monitor user activity, to support forensic analysis and incident investigation, and for troubleshooting. The audit policy is also how you implement and demonstrate the logging that corporate, governmental or industry requirements demand.

How to set up Windows security auditing?

Windows security auditing can be enabled through Group Policy (in an Active Directory environment) or through Local Security Policy (for a single computer). Open Windows Control Panel, select Administrative Tools and run Local Security Policy (secpol.msc). Expand the Local Policies branch and select Audit Policy. The right pane lists the audit policies. Double-click the required policy and choose which attempts (Success, Failure or both) to log. Remember that the policy only switches a category on: object access events, for example, are logged only when both the "Audit object access" policy and an audit entry (SACL) on the object itself are in place.

These are the basic (legacy) audit policies. Starting with Windows 7/Windows Server 2008 R2, you can use the Advanced Security Audit Policy instead: Local Security Policy -> Advanced Audit Policy Configuration -> System Audit Policies. It splits each basic category into subcategories (Logon/Logoff, for instance, into Logon, Logoff, Account Lockout, Special Logon and others), so you can enable exactly what you need and nothing more. Do not mix the two: when advanced settings are applied they override the basic ones, and the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" should be enabled so that a basic setting cannot silently undo them. The command-line equivalent of these dialogs is auditpol.exe.

More information about the Advanced Security Audit Policy is available at https://technet.microsoft.com/en-us/library/dn319056.aspx
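The same configuration done from the command line with auditpol.exe, the tool behind the Local Security Policy dialogs described above. This is an added example, not part of the original page; it uses only documented auditpol switches and the real SCENoApplyLegacyAuditPolicy registry value. It assumes an elevated PowerShell prompt, and the backup file path is an assumption.

```powershell
# Added example (not part of the original page): inspect, back up and change the audit
# policy with auditpol.exe from an elevated PowerShell prompt. $Backup is an assumed path.

$Backup = 'C:\Forensics\auditpol-before.csv'   # assumed path

# 1. Record the effective policy before changing anything, so it can be restored.
auditpol /backup /file:$Backup
auditpol /get /category:*

# 2. Enable the advanced subcategories this page relies on. "Logon" (plus "Logoff" and
#    "Account Lockout") corresponds to the basic "Audit logon events" setting and
#    "File System" to "Audit object access".
auditpol /set /subcategory:"Logon"           /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"          /success:enable /failure:disable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"File System"     /success:enable /failure:enable

# 3. Basic and advanced policy must not be mixed. This registry value is the security
#    option "Audit: Force audit policy subcategory settings (Windows Vista or later) to
#    override audit policy category settings"; 1 means the advanced settings win.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Override = (Get-ItemProperty -Path $Lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
"SCENoApplyLegacyAuditPolicy = $Override  (1 = advanced audit policy overrides basic; empty = not set)"

# 4. Verify the result for the subcategories just changed.
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"File System"

# To undo everything:  auditpol /restore /file:$Backup
```

On domain-joined machines a Group Policy refresh reapplies the domain audit settings, so changes made locally with auditpol only persist where no domain policy covers the same subcategory.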

How to audit logon events?

Windows security auditing lets you audit successful user logons and failed logon attempts on your system. Windows generates these events not only when a user logs on at the console, but also for network logons, for example when a remote computer accesses a shared resource, and for logons by services and scheduled tasks. Auditing logon events helps the administrator or investigator review users' activity and detect attacks such as password guessing.

To log logon events, run Local Security Policy, expand the Local Policies branch and select Audit Policy. Double-click "Audit logon events" and enable both Success and Failure. After that, all user logons and failed logon attempts on this computer are written to the Security log (in the advanced policy this corresponds to the Logon/Logoff subcategories, chiefly Logon, Logoff and Account Lockout). Note that "Audit account logon events" is a different policy: it records credential validation on the computer that holds the account (the domain controller for domain accounts), whereas "Audit logon events" records the logon session on the computer being accessed.

Here are some important logon events:

Event ID   Event message
4624       An account was successfully logged on
4625       An account failed to log on
4648       A logon was attempted using explicit credentials
4675       SIDs were filtered

Both 4624 and 4625 carry a Logon Type field that tells you how the logon was made: 2 is interactive (console), 3 network (e.g. a file share), 4 batch (scheduled task), 5 service, 7 unlock, 10 remote interactive (RDP). A 4625 also carries Status and Sub Status codes: 0xC000006A is a wrong password, 0xC0000064 an account that does not exist, 0xC0000234 a locked-out account. Many 4625 events for different accounts from a single source address within a short time is the signature of password spraying.
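The logon event analysis described above, as an added example that is not part of the original page. The parser works on event XML, so it accepts Get-WinEvent output from a live Security log or a saved .evtx file as well as the constructed sample events embedded below; the host name, account names and IP addresses in those samples are made up, while the XML shape, field names and status codes follow the real 4624/4625 events.

```powershell
# Added example (not part of the original page): flatten 4624/4625 events and summarise
# failed logons by source address, the view that exposes password guessing.
# Sample events below are constructed (no real system); field names match Windows.

function ConvertFrom-LogonEventXml {
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $x = [xml]$Xml
        $d = @{}
        # <Data Name="...">value</Data> pairs become a hashtable; missing fields stay $null.
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
            Id        = [int]$x.Event.System.EventID
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType     # 2 console, 3 network, 10 RDP
            Source    = $d.IpAddress
            SubStatus = $d.SubStatus          # 4625 only: 0xC000006A bad password, 0xC0000064 no such user
        }
    }
}

# Constructed sample events (assumed names and addresses, not taken from any real system).
function New-SampleEvent($Id, $Time, $User, $Type, $Ip, $Sub) {
    $Failure = if ($Id -eq 4625) { "<Data Name=`"Status`">0xc000006d</Data><Data Name=`"SubStatus`">$Sub</Data>" } else { '' }
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>$Id</EventID>
  <TimeCreated SystemTime="$Time"/><Channel>Security</Channel><Computer>FS01.corp.example</Computer></System>
 <EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">$Type</Data><Data Name="IpAddress">$Ip</Data><Data Name="WorkstationName">-</Data>
  $Failure</EventData></Event>
"@
}
$Samples = @(
    New-SampleEvent 4625 '2024-05-02T08:00:01Z' 'alice'   3 '10.20.0.77' '0xc000006a'
    New-SampleEvent 4625 '2024-05-02T08:00:02Z' 'bob'     3 '10.20.0.77' '0xc000006a'
    New-SampleEvent 4625 '2024-05-02T08:00:03Z' 'carol'   3 '10.20.0.77' '0xc0000064'
    New-SampleEvent 4625 '2024-05-02T08:00:04Z' 'svc-bkp' 3 '10.20.0.77' '0xc000006a'
    New-SampleEvent 4624 '2024-05-02T08:05:00Z' 'alice'   2 '-'          ''
)

$Events = $Samples | ConvertFrom-LogonEventXml
# To use live or saved data instead of the samples:
# $Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 5000 |
#           ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml

# Several distinct accounts failing from one source within minutes = spraying.
$Events | Where-Object Id -eq 4625 |
    Group-Object Source |
    Select-Object @{n='Source';   e={$_.Name}},
                  @{n='Failures'; e={$_.Count}},
                  @{n='Accounts'; e={($_.Group.Account | Sort-Object -Unique).Count}},
                  @{n='First';    e={($_.Group.Time | Sort-Object)[0]}},
                  @{n='Last';     e={($_.Group.Time | Sort-Object)[-1]}} |
    Where-Object { $_.Accounts -ge 3 } |
    Format-Table -AutoSize
```

With the sample data the report shows one row, 10.20.0.77 with four failures against four different accounts in three seconds, while the successful console logon (4624, type 2) is left out of the failure summary.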
How to audit file access events?

Windows security auditing lets you audit access to an object, e.g. a file, folder, registry key or other system object that has a system access control list (SACL). Organizing file server auditing is an important task for a system administrator, and it may be reasonable to audit more than just file servers. Auditing file access events helps the administrator or investigator review users' activity, detect attempts at unauthorized access to files and spot software misconfiguration.

To log file access events, run Local Security Policy, expand the Local Policies branch and select Audit Policy. Double-click "Audit object access" and enable Success and Failure. This enables system-wide object access auditing, but nothing is logged yet: events are generated only for objects that carry an audit entry. Next select the file objects that should trigger events. Open Windows Explorer and browse to the required file or folder. Right-click the object and select Properties. Switch to the Security tab and click Advanced. Switch to the Auditing tab in the Advanced Security Settings window and click Continue (administrator rights are required). Now add the users or groups whose access you want to audit (choose Everyone for all users) and the type of access to be audited. To detect tampering, auditing Delete and Write attempts is usually enough; auditing Read on a busy share floods the log. Starting with Windows 7/Windows Server 2008 R2 the advanced audit policy offers more flexible object access subcategories (File System, Registry, Kernel Object, SAM, Handle Manipulation and others) and Global Object Access Auditing, which applies one SACL to every file on the computer and is exactly the configuration to avoid outside a tightly scoped server.

Here are some important file access events:

Event ID   Event message
4656       A handle to an object was requested
4658       The handle to an object was closed
4660       An object was deleted
4663       An attempt was made to access an object
4685       The state of a transaction has changed
4985       The state of a transaction has changed

In practice 4663 is the event to monitor: it records the access actually performed (Accesses and Access Mask), the object name, the account and the process. 4656 records only the request for a handle and is logged even when the handle is never used; 4660 carries no object name of its own and must be correlated with the preceding 4663 or 4656 through the Handle ID.
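Setting the audit entry from PowerShell instead of the Explorer dialog, then reading back the 4663 events for that folder only. This is an added example, not part of the original page; it uses the .NET FileSystemAuditRule class and Get-Acl/Set-Acl, which are the programmatic equivalent of the Auditing tab. It assumes an elevated prompt, the "Audit object access" (File System) policy enabled as described above, and an assumed folder path and group.

```powershell
# Added example (not part of the original page): put a scoped audit entry (SACL) on one
# folder and query the resulting 4663 events. Requires an elevated prompt
# (SeSecurityPrivilege) and object access / File System auditing enabled.
# $Target and $Who are assumptions.

$Target = 'D:\Shares\Finance'   # assumed; audit a narrow tree, never a whole volume
$Who    = 'Everyone'            # assumed; narrow to a group where possible

# Audit only the accesses that matter. Auditing ReadData on a busy share is the
# "hundreds of events per second" case warned about above.
$Rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, ChangePermissions, TakeOwnership'
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Who, $Rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$Acl = Get-Acl -Path $Target -Audit   # -Audit is required to read and write the SACL
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Target -AclObject $Acl

# Confirm what is now audited.
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Pull 4663 events for this tree. 4663 event data positions: 1 SubjectUserName,
# 2 SubjectDomainName, 6 ObjectName, 9 AccessMask, 11 ProcessName.
function Get-FileAccessEvents {
    param([string]$PathPrefix, [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($p[2].Value)\$($p[1].Value)"
                Object     = $p[6].Value
                AccessMask = ('0x{0:X}' -f [int64]$p[9].Value)   # 0x2 WriteData, 0x4 AppendData, 0x10000 Delete
                Process    = $p[11].Value
            }
        } |
        Where-Object { $_.Object -like "$PathPrefix*" }
}
Get-FileAccessEvents -PathPrefix $Target | Format-Table -AutoSize
```

Because the SACL is inherited by new files and subfolders (ContainerInherit, ObjectInherit), nothing further is needed as the share grows; removing the rule later is a matter of calling RemoveAuditRule on the same ACL object and running Set-Acl again.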
Copyright © 2024 FSPro Labs