The role of Windows log monitoring in the enterprise
Whether organizations automate their log monitoring within Windows desktops or inspect them manually, logs can offer IT administrators valuable insight.
Like all modern OSes, Windows systems perform behind-the-scenes logging of events that occur within the desktop.
These log entries may be tied to system processes, errors, security events or other actions. By using available logging data, desktop administrators can often determine the underlying cause of a desktop error or gather information related to a security incident.
Windows event log data can sometimes also be useful in troubleshooting performance problems, though the Windows Performance Monitor does a better job of providing real-time performance data. With plenty of viable use cases and benefits, administrators should familiarize themselves with these logs and how they work.
What are the categories for Windows event logs?
Event logging isn't unique to any one version of Windows, and event logs have existed for decades in both desktop and server OSes. Admins can access Windows event logs by entering the 'Eventvwr' command at the Windows Run prompt. This causes Windows to open the Event Viewer, which is the native tool to access logging data.
Windows organizes its logging data into a series of logs that are found in the Event Viewer's Windows Logs folder. Each log pertains to a specific category of OS activity:
- Application log. Includes logging data related to applications -- although some applications create their own dedicated log files. For instance, an Application log entry might indicate when an application or service has stopped or when an application has been updated.
- Security log. Includes security auditing data. For example, Windows automatically audits user logon events and classifies these events as successes or failures, based on whether the user was able to successfully log in.
- Setup log. The Setup log can help IT determine which updates were installed and if an installed update required the system to be rebooted. Some update-related log data -- such as updates related to Microsoft Defender -- fall under the System log group.
- System log. The System log is where you can find low-level information related to the overall health of the OS. This includes information such as Distributed Component Object Model (DCOM) failures, system uptime reports and basic Windows Update information such as when Windows Update began or completed the update process. The System log can also include basic health information such as errors pertaining to Windows running low on disk space.
- Forwarded Events. Forwarded Events aren't used by default. However, IT can configure them to monitor events occurring on another system. The second system then forwards those events and they appear in the destination system's Forwarded Events folder.
These categories represent most of the logs desktop administrators will interact with (see Figure 1). In addition to these basic logs, there are numerous additional logs found in the Applications and Services Logs folder. The logs within this folder are primarily related to individual applications or system services such as the Web browser or Microsoft Hyper-V.
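As an added example (not code from the original article), the following PowerShell enumerates every log the Event Log service knows about, including the Applications and Services Logs, and then reads the newest entries from each of the five classic Windows Logs named above. It assumes an elevated session, because the Security log is not readable by standard users.

```powershell
# Added example (not part of the original article): enumerate the logs shown in
# Event Viewer and sample the newest entries from the five classic Windows Logs.
$classic = 'Application', 'Security', 'Setup', 'System', 'ForwardedEvents'

# Every log with at least one record, largest first. Applications and Services
# Logs appear here with names such as Microsoft-Windows-Hyper-V-VMMS-Admin.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, RecordCount, LogMode, MaximumSizeInBytes |
    Format-Table -AutoSize

# Newest five entries from each classic log. Get-WinEvent throws when a log is
# empty (ForwardedEvents usually is) or not readable without elevation, so the
# loop reports that per log instead of aborting.
foreach ($log in $classic) {
    try {
        Get-WinEvent -LogName $log -MaxEvents 5 -ErrorAction Stop |
            Select-Object LogName, TimeCreated, Id, LevelDisplayName, ProviderName |
            Format-Table -AutoSize
    }
    catch {
        Write-Warning "Cannot read '$log': $($_.Exception.Message)"
    }
}
```

The first pipeline is a quick way to see which logs are actually accumulating data on a desktop; a classic log with a RecordCount of zero, or a LogMode of Circular with a small MaximumSizeInBytes on a busy system, is a sign that evidence will be lost before anyone looks at it.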
Anatomy of a log entry
In addition to showing the Windows Logs folders, the Event Viewer shows a sampling of the log entries an IT administrator might expect to see when they select the System folder. Double-clicking an entry displays the additional details recorded for that event.
Log entries display information pertaining to the event in a standard way (see Figure 2).
In addition to a description of the event, log entries provide the following pieces of information:
- Log Name. Provides the name of the folder that logged the event, such as System or Application.
- Source. The Windows component that generated the event.
- Event ID. A numerical code pertaining to the event. If administrators need to troubleshoot an error displayed within the event logs, one of the easiest things to do is to perform a Web search on the error's Event ID.
- Level. This field indicates the severity of the event, such as informational, warning or error.
- User. If the event is tied to the actions of a specific user, that user's name is displayed.
- Logged. The date and time the event occurred.
- Task Category. This field isn't always present, but it will occasionally classify events. A security event pertaining to user logins, for example, could have a Task Category of Logon.
- Keywords. Not every event uses this field, but some event types do. For example, security events use keywords to indicate whether the event pertains to a success or failure audit -- such as a user logging in or failing to log in due to an incorrect password.
- Computer. This field indicates the name of the device on which the event has occurred.
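The fields listed above are the header that every event shares; the event-specific details (the account name in a logon event, for instance) live in the EventData section of the event's XML. As an added example, not code from the original article, the PowerShell function below maps one EventLogRecord to those nine header fields and then adds each EventData value as its own property. The function name ConvertTo-FlatEvent is my own, and the usage at the end assumes an elevated session so that the Security log can be read.

```powershell
# Added example (not from the original article): flatten an event into the
# header fields described above plus its EventData values.
function ConvertTo-FlatEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record
    )
    process {
        # The User field is stored as a SID; resolve it to DOMAIN\name when possible.
        $user = $null
        if ($Record.UserId) {
            try   { $user = $Record.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $Record.UserId.Value }
        }

        # Header fields as Event Viewer shows them on the General tab.
        $flat = [ordered]@{
            LogName      = $Record.LogName
            Source       = $Record.ProviderName
            EventId      = $Record.Id
            Level        = $Record.LevelDisplayName
            User         = $user
            Logged       = $Record.TimeCreated
            TaskCategory = $Record.TaskDisplayName
            Keywords     = ($Record.KeywordsDisplayNames -join ', ')
            Computer     = $Record.MachineName
        }

        # Event-specific values live under <EventData><Data Name="...">.
        # Some providers emit unnamed Data elements, so only named ones are added.
        $xml = [xml]$Record.ToXml()
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) {
                $name = $d.GetAttribute('Name')
                if ($name) { $flat[$name] = $d.InnerText }
            }
        }
        [pscustomobject]$flat
    }
}

# Most recent successful logon (Security log, Event ID 4624), with the account
# and logon type pulled out of EventData alongside the standard header fields.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 |
    ConvertTo-FlatEvent |
    Select-Object LogName, Source, EventId, Level, User, Logged, TaskCategory,
                  Keywords, Computer, TargetUserName, LogonType |
    Format-List
```

The same function works on any log, because the header fields are common to all events; only the EventData property names change from one Event ID to another. Flattening events this way is also the first step of the bulk analysis discussed later, since the resulting objects export cleanly with Export-Csv or ConvertTo-Json.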
Use cases for event log monitoring
There are two main ways IT administrators use Windows desktop event logs in the enterprise. The first use case is for troubleshooting purposes. If a Windows desktop is experiencing performance problems, for example, a technician might choose to peruse the event logs and determine if there are any events that could give some information about the source of the problem.
However, the practice of using log files for manual troubleshooting tends to be more prevalent in smaller organizations. When a Windows desktop user experiences a problem in an enterprise organization, IT departments are more likely to simply reimage the system -- reinstall Windows -- than to manually troubleshoot the issue.
Additionally, not all log file-based troubleshooting is manual. There are third-party log analyzer products that can parse the Windows log files and perform root cause analytics. In other words, a troubleshooting program can automatically piece together information found in the log files in a way that makes it possible to discover the root cause of a problem.
The other major use case for Windows event log monitoring is bulk log file analysis. External tools can collect log entries from an organization's Windows desktops and aggregate that logging data into one place. This aggregate logging data has numerous purposes. Some organizations, for example, use logging data to view trends such as how frequently desktops install updates and how quickly desktops consume disk space.
More often, an organization will attach an alerting engine to the aggregate logging data. This will automatically notify the proper IT staff members of certain types of events. For example, if the log files contain a series of events that collectively point to a security incident, the alerting mechanism will notify the security team. Similarly, events indicating an impending hardware failure might result in the mechanism alerting the help desk team.
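As an added example of the kind of rule an alerting engine runs over aggregated log data (my own code, not from the original article or any particular product), the PowerShell below flags any account that accumulates a threshold number of failed logons (Security log, Event ID 4625) inside a sliding time window, which is one of the "series of events that collectively point to a security incident" an alert would route to the security team. The function name Find-FailedLogonBursts and the sample events are constructed for this example; the live query at the end assumes an elevated session and assumes the documented field order of the 4625 event template when it reads Properties[5] and Properties[19].

```powershell
# Added example (not from the original article): a threshold-in-window rule
# over failed-logon events. Input objects carry Id, TimeCreated, Account and
# Source so the rule runs on constructed data as well as on live events.
function Find-FailedLogonBursts {
    param(
        [AllowEmptyCollection()] [object[]]$Events = @(),
        [int]$Threshold = 5,
        [timespan]$Window = [timespan]::FromMinutes(10)
    )
    $failures = @($Events | Where-Object Id -eq 4625 | Sort-Object TimeCreated)
    foreach ($group in ($failures | Group-Object Account)) {
        $hits = @($group.Group)
        # Slide a window over this account's failures, oldest first. The first
        # window that reaches the threshold yields one alert for the account.
        for ($i = 0; $i -lt $hits.Count; $i++) {
            $start = $hits[$i].TimeCreated
            $end   = $start + $Window
            $inWindow = @($hits | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -lt $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    Account   = $group.Name
                    Failures  = $inWindow.Count
                    FirstSeen = $inWindow[0].TimeCreated
                    LastSeen  = $inWindow[-1].TimeCreated
                    Sources   = (@($inWindow.Source | Sort-Object -Unique) -join ', ')
                }
                break
            }
        }
    }
}

# Constructed sample: six failures for one account within four minutes (alerts)
# and two failures an hour apart plus one success for another (does not alert).
$t0 = Get-Date '2024-01-01T09:00:00'
$sample = @(
    0..5 | ForEach-Object { [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddSeconds(40 * $_); Account = 'svc-backup'; Source = '10.0.0.7' } }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddHours(1); Account = 'jdoe'; Source = '10.0.0.9' }
    [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddHours(2); Account = 'jdoe'; Source = '10.0.0.9' }
    [pscustomobject]@{ Id = 4624; TimeCreated = $t0.AddHours(3); Account = 'jdoe'; Source = '10.0.0.9' }
)
Find-FailedLogonBursts -Events $sample | Format-Table -AutoSize
# Expected: one row for svc-backup with Failures = 6 and Sources = 10.0.0.7

# Live data: the last 24 hours of 4625 events from the local Security log.
# Properties[5] (TargetUserName) and Properties[19] (IpAddress) follow the
# documented 4625 field order; this is an assumption about the event template,
# so confirm it against ToXml() output on your own systems before relying on it.
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Id          = $_.Id
            TimeCreated = $_.TimeCreated
            Account     = $_.Properties[5].Value
            Source      = $_.Properties[19].Value
        }
    }
if ($live) { Find-FailedLogonBursts -Events @($live) -Threshold 5 | Format-Table -AutoSize }
```

In a real deployment the input would be the aggregated data from many desktops (for example, the ForwardedEvents log on a collector) rather than the local Security log, and the rule's output would be handed to whatever notifies the security team. The threshold and window are the two knobs to tune against the organization's baseline: too low and helpdesk password resets page the on-call analyst, too high and a slow, distributed series of failures never trips the alert.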