The Ultimate Guide to Windows Event Logging

In a perfect world, there would be no issues with the operating system and no problems with the applications. Unfortunately, this isn’t a perfect world. System failures can and will occur, and when they do, it is the responsibility of system administrators to diagnose and resolve the issues. But where can system administrators begin the search for solutions when problems arise? The answer is Windows event logs.

What are Windows event logs?

At their core, Windows event logs are records of events that have occurred on a computer running the Windows operating system. These records contain information regarding actions that have taken place on the installed applications, the computer, and the system itself. Windows event logs include both actions taken by users and those taken by processes executing on the computer. If there is an issue with the system, they can provide an admin with crucial context for reaching a resolution.

Imagine for a moment that an application on your Windows machine fails, and you’re presented with an obscure error message that is relatively useless for identifying the cause of the problem. In addition, let’s say there are no proprietary log files for this application that can assist you in identifying and fixing the issue. This is an example of an instance where the Windows event logs may be of use. Simply navigate to the Event Viewer (more on this later), and you will likely have a starting point for resolving the problem.

The elements of a Windows event log

When troubleshooting any operating system incident, it is crucial that you understand the information available to you — and to understand the information, you must first understand the format in which it is presented. One advantage of working with Windows event logs is that all event logs (whether collected for the system itself, for an application or for auditing purposes) are organized in a standardized and concise manner to make them as easy to understand as possible. Let’s take a look at the major elements of Windows event logs:

• Log name/key - The key refers to each logging component's classification, indicating the log's name to which events from these components will be written. In this article, we will examine system, application, and security key values. The system event logs will include events logged by system-level components such as the Windows Update Client. The application event logs are slightly different; these include events related to different services as well as applications that are installed or being installed on the Windows machine. If an event log is recorded when an application fails while running or during set-up, it should be tied to the application key. Finally, security event logs typically include audit records of successful and failed login attempts.
• Level - Is the event being logged strictly for informational purposes, or does it indicate a critical error? The event level will tell you the severity of the event being recorded. Event levels include critical, error, warning, information and verbose.
• Date/time - This refers to the date and time when the event was recorded. If you were to log on to a Windows machine at 8:05 AM on July 30, 2019, then an audit event record is likely tied to this date and time.
• Source - This is the name of the component that triggers the event log. In many cases, it will be the name of the application or process that writes the event log. For example, suppose the event is related to the failure of a database application on the machine. In that case, the event source may be the name of the database application that experienced the failure.
• Event ID - This can be an extremely useful part of an event log for any administrator tasked with troubleshooting a failure. The event ID is meant to serve as an identifier for a distinct logged event. This identifier should tie to a message that points to the cause of the problem, which will enable the system admin to take action to get the issue resolved.
• Task category - The task category serves as additional information to assist with debugging an application or system issue. The developers of a particular application can define the categories to help provide context for a particular event.
• User - This can refer to the user logged in to a particular Windows machine at the time the event was recorded. For example, when installing an application, the username for the administrator logged into the machine will likely be reflected in the event log for the installation event.
• Computer - The name of the machine that logged the event.

Using the Windows Event Viewer

So now that we know what Windows event logs are, let’s discuss Windows Event Viewer. Windows Event Viewer is a tool provided by Windows for accessing and managing the event logs associated with both local and remote Windows machines. This tool can be accessed by searching via the start menu or navigating to the administrative tools portion of the control panel on a Windows machine.

Viewing events logs in Event Viewer

Once Event Viewer is opened on your machine, accessing the log files is fairly straightforward. In the left navigation panel, you will see a drop-down labeled “Windows logs.” Expanding this drop-down will allow you to select the event log file that you wish to view. The major log files that will likely be used for most Windows troubleshooting are application, security, and system. Left-clicking on any of the keys beneath the “Windows logs” drop-down will open the selected log file in Event Viewer. Note: If you wish to view the Windows event log files on a remote machine, simply right-click on the Event Viewer link in the left pane and select the option to “connect to another computer.”

The display of the log file is divided into two panes located in the center of Event Viewer. The top pane displays the major details surrounding each event in a list format. This can be sorted by clicking on any of the headers located at the top of the top pane (see image below). The bottom pane displays the details associated with whichever event record is selected from the list of event logs above.

Finding and filtering events in Event Viewer

As mentioned earlier, the Event Viewer is typically utilized in response to reported system, application and security issues. It’s possible for the administrator to search through the logs randomly in hopes of identifying the problem; therefore, the Event Viewer is only useful if the administrator can find the event logs related to the issue being experienced. With that said, finding a particular event record requires context.

This context will almost certainly include the time at which the issue was encountered and the application or system process in which the problem occurred. In addition, the user and computer name will be valuable. This information can be leveraged to search for the event by selecting the correct log file and scrolling through the entries, or it can be used to filter the event records to find the relevant information more efficiently.

After selecting the appropriate log file, you can filter by clicking on the “filter current log” link in the actions pane located on the right side of the Event Viewer. This opens the filter modal window (shown below), where the user can make the appropriate selections to filter the records that will be shown in the selected log file. For instance, if the administrator wishes to limit the results to “critical” events triggered by the user “jdoe,” then he/she would check the box labeled “critical” beside the event level and enter the username “jdoe” in the text area labeled “user.” After clicking “OK,” the Event Viewer would filter the event records accordingly.

Saving event logs

Another useful feature of the Event Viewer is the ability to save event logs for use outside of the component. This is done by selecting the appropriate log file in the left pane and then clicking the “save all events as” link in the Actions pane on the right. This link opens the traditional “save as” modal, which will allow the administrator to choose a location and filename for the exported event records.

Clearing event Logs

In some instances, it may make sense to clear the event logs. This can be done through Event Viewer as well. After selecting the appropriate log file to clear via the left navigation, there is a “clear log” link located in the Actions pane on the right. Clicking this link will open a confirmation dialog where the administrator will be asked to confirm the decision to clear the selected log file. Event Viewer gives the option to save the event logs upon clearing or to clear without saving.

Using event details to troubleshoot with Event Viewer

Above, I discussed the steps to identify, search, and filter the event log files in order to try to diagnose an issue with a Windows machine. This is a primary method of troubleshooting an issue using the event viewer. It is just as important to take the information the event log provides and use it appropriately. Many of the recorded events will have a corresponding event ID and message. The message may be enough to go on to resolve the issue; however, even if it isn’t, it is usually a good place to begin researching the issue. Performing a search online with the event ID, message and associated source will likely turn up something useful.

Windows event logs and Sumo Logic

While the Event Viewer is a good place to start when beginning to analyze Windows event logs, you may not like the interface. In this instance, consider Sumo Logic as a log management platform for collecting and monitoring your Windows event logs for easier log analysis and issue investigation. The process for setting up the Windows event log collection in Sumo Logic is pretty straightforward. After installing a Sumo Logic collector, you simply need to configure a Windows event log source for remote or local collection.

The process doesn’t take long and makes it easier to glean valuable insights from Windows event logs (something a system administrator will surely appreciate). This is helpful in cutting down on the time it takes to diagnose and resolve any bug, whether system, application or security-related. 

You can also use Sumo Logic to assess the security of your Windows environments with cloud security monitoring and analytics apps for Windows, isolate and fix issues faster with OpenTelemetry-powered infrastructure monitoring, and spot cloud credential theft on Windows endpoints.

Learn more about how to streamline Windows monitoring for better security with Sumo Logic.

For a full rundown of the Sumo Logic configuration process, be sure to visit the Sumo Logic documentation for configuring local and remote Windows event log sources. Sumo Logic makes getting started even easier with a free trial, helping businesses test out the log management platform for themselves at no cost.