Using the Event Log in Windows: where the Windows Event Log is, and using filters and custom views

Event Viewer in Windows shows a history (log) of system messages and events generated by the operating system and by programs: errors, warnings and informational messages. Incidentally, tech-support scammers sometimes use Event Viewer to deceive users: even on a normally functioning computer there will always be some error entries in the log, and they show these to "prove" that the machine is infected.

Launch Event Viewer

To start Windows Event Viewer, type that phrase into the Start search, or go to Control Panel - Administrative Tools - Event Viewer.

Why write about this at all, if there is nothing in Event Viewer for the ordinary user? Because this Windows feature (or program, or utility) becomes useful when the computer misbehaves: after a blue screen of death or a spontaneous reboot, Event Viewer is where you find the cause. An error in the System log can, for example, tell you which hardware driver caused the failure, so you know what to fix next. Look for an entry timed at the moment the computer rebooted, froze or showed the blue screen: an unexpected reboot is recorded as a Critical event (source Kernel-Power, event ID 41), and the stop code of a blue screen is recorded as an Error from source BugCheck (event ID 1001).

There are other uses for Event Viewer. For example, Windows records how long the operating system took to boot. Or, if your computer acts as a server, you can enable the shutdown event tracker: every time someone shuts down or reboots the machine they must enter a reason, and you can later review all shutdowns and reboots together with the reason given.

In addition, Event Viewer works together with Task Scheduler: right-click any event and choose "Attach Task To This Event". Whenever that event occurs again, Windows runs the task you defined.

Hello everyone, today's topic is how to view Windows logs. I assume everyone knows what logs are, but in case you are a beginner: logs are records of system events in the operating system, Windows and Linux alike, which let you trace what happened, where, when, and who did it. Any system administrator must be able to read Windows logs.

A real-life example: a disk failed in one of our IBM servers, and I collected the server logs for technical support so that they could diagnose the problem. In Windows, the Windows Event Log service is responsible for collecting and recording logs, and Event Viewer is a convenient tool for reading them.

How to open Event Viewer

Opening the Event Viewer snap-in is simple and works the same way in any Windows version. Press the magic keys

Win+R and enter eventvwr.msc

The Windows Event Viewer window opens; expand the Windows Logs node in it. Let's go through each of the logs.

The Application log contains records from the programs on your computer: when a program was started and, if it started or ran with an error, that is reflected here too.

The Security log (the audit log) tells you who did what and when: for example, who logged on or off, or who tried to gain access to something. All audit successes and failures are written here. Exactly which actions are audited depends on the audit policy configured on the machine, so if an event you expect is missing, check the policy before blaming the log.

The Setup log records what was installed and when, for example programs or updates.

The most important log is System. Everything essential is written here: for example, if you had a blue screen (BSOD), the messages recorded here will help you determine its cause.

There are also Windows logs for more specific services, such as DHCP or DNS, under Applications and Services Logs. Event Viewer covers it all :).

Suppose you have more than a million events in the Security log. The first question is whether there is filtering, since reading through all of them is masochism. Event Viewer provides it: Windows logs can be conveniently filtered so that only what you need remains. In the Actions pane on the right there is a "Filter Current Log" button.

You will be asked to choose the event level:

  • Critical
  • Error
  • Warning
  • Information
  • Verbose

It all depends on the task: if you are looking for errors, there is no point in showing the other message types. To narrow the search further, you can also specify the event source and the event ID.

So, as you can see, working with Windows logs is simple: search, find, fix. Quickly clearing a Windows log can also be useful, but keep in mind that clearing is itself recorded: clearing the Security log writes event 1102 ("The audit log was cleared") into it, and clearing any other log writes event 104 into the System log, in both cases with the name of the user who did it.

Viewing Windows logs with PowerShell

It would be strange if PowerShell could not do this. To list a log, open PowerShell and enter the following command (Get-EventLog is the legacy cmdlet: it reads only the classic logs shown under Windows Logs and exists only in Windows PowerShell 5.1 and earlier, not in PowerShell 7; its modern replacement is Get-WinEvent, which reads every channel):

Get-EventLog -Logname "System"

As a result you get a list of the System log entries.

The same works for the other logs, for example Application:

Get-EventLog -Logname "Application"

A short list of the column names and the entry properties they correspond to:

  • Event ID: EventID
  • Computer: MachineName
  • Event sequence number: Index
  • Task category: Category
  • Category code: CategoryNumber
  • Level: EntryType
  • Event message: Message
  • Source: Source
  • Event generation date: TimeGenerated
  • Event recording date: TimeWritten
  • User: UserName
  • Message parameters: ReplacementStrings, InstanceId
  • Binary payload: Data
  • Site, Container: inherited component properties, not useful for events

For example, to display only the Level, Event recording date, Source, Event ID, Category and Message columns for the System log, run:

Get-EventLog -LogName 'System' | Format-Table EntryType, TimeWritten, Source, EventID, Category, Message

If you need more detail, replace Format-Table with Format-List:

Get-EventLog -LogName 'System' | Format-List EntryType, TimeWritten, Source, EventID, Category, Message

As you can see, this format is more readable.

You can also filter the output, for example to show only the 20 newest entries:

Get-EventLog -LogName 'System' -Newest 20
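The following is an added example, not part of the original article, of how a practitioner filters the Security log from PowerShell with Get-WinEvent (the successor to Get-EventLog) instead of scrolling through a million entries. It goes beyond the article by pulling the named fields out of each record and checking for log clearing. The computer name, time window and the event IDs chosen are the example's own assumptions; it must run elevated because the Security log is restricted, and it only finds logon events if the audit policy records them.

```powershell
# Added example (not from the original article): triage the Security log with
# Get-WinEvent. Get-EventLog reads only the classic logs and is absent from
# PowerShell 7; Get-WinEvent reads every channel, filters on the server side
# and works against remote hosts with -ComputerName.
# Assumptions: run elevated (the Security log is restricted), audit policy is
# actually recording logon events, and the host/time window are placeholders.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # placeholder: any reachable host
    [int]$Hours = 24
)

# Hashtable filters are applied by the Event Log service, so only matching
# records are returned. 4624 = successful logon, 4625 = failed logon,
# 4720 = user account created, 1102 = "The audit log was cleared".
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4720, 1102
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent throws when nothing matches; treat that as "no events" but
    # let real errors (access denied, RPC server unavailable) surface.
    if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
}

# Each record carries its fields as XML; pull the named EventData values out.
# (1102 keeps its data under UserData instead, so it simply yields no fields.)
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        Subject   = $d['SubjectUserName']   # who performed the action (for 4720: the creator)
        LogonType = $d['LogonType']         # 2 interactive, 3 network, 10 RDP
        SourceIP  = $d['IpAddress']
        Status    = $d['Status']            # for 4625, e.g. 0xC000006D = bad user name or password
    }
}

# First thing a responder checks: was the log cleared inside the window?
$cleared = @($rows | Where-Object Id -eq 1102)
if ($cleared.Count -gt 0) {
    Write-Warning ("Security log cleared {0} time(s); first at {1}" -f $cleared.Count, ($cleared | Sort-Object Time)[0].Time)
}

# Failed logons grouped by account and source, busiest first: a quick
# password-spray / brute-force indicator.
$rows | Where-Object Id -eq 4625 |
    Group-Object Account, SourceIP |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# New accounts created in the window, with the account that created them.
$rows | Where-Object Id -eq 4720 |
    Format-Table Time, Account, Domain, Subject -AutoSize
```

Filtering with -FilterHashtable (or -FilterXPath) rather than piping everything through Where-Object matters with a million-entry log: the Event Log service does the selection, so only the matching records are deserialized and, for a remote host, cross the network.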

Additional tools

Collection of events can also be automated with tools such as:

  • the Zabbix monitoring system
  • Windows Event Forwarding (built into Windows) to a collector server
  • the Netwrix audit suite
  • SCOM, if you have it: it can aggregate logs from any Windows host
  • DLP systems

Whether you use Event Viewer or PowerShell to view Windows events is up to you.

Remote viewing of logs

  • First method

Alongside Windows Server 2019, Microsoft released Windows Admin Center, a browser-based remote administration tool, which I have described in more detail before. Here I want to show that once you install it on your workstation you can connect from a browser to other computers and easily read their event logs. In my example the server is SVT2019S01: find it in the list of available connections and connect (I remind you that this is also how we configured networking remotely in Windows).

Next, open the Events tool and choose the log you want; in my example I want to see the System log. From my point of view, browsing here is much more convenient than in Event Viewer, and the advantage is that you can do it from any phone or tablet. There is a convenient search box in the top-right corner.

If you need finer filtering of the logs, use the Filter button.

Here you can also choose the event level, for example keeping only Critical and Error, set a time range, and specify an event ID and source.

Here is an example of filtering by event ID 19.

It is also very convenient to export the entire log as an .evtx file, which can then be opened in Event Viewer (Open Saved Log). So Windows Admin Center is a powerful tool for viewing logs.

  • Second method

The second way to view Windows logs remotely is the Computer Management snap-in, or the same Event Viewer. To view the logs of another computer or server, right-click the top node in the snap-in and choose "Connect to Another Computer..." from the context menu.

Enter the name of the other computer; in my example it is SVT2019S01.

If everything is in order and nothing is blocked by a firewall or antivirus, you are taken to the remote event log. If something is blocked, you get a message to the effect that RPC/COM+ traffic is not getting through. On the remote machine, enabling the inbound firewall rule group "Remote Event Log Management" opens the RPC ports the Event Log service needs, and the connecting account must be an administrator on the remote machine or a member of its Event Log Readers group to read the Security log.

Note also that there are whole log aggregation systems, such as Zabbix or SCOM, but that is a different class of task.

The topic of this article is a Windows tool unfamiliar to most users: Event Viewer.

What is it useful for? First of all, if you want to work out for yourself what is happening on the computer and solve various problems in the operation of the OS and its programs, this utility can help you, provided you know how to use it.


The interface of this administrative tool can be divided into three parts:

  • The left pane contains a tree in which events are sorted by various criteria. You can also add your own "Custom Views" here, which display only the events you need.
  • In the center, when you select one of the "folders", the list of events is shown; selecting an event shows more detailed information about it at the bottom.
  • The right pane contains links to actions that let you filter events by criteria, find the ones you need, create custom views, save the list, and create a task in Task Scheduler that is tied to a specific event.

Event Information

As I said above, when you select an event, information about it is displayed at the bottom. This information can help you find a solution to the problem online (though not always), and it is worth understanding what each property means:

  • Log Name: the name of the log in which the event was saved.
  • Source: the name of the program, process or system component that generated the event (if you see Application Error here, the name of the application itself is in the field above).
  • Event ID: helps you search for information about the event online. Search the English-language web for "Event ID" + the number + the name of the source or application, because event IDs are only unique within a source: the same number means different things for different sources.
  • Opcode: as a rule "Info" is shown here, so the field is of little use.
  • Task Category, Keywords: usually not needed for troubleshooting. The exception is the Security log, where Keywords is "Audit Success" or "Audit Failure" and is the main thing you filter on.
  • User and Computer: on behalf of which user, and on which computer, the process that caused the event was running.

In the Details area at the bottom there is also an "Event Log Online Help" link, which sends information about the event to Microsoft's site and should, in theory, show information about it. In most cases, however, you will see a message that the page was not found.

To find information about an error it is better to search for: application name + "Event ID" + the number + source. You can see an example in the screenshot. You can also try searching in Russian, but the English-language results are more informative. The text of the error itself (double-click the event) is also useful as a search string.

Note: on some sites you will find offers to download a program that "fixes" errors with one code or another, with every possible error code collected on one site. Do not download such files: they will not fix anything, will most likely create additional problems, and this kind of download is a classic way of delivering malware.

It is also worth noting that most warnings are nothing dangerous, and an error message does not always mean that something is wrong with your computer.

Viewing Windows boot performance history

Event Viewer holds many interesting things, for example records of problems with the computer's performance.

In the left pane, open Applications and Services Logs - Microsoft - Windows - Diagnostics-Performance - Operational and look for warnings and errors among the events: they report that some component or program slowed down the Windows boot. Double-clicking an event shows its details.
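As an added example that is not part of the original article, the boot history just described can be pulled out of that channel with PowerShell and turned into a table of boot durations, which is quicker than opening each event. Windows writes event 100 for every boot with the timings in its XML data, and events 101-110 for the components that degraded the boot; the data field names used below are the ones Windows writes, while the number of boots examined and the "twice the median" threshold are choices made for this example.

```powershell
# Added example (not from the original article): read the boot-performance
# history from Microsoft-Windows-Diagnostics-Performance/Operational.
# Event 100 ("Windows has started up") is written once per boot with the
# timings in its EventData; events 101-110 name components that slowed boot.
# BootTime/MainPathBootTime/BootPostBootTime are Windows' field names (ms);
# the sample size and the 2x-median threshold are this example's choices.

$channel = 'Microsoft-Windows-Diagnostics-Performance/Operational'

$boots = @(Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 100 } -MaxEvents 30 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Booted      = $_.TimeCreated
            Level       = $_.LevelDisplayName   # Windows' own verdict: Warning/Error/Critical
            TotalSec    = [math]::Round([int]$d['BootTime'] / 1000, 1)
            MainPathSec = [math]::Round([int]$d['MainPathBootTime'] / 1000, 1) # until the desktop appears
            PostBootSec = [math]::Round([int]$d['BootPostBootTime'] / 1000, 1) # until the system goes idle
        }
    })

$boots | Sort-Object Booted | Format-Table -AutoSize

if ($boots.Count -gt 0) {
    # Flag boots that took more than twice the median of the sample.
    $sorted = @($boots.TotalSec | Sort-Object)
    $median = $sorted[[int][math]::Floor($sorted.Count / 2)]
    $slow   = @($boots | Where-Object TotalSec -gt (2 * $median))
    if ($slow.Count -gt 0) {
        "Boots slower than 2x the median ($median s):"
        $slow | Format-Table Booted, TotalSec, MainPathSec, PostBootSec -AutoSize

        # The degradation events name the culprit (driver, service, application, device).
        Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 101, 102, 103, 106, 107, 108, 109, 110 } -MaxEvents 10 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, Message |
            Format-List
    }
}
```

Reading the XML with ToXml() is the general technique for any channel: the Message text is localized and built from the same fields, so scripts that need values should take them from the Data elements rather than parse the message string.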

Using filters and custom views

The sheer number of events in the logs makes them hard to navigate, and most of them are not critically important. The best way to see only the events you need is a custom view: you set the level of events to display (errors, warnings, critical), as well as their source or log.

To create a custom view, click "Create Custom View" in the Actions pane on the right. After creating it, you can apply further filters by clicking "Filter Current Custom View".

Of course, that is not everything Windows Event Viewer is useful for, but this is, as noted, an article for novice users who do not know about the utility at all. Perhaps it will encourage further study of this and other OS administration tools.

The Windows Vista operating system carefully and tirelessly monitors everything that happens to it. Absolutely every action, called an "event", is constantly recorded and sorted into categories. The Event Viewer program (which, in case you were wondering, is an MMC snap-in) can be thought of as the diary kept by a scrupulous, meticulous old lady on the bench by the front door. It records who enters and leaves the building, what the residents talk about, who divorced whom and who got into a fight; in other words, it has a complete picture of how the building lives.

Event Viewer performs a similar watching function, which, unlike the old lady's curiosity, is intended to diagnose and identify problems in the operation of the OS that the user had no idea about.

All events in the system are recorded in special system logs. Event Viewer lets you view the contents of these logs, archive them and clear them. How exactly is the program used? Its main purpose is to identify problems that have occurred and their causes. If a device malfunctions, the hard disk is "busy", some program constantly "hangs", or another unpleasant event happens, information about it is recorded in the corresponding system log. Then you just run Event Viewer and get full, visual information from the log.

You can start Event Viewer in one of the following ways.

  • Select Start > Control Panel, click the System and Maintenance link, then Administrative Tools, and finally Event Viewer.
  • The second method, for the impatient: enter the command eventvwr at the command line.

Recall that, besides clicking the Start button, the command-line window can be opened with the corresponding key combination. Remember also that administrative access is required to use all of Event Viewer's capabilities.

In either case the window shown below opens. It lets you:

  • View events from multiple system logs.
  • Create event filters as custom views.
  • The ability to create a task that runs automatically with a specific event.

Let's look more closely at the window. It is divided into three panes. The left pane of Event Viewer contains several folders holding custom views, logs and subscriptions. The center pane contains several sections, such as Recently Viewed Nodes. Finally, in the Actions pane on the right you can choose specific actions, such as creating a custom view or connecting to another computer.

The summary section lets you quickly identify all important events recorded in the last hour, day or week. Each event type can be expanded to reveal details about the events. This section gives a general picture of what is going on in the system; for specific information you go to a specific event.

Since Event Viewer is used to view system logs, click the Windows Logs and Applications and Services Logs folder icons in the left pane to expand the list of available logs. Let's look at them in more detail. The Windows Logs folder contains the following logs.

  • Application. Events in this log are generated by applications, including programs that ship with Windows Vista, installed programs, and operating-system services. Exactly which events are recorded depends on the program.
  • Security. This log lists user logon attempts (successful and unsuccessful), as well as actions on audited resources, such as creating, modifying or deleting files or folders. Object-access events appear only if auditing is enabled in policy and an audit entry (SACL) is set on the object.
  • Setup. Events in this log are created when programs are installed.
  • System. System events are generated by Windows itself and by installed components such as device drivers. The log is handy for finding drivers that failed while loading at Windows startup.
  • Forwarded Events. This log contains events collected from other computers on the network through event subscriptions.

The Applications and Services Logs folder holds entries for individual applications and services. While the other logs hold general entries, these logs hold information about the operation of specific programs. Note the Microsoft subfolder, which in turn contains a Windows subfolder; in it you will find entries for a wide variety of Windows Vista components, each in its own folder.

Windows is a rather complicated operating system, and tracking all its processes, errors included, is difficult for an inexperienced user.

For this purpose the OS itself logs everything that happens and every action in the system. You can display and read this log with Windows Event Viewer.

Opening Windows Event Viewer

You can get at information about the operation of the OS in two ways:

  • via the Run dialog or the command line (cmd);
  • via Control Panel.

To open the Run dialog, use the keyboard shortcut Win+R; for a command prompt, go through the familiar chain Start - All Programs - Accessories - Command Prompt.

In the window that opens, enter eventvwr.msc

Or go through Start - Control Panel - System and Maintenance - Administrative Tools.

The utility's main window appears on the desktop. Select the log you want in the tree.

Do not be alarmed if there are errors in the list. Similar messages appear even on a perfectly working system. In most cases they are isolated and caused by minor application glitches.

Most likely the error descriptions will mean nothing to the average user. Reading the logs can help a system administrator or an "advanced" user understand the failures that occur.

How to use the log

What can you learn from the log? If your computer regularly throws errors, reboots at random, or shows a "blue screen of death", all the events leading up to the failure are logged by the system. By reading them you can find out at what time which service, driver or hardware component caused a particular error, and on that basis take the measures needed to fix it.

Besides error information, the log can be used for other purposes. You can attach a task to any event that occurs in the system, so that when the same situation recurs the configured action runs automatically.

To do this, right-click any element in the list to open the context menu and select "Attach Task To This Event".
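The same event-to-task binding, done from PowerShell so that it can be rolled out to many machines, as an added example that is not part of the original article. It reacts to the Security log being cleared (event 1102), which is both something an intruder does to cover their tracks and something an administrator wants to hear about at once. The task name, the script path and the choice of event are assumptions for the example; the XPath subscription is the same form the Event Viewer wizard generates, and Register-ScheduledTask and the TaskScheduler CIM class are the real Windows interfaces.

```powershell
# Added example (not from the original article): the "Attach Task To This
# Event" binding created from PowerShell. Fires a script whenever the
# Security log is cleared (event 1102 from provider Microsoft-Windows-Eventlog).
# Assumptions: task name and script path are placeholders; must run elevated.

$taskName   = 'Alert-SecurityLogCleared'          # hypothetical name
$scriptPath = 'C:\Scripts\Alert-LogCleared.ps1'   # hypothetical path; the script must exist

# Task Scheduler exposes event triggers only through its CIM class
# (New-ScheduledTaskTrigger has no event option), so build one directly.
$cimClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName 'MSFT_TaskEventTrigger'
$trigger  = New-CimInstance -CimClass $cimClass -ClientOnly
$trigger.Enabled = $true
# Same XPath the Event Viewer wizard writes for "Attach Task To This Event".
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and (EventID=1102)]]</Select>
  </Query>
</QueryList>
"@

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""

# Run as SYSTEM so the reaction does not depend on a logged-on user, and with
# the highest run level because reading the Security log requires it.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action -Principal $principal -Force | Out-Null

# Verify the binding took: the trigger should read back enabled with our query.
(Get-ScheduledTask -TaskName $taskName).Triggers | Select-Object Enabled, Subscription
```

The task does not stop the log from being cleared; it only guarantees that the clearing is acted upon (forwarded, alerted on) before the 1102 record itself can disappear in a second wipe. Event 1102 also names the account that did the clearing, so the triggered script should capture that record first.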

Clearing the event log

Removing all entries from a log is easy too: in the left pane of the window, select the log you want to clear, right-click to open the context menu, and choose "Clear Log". The dialog offers to save the log to a file first; take that offer, because once cleared the entries are gone, and note that the clearing itself is recorded as an event.
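An added example, not from the original article, of clearing logs the way an administrator rather than an intruder would: archiving each log to .evtx and clearing it in one step, then confirming that the clearing left the trace described above. It relies on wevtutil and Get-WinEvent, which are built into Windows; the backup folder and the list of logs are the example's own assumptions.

```powershell
# Added example (not from the original article): archive-and-clear logs.
# wevtutil cl /bu: exports to .evtx and clears atomically, and works for every
# channel (Clear-EventLog only handles the classic logs). The Security log
# records its own clearing as event 1102; every other log's clearing is
# written to the System log as event 104, with the clearing user's name.
# Assumption: the backup directory is a placeholder; run elevated.
param(
    [string[]]$LogName = @('System', 'Application'),
    [string]$BackupDir = 'C:\LogBackups'   # hypothetical
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($log in $LogName) {
    # Channel names such as Microsoft-Windows-Sysmon/Operational contain '/',
    # which is not valid in a file name.
    $file = Join-Path $BackupDir ('{0}-{1}-{2}.evtx' -f $env:COMPUTERNAME, ($log -replace '[\\/]', '_'), $stamp)

    # Export then clear; the archive opens later via Event Viewer's
    # "Open Saved Log" or with Get-WinEvent -Path.
    & wevtutil.exe cl $log "/bu:$file"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed for $log (exit code $LASTEXITCODE)" }

    # Sanity check: the archive should contain the records that just vanished.
    $count = (Get-WinEvent -Path $file -ErrorAction SilentlyContinue | Measure-Object).Count
    '{0}: archived {1} events to {2}' -f $log, $count, $file
}

# Proof that the clearing was not silent: the most recent "log file was
# cleared" records. Use LogName 'Security' and Id 1102 for the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

The same two event IDs are what a defender watches for in the other direction: a 1102 or 104 that no administrator can account for is a strong sign that someone is covering their tracks, which is why logs should be forwarded off the host before anyone has the chance to clear them.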