Best Practice Ezine #90 - Litmus Tests for Event Logs

This week I feature Litmus tests for event logs.

Guy's Litmus Tests

My vision of a Litmus Test is of a simple question that instantly separates amateurs from professionals. Here are three examples of simple Litmus tests that will tell you about the abilities of a techie.

1) There is a problem with a server hanging. Professionals start by identifying and then restarting the problem service. Amateurs solve the problem by rebooting the server and thus suffer unnecessary downtime.

2) Professionals always rename 'Administrator' to a name that blends in with the other users. Amateurs leave the most powerful account open to hacking, because everyone knows that Windows systems have an account called Administrator.

3) People's attitude to Organizational Units polarises them into professionals, who create OUs to manage their people and group policies, and amateurs, who create all their accounts in the default Users container.

Event Logs

Just as a blood test reveals all kinds of information about my health, so event logs reflect the wellbeing of a server. Consequently, whenever I visit a company in my capacity as a consultant, it's not long before I have a peek at their event logs. By launching the Event Viewer I can quickly run through my rich collection of Litmus tests and thus discover whether I am dealing with amateurs or professionals. My hidden agenda is this: if the company is run by amateurs then the problem may be simple, but if they are professionals, then they will have already tried all the obvious solutions.

Ever since I can remember, Windows Servers have had event logs which we can interrogate via the Event Viewer. Typical error messages would be 'Win32Time', Backup failed or Printer offline. Back in NT days, there were just three logs, but with each generation of Windows there seem to be more logs; for example, Server 2003 has a log for DNS and one for the File Replication Service. Even clients such as XP have the basic three logs: System, Security and Application. What I want to do today is share my Event Log Litmus tests with you. I hope that one or two tests will give you ideas to amend the settings on your servers or XP machines.

Litmus Tests for Event Logs

Before we look at specifics, merely people's attitude to event log entries labels them as Amateurs or Professionals - at least in my eyes.

Professionals: a) Trace the error message in TechNet and, if that fails, enter the Event ID in their favourite search engine, confident that someone somewhere will have seen it before and have the answer.

Amateurs: a) Cannot understand what the red dots in the log mean. b) Always blame Microsoft.
Signs that you are a Professional (any 5 of 7)
- You increased the file size of the logs from the default of 512k to about 4mb (surely you can afford the extra disk space).
- On the properties menu of the Event log, you selected the radio button: Overwrite events as needed.
- Backup errors: either none, or just a few known errors where correction is in hand.
- Only very few Win32Time errors in the System Log. (Have you the skill to configure an external time server?)
- Your Security log contains auditing entries, which check for illegal access to key folders.
- As a Professional you check not only the System, Security and Application logs, but also the Active Directory, DNS and File Replication Service logs. Amateurs only ever look in the System log.
- Professionals combine knowledge from different areas. For example, top techies create VBScripts to monitor specific Event IDs. Those who want warning of critical events set Alerts in Perfmon, which show up in the Application log. Amateurs are narrow-minded and never operate out of their comfort zone.
Characteristics of Amateurs (any 3 of 4)
- Log size remains at 512k and is set to Overwrite events older than 7 days (otherwise you may lose valuable information).
- 30% of companies I have visited have backup errors clearly displayed in the Application Log. Worse still, when I inquired, nobody knew what the message meant.
- No Auditing entries (they think a blank log means no problems, whereas it means Auditing has not been turned on).
- Amateurs believe that there is only one Event Log on a Windows Server 2003; when pressed, they guess there may be three. (Usually there are at least five logs.)
Off the wall idea

Mad Mick's boss went on a course entitled 'Motivate your workforce with performance related pay'. When he returned he put into practice a bonus system based on red dots in the event logs. His 'off the wall' idea was to start with a bank of $100 for each log. For every red dot, meaning error, he deducted $1; whatever was left the techies received as a monthly bonus. At the end of the first month Mick just deleted the logs and claimed the bonus in full. Half way through the next month, when the boss reviewed Mad Mick's server, his best log showed a deficit of -$594 and his worst was -$3187. Shortly after, both the boss and Mick left that firm.

On a more realistic note, if you take the above challenge as a fun way of learning, then reducing the red dots will improve your knowledge of Windows Server 2003; moreover, as a direct result your servers will run more smoothly and reliably. Alternatively, if you don't have the time to check the logs yourself, this task could be a job for a student, or if the boss insists on sending his son / nephew to work with you over the summer, investigating the logs could keep them out of mischief.
Summary of Litmus tests

Basic Litmus tests: size of the log file; set to overwrite as needed; no backup errors; check all five logs.
Advanced Litmus tests: presence of Audit entries; Alerts; VBScript for specific Event IDs.
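As an added example that is not part of the ezine, here is a PowerShell pass over the basic and advanced Litmus tests above, run against the local server. It assumes PowerShell 2.0 or later with local Administrator rights (needed to read the Security log); the backup event source and the watched Event IDs are placeholders to replace with your own.

```powershell
# Added example, not from the ezine: one pass over the Event Log Litmus tests.
# Assumes PowerShell 2.0 or later and local Administrator rights (for the Security log).
$logsToCheck   = 'System', 'Security', 'Application', 'Directory Service', 'DNS Server', 'File Replication Service'
$minSizeKB     = 4096                 # about 4 MB, as the ezine recommends, instead of the 512 KB default
$since         = (Get-Date).AddDays(-30)
$backupSources = @('NTBackup')        # assumption: add the event source of your own backup product
$watchEventIds = @(6008, 1000)        # assumption: Event IDs you want flagged in any log

$findings = @()
foreach ($name in $logsToCheck) {
    $log = Get-EventLog -List | Where-Object { $_.Log -eq $name }
    if (-not $log) { $findings += "[$name] log not present on this machine"; continue }

    # Basic tests: file size and overwrite policy (the log's Properties dialog in Event Viewer)
    if ($log.MaximumKilobytes -lt $minSizeKB) {
        $findings += "[$name] size is $($log.MaximumKilobytes) KB; raise it to at least $minSizeKB KB"
    }
    if ($log.OverflowAction -ne 'OverwriteAsNeeded') {
        $findings += "[$name] overflow action is $($log.OverflowAction); select 'Overwrite events as needed'"
    }

    $entries = @(Get-EventLog -LogName $name -After $since -ErrorAction SilentlyContinue)

    switch ($name) {
        'System' {
            # The ezine's 'Win32Time' errors are written under the W32Time event source
            $n = @($entries | Where-Object { $_.Source -eq 'W32Time' -and $_.EntryType -eq 'Error' }).Count
            if ($n -gt 0) { $findings += "[System] $n W32Time errors; check the external time source configuration" }
        }
        'Application' {
            $n = @($entries | Where-Object { $backupSources -contains $_.Source -and $_.EntryType -eq 'Error' }).Count
            if ($n -gt 0) { $findings += "[Application] $n backup errors; someone should know what each one means" }
        }
        'Security' {
            # A blank Security log usually means auditing is off, not that nothing happened
            $n = @($entries | Where-Object { $_.EntryType -eq 'SuccessAudit' -or $_.EntryType -eq 'FailureAudit' }).Count
            if ($n -eq 0) { $findings += "[Security] no audit entries; object access auditing is probably not enabled" }
        }
    }

    # Advanced test: specific Event IDs worth an alert, in whichever log they appear
    foreach ($e in $entries | Where-Object { $watchEventIds -contains $_.EventID }) {
        $findings += "[$name] watched Event ID $($e.EventID) from $($e.Source) at $($e.TimeGenerated)"
    }
}

if ($findings.Count -eq 0) { 'All Litmus tests passed.' } else { $findings }
```

Run it from an elevated PowerShell prompt on the server; each line of output is one failed test, so an empty list is the professional's result.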
More Information

As an MCT trainer, I can thoroughly endorse TrainSignal because they deliver practical hands-on training. In particular, I like the way that TrainSignal cover all learning methods: instructor-led, video and of course text material. You can either take one module, for example File Server, or go for a combination of modules.