Best Practice Ezine #90 – Event Logs


Best Practice Ezine #90 – Litmus Tests for Event Logs

This week I feature Litmus tests for event logs.

Guy’s Litmus Tests

My vision of a Litmus Test is of a simple question that instantly separates amateurs from professionals.  Here are three examples of simple Litmus tests that will tell you about the abilities of a techie.

1) There is a problem with a server hanging. Professionals start by identifying then restarting the problem service. Amateurs solve the problem by rebooting the server and thus suffer unnecessary downtime.

2) Professionals always rename ‘Administrator’ to a name that blends with the other users.  Amateurs leave the most powerful account open to hacking, because everyone knows that Windows systems have an account called Administrator.

3) People’s attitude to Organizational Units polarises them into professionals who create OUs to manage their people and group policies and amateurs who create all their accounts in the default Users containers.

Event Logs

Just as a blood test reveals all kinds of information about my health, so event logs reflect the wellbeing of a server.  Consequently, whenever I visit a company as a consultant, it’s not long before I have a peek at their event logs.  By launching the Event Viewer I can quickly run through my rich collection of Litmus tests and thus discover if I am dealing with amateurs or professionals.  My hidden agenda is this: if the company is run by amateurs then the problem may be simple, but if they are professionals, then they will have already tried all the obvious solutions.

Ever since I can remember, Windows servers have had event logs which we can interrogate via the Event Viewer. Typical error messages would be ‘Win32Time’, ‘Backup failed’ or ‘Printer offline’. Back in NT days, there were just three logs, but with each generation of Windows there seem to be more logs; for example, Windows Server 2003 has logs for DNS and the File Replication Service. Even clients such as XP have the basic three logs: System, Security and Application.

What I want to do today is share my Event Log Litmus tests with you.  I hope that one or two tests will give you ideas to amend the settings on your servers or XP machines.

Guy Recommends: SolarWinds’ Log & Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a malware attack.

Yet perhaps the killer reason why people use LEM is its compliance capability: with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Litmus Tests for Event Logs

Before we look at specifics, people’s attitude to event log entries alone labels them as Amateurs or Professionals – at least in my eyes.

Professionals a) Trace the error message in TechNet and if that fails, they enter the Event ID in their favourite search engine, confident that someone somewhere will have seen it before and have the answer.

Amateurs a) Cannot understand what the red dots in the log mean.  b) Always blame Microsoft.


Signs that you are a Professional (Any 5 of 7)

  1. You increased the file size of the logs from the default of 512 KB to about 4 MB (Surely you can afford the extra disk space).
  2. On the properties menu of the Event log, you selected the radio button: Overwrite events as needed.
  3. Backup errors.  Either none or just a few known errors and correction is in hand.
  4. Only very few Win32Time errors in the System Log. (Have you the skill to configure an external time server?)
  5. Your Security log contains auditing entries, which check for illegal access to key folders.
  6. As a Professional you check not only the System, Security and Application logs, but also the Active Directory, DNS and File Replication Service logs.  Amateurs only ever look in the System log.
  7. Professionals combine knowledge from different areas.  For example, top techies create VBScripts to monitor specific Event IDs.  Those who want warning of critical events set Alerts in Perfmon which show up in the Application log.  Amateurs are narrow minded and never operate out of their comfort zone.

Characteristics of Amateurs (Any 3 of 4)

  1. Log size remains at 512 KB and is set to Overwrite events older than 7 days (Otherwise you may lose valuable information).
  2. 30% of companies I have visited have backup errors clearly displayed in the Application Log.  Worse still, when I inquired nobody knew what the message meant.
  3. No Auditing entries  (They think a blank log means no problems, whereas it means Auditing has not been turned on).
  4. Amateurs believe that there is only one Event Log on a Windows Server 2003; when pressed they guess there may be three.  (Usually there are at least five logs.)
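The two lists above can be scored automatically.  The script below is an added example, not code from the ezine: it runs the basic litmus tests (log size, overwrite setting, presence of the extra logs, backup errors, W32Time errors, auditing) against a server using Windows PowerShell’s Get-EventLog cmdlet.  The list of expected log names, the 4 MB threshold, the limit of five W32Time errors and the ‘*Backup*’ source pattern are my assumptions for illustration; run it as an administrator, since reading the Security log requires it.

```powershell
# Added example (not from the ezine): score a server against the event-log litmus tests.
# Assumptions: log names, the 4 MB threshold, the W32Time limit and the '*Backup*' source pattern.
param([string]$ComputerName = $env:COMPUTERNAME)

$minSizeKB  = 4096    # the ezine's "about 4 MB"; the default it criticises is 512 KB
$wantedLogs = 'System', 'Security', 'Application', 'Directory Service', 'DNS Server', 'File Replication Service'
$report     = New-Object System.Collections.ArrayList

function Add-Result($Test, $Log, $Pass, $Detail) {
    [void]$report.Add((New-Object PSObject -Property @{ Test = $Test; Log = $Log; Pass = $Pass; Detail = $Detail }))
}

# Litmus 1 and 2 (amateur 1): size raised from the default and overflow set to "Overwrite events as needed"
$logs = Get-EventLog -List -ComputerName $ComputerName
foreach ($log in $logs) {
    Add-Result "Size >= $minSizeKB KB" $log.Log ($log.MaximumKilobytes -ge $minSizeKB) "$($log.MaximumKilobytes) KB"
    Add-Result 'Overwrite as needed' $log.Log ($log.OverflowAction -eq 'OverwriteAsNeeded') "$($log.OverflowAction)"
}

# Litmus 6 (amateur 4): the Active Directory, DNS and FRS logs exist, not just the basic three
$present = $logs | ForEach-Object { $_.Log }
foreach ($name in $wantedLogs) {
    Add-Result 'Log present' $name ($present -contains $name) ''
}

# Litmus 3 (amateur 2): no backup errors sitting in the Application log
$backupErrors = @(Get-EventLog -LogName Application -EntryType Error -ComputerName $ComputerName -ErrorAction SilentlyContinue |
    Where-Object { $_.Source -like '*Backup*' })
Add-Result 'No backup errors' 'Application' ($backupErrors.Count -eq 0) "$($backupErrors.Count) error(s)"

# Litmus 4: only very few W32Time errors in the System log (many suggests no external time source)
$timeErrors = @(Get-EventLog -LogName System -EntryType Error -Source W32Time -ComputerName $ComputerName -ErrorAction SilentlyContinue)
Add-Result 'Few W32Time errors' 'System' ($timeErrors.Count -le 5) "$($timeErrors.Count) error(s)"

# Litmus 5 (amateur 3): the Security log holds audit entries; an empty log means auditing is switched off
$auditEntries = @(Get-EventLog -LogName Security -Newest 1 -ComputerName $ComputerName -ErrorAction SilentlyContinue)
Add-Result 'Auditing enabled' 'Security' ($auditEntries.Count -gt 0) ''

$report | Sort-Object Pass, Test | Format-Table Pass, Test, Log, Detail -AutoSize
$passed = @($report | Where-Object { $_.Pass }).Count
"$passed of $($report.Count) litmus tests passed on $ComputerName"
```

A failed ‘Log present’ row simply means that role is not installed on the server, so read it alongside the server’s role list rather than as an automatic black mark.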

Guy Recommends: Tools4ever’s UMRA, the User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information on UMRA.

Off the wall idea

Mad Mick’s boss went on a course entitled ‘Motivate your workforce with performance related pay’.  When he returned he put into practice a bonus system based on red dots in the event logs.  His ‘off the wall’ idea was to start with a bank of $100 for each log.  For every red dot, meaning error, he deducted $1; whatever was left the techies received as a monthly bonus.

At the end of the first month Mick just deleted the logs and claimed the bonus in full.  Half way through the next month, when the boss reviewed Mad Mick’s server, his best log showed a deficit of -$594 and his worst was -$3187.  Shortly after, both the boss and Mick left that firm.

On a more realistic note, if you take the above challenge as a fun way of learning, then reducing the red dots will improve your knowledge of Windows Server 2003; moreover, as a direct result your servers will run more smoothly and reliably.  Alternatively, if you don’t have the time to check the logs yourself, this task could be a job for a student, or if the boss insists on sending his son / nephew to work with you over the summer, investigating the logs could keep them out of mischief.

Summary of Litmus tests

Basic Litmus tests: Size of the log file.  Set to overwrite as needed.  No backup errors.  Check all five logs.

Advanced Litmus tests: Presence of Audit entries, Alerts, VBScript for specific event ID.
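The advanced test of monitoring a specific Event ID was a VBScript job in 2003; the script below is an added example, not the ezine’s own code, showing the same idea as a WMI event subscription in Windows PowerShell.  The watched Event IDs (6008, 7031 and 7034, which the System log uses for unexpected shutdowns and service crashes), the five-second polling interval and the log-file location are my assumptions; substitute the IDs your own litmus tests care about.

```powershell
# Added example (not from the ezine): watch the System log for particular Event IDs and raise an alert.
# Assumptions: the Event IDs below, the 5-second WMI polling interval and the log file under %TEMP%.
$watchedIds = 6008, 7031, 7034
$logFile    = Join-Path $env:TEMP 'eventid-watch.log'

# WQL: poll every 5 seconds for new System-log records whose EventCode is one of the watched IDs
$idClause = ($watchedIds | ForEach-Object { "TargetInstance.EventCode = $_" }) -join ' OR '
$query    = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
            "WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'System' AND ($idClause)"

# The -Action block runs in the background for every matching record; -MessageData carries the log path in
Register-WmiEvent -Query $query -SourceIdentifier 'LitmusEventWatch' -MessageData $logFile -Action {
    $e    = $Event.SourceEventArgs.NewEvent.TargetInstance
    $line = '{0} {1} EventID={2} Source={3} {4}' -f (Get-Date -Format s), $e.Logfile, $e.EventCode, $e.SourceName, $e.Message
    Add-Content -Path $Event.MessageData -Value $line   # keep a record even if nobody is watching the console
    Write-Host "ALERT: $line"
}

"Watching the System log for Event IDs $($watchedIds -join ', '); matches are appended to $logFile"
"Stop with: Unregister-Event -SourceIdentifier LitmusEventWatch"
```

The subscription lives only as long as the PowerShell session; for a permanent monitor, run it from a scheduled task or wrap the alert in a Perfmon-style notification as the ezine suggests.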
