G'day viewers, my name is Oren Thomas. I'm a Principal Hybrid Cloud Advocate at Microsoft. In this video, we will talk about the Windows Event Log and Event Log policies. The Event Log is something that's been built into Windows Server for decades. It's one of those meat-and-potatoes features that we all have a cursory understanding of but rarely think about in depth. As someone who talks about IT Pro topics, I'm interested in covering core roles and features that have been around forever but don't get much attention. Whilst all the new shiny things get coverage, it's tools like Event Viewer and Event Logs that you need to understand to effectively do a job as a Windows Server administrator. In this video, I'll discuss what the Event Log is, the primary four Event Logs, the Applications and Services Logs, the Group Policy items related to Event Logs, and other fascinating, invigorating, and exciting ephemera related to this exquisitely interesting but often overlooked element of the Windows operating system.

So what are the Event Logs? The Event Logs record events that happen on the computer. Examining the events in these logs can help you trace activity, respond to events, and keep your system secure. Configuring these logs properly can help you manage the logs more efficiently and use the information that they provide more effectively. Whilst you generally use Event Viewer to view the logs, you can also use PowerShell and Windows Admin Center to view log data. Windows Server saves Event Log files as XML files that can be reported on and managed as part of a collective reporting schema. There are several additional log providers and categories that you can monitor. Event Viewer stores information in a number of logs, including Windows Logs. This Windows Event Log provider contains the following event logs from the operating system.

Application Log. Events in this Windows Log are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that is not necessarily significant but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.

Security Log. This Windows Log contains security-related events, which are called audited events and are described as successful or failed, depending on the event, such as whether a user's attempt to log onto Windows was successful.

Setup Log. This Windows Log records events related to installing programs and services on the computer. Computers that are configured as domain controllers have additional logs displayed in this category.

System Log. This Windows Log records system events that are sent by Windows and Windows system services and are classified as error, warning, or information.

Forwarded Events Log. This Windows Log records events that are forwarded to this log by other computers.

Each application or service installed on the computer will have an individual log. These logs store events from a single application or service rather than events that might have system-wide impact. This category of logs includes four subtypes for which the application or service can provide events. These subtypes are admin, operational, analytic, and debug logs.

Admin. Events that are found in the admin channels indicate a problem and a well-defined solution that an administrator can act on. An example of an admin event is an event that occurs when an application fails to connect to a printer. These events are either well-documented or have a message associated with them that gives the reader direct instructions on what must be done to rectify the problem. If it's a printer, it may include the solution from the movie Office Space.

Operational. Events that are found in the operational channels are used for analyzing and diagnosing a problem or occurrence. They can be used to trigger tools or tasks based on the problem or occurrence. An example of an operational event is an event that occurs when a printer is added to or removed from a system.

Analytic. Events that are found in the analytic channels aid in performance evaluations and troubleshooting. These events are published in high volume, so they should only be enabled and logged for limited amounts of time as part of a diagnostic process. They describe program operation and may indicate problems that cannot be handled by user intervention.

Debug. Events that are found in the debug channels can be used by developers when troubleshooting issues with their programs.

You should note that both analytic and debug logs are hidden and disabled by default. To use these logs, first start Event Viewer, click the View menu, and then select Show Analytic and Debug Logs to make these logs visible. Then select the analytic or debug log that you want to enable and, on the Action menu, click Properties. In the Properties dialog box, select Enable Logging and click OK.

Each of these logs has attributes such as maximum log size, access rights for each log, and retention settings and methods, each of which can be defined in the appropriate event log section in Group Policy. You can configure the event log settings in the following location within the Group Policy Management Console: Computer Configuration\Administrative Templates\Windows Components\Event Log Service. Subordinate folders exist for the following event logs by default: Application, Security, Setup, System. The same set of policy settings is available for each event log. The Setup folder has an additional policy setting that allows logging to be turned on.
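As an added example that is not part of the video, the PowerShell below does the same thing as the Event Viewer steps just described (show the hidden analytic and debug channels, then enable one for a diagnostic window and disable it again), but from a script so that the enable/disable pair is explicit. It uses the real Get-WinEvent -ListLog -Force listing and the EventLogConfiguration object's IsEnabled/SaveChanges members; the two function names and the channel name in the usage comment are my own placeholders, not anything from the video. Run it elevated, because changing channel configuration needs administrator rights.

```powershell
# Added example (not from the video): list and toggle hidden Analytic/Debug channels.
# Get-WinEvent only returns Analytic and Debug logs when -Force is supplied.

function Get-DiagnosticChannel {
    # Returns every Analytic and Debug channel with its enabled state and size, so you
    # can see what is currently switched on (these are high-volume, so that matters).
    Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LogType -in 'Analytical', 'Debug' } |
        Select-Object LogName, LogType, IsEnabled, MaximumSizeInBytes, RecordCount
}

function Set-DiagnosticChannelState {
    # Makes the same change as the 'Enable Logging' checkbox in the log's Properties
    # dialog. Refuses to touch Admin/Operational channels so it cannot be misused to
    # silence a production log by accident.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State
    )
    $log = Get-WinEvent -ListLog $LogName -Force -ErrorAction Stop
    if ($log.LogType -notin 'Analytical', 'Debug') {
        throw "$LogName is a $($log.LogType) channel; this helper only toggles Analytic and Debug logs."
    }
    $log.IsEnabled = ($State -eq 'Enabled')
    $log.SaveChanges()      # writes the channel configuration; requires elevation
    Get-WinEvent -ListLog $LogName -Force | Select-Object LogName, LogType, IsEnabled
}

# Usage. The channel name below is a placeholder; pick a real one from Get-DiagnosticChannel.
Get-DiagnosticChannel | Where-Object IsEnabled | Format-Table -AutoSize
# Set-DiagnosticChannelState -LogName 'Microsoft-Windows-Example/Analytic' -State Enabled
# ... reproduce the problem and collect the events ...
# Set-DiagnosticChannelState -LogName 'Microsoft-Windows-Example/Analytic' -State Disabled
```

The first call is worth running on its own as a check: any analytic or debug channel that shows IsEnabled as True outside a diagnostic session is filling disk with events nobody is reading.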
The following slides will describe the options and issues for configuring event log settings for better system management and security. The maximum log size policy setting specifies the maximum sizes of the log files. An individual setting may be specified for each of the Application, Security, Setup, and System event log channels. The user interfaces of both the Local Group Policy Editor and the Microsoft Management Console Event Viewer snap-in allow you to enter values as large as two terabytes. If this setting is not configured, event logs have a default maximum size of 20 megabytes. Although there is no simple equation to determine the best log size for a particular server, you can calculate a reasonable size by multiplying the average event size by the average number of events per month, assuming that you back your logs up on a monthly schedule. The average event takes up about 500 bytes within each log, and the log file sizes must be a multiple of 64 kilobytes. If you can estimate the average number of events that are generated each day for each type of log in your organization, you can determine a good size for each type of log file. For example, if your file server generates 5,000 events per day in its Security log and you want to ensure that you have at least four weeks of data available at all times, you should configure the size of that log to about 70 megabytes, calculated as 500 bytes x 5,000 events per day x 28 days = 70 million bytes. Then check the service occasionally over the following four weeks to verify that your calculations are correct and that the logs retain enough events for your needs. Event log size and log wrapping should be defined to match the business and security requirements that you determined when you designed your organization's security plan. You can set a maximum log size value of between 1,024 and 2,147,483,647 kilobytes, in multiples of 64 kilobytes.
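As an added example that is not part of the video, this PowerShell turns the sizing rule of thumb above into a function: average event size times events per day times retention days, rounded up to the 64 KB granularity the policy requires and clamped to the 1,024 KB to 2,147,483,647 KB range, then compared with what a log is actually set to. The function names are my own; the comparison uses the real MaximumSizeInBytes property from Get-WinEvent -ListLog, and the suggested change is printed as a wevtutil command rather than applied.

```powershell
# Added example (not from the video): compute a log size from the video's rule of thumb
# and compare it with the configured maximum for a given log.

function Get-RecommendedLogSizeKB {
    param(
        [int]$AverageEventBytes = 500,              # the video's average event size
        [Parameter(Mandatory)][long]$EventsPerDay,
        [int]$RetentionDays = 28                    # four weeks between archive runs
    )
    $bytes = [long]$AverageEventBytes * $EventsPerDay * $RetentionDays
    $kb    = [math]::Ceiling($bytes / 1KB)
    # Log sizes must be multiples of 64 KB: round up to the next multiple.
    $kb    = [math]::Ceiling($kb / 64) * 64
    # The policy accepts 1,024 KB .. 2,147,483,647 KB.
    [long][math]::Min([math]::Max($kb, 1024), 2147483647)
}

function Compare-LogSize {
    # Reports whether a log's configured maximum is below the recommended size.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][long]$EventsPerDay,
        [int]$RetentionDays = 28
    )
    $recommendedKB = Get-RecommendedLogSizeKB -EventsPerDay $EventsPerDay -RetentionDays $RetentionDays
    $configuredKB  = (Get-WinEvent -ListLog $LogName -ErrorAction Stop).MaximumSizeInBytes / 1KB
    [pscustomobject]@{
        LogName       = $LogName
        ConfiguredKB  = $configuredKB
        RecommendedKB = $recommendedKB
        NeedsIncrease = ($configuredKB -lt $recommendedKB)
        # wevtutil takes the new maximum in bytes; shown here, not executed.
        ApplyCommand  = "wevtutil sl `"$LogName`" /ms:$($recommendedKB * 1KB)"
    }
}

# The video's worked case: 500 bytes x 5,000 events/day x 28 days = 70,000,000 bytes,
# which is 68,359.4 KB and rounds up to 68,416 KB, the next multiple of 64 KB.
Get-RecommendedLogSizeKB -EventsPerDay 5000
Compare-LogSize -LogName Security -EventsPerDay 5000 | Format-List
```

On a server still at the 20 MB default (20,480 KB), the Security row reports NeedsIncrease as True, which is the gap the video's four-week retention target is meant to close.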
That's an approximate maximum log file size of two terabytes, if you're feeling relaxed about the amount of storage you have. The recommended event log setting size is four gigabytes. That does seem rather excessive. However, I found a document on learn.microsoft.com that specified that value, so it must be the right number. The approximate maximum events per second that can be recorded is over 300,000. From a practical perspective, if you're thinking about log files that big, you should be using a tool like Azure Monitor or System Center Operations Manager to query and analyze your event data.

The Control the location of the log file policy allows you to configure where event logs are written. By default, event log files are located in the %WinDir%\System32\winevt\Logs folder. You can move these logs manually or by using policy. To move the event log files to a specified folder, follow these steps. Open Event Viewer. Right-click the log that you want to configure and then select Properties. In the Log path box, type the desired location for the event log and then select OK. This change takes effect immediately. However, the events that were already logged are still saved in the previous location. If you relocate the event log files to an unavailable disk, the events will be lost.

If you significantly increase the number of objects to audit in your organization, and if you enabled the Audit: Shut down system immediately if unable to log security audits setting, there is a risk that the Security log will reach its capacity and force the computer to shut down. If such a shutdown occurs, the computer is unusable until an administrator clears the Security log. To prevent such a shutdown, you can disable the Audit: Shut down system immediately if unable to log security audits setting.

The following default log access rights are enforced. Application and Setup logs:
all authenticated users can write/read/clear the log. System log: only system software and administrators can write or clear the log; any authenticated user can read events from it. Security log: only system software and administrators can read or clear the log.

The Configure log access policy setting determines which user accounts have access to log files and what usage rights are granted. An individual setting may be specified for each of the Application, Security, Setup, and System event log channels. This policy requires you to use Security Descriptor Definition Language (SDDL) to identify security principals rather than just selecting a user or group. This makes configuring this setting a lot more cumbersome than it should be. Enabling this policy allows you to enter a security descriptor for the log file. The security descriptor controls who can read, write, or clear the event log.

The Control event log behavior when the log file reaches its maximum size policy setting controls event log behavior when the log file reaches its maximum size. If you enable this policy setting and the Retain old events policy setting is also enabled, the event log file is automatically closed and renamed when it is full. A new file is then started. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events in the same log file. If this policy setting is enabled and a log file reaches its maximum size and the Retain old events policy is not enabled, new events are not written to the log and are lost. You should archive logs to an external location at scheduled intervals and ensure that the maximum log size is large enough to accommodate the interval. Alternatively, use a monitoring solution that ingests and archives logs in an external location.
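As an added example that is not part of the video, the PowerShell below reads back what the policies just described actually resolved to on a machine: each of the four Windows logs' maximum size, what it does when full (the LogMode property, which is the runtime form of the overwrite/backup/retain settings), where the file lives, and who the channel SDDL allows to read, write, or clear it. The SDDL decoding relies on the standard event log access mask bits (0x1 read, 0x2 write, 0x4 clear) and the standard two-letter SDDL SID aliases; the two function names are mine. It is read-only and changes nothing, so it is safe as a scheduled check for the "new events are lost" condition the video warns about.

```powershell
# Added example (not from the video): audit size, when-full behaviour, path and
# read/write/clear rights for the Application, Security, Setup and System logs.

function ConvertFrom-EventLogSddl {
    # Event log channel ACEs carry a hex access mask: 0x1 = read, 0x2 = write, 0x4 = clear.
    # Two-letter trustees are standard SDDL SID aliases; anything else is shown as-is.
    param([Parameter(Mandatory)][string]$Sddl)
    $alias = @{
        BA = 'Builtin Administrators'; SY = 'Local System';     AU = 'Authenticated Users'
        IU = 'Interactive Users';      SU = 'Service';          SO = 'Server Operators'
        BU = 'Builtin Users';          NS = 'Network Service';  LS = 'Local Service'
        BO = 'Backup Operators'
    }
    # ACE string layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    foreach ($m in [regex]::Matches($Sddl, '\((A|D);[^;]*;(0x[0-9A-Fa-f]+);;;([^)]+)\)')) {
        $mask = [Convert]::ToInt32($m.Groups[2].Value, 16)   # ToInt32 accepts the 0x prefix
        $who  = $m.Groups[3].Value
        [pscustomobject]@{
            Trustee = if ($alias.ContainsKey($who)) { $alias[$who] } else { $who }
            Type    = if ($m.Groups[1].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Read    = [bool]($mask -band 0x1)
            Write   = [bool]($mask -band 0x2)
            Clear   = [bool]($mask -band 0x4)
        }
    }
}

function Get-EventLogPolicyReport {
    param([string[]]$LogName = @('Application', 'Security', 'Setup', 'System'))
    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        $whenFull = switch ("$($log.LogMode)") {
            'Circular'   { 'overwrite the oldest events' }
            'AutoBackup' { 'archive the file and start a new one' }
            'Retain'     { 'DISCARD new events until the log is cleared' }
        }
        [pscustomobject]@{
            LogName    = $log.LogName
            MaxSizeMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            Records    = $log.RecordCount
            Path       = $log.LogFilePath
            WhenFull   = $whenFull
            RiskOfLoss = ($log.LogMode -eq 'Retain')   # the setting that silently drops events
            CanClear   = (ConvertFrom-EventLogSddl -Sddl $log.SecurityDescriptor |
                          Where-Object { $_.Type -eq 'Allow' -and $_.Clear }).Trustee -join ', '
        }
    }
}

Get-EventLogPolicyReport | Format-List
ConvertFrom-EventLogSddl -Sddl (Get-WinEvent -ListLog Security).SecurityDescriptor | Format-Table -AutoSize
```

Reading the Security log's RecordCount needs an elevated session; the other properties are readable by any user. The CanClear column is the one to watch from a security standpoint: the video's default is that only system software and administrators can clear the Security log, so any extra trustee there is a policy deviation worth explaining.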
The Backup log automatically when full policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the Retain old events policy setting is enabled. If you enable this policy setting and the Retain old events policy setting is enabled, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable this policy setting and the Retain old events policy setting is enabled, new events are discarded and the old events are retained. When this policy setting is not configured and the Retain old events policy setting is enabled, new events are discarded and the old events are retained. As I mentioned earlier, you should archive logs to an external location at scheduled intervals and ensure that the maximum log size is large enough to accommodate the interval. Alternatively, use a monitoring solution that ingests and archives logs in an external location.

In this video, we looked at event logs on computers running the Windows operating system. The event logs record events that happen on the computer. Examining the events in these logs can help you trace activity, respond to events, and keep your system secure. Configuring these logs properly can help you manage the logs more efficiently and use the information that they provide more effectively. Tools like Event Viewer and Event Logs are things that you need to understand to effectively do a job as a Windows Server administrator. Ensure that you configure log file policy so that log file size is appropriate and that important event log data is not overwritten or goes unlogged. I hope you found this video useful and informative. My name is Oren Thomas. You can find me at aka.ms/oren, and if you've got any questions or feedback, drop a comment below.