March EventSource Newsletter
By Danielle Ruest and Nelson Ruest
Explore the Vista Event Log
Microsoft has made some considerable changes in the Windows Vista Event Log. It sports a new interface and a significant number of new event categories, making it much more useful than ever before. This article is the second in a series that demystifies the Vista Event Log.
For Windows Vista, Microsoft scrapped all of its previous Windows code and started from scratch to rewrite the whole thing. Good idea? No doubt. With all the security issues Windows has been facing in the past few years, rewriting the code with security in mind was a must. But it also provides added benefits. For example, when Microsoft programmers were working on the Vista Event Log, not only did they rewrite the code, but they also took advantage of the opportunity to give it a complete overhaul. Who benefits? We do, as users or rather administrators of Vista PCs.
The new Vista Event Log includes several features:
- New Event Viewer Interface
- New Event Categories
- New Event Filters
- New Event Language: XML
- New Event command-line tool
Each of these makes it much easier to manage events in Windows Vista.
The Event Viewer Interface
The first thing you’ll notice when you launch the Event Viewer in Windows Vista is the new look and feel. When you first open it, the Event Viewer presents its summary view. Based on the Microsoft Management Console 3.0, the new Event Viewer lays out its contents in three panes (see Figure 1). The left pane is still the tree view, which will be familiar to most Windows technicians. It includes several nodes: Custom Views, Windows Logs, Applications and Services Logs and Subscriptions. The center pane is, as it was before, the details pane. When the focus is on the Event Viewer node, you see the summary view, which lists all events according to importance as well as audited events. Finally, the right pane lists actions you can perform. Like context menus, the contents of this action pane change with the views you select.
When you change views, for example by focusing on a specific log to view the events it contains, the details pane becomes your event viewer. It shows the actual contents of events, so you no longer have to open each event and juggle windows to see event listings and event details at the same time (see Figure 2). This makes it much easier to work with events.
Figure 1. The Summary View of the Event Log
Figure 2. Viewing the details of an event
New Event Categories
Another major improvement of the Event Log is that it is now designed to collect every single event on the system. While previous versions of Windows stored event information in different locations—databases, flat files, event log—Vista now stores all events in the Event Log. This means that it now includes a whole series of new event categories. These are located under the Applications and Services Logs node in the tree pane (see Figure 1). Perhaps the most important change is in the Microsoft sub-node. This sub-node now includes 53 different categories under the Windows sub-node. Each category is focused on a specific service within Windows—BitLocker, Event Collector, Group Policy, User Access Control, and much more. Subcategories are listed for each—administrative, operational, analytic and so on—making it very easy to drill down deep into any issue.
In addition, each application that is Vista-ready will store its events inside this event category. Windows includes its own—Distributed File System (DFS) Replication, Hardware Events, Internet Explorer, Key Management Service, and Media Center. Third party applications also store their events here. This proves that the Event Log is now the one and only store for events in Vista.
New Event Filters
In addition, in the Custom Views node under the tree pane, you’ll see that Vista already includes a custom view: the Administrative Events view. This view is based on a filter and is used to automatically collect events that are of interest to system administrators, saving them from having to generate their own filters (see Figure 3). Because this is a default view, this filter is read-only, but you have full flexibility to create your own filters based on any event attribute.
Figure 3. The Details of the Administrative Events Filter
That’s right; filters can be based on a whole series of attributes (see Figure 4). Logged time is one of the first attributes you can focus on, with six predefined time periods and the ability to create your own custom time period. Event level is next, letting you select critical, error, warning, verbose or information events. Then, you can filter either by log or by source. Filtering by log gives you a tree pane that lets you check the logs you need. Filtering by source lets you select any potential event source. Finally, you can filter by event ID, tasks that may be associated with the event, keywords contained inside the event, and the user and computer generating the event. Quite a powerful set of filters.
Figure 4. Creating a Custom Events Filter
New Event Language: XML
Filtering is now so powerful because Vista events are completely structured, using an Extensible Markup Language (XML) structure. Previous versions of Windows provided some structure for event reporting, but it was mostly only evident to programmers using the Win32 application programming interface. With Vista, this changes because events rely on XML with a published schema. Each event now includes an XML description (see Figure 5). This makes it much easier to filter out events that might be considered ‘garbage’ and lets you focus on the events that are of interest to you.
This will go a long way towards making it easier to audit change and manage systems running Windows Vista.
Figure 5. The XML Details of an Event
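The filter attributes and XML event descriptions discussed above can be exercised from PowerShell. This is an added example, not taken from the article: the 24-hour window, the choice of the System and Application logs, and the temporary file name are assumptions made for illustration.

```powershell
# Custom-view style filter as a structured query (constructed for this example):
# Critical (1), Error (2) and Warning (3) events from the last 24 hours
# (86400000 ms) in the System and Application logs.
$xpath = '*[System[(Level=1 or Level=2 or Level=3) and ' +
         'TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]'
$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">$xpath</Select>
    <Select Path="Application">$xpath</Select>
  </Query>
</QueryList>
"@
$queryFile = Join-Path $env:TEMP 'admin-events-24h.xml'   # assumed file name
Set-Content -Path $queryFile -Value $query -Encoding UTF8

# /sq:true  : the first argument is a structured-query file, not a log name
# /f:xml    : return each event as its XML description
# /e:Events : wrap the output in one root element so it parses as a document
# /rd:true  : newest events first;  /c:50 : at most 50 events
$raw = & wevtutil.exe qe $queryFile /sq:true /f:xml /e:Events /rd:true /c:50
if ($LASTEXITCODE -ne 0) { throw "wevtutil query failed ($LASTEXITCODE)" }

$levelName = @{ '1' = 'Critical'; '2' = 'Error'; '3' = 'Warning' }
$doc = [xml]($raw -join "`n")

# Every event carries the same <System> block, so the fields can be read
# by name instead of scraping message text.
$rows = foreach ($e in $doc.GetElementsByTagName('Event')) {
    $sys = $e['System']
    [pscustomobject]@{
        Time    = [datetime]$sys['TimeCreated'].GetAttribute('SystemTime')
        Level   = $levelName[$sys['Level'].InnerText]
        Log     = $sys['Channel'].InnerText
        Source  = $sys['Provider'].GetAttribute('Name')
        EventID = [int]$sys['EventID'].InnerText
    }
}
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
```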
New Event command-line
If you love the command line, you won’t be disappointed with the new Event Log. Vista includes a new command, wevtutil.exe, which is designed to let you manage and administer events in character mode. Wevtutil, for Windows Event Utility, includes a whole series of functions and switches, all aimed at event management (see Figure 6).
For example, you can find out all of the publishers registered on a system. That’s because with the new Event Log, publishers must register themselves on the system. Wevtutil will list not only publishers but also their configuration on the system and all of the events they might log on a system. Nobody can hide from administrators anymore!
Wevtutil will also let you install or uninstall event manifests, run queries against events, export and archive logs as well as clear them, all from the command line. If you’re into the command line, then take the time to explore this powerful new tool.
Figure 6. The new wevtutil command
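The wevtutil functions described above, run in sequence from PowerShell. This is an added example, not taken from the article: the Group Policy publisher and its Operational log are chosen for illustration, and the output folder and file names are assumptions.

```powershell
# Run from an elevated prompt; reading or exporting some logs needs admin rights.
$outDir = Join-Path $env:TEMP 'evtx-archive'        # assumed working folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$log = 'Microsoft-Windows-GroupPolicy/Operational'

# 1. Every publisher registered on the system (ep = enum-publishers).
$publishers = & wevtutil.exe ep
'{0} publishers registered' -f @($publishers).Count
$publishers | Where-Object { $_ -like 'Microsoft-Windows-GroupPolicy*' }

# 2. One publisher's configuration plus the events it can log
#    (gp = get-publisher, /ge = event metadata, /gm = message text).
& wevtutil.exe gp Microsoft-Windows-GroupPolicy /ge:true /gm:true /f:xml |
    Set-Content (Join-Path $outDir 'GroupPolicy-publisher.xml')

# 3. Log configuration, then current size and record count (gl, gli).
& wevtutil.exe gl  $log
& wevtutil.exe gli $log

# 4. Export warnings and worse to an .evtx file (epl = export-log), then
#    archive it so the message text travels with the file (al = archive-log).
$evtx = Join-Path $outDir 'GroupPolicy-Operational.evtx'
& wevtutil.exe epl $log $evtx '/q:*[System[(Level=1 or Level=2 or Level=3)]]' /ow:true
if ($LASTEXITCODE -ne 0) { throw "export failed ($LASTEXITCODE)" }
& wevtutil.exe al $evtx /l:en-US

# 5. Query the exported copy rather than the live log
#    (/lf:true = the first argument is a log file path).
& wevtutil.exe qe $evtx /lf:true /c:5 /rd:true /f:text
```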
As you can see, the Event Viewer is considerably different from previous versions of Windows, even at just the interface level. But that’s not all. With Vista, you can integrate events with tasks, you can automate tasks based on events and you can forward key events to central locations.
In our next article, we’ll examine how Vista’s new Task Scheduler has also been upgraded in preparation for event automation. Windows Vista is here to stay and it’s easy to see why with powerful new tools such as the Event Viewer.
About the Authors
Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server 2008 for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.
Time Change a ‘Mini-Y2K’ in Tech Terms
With daylight saving time taking effect from March 11, 2007, any device that has an internal clock looms as a potential problem and must be tweaked for the time change, usually with a software patch. Most internal clocks in computing devices are programmed for the old daylight-time calendar, which Congress set in 1986.
Best of Breed vs. Big Security: What’s Best for SMBs?
Historically, security has been a best-of-breed market. Customers would buy the leading product in each category and integrate the products into a cohesive whole. But now, is best of breed still the right approach? Even for small and medium-sized businesses (SMBs), which by definition are time-, resource- and money-constrained?
Lessons from the DuPont Breach: Five Ways to Stop Data Leaks
In the five months Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he downloaded and accessed more than 15 times as many documents as the next-highest user of the system. But he wasn’t caught until after he left the company for a rival firm. Min pleaded guilty last November to misappropriating DuPont data and is scheduled to be sentenced on March 29. His case is only the latest to highlight a lack of internal controls for dealing with insider threats at many companies.
Privacy, Compliance and Security for SMBs
Here is a troubling statistic from the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization: Since February 2005, the data records of more than 93 million U.S. residents have been exposed due to security breaches. While many of these breaches occurred at financial institutions and universities and were the result of hacking, many were also due to stolen computers and occurred at smaller businesses and organizations.
Companies of all sizes need to take precautions to keep customer data safe and secure, but how much security is enough? Does the size of your business matter, and what are an organization’s responsibilities regarding its customers’ privacy?
Cool Tools and Tips
Compliance School: SOX, Security Standards and Building a Compliance Framework
One of the most important elements of SOX compliance is providing evidence that the financial applications and supporting systems and services are adequately secured to ensure that financial reports can be trusted. This places a special burden on IT security departments. They need to understand which systems, services and processes need to be controlled, which aspects of security are most critical to compliance and what it takes to demonstrate that their company is in compliance.