
The things that are better left unspoken

a blog by Sander Berkouwer

Handling Server Core Events

Windows Server 2008 Server Core doesn't have a graphical Event Viewer. There is a tool called wevtutil.exe that lets you work your log magic on the console; you can use the Event Viewer on another (graphical) machine to open the event logs of your Server Core box; or you might opt for an event log subscription that forwards event log entries to a dedicated event log machine.


Wevtutil.exe on the console

Let's look at how this tool works and how you can do all those things you'd like to perform:

  • View recent entries in specific logs
  • View recent entries with specific source
  • View recent entries with specific event-ID's
  • Export specific logs
  • Clean specific logs
  • Configure log settings

The information in this post is not specific to the Server Core installation option of Windows Server 2008: both the full installation of Windows Server 2008 and Windows Vista ship the wevtutil executable as well. Unlike on those Operating Systems, on Server Core your only way to work with (entries in) the event logs on the console is wevtutil. Of course you can access Server Core event logs from a remote computer using eventvwr.exe or eventvwr.msc, just like you can with other Windows (Server) boxes.

View recent entries in specific logs

If your goal is to view the three most recent entries in one of the standard event logs, a couple of simple commands will do:

wevtutil.exe qe System /rd:true /c:3 /f:text
wevtutil.exe qe Application /rd:true /c:3 /f:text
wevtutil.exe qe Security /rd:true /c:3 /f:text
wevtutil.exe qe ForwardedEvents /rd:true /c:3 /f:text
wevtutil.exe qe Setup /rd:true /c:3 /f:text
...

Each command queries events (qe) in the specified log in reverse direction (newest first, /rd:true). The output is in human-readable format (/f:text instead of the default XML) and only the first three events are returned (/c:3).

For a list of the logs present on the machine, you can enumerate them:

wevtutil.exe el

The length of this list might justify piping the output through more (| more, to control scrolling) or redirecting it to a file (> enumeratedlogs.txt, which you can then open with notepad.exe).

View recent entries with specific source

When you're after events from a specific source (provider) rather than a whole log, you need an XPath query. Unfortunately the TechNet article discussing wevtutil.exe doesn't give any examples of this type of query. A quick search, however, revealed a small trick by Nick Wienholt to lift these queries from the regular graphical Event Viewer.

The only downside is that you need to know which kind of events appear in which event log, because a query runs against one log. To view the three most recent events from a given source in the System log (for instance) you use the following command, where Source stands for the provider name as it appears in the event's XML (the attribute is spelled Name, and XPath is case-sensitive):

wevtutil.exe qe System /q:"*[System[Provider[@Name='Source']]]" /rd:true /f:text /c:3

View entries with specific Event ID

Now that we're used to XPath-style querying, it's not hard to query a specific log for events with a specific Event ID. Again the trick is to target the right log. For instance, to locate all events with Event ID 16 in the System log, returned in human-readable format, your command line would look like this:

wevtutil.exe qe System /q:"*[System[(EventID=16)]]" /f:text

This output would not be very convenient if you're experiencing this event often, so you might (for instance) want to narrow down the time scope by adding a second query element that limits the result to events from the last 7 days:

wevtutil.exe qe System /q:"*[System[(EventID=16) and TimeCreated[timediff(@SystemTime)<=604800000]]]" /f:text

Here timediff(@SystemTime) yields the difference between the event's timestamp and the current time in milliseconds, so 604800000 corresponds to 7 days. The double quotes around the query matter on cmd.exe: without them the < in the comparison is taken as input redirection.
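To make the three query conditions above concrete, here is an added example (not code from the original post or from Microsoft) that applies the same filters in Python to XML in the shape that wevtutil qe <Log> /f:xml prints, and builds the matching wevtutil command lines. The sample records are constructed for this example, POST_TIME is a constructed "now", and the function names are the example's own assumptions.

```python
"""Filter event records the way the page's wevtutil XPath queries do.

Added example for this page (not code from the original post or from
Microsoft): it parses XML in the shape that ``wevtutil qe <Log> /f:xml``
prints, one <Event> per record, and applies the same three conditions as the
queries above: provider name, EventID, and age via TimeCreated/@SystemTime.
The records below are constructed; the function names are this example's own.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WEEK_MS = 7 * 24 * 60 * 60 * 1000  # 604800000, the value used in the post
POST_TIME = datetime(2007, 9, 2, 18, 13, tzinfo=timezone.utc)  # constructed "now"

# Constructed sample records. wevtutil prints bare <Event> elements one per
# line; they are wrapped in a root element here so ElementTree can parse them.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>16</EventID><TimeCreated SystemTime="2007-09-01T10:00:00.1234567Z"/><Channel>System</Channel></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7036</EventID><TimeCreated SystemTime="2007-08-30T08:00:00.000Z"/><Channel>System</Channel></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>16</EventID><TimeCreated SystemTime="2007-08-01T10:00:00.000Z"/><Channel>System</Channel></System></Event>
</Events>"""


def parse_system_time(value):
    """Turn a SystemTime attribute into an aware UTC datetime.

    Real records carry seven fractional digits; strptime's %f accepts at most
    six, so the fraction is handled separately.
    """
    main, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return stamp.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_events(xml_text):
    """Return one dict per <Event> with provider, event_id and created."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        events.append({
            # The attribute is spelled Name; XPath is case-sensitive, so a
            # query written with @name never matches anything.
            "provider": system.find("e:Provider", NS).get("Name"),
            "event_id": int(system.find("e:EventID", NS).text),
            "created": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        })
    return events


def select(events, now, provider=None, event_id=None, max_age_ms=None):
    """Keep the events matching every condition given.

    max_age_ms mirrors timediff(@SystemTime): wevtutil's XPath function
    yields the event's age in milliseconds, which is why the page's 7-day
    query uses 604800000.
    """
    kept = []
    for ev in events:
        if provider is not None and ev["provider"] != provider:
            continue
        if event_id is not None and ev["event_id"] != event_id:
            continue
        if max_age_ms is not None:
            age_ms = (now - ev["created"]) / timedelta(milliseconds=1)
            if age_ms > max_age_ms:
                continue
        kept.append(ev)
    return kept


def wevtutil_query(log, provider=None, event_id=None, max_age_ms=None, count=None):
    """Build the matching 'wevtutil qe' command line.

    The query is wrapped in double quotes so cmd.exe does not treat the '<'
    in the timediff comparison as input redirection.
    """
    conds = []
    if provider is not None:
        conds.append(f"Provider[@Name='{provider}']")
    if event_id is not None:
        conds.append(f"(EventID={event_id})")
    if max_age_ms is not None:
        conds.append(f"TimeCreated[timediff(@SystemTime)<={max_age_ms}]")
    parts = ["wevtutil.exe", "qe", log]
    if conds:
        parts.append('/q:"*[System[' + " and ".join(conds) + ']]"')
    parts += ["/rd:true", "/f:text"]
    if count is not None:
        parts.append(f"/c:{count}")
    return " ".join(parts)


if __name__ == "__main__":
    for ev in select(parse_events(SAMPLE_XML), POST_TIME, event_id=16, max_age_ms=WEEK_MS):
        print(ev["created"].isoformat(), ev["provider"], ev["event_id"])
    print(wevtutil_query("System", event_id=16, max_age_ms=WEEK_MS))
```

The same /q: string that wevtutil_query produces is accepted by the epl command, so it can be reused to keep an export down to the events you actually need.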

Export specific logs

When you're required to export your logs (for debugging, troubleshooting or legal reasons) the wevtutil executable is your best friend. You can export a log with the epl (export log) command. For instance, to export the Security log you can use:

wevtutil.exe epl Security C:\ExportedSecurityLog.evtx /ow:true

This might result in a rather large exported log file. You can use the /q: query switch with epl too, to target specific events by time, by source or by Event ID.

Clean specific logs

To clear a specific log you just use the cl command:

wevtutil.exe cl Log

This is the simplest command of them all, and a destructive one: unlike the graphical Event Viewer it won't ask whether you want to back the log up first. You can specify a *.evtx backup file with the /bu: switch, though.

Manage logs

Windows logs can get pretty large pretty fast. In the past I've been confronted with screens mentioning log files being full, getting overwritten, etcetera. Server Core doesn't warn you like that, because it doesn't run explorer.exe. Configuring your log settings is of great importance when you need to make sure information in the logs doesn't get overwritten.

Wevtutil.exe has two tricks up its sleeve here: a command to change the settings (sl, set-log) and a command to view them (gl, get-log), so you can check the settings before and after you've changed them.

All you need to type to view settings for a log is:

wevtutil.exe gl Log

In contrast with the other commands, the default output format of the get-log command is text; you can change this to XML with /f:xml. The command returns basic values like the log's name and location, but also access rights and logging settings.

I found that my vanilla June 2007 CTP Server Core box had no retention or automatic backup configured. This means that when one of my logs reaches its maximum size (configured at 20MB) new events overwrite old events. I changed the settings for my Security log to use retention, to set the size to 100MB and to use AutoBackup when the log file does get bigger than 100MB (I might be going on vacation, you know), using the following command:

wevtutil.exe sl Security /ms:104857600 /rt:true /ab:true

Using the dir command on the %windir%\System32\WinEvt\Logs directory to see the sizes of the *.evtx files showed me I wasn't seriously heading for trouble yet. Since I actually like the location of my event log files I didn't bother to change it.
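Checking every log by eye gets old quickly, so here is an added example (not code from the original post or from Microsoft) that parses the key/value listing wevtutil.exe gl <Log> prints, flags logs that will lose events once they hit maxSize, and builds the set-log command the post uses to fix that. SAMPLE_GL is constructed to match the layout of that listing (an assumption about the exact field names), and the function names are this example's own.

```python
"""Audit event log retention from ``wevtutil gl`` output.

Added example for this page (not code from the original post or from
Microsoft). It parses the listing that ``wevtutil.exe gl <Log>`` prints,
flags logs that will lose events when they reach maxSize, and builds the
``wevtutil sl`` command the post uses. SAMPLE_GL is constructed to match the
layout of that listing (an assumption about the exact field names).
"""

MIN_SIZE = 100 * 1024 * 1024  # 104857600 bytes, the /ms value used in the post

SAMPLE_GL = r"""name: Security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
"""


def parse_gl(text):
    """Flatten the listing into a dict; nested keys become 'logging.maxSize' etc."""
    lines = [line for line in text.splitlines() if line.strip()]
    settings, section = {}, None
    for i, raw in enumerate(lines):
        key, _, value = raw.partition(":")       # split at the first colon only;
        key, value = key.strip(), value.strip()  # channelAccess contains more of them
        if raw.startswith("  "):
            settings[f"{section}.{key}"] = value
        elif not value and i + 1 < len(lines) and lines[i + 1].startswith("  "):
            section = key                        # header of an indented group
        else:
            settings[key] = value
    return settings


def _flag(value):
    return value.strip().lower() == "true"


def audit(settings, min_size=MIN_SIZE):
    """Return findings; an empty list means the log keeps events the way the post wants."""
    findings = []
    size = int(settings.get("logging.maxSize", "0"))
    if size < min_size:
        findings.append(f"maxSize is {size} bytes, below the {min_size} wanted")
    if not _flag(settings.get("logging.retention", "false")):
        findings.append("retention off: new events overwrite old ones once the log is full")
    if not _flag(settings.get("logging.autoBackup", "false")):
        findings.append("autoBackup off: a full log is not archived to an .evtx file")
    return findings


def remediation(settings, min_size=MIN_SIZE):
    """The set-log command that applies retention, auto-backup and the new size."""
    return f"wevtutil.exe sl {settings['name']} /ms:{min_size} /rt:true /ab:true"


if __name__ == "__main__":
    current = parse_gl(SAMPLE_GL)
    for finding in audit(current):
        print("-", finding)
    print(remediation(current))
```

In practice you would feed the real output of wevtutil.exe gl Security into parse_gl. Note that /rt:true on its own makes a full log stop recording rather than wrap, which is a quiet way to lose audit events; pair it with /ab:true as the post does, and keep an eye on free space in the Logs directory, because every archived file is another maxSize on disk.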


Event Viewer from another machine

If you're not comfortable building XPath queries you might opt to manage the event logs on your Server Core box with the Event Viewer on a Windows Vista or another Windows Server 2008 box.

You can open the Event Logs on your Server Core box using the Event Viewer utility on a box with an Operating System prior to Windows Vista, but it will not provide you with all the logs and all the features.

Opening up the firewall

In order to allow the Event Viewer on another box to connect to the event logs of your Server Core box you need to allow that traffic through the firewall, which is turned on by default. In Windows Firewall you can open the set of ports known as the Remote Administration exception with the following command:

netsh firewall set service type=remoteadmin mode=enable

If you're really paranoid or require special configuration you can use the netsh advfirewall context instead of netsh firewall, which lets you restrict the exception to specific IP ranges or network adapters.

Connect to another computer's Event logs

Connecting to another computer's event logs is easy, as described here:

  1. Start Event Viewer.
  2. Click the root node, for example Event Viewer (Local), in the console tree.
  3. On the Action menu, click Connect to Another Computer.
  4. In Another computer, type the name or IP address of the remote computer and then click OK.

Alternatively you can use eventvwr.exe \\RemoteComputersName (on Windows XP, Windows Server 2003, etc.) or eventvwr.msc /computer=RemoteComputersName (on Windows Vista and Windows Server 2008) to start the Event Viewer pointed at your Server Core machine.


Using Event Log Subscriptions and Forwarding

Windows Vista and Windows Server 2008 offer event log subscriptions and event forwarding. In a big environment keeping up with event logs might even consume most of one person's time in the IT department. Forwarding events from your Server Core box to a Windows Vista computer might provide some relief, since there you'd have both the command line tool wevtutil.exe and the graphical tool eventvwr.msc.

Configure your Server Core machine

To enable event log subscriptions, your first step is to run the following command on the Server Core machine:

winrm quickconfig

This configures the Windows Remote Management settings, creates a WinRM listener on http://* to accept WS-Man requests to any IP address on the machine, and enables the WinRM firewall exception.

Note:
You can enable event forwarding on a pre-June CTP Server Core machine despite the absence of Internet Information Services (IIS): WinRM does not depend on IIS.

Configure the dedicated Event Viewer machine

To configure the Windows Vista machine to pull the events from your Server Core machine, perform the following steps, as described here:

  1. On the collector computer, run Event Viewer as an administrator.
  2. Click Subscriptions in the console tree.
  3. Click Add Subscription in the Actions menu.
  4. In Subscription Name, type a name for the subscription.
  5. In Description, provide an optional description.
  6. In Destination Log, select the log file where collected events are to be stored. By default, collected events are stored in the ForwardedEvents log.
  7. Click Add and select the computers from which events are to be collected.
  8. Click Select Events to display the Query Filter dialog box. Use the controls in the Query Filter dialog box to specify the criteria that events must meet to be collected.
  9. Click OK on the Subscription Properties dialog box. The subscription will be added to the Subscriptions pane and, if the operation was successful, the Status of the subscription will be Active.

Concluding

Handling Server Core Events on the console takes some knowledge and getting used to. 

When you're hard core you can manage your event logs from the command line. I really appreciate this approach, because it doesn't ask whether I'm sure. Of course I'm sure! I'm using Server Core since I know what I'm doing...

Further reading

Event Log Subscriptions in Windows Server 2008 (and Vista)
WEVTUTIL queries - .NET Performance 
Microsoft Technet on Wevtutil and Event Logs
Using Wevtutil on Longhorn server core servers to scan the event logs... 
Some remarks regarding Vista's event logging 
Enable or Disable the Remote Administration Exception
Syslog ... 20 Years Later 
Create a New Subscription
Work with Event Logs on a Remote Computer
Launch The Event Viewer In Vista 
Working with Vista's new Event Viewer
New Windows Event Log: Gateway to Native Windows Functionality in Vista 
Access denied when accessing event viewer on a domain controller 
Troubleshooting issues with Windows computers using Event Viewer 
Command-Line parameter to open the Event Viewer on Another Computer 
Assigning Custom Tasks To Events In Vista 
Windows Vista Event - Viewer Improvements
Why is the Internet Explorer folder in Event Viewer always empty (IE7)? 
Batch file for clearing all the logs at once in Vista 
EventID.Net 

Disclaimer Beta Software

The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

Posted: Sunday, September 02, 2007 6:13 PM by Sander Berkouwer

Comments

The things that are better left unspoken said:

I've already shown you how to remotely manage your Server Core installations of Windows Server Core using

# February 23, 2008 2:20 PM

links for 2008-03-02 « Blog Archive « Netweb said:

  • (tags: linux hosting sysadmin isp setup howto)
  • (tags: microsoft windows sysadmin server core)
  • (tags: microsoft windows sysadmin server 2008 core)
# July 20, 2008 7:32 AM

tonymurray said:

Great info, Sander.

Just one small thing. To get your time-based query to work you will need to replace the "&lt;" escape sequence with "<".

I've blogged about this here:

http://www.open-a-socket.com/index.php/2008/11/28/exporting-event-logs-with-wevtutilexe-using-a-time-based-query/

Tony

# November 27, 2008 5:11 PM

Sander Berkouwer said:

Hi Tony,

Thanks for the tip!

When defining a timespan when exporting event logs you indeed need to replace the "&lt;" bit with "<".

Great blog post, btw.

# November 27, 2008 11:54 PM