Lesson 11
Skills Matrix

Technology Skill | Objective Domain | Objective #
                 |                  | 3.2
Using Auditing   |                  | 3.3
It is common practice for software
products to save information about their
ongoing activities to chronological lists
called logs.
By examining the logs, administrators can
track the activity of the software,
document errors, and extract analytical
information.
Logs are traditionally text files, which
administrators open in an editor
application, but the Windows operating
systems have long used a graphical tool,
Event Viewer, for this purpose.
Event Viewer
The operating system component that
generates the Windows logs is called
Windows Eventing.
The primary function of the Windows
Eventing engine is to record
information about system activities as
they occur and to package that information
in individual units called events.
The application you use to view the events
is called Event Viewer.
In Windows Server 2008, Event Viewer
takes the form of a Microsoft Management
Console (MMC) snap-in.
Event Viewer
The Event Viewer snap-in appears in
Windows Server 2008 as a separate
console, accessible from the
Administrative Tools program group,
and as part of other consoles,
including Server Manager (under the
Diagnostics node), and Computer
Management (under System Tools).
As with all snap-ins, you can also add
Event Viewer to a custom MMC
console.
Windows Logs
When you expand the Windows Logs
folder in the Event Viewer console,
you see the following logs:
Application
Security
Setup
System
Forwarded Events
Types of Logs
The four types of logs that can appear in
this folder are as follows:
Admin Contains events targeted at end
users or administrators that indicate a
problem and offer a possible solution.
Operational Contains events that signify
a change in the application or service, such
as the addition or removal of a printer.
Analytic Contains a high volume of
events tracking application operation
activities.
Debug Contains events used by software
developers for troubleshooting purposes.
By default, only the Admin and
Operational logs are visible in the
Event Viewer console, because these
are the logs that can be useful to the
average administrator.
The Analytic and Debug logs are
disabled and hidden, because they
typically contain large amounts of
information that is of interest only to
developers and technicians. To
display and enable these log types.
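The enable and disable cycle for an Analytic or Debug log, as an added example that is not part of the lesson. It assumes Windows Server 2008 with PowerShell 2.0 and the in-box wevtutil.exe, run from an elevated prompt; the value of $LogName is a placeholder to be replaced with a name printed by the first step.

```powershell
# Added example, not from the course text. Assumes Windows Server 2008 with
# PowerShell 2.0 and the in-box wevtutil.exe, run from an elevated prompt.
# $LogName is a placeholder: substitute a name printed by step 1.

# 1. Which channels on this server are Analytic or Debug logs, and are they on?
#    This is the same set Event Viewer hides until you choose
#    View > Show Analytic and Debug Logs.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.LogType -eq 'Analytical' -or $_.LogType -eq 'Debug' } |
    Select-Object LogName, LogType, IsEnabled, MaximumSizeInBytes |
    Format-Table -AutoSize

# 2. The same information from wevtutil ("enabled: false" is the default).
$LogName = 'Microsoft-Windows-Example/Analytic'   # placeholder, see step 1
wevtutil gl $LogName

# 3. Enable it only for the duration of the troubleshooting: these logs are
#    small ring buffers that wrap rather than grow, and they cost CPU on a
#    busy server.
wevtutil sl $LogName /e:true

# ... reproduce the problem here ...

# 4. Disable it, then read it. Get-WinEvent refuses Analytic/Debug logs
#    unless -Oldest is given, because they cannot be read newest-first.
wevtutil sl $LogName /e:false
Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Leaving an Analytic log enabled after the investigation is the usual mistake: it keeps consuming CPU and disk, and because it wraps, the events you wanted are typically gone by the time anyone looks.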
Additional Logs
The Event Viewer console comes
preconfigured with a large collection
of additional logs for Windows Server
2008.
When you expand the Microsoft and
Windows folders in the Applications
and Services Logs folder, you see a
long list of Windows components.
Each of these components has a
pathway, called a channel, to its
Custom Views
Another means of locating and
isolating information about specific
events is to create custom views.
A custom view is essentially a filtered
version of a particular log, configured
to display only certain events.
The Event Viewer console now has a
Custom Views folder, in which you
can create filtered views and save
them for later use.
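A custom view is just a stored query, so the same filter can be run from PowerShell or saved to a file and imported into the Custom Views folder. The following is an added example, not part of the lesson. It assumes PowerShell 2.0 on Windows Server 2008; the XPath query is the syntax Event Viewer shows on the XML tab of a custom view, the view name and file path are arbitrary, and the ViewerConfig envelope is assumed to be the shape Event Viewer's Export Custom View produces (compare it with a view you export yourself before relying on it).

```powershell
# Added example, not from the course text. Assumes PowerShell 2.0 on Windows
# Server 2008. The QueryList/XPath below is the syntax Event Viewer generates
# on the XML tab of a custom view; $ViewPath and the view name are arbitrary.

# Critical (Level 1) and Error (Level 2) events from the System and
# Application logs in the last 7 days. timediff() is in milliseconds, and
# "<" must be written as &lt; because the query is XML.
$Query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
  </Query>
</QueryList>
'@

# Run the filter from the shell: this is exactly what the console view does.
$Events = Get-WinEvent -FilterXml $Query -ErrorAction SilentlyContinue
$Events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Wrap the query in the envelope Event Viewer reads from
# Custom Views > Import Custom View... (assumption: this matches what
# Export Custom View writes; verify against an exported view).
$ViewPath = "$env:USERPROFILE\Desktop\Recent-Errors.xml"
@"
<ViewerConfig>
  <QueryConfig>
    <QueryParams><UserQuery /></QueryParams>
    <QueryNode>
      <Name>Recent Critical and Error events</Name>
      <Description>System and Application, last 7 days</Description>
$Query
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@ | Set-Content -Path $ViewPath -Encoding UTF8
```

Keeping views as XML files in version control, rather than only in a console, means the same filter can be applied on every server and reviewed like any other configuration.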
Resource Overview
When you launch the Reliability and
Performance Monitor console, you see the
Resource Overview screen.
This screen contains four real-time line
graphs that display information about four
of the server's main hardware
components: CPU, disk, network, and memory.
Each of the four components also has a
separate, expandable section below the
graphs, displaying more detailed
information in text form, such as the
resources being utilized by individual
Performance Monitor
Performance Monitor is another
tool within the Reliability and
Performance Monitor console that
displays system performance
statistics in real time.
The difference between Performance
Monitor and Resource Overview is
that Performance Monitor can display
hundreds of different statistics
(called performance counters) and
that you can create a customized
graph containing any statistics you choose.
Adding Counters
In the Add Counters dialog box, you
have to specify the following four
pieces of information to add a
counter to the display:
Computer
Performance object
Performance counter
Instance
Reliability Monitor
Reliability Monitor is a new
addition to Windows Server 2008
that automatically tracks events that
can have a negative effect on system
stability and uses them to calculate a
stability index.
Bottleneck
A bottleneck occurs when a
component is not providing an
acceptable level of performance
compared with the other components
in the system.
Bottlenecks can appear for a variety
of reasons including:
Increased server load
Hardware failure
Changed server role
A Baseline
As mentioned earlier, performance
bottlenecks can develop over a long
period of time, and it can often be difficult
to detect them by observing a server's
performance levels at one particular point
in time.
A baseline is simply a set of readings,
captured under normal operating
conditions, which you can save and
compare to readings taken at a later time.
By comparing the baseline readings to the
server's current readings at regular
intervals, you can discern trends that
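The Adding Counters, Bottleneck and Baseline sections above describe one procedure: pick counters, record them under normal load, and compare later readings against that record. The script below is an added example, not part of the lesson, that does this from PowerShell 2.0 on Windows Server 2008 with Get-Counter. Counter paths use the same \\Computer\Object(Instance)\Counter form as the Add Counters dialog; the counter list, the baseline file location and the "twice the baseline" threshold are choices made for this example.

```powershell
# Added example, not from the course text. Assumes PowerShell 2.0 (Get-Counter)
# on Windows Server 2008. The counter list, $BaselinePath and the thresholds
# are choices made for the example, not values from the lesson.
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\% Disk Time'
)
$BaselinePath = 'C:\PerfLogs\baseline.xml'

function Get-CounterAverages {
    param([string[]]$Paths, [int]$Samples = 30, [int]$Interval = 2)
    # One value per counter: the mean of $Samples readings taken $Interval s apart.
    $Sets = Get-Counter -Counter $Paths -SampleInterval $Interval -MaxSamples $Samples
    $Readings = @{}
    foreach ($Set in $Sets) {
        foreach ($Sample in $Set.CounterSamples) {
            # Strip the \\COMPUTER prefix so readings from different hosts line up.
            $Key = $Sample.Path -replace '^\\\\[^\\]+', ''
            if (-not $Readings.ContainsKey($Key)) { $Readings[$Key] = @() }
            $Readings[$Key] += $Sample.CookedValue
        }
    }
    $Averages = @{}
    foreach ($Key in $Readings.Keys) {
        $Averages[$Key] = ($Readings[$Key] | Measure-Object -Average).Average
    }
    return $Averages
}

if (-not (Test-Path $BaselinePath)) {
    # First run, under normal load: record the baseline and stop.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-CounterAverages -Paths $Counters | Export-Clixml -Path $BaselinePath
    "Baseline written to $BaselinePath"
    return
}

# Later runs: compare current readings against the saved baseline and flag
# any counter that has moved far enough to suggest a bottleneck.
$Baseline = Import-Clixml -Path $BaselinePath
$Current  = Get-CounterAverages -Paths $Counters -Samples 10
foreach ($Key in ($Current.Keys | Sort-Object)) {
    $Was = $Baseline[$Key]
    $Now = $Current[$Key]
    $Worse = $false
    if ($Key -like '*Available MBytes*') {
        # Free memory is the one counter here that is bad when it falls.
        if ($Now -lt 0.5 * $Was) { $Worse = $true }
    }
    elseif ($Now -gt 2 * $Was -and $Now -gt 1) {
        # Everything else is bad when it rises; ignore noise around zero.
        $Worse = $true
    }
    $Flag = 'ok'
    if ($Worse) { $Flag = 'CHECK' }
    '{0,-48} baseline {1,10:N1}  now {2,10:N1}  {3}' -f $Key, $Was, $Now, $Flag
}
```

For a baseline that spans days rather than a minute, record the same counters with a Data Collector Set (logman.exe or the Reliability and Performance Monitor console) and average the resulting log instead; the comparison logic is unchanged. A single snapshot, which is what Resource Overview gives you, cannot distinguish a transient spike from a trend.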
Auditing
Auditing is the process by which
administrators track specific security-related
events on a Windows Server 2008 computer.
To audit security events, you must enable
the audit policy settings for the computer,
either locally or through Group Policy
(Computer Configuration > Windows Settings >
Security Settings > Local Policies > Audit
Policy); on Windows Server 2008 the finer
grained subcategories are set with auditpol.exe.
Once you activate these settings, the
system tracks the specified activities and
records them as Audit Success and Audit
Failure events in the Security log, which
you can view using the Event Viewer snap-in.
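The auditing procedure above, carried through from enabling the policy to reading the results, as an added example that is not part of the lesson. It assumes Windows Server 2008 with PowerShell 2.0 and the in-box auditpol.exe and wevtutil.exe, run elevated; the Security log size and the 24-hour window are choices made for the example, and the event IDs used (4625 failed logon, 4720 account created, 1102 audit log cleared) are the standard Windows Server 2008 Security log IDs.

```powershell
# Added example, not from the course text. Assumes Windows Server 2008 with
# PowerShell 2.0; auditpol.exe and wevtutil.exe are in-box. Run elevated.
# Event IDs 4625 / 4720 / 1102 are the standard 2008 Security log IDs.

# 1. What is actually in effect right now. Group Policy can override what was
#    set locally, so check the result rather than the intent.
auditpol /get /category:*

# 2. Turn on the subcategories worth having on every server. Subcategory
#    settings only survive a policy refresh if "Audit: Force audit policy
#    subcategory settings to override audit policy category settings" is
#    enabled; otherwise the nine legacy categories from Group Policy win.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# 3. The Security log defaults to 20 MB on a member server and overwrites as
#    needed; a busy server can cycle through that in hours. Give it room
#    (value in bytes) and confirm.
wevtutil sl Security /ms:134217728
wevtutil gl Security | Select-String 'maxSize|retention'

# 4. Read back the results. -FilterHashtable is the shell equivalent of
#    Filter Current Log in Event Viewer.
$Since  = (Get-Date).AddHours(-24)
$Failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
            -ErrorAction SilentlyContinue

# Pull fields out of the EventData section by name rather than by position,
# which is what the message template does behind the scenes.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $Xml = [xml]$Event.ToXml()
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Failed logons grouped by target account and source address: a long tail of
# one-off failures is normal, one pair with a large count is a guess attack.
$Failed |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Account = Get-EventField $_ 'TargetUserName'
            Source  = Get-EventField $_ 'IpAddress'
            Status  = Get-EventField $_ 'Status'
        }
    } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 5. Two events that should always be reviewed: the audit log was cleared
#    (1102) and a new account appeared (4720).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4720; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Enabling auditing without also sizing the Security log, and without forwarding or archiving it, produces a log that has already wrapped by the time an incident is noticed; the policy step and the retention step belong together.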
Summary
The primary function of the Windows
Eventing engine is to record
information about system activities
as they occur and to package that
information in individual units
called events.
The application you use to view the
events is called Event Viewer.
When you expand the Windows Logs
folder in the Event Viewer console,
you see the following logs:
Application, Security, Setup, System,
and Forwarded Events.
Each event in the Windows logs carries
a level: Critical, Error, Warning,
Information, or Verbose. The Security
log is the exception: its events are
audit records, shown as Audit Success
or Audit Failure.
There are four types of logs that can
appear in the Applications and
Services Logs folder, as follows:
Admin, Operational, Analytic, and
Debug.
When you launch the Reliability and
Performance Monitor console, you
see the Resource Overview screen,
which contains four real-time line
graphs that display information
about four of the servers main
hardware components.
While the Event Viewer snap-in
enables you to review system events
that have already occurred, the
Reliability and Performance Monitor
snap-in enables you to view system
information on a continuous, real-time basis.
Performance Monitor is a tool within
the Reliability and Performance
Monitor console that displays system
performance statistics in real time.
The difference between Performance
Monitor and Resource Overview is
that Performance Monitor can display
hundreds of different statistics
(called performance counters) and
you can create a customized graph
containing any statistics you choose.
Reliability Monitor is a new addition
to Windows Server 2008 that
automatically tracks events that can
have a negative effect on system
stability and uses them to calculate a
stability index.
A bottleneck is a component that is
not providing an acceptable level of
performance compared with the
other components in the system.
Auditing is the process by which
administrators can track specific
security-related events on a Windows
Server 2008 computer.