The Windows event log is a detailed record of the system, security, and application notifications stored by the Windows operating system, which administrators use to diagnose system problems and anticipate future issues.
Applications and the operating system (OS) use these event logs to record significant hardware and software actions that an administrator can use to troubleshoot problems with the operating system. The Windows operating system tracks specific events in its log files, such as application installations, security management, system setup operations on initial startup, and problems or errors.
Where are Windows logs stored?
The Windows event log location is C:\Windows\System32\winevt\Logs, if your installation is on the C drive. Event log files have the extension .evtx. When a Windows application crashes, the Windows event log stores information about the application name, why the application crashed, and the time of the incident.
Below is the Windows 11 log location as of 2022:
What is an EVTX file?
An EVTX file holds Microsoft Event Viewer logs that users can view in Event Viewer. You can open Event Viewer by running the command “eventvwr.msc” in Windows.
The components of a Windows event log
Every event in a log entry contains the following information:
Date: The date the event occurred.
Time: The time the event occurred.
User: The username of the user logged on to the machine when the event occurred.
Computer: The name of the computer.
Event ID: A Windows ID number that specifies the event type.
Source: The program or component that caused the event.
Type: The type of event, including information, warning, error, security audit success, or security audit failure.
For instance, an information event may appear as:
Information 3/19/2021 8:21:15 AM Service Kernel-Event Tracing 1 Logging
A warning event may look like:
Warning 3/19/2021 10:29:47 AM
By comparison, an error event may appear as:
Error 3/19/2021 AM Service Control Manager 7001 None
A critical event may look like this:
Critical 3/19/2021 8:55:02 AM Kernel-Power 41 (63)
The type of information stored in Windows event logs
The Windows operating system records events in five areas: application, security, setup, system, and forwarded events. Windows stores event logs in the C:\WINDOWS\system32\config\ folder.
Application events relate to incidents involving the software installed on the local computer. If an application, for example Microsoft Word, crashes, the Windows event log will create a log entry about the problem, the application name, and why it crashed.
Security events store information based on the Windows system’s audit policies, and the typical events stored include logon attempts and resource access. For instance, the security log stores a record when the computer checks account credentials as a user attempts to log on to a machine.
Setup events include focused events relating to the control of domains, such as the location of logs after a disk configuration.
System events relate to incidents on Windows-specific systems, such as the status of device drivers.
Forwarded events arrive from other machines on the same network when an administrator wants to use one computer that gathers many logs.
Using the Event Viewer
Microsoft includes the Event Viewer in its Windows Server and client operating systems to view Windows event logs. Users access the Event Viewer by clicking the Start button and entering Event Viewer into the search field. Users can then select and examine the desired log.
How to open Event Viewer in Windows?
- Press the “Start” button.
- Click “Control Panel” > “System and Security” > “Administrative Tools”
- Double-click “Event Viewer”
Windows classifies each event with a severity level. The levels are information, warning, error, and critical.
Most logs consist of information-level events. Entries at this level typically mean the event occurred without an incident or problem. An example of a system-based information event is Event 42, Kernel-Power, which shows the system is entering sleep mode.
Warning-level events are based on particular conditions, for example a lack of free storage space. Warning messages can point to potential problems that do not require immediate action. Event 51, Disk, is an example of a system-based warning related to a paging error on the machine’s drive.
An error level indicates a device may have failed to load or to operate as expected. Event 5719, NETLOGON, is an example of a system error raised when a computer cannot set up a secure session with a domain controller.
Critical-level events indicate the most severe problems. Event ID 41, Kernel-Power, is an example of a critical system event logged when a machine reboots without a clean shutdown.
Other tools to view Windows event logs
Microsoft also provides a command-line utility in the System32 folder that retrieves event logs, runs queries, exports logs, archives logs, and clears logs.
Third-party utilities that work with Windows event logs include SolarWinds Log and Event Manager, which provides real-time event correlation and remediation; file integrity monitoring; USB device monitoring; and threat detection. Log and Event Manager gathers logs from servers, applications, and network devices.
ManageEngine EventLog Analyzer builds custom reports from log data and sends real-time text messages and email alerts based on specific events.
Using PowerShell to query events
Microsoft writes Windows event logs in Extensible Markup Language (XML) format with an EVTX extension. XML provides more granular information and a consistent structure for structured data.
Administrators can build complex XML queries with the Get-WinEvent PowerShell cmdlet to include or exclude events from a query. If you are faced with issues related to corrupted event logs, we recommend you first try a software cleanup of your Windows event log. Tools such as ReconLogger or Software Events Cleaner automatically clean Windows event logs to remove junk such as unused files, configuration files, and garbage. Alternatively, you can try System Reliability; you can search and filter it by date range and service to find specific issues. The graphs in the Windows Event Viewer can help detect subtle behavior changes in your system.
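As an added example (not from the original article), the PowerShell below uses Get-WinEvent to work with the severity levels and event IDs discussed above: a hashtable filter for Kernel-Power 41, an XML structured query that selects Critical and Error events while suppressing Service Control Manager 7001, and an offline read of an exported .evtx file. The export path is a placeholder you would replace with your own.

```powershell
# Added example: querying the System log with Get-WinEvent.
# Event IDs are the ones discussed in the article:
#   41 Kernel-Power (critical), 7001 Service Control Manager (error), 51 Disk (warning).

# 1. Hashtable filter: unexpected reboots (Kernel-Power 41) in the last 7 days.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Power'
    Id           = 41
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, MachineName

# 2. Structured XML query: Critical (Level 1) and Error (Level 2) events from
#    the System log, with <Suppress> removing Service Control Manager 7001 noise.
$xmlQuery = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
    <Suppress Path="System">*[System[Provider[@Name='Service Control Manager'] and EventID=7001]]</Suppress>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml $xmlQuery -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, ProviderName, Message -AutoSize -Wrap

# 3. Read an exported .evtx file offline and pull fields out of each event's XML.
$evtxPath = 'C:\Temp\System-export.evtx'   # placeholder: path to your own export
if (Test-Path $evtxPath) {
    Get-WinEvent -Path $evtxPath -FilterXPath '*[System[EventID=51]]' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()          # the EVTX record is XML underneath
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Provider = $xml.Event.System.Provider.Name
                Computer = $xml.Event.System.Computer
            }
        }
}
```

Reading the System log requires no special rights, but querying the Security log the same way needs an elevated session or membership in the Event Log Readers group.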