- The Windows 2000\XP\.NET Resource Index

Last Updated December 10, 2003

Windows 2000 Event Log

Event Logging in Windows 2000

If you want to keep your NT Network running smoothly, keeping a watchful eye on the Event Logs is a necessity. But it doesn't have to be a time-consuming task (even across hundreds of servers). The following are some resources we found useful.

Where to Start...
Auditing System Events: Creating an Audit Policy
By auditing your system on a regular basis, you'll know what your users are up to--and you'll be able to spot attempted network intrusions. Source: EarthWeb (Nov 2, 2000)

Auditing System Events: Setting Up an Audit Policy
Part 2 of Brien Posey's series on setting up audit policies, an essential element in your Windows 2000 security arsenal. Source: EarthWeb (Nov 11, 2000)

Auditing System Events: Auditing Specific Events
Part 3 in our series on auditing Windows 2000 security helps you refine your auditing techniques. Source: EarthWeb (Nov 11, 2000)

HOW TO: Diagnose System Problems with Event Viewer in Microsoft Windows 2000
Microsoft Knowledge Base Article: 302542 - This step-by-step guide describes how to use Event Viewer as a troubleshooting tool. Event Viewer displays detailed information about system events.

Managing NT Event Logs With Perl for Win32: Part 1
Combine with a third-party event log monitoring tool to track the results of your Perl automation scripts. Source: Windows & .NET Magazine (February 1998)

Managing NT Event Logs With Perl for Win32: Part 2  
Investigate a Perl for Win32 script that unlocks the information in the NT event logs. Source: Windows & .NET Magazine (March 1998)

Nick Tonkin's proc_event_log Page
Nick wrote a cool Perl script that allows you to track and analyze user sessions on your network.

Windows 2000 Security Event Descriptions (Part 1 of 2)
Microsoft Knowledge Base Article: 299475 - This article contains descriptions of various security-related and auditing-related events, and information about how to interpret these events. These events will all appear in the Security event log and will be logged with a source of "Security" 

Windows 2000 Security Event Descriptions (Part 2 of 2)
Microsoft Knowledge Base Article: 301677 - This article contains descriptions of various security-related and auditing-related events, and information about how to interpret these events. These events will all appear in the Security event log and will be logged with a source of "Security" 

Windows NT Event Logs  
By Michael Otey, Windows NT Magazine, November 1996

Windows NT Event Viewer  
By Michael D. Reilly, Windows NT Magazine, November 1998

Windows NT has a well-defined error management system 
One of the most important functions of any mainframe applications software is the reporting of processing errors. Error reporting is a critical tool computer operators can use to ascertain the health of their systems. Source: Byte Magazine

How to Articles

How to Change the Default Event Viewer Log File Location 
Microsoft Knowledge Base Article: 216169 - The Windows NT Event Viewer tool maintains three log files containing the System, Application, and Security event messages. However, the Event Viewer tool may not be able to write event messages to one of these log files if there is no disk 

HOW TO: Clear the Windows 2000 Event Logs 
Microsoft Knowledge Base Article: 315147 - This step-by-step article describes how to clear the Windows 2000 Event Logs. With Windows 2000 Event Logs, you can monitor events that are related to applications, security, and system events. 

How to Configure Event Log Replication in Windows 2000 Cluster Servers 
Microsoft Knowledge Base Article: 224969 - By default, when Clustering is installed on Windows 2000 Advanced Server or Windows 2000 Datacenter servers, events that are logged in the event log of one node in the cluster are also shown in the event log of the other nodes.

HOW TO: Configure the Size and Behavior of Event Viewer Logs in Windows 2000 
Microsoft Knowledge Base Article: 320121 - This step-by-step article describes how to change the size and behavior of the event logs in Event Viewer

How To Delete Corrupt Event Viewer Log Files 
Microsoft Knowledge Base Article: 172156 - When you launch Windows NT Event Viewer, one of the following error messages may occur if one of the *.evt files is corrupt:

HOW TO: Enable and Apply Security Auditing in Windows 2000 
Microsoft Knowledge Base Article: 300549 - This step-by-step instruction guide describes how to enable and apply Windows security auditing.

How to Enable Diagnostic Event Logging for Active Directory Services 
Microsoft Knowledge Base Article: 220940 - You can enable enhanced event logging for certain Windows 2000 services. This may be useful for debugging purposes. This logging is set to disabled by default because the amount of data that can be logged can quickly fill the event log. 

How to Enable Kerberos Event Logging
Microsoft Knowledge Base Article: 262177 - Windows 2000 offers the capability of tracing detailed Kerberos events through the event log mechanism. You can use this information when you troubleshoot Kerberos. This article describes how to enable Kerberos event logging. 

How to Enable User Environment Event Logging in Windows 2000 
Microsoft Knowledge Base Article: 186454 - This article describes how to enable the user environment event logging features available in Windows 2000.

HOW TO: Move Event Viewer Log Files to Another Location 
Microsoft Knowledge Base Article: 315417 - This step-by-step article describes how to move Windows 2000 Event Viewer log files to another location on the hard disk. 

HOW TO: Use the Event Logging Utility (Logevent.exe) to Create and Log Custom Events in Event Viewer 
Microsoft Knowledge Base Article: 315410 - This step-by-step article describes how to use the Event Logging utility (Logevent.exe) to create and to log custom events to the Application Log of Event Viewer. Logevent.exe is included in the Windows 2000 Resource Kit. You can start Logevent.exe by using either the command prompt or a batch file, and you can use the tool to create entries in the Application Log of either a local or a remote Windows 2000-based computer. 

How to View Saved Directory Service, DNS Server, and File Replication Service Event Logs from Another Windows 2000-Based Computer 
Microsoft Knowledge Base Article: 235427 - Windows 2000 Event Viewer includes three new event logs: 

Introducing the NT Security Log
Learn how to get the most benefits out of your NT security log. Source: Windows & .NET Magazine (March 2000)

Interpreting the NT Security Log
To use the Security Log, you need to understand three of the most important categories of security events: logon and logoff, object access, and process tracking. Source: Windows & .NET Magazine (April 2000)

Turning Off Print Job Logging in the System Log
Microsoft Knowledge Base Article: 115841 - By default, Windows NT and Windows NT Advanced Server log every print job processed by the server in the System Log. This article explains how to disable that logging.

Misc. Technical articles
Auditing Does Not Report Security Event for Resetting Password on Domain Controller 
Microsoft Knowledge Base Article: 267556 - If you choose to audit success and failure with the "Audit account management" policy, the auditing does not report the expected success event in the Security log when an administrator resets the user password on a domain controller. 

Cannot Open .evt Files Included in a Winrep .cab File
Microsoft Knowledge Base Article: 255871 - When you attempt to open an Event Viewer log file (.evt file) that is included in a Windows Reporting tool (Winrep) .cab file, you may receive an error message: 

Defined Actions for Administrative Alerts Do Not Occur When the Security Log Is Full
Microsoft Knowledge Base Article: 329350 - Defined actions for a configured administrative alert do not occur when counter data triggers an alert because of a full security log. For example, when you select the Do not overwrite events (clear log manually) setting for your security event log.

Disk Quota Events Not Written to the Event Log Immediately
Microsoft Knowledge Base Article: 228812 - By default, Disk Quota notifications are not written to the event log immediately. Instead, they are written to the event log every hour.

Event ID 12 After Installing or Upgrading to Windows 2000
Microsoft Knowledge Base Article: 256222 - When you install or upgrade your computer to Windows 2000, the following Event ID may be logged to the application event log: Failed to CoGetClassObject for provider "Microsoft|DSLDAPClassProvider|V1.0". Class not registered (0x80040154) This entry appears only for the first restart; subsequent restarts do not log this event. 

Event ID 1000 and 1001 Repeat Every 5 Minutes in the Event Log
Microsoft Knowledge Base Article: 271213 - Event ID 1000 and 1001 may repeatedly be logged in the Application log every five minutes with the following information: 

Event ID 3013 When You Copy Files to a Server That Is Under Disk Stress
Microsoft Knowledge Base Article: 252332 - When you perform a large amount of network file transfers to a server (enough to cause a reasonable amount of disk stress on the server), one or more instances of the following error message may be displayed in the client event logs:

Event ID 3113 Logged in System Event Log When Joining a Domain
Microsoft Knowledge Base Article: Q262348 - Event ID 3113 from the Workstation service may be recorded in the System event log when you join a Windows 2000-based workstation or server to a domain. 

Error Messages in Event Log Service Caused by File Size Limit
Microsoft Knowledge Base Article: 109443 - The following error messages may occur in Event Log Service due to the default file size limitations or default Event Log Wrapping in Event Log Settings: 

Event Log Settings Are Not Retained During Windows 2000 Upgrade
Microsoft Knowledge Base Article: 227340 - When you upgrade a computer from Microsoft Windows NT 4.0 to Windows 2000, your custom settings for the Event Log tool are not retained. These settings are instead reset to the default values. 

No Event Log Replication on Cluster Servers
Microsoft Knowledge Base Article: 229071 - Windows 2000 Advanced Server and Datacenter Server include a feature known as Event Log Replication. Event Log Replication replicates events from each node in a Cluster Server to the other nodes. When an event is logged to the event log of 

The Event Log Stops Logging Events Before Reaching the Maximum Log Size 
Microsoft Knowledge Base Article: 312571 - The Event Log service may stop logging events before the size that is specified in the Maximum log size setting is reached if the Do not overwrite events option is turned on. This can cause events to be lost. The event log generally stops logging new events when the log reaches a size of from approximately 200 megabytes (MB) to 600 MB.

Time Stamp Changes with Daylight Savings
Microsoft Knowledge Base Article: 129574 - When Windows NT automatically adjusts for daylight savings time, the times on files on Windows NT file system (NTFS) partitions and the events in the event logs are retroactively shifted by one hour, even though the files and event records were created before the daylight savings time change.

Entire contents
© 1999-2003 and TechTarget
All rights reserved
