Viewing Specific Logged Events

After you select a log to view in Event Viewer, you can:

Viewing Details About Events

For many events, you can view more information than is displayed in Event Viewer by double-clicking the event.

The Event Detail dialog box shows a text description of the selected event and any available binary data for the selected event. This information is generated by the application that was the source of the event record. Because the data appears in hexadecimal format, its meaning can be interpreted only by a support technician familiar with the source application. Not all events generate such data. For more information, see "Viewing Event Details" in Event Viewer Help.

To control the types of security events that are audited, click Audit on the Policies menu in User Manager. To control the auditing of file and folder access, click Auditing on the Security tab in the Windows NT Explorer Properties dialog box.

Sorting Events

By default, Event Viewer lists events by date and time of occurrence from the newest event to the oldest. To change the order from oldest to newest, click Oldest First on the View menu. If the Save Settings On Exit command on the Options menu is checked when you quit, the current sort order is used the next time you start Event Viewer.

When a log is archived, the sort order affects the order in which event records are archived in a text format or comma-delimited text format file; sort order does not affect the order of event records archived in log file format. For more information, see "Using Archived Log Files" later in this chapter.

For information on how to specify the sort order, see "Sorting Events" in Event Viewer Help.

Filtering Events

By default, Event Viewer lists all events recorded in the selected log. To view a subset of events that have specific characteristics, click Filter Events on the View menu. When filtering is on, a check mark appears by the Filter command on the View menu and "(Filtered)" appears on the title bar. If Save Settings On Exit on the Options menu is checked when you quit Event Viewer, the filters remain in effect the next time you start Event Viewer.

Filtering has no effect on the actual contents of the log: It changes only the view. All events are logged continuously, whether the filter is active or not. If you archive a log from a filtered view, all records are saved, even if you select a text format or comma-delimited text format file. For more information on archiving, see "Using Event Viewer with Archived Log Files" later in this chapter.

The following table describes the options available in the Filter dialog box.

| Use | To filter for |
|---|---|
| View From | Events after a specific date and time. By default, this is the date of the first event in the log file. |
| View Through | Events up to and including a specific date and time. By default, this is the date of the last event in the log file. |
| Information [1] | Infrequent significant events that describe successful operations of major server services. For example, when a database program loads successfully, it might log an Information event. |
| Warning [1] | Events that are not necessarily significant but that indicate possible future problems. For example, a Warning event might be logged when disk space is low. |
| Error [1] | Significant problems, such as a loss of data or loss of functions. For example, an Error event might be logged if a service was not loaded during Windows NT Workstation startup. |
| Success Audit [1] | Audited security access attempts that were successful. For example, a user's successful attempt to log on to the system might be logged as a Success Audit event. |
| Failure Audit [1] | Audited security access attempts that failed. For example, if a user tried to access a network drive and failed, the attempt might be logged as a Failure Audit event. |
| Source [2] | A source for logging events, such as an application, a system component, or a driver. |
| Category [3] | A classification of events defined by the source. For example, the security event categories are Logon and Logoff, Policy Change, Privilege Use, System Event, Object Access, Detailed Tracking, and Account Management. |
| User [3] | A specific user that matches an actual user name. This field is not case sensitive. |
| Computer [3] | A specific computer that matches an actual computer name. This field is not case sensitive. |
| Event ID [2] | A specific number that corresponds to an actual event. |

[1] This option is not available for LAN Manager 2.x servers.

[2] This option is not available for audit logs on LAN Manager 2.x servers.

[3] This option is not available for error logs on LAN Manager 2.x servers.

For information on how to filter for events and turn off filtering of events, see "Filtering Events" in Event Viewer Help.

For information on how to return to the default criteria, see "Reset to Default Settings" in Event Viewer Help.
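
The filter criteria described above can also be applied offline to a log archived in comma-delimited text format. The following is an added example, not part of the original documentation: the column order, the sample rows, and the function names are assumptions made for illustration, and the View From bound is treated as inclusive so that the default (the first event's date) keeps the first event.

```python
import csv
import io
from datetime import datetime

# Assumed column order for a comma-delimited archive (not taken from the page).
COLUMNS = ["date", "time", "source", "type", "category", "event_id", "user", "computer"]

# Constructed sample rows, for illustration only.
SAMPLE_ARCHIVE = """\
1997-03-04,09:15:02,Security,Failure Audit,Logon and Logoff,529,JSmith,WKSTN01
1997-03-04,09:15:40,Security,Success Audit,Logon and Logoff,528,jsmith,WKSTN01
1997-03-04,10:02:11,Srv,Warning,None,2013,N/A,WKSTN01
1997-03-05,08:00:00,Security,Failure Audit,Logon and Logoff,529,JSMITH,wkstn02
1997-03-05,08:30:00,Security,Failure Audit,Object Access,560,adavis,WKSTN02
"""


def load_events(text):
    """Parse the archive text into a list of event dictionaries."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=COLUMNS):
        stamp = row["date"] + " " + row["time"]
        row["when"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return events


def filter_events(events, view_from=None, view_through=None, types=None,
                  source=None, category=None, user=None, computer=None,
                  event_id=None):
    """Return a filtered view; like the Filter dialog, the log itself is untouched."""
    def keep(e):
        return ((view_from is None or e["when"] >= view_from)
                and (view_through is None or e["when"] <= view_through)  # inclusive
                and (types is None or e["type"] in types)
                and (source is None or e["source"] == source)
                and (category is None or e["category"] == category)
                # User and Computer are matched without regard to case.
                and (user is None or e["user"].casefold() == user.casefold())
                and (computer is None or e["computer"].casefold() == computer.casefold())
                and (event_id is None or e["event_id"] == event_id))
    return [e for e in events if keep(e)]


if __name__ == "__main__":
    log = load_events(SAMPLE_ARCHIVE)
    for e in filter_events(log, types={"Failure Audit"},
                           category="Logon and Logoff", user="jsmith"):
        print(e["when"], e["computer"], e["event_id"])
```
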

Searching for Events

To search for events that match a specific type, source, or category, click Find on the View menu. Searches can be useful when you are viewing large logs: For example, you can search for all Warning events related to a specific application, or search for all Error events from all sources.

Your choices in the Find dialog box are in effect throughout the current session. If Save Settings On Exit on the Event Viewer Options menu is checked when you quit, the current filter settings are available the next time you start Event Viewer.

For more information, see "Searching for Events" in Event Viewer Help.