January 22, 2001 12:00 AM

Progressive Perl for Windows: Taking Advantage of the Windows Event Logs

Windows IT Pro
InstantDoc ID #16404
Downloads: 16404.zip

Life in the world of Win32 administration is indeed a precarious existence. Having lived there, I can attest to how difficult it is to maintain the health of a group of machines.

Fortunately, event logs give you a way to monitor that health. The event log has been part of Windows NT since the first release and plays the role that syslog plays on UNIX. An event log is a simple database of event records, and an event is simply an announcement by a program or OS component that something noteworthy has occurred.

Typically, event-log entries tell you that a problem has occurred. For example, an entry might tell you that a SCSI driver was unable to commit data to a drive, a Web server shut down, or a user attempted to log on but failed to provide the correct password. This information is useful because it can help isolate or predict system failures. For example, if the SCSI driver event is frequently showing up in a log, you might have a SCSI card or drive that is about to fail. Such preemptive foresight can prevent a catastrophe.

Nothing is logged automatically. A program or OS component writes an event only where its programmer coded a call to report one, or where a systems administrator has turned on the auditing or logging option that triggers it. Thus, you can adapt existing code, or write new code, to generate event-log entries of your own.

Before you can query your machines' log files to spot potential problems or write new event-log entries in those files, you need to understand how the logging process works. In addition, you need to understand the various elements that make up an event-log entry.

Understanding Event Logs
A typical Win2K or NT machine has at least three event logs: Application, Security, and System. (In Win2K, you might also have other logs, such as the DNS Server log.) When an OS component or program reports an event, it names the event source for that event. For example, when the DHCP service reports an event, it names DHCPServer as the source. The event-logging service looks the source up in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog, finds DHCPServer registered beneath the System log, and stores the record in the System log with DHCPServer as its source. A source that isn't registered under any log ends up in the Application log, which is why entries from programs that never registered a source all land there.

Each registered source points to a message table (usually in a .dll file) that contains the source's canned messages. For example, a Web service might have a message table with several numbered messages. Message 1 might be The web server has been started, message 2 might be The web server has been stopped, and so on. The number of a message is its event ID. (Event Viewer shows the low 16 bits of the 32-bit message identifier; the high bits carry severity and facility flags that the message compiler sets.) When a program or OS component reports an event, it passes only the event ID, not the text. When you run eventvwr.exe, Event Viewer uses the source's registration to locate the message table and the event ID to pick the message to display.

You might notice that, in some log entries, part of the text changes from entry to entry. For example, one entry might say The web service was stopped at 11:28 am and another might say The web service was stopped at 3:14 pm. The text in a message table can contain placeholders (%1, %2, and so on) that Event Viewer expands when you view the entry. The values for these placeholders are the event's strings, which the reporting program supplies along with the event ID; they are referred to as string 1, string 2, and so on. Only the strings are stored in the record; the surrounding text lives in the message table. If that message .dll isn't available on the machine viewing the log (for example, when you read a server's log from a workstation that doesn't have the server's message files installed), Event Viewer reports that the description for the event ID can't be found and shows only the raw strings.

When a program or OS component reports an event, it also identifies the event type. There are five event types:

  • EVENTLOG_ERROR_TYPE (indicates that an error, such as a hardware or software failure, has occurred)
  • EVENTLOG_WARNING_TYPE (warns that something worth noting has occurred, but the occurrence isn't catastrophic)
  • EVENTLOG_INFORMATION_TYPE (reports something the software considers of interest, such as a service starting)
  • EVENTLOG_AUDIT_FAILURE (indicates that a security audit recorded a failure, such as a user failing to log on because of an incorrect password)
  • EVENTLOG_AUDIT_SUCCESS (indicates that a security audit recorded a success)

The two audit types appear only in the Security log, which only the Local Security Authority writes to; the audit policy you set on a machine determines which successes and failures are recorded there.

Querying Event Logs
The Perl Win32::EventLog extension provides the functions you need to work with event logs: reading events, reporting events, and routine maintenance such as backing up and clearing logs. Win32::EventLog ships with ActivePerl, which you can download from ActiveState (http://www.activestate.com).

The script Query.pl uses a Win32::EventLog object to read a log and display the entries of type EVENTLOG_ERROR_TYPE, EVENTLOG_WARNING_TYPE, and EVENTLOG_INFORMATION_TYPE, which makes it a quick way to get a dump of recent event-log activity on a machine. Listing 1 contains an excerpt from Query.pl. You can find the entire Query.pl script, as well as the other scripts discussed here, in the Code Library on the Windows Scripting Solutions Web site (http://www.winscriptingsolutions.com). These scripts work on all versions of Win2K and NT.
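The query described in this section, written out as an added example. This is my own script, not Query.pl from the article or any ActiveState code; the script name QueryRecent.pl, its command-line arguments and its output layout are my choices. It goes a step beyond the three types Query.pl shows by accepting the audit types as well, so the same script can pull the newest AUDIT_FAILURE records out of the Security log, and it prints the raw strings next to the expanded message so the output still tells you something when the source's message .dll isn't installed locally.

```perl
#!/usr/bin/perl
# QueryRecent.pl (name assumed): print the newest records of one event log,
# newest first, restricted to the event types named on the command line.
use strict;
use warnings;
use Win32::EventLog;

# Tell Read() to expand each record's message-table text into $ev{Message}.
# If the source's message DLL is not installed on the reading machine this
# yields nothing useful, so the raw strings are printed as well.
$Win32::EventLog::GetMessageText = 1;

my %TYPE_NAME = (
    EVENTLOG_ERROR_TYPE()       => 'ERROR',
    EVENTLOG_WARNING_TYPE()     => 'WARNING',
    EVENTLOG_INFORMATION_TYPE() => 'INFORMATION',
    EVENTLOG_AUDIT_SUCCESS()    => 'AUDIT_SUCCESS',
    EVENTLOG_AUDIT_FAILURE()    => 'AUDIT_FAILURE',
);

# Usage: perl QueryRecent.pl [LOG] [COUNT] [TYPES] [SERVER]
#   LOG     Application, Security, System, ... (default System)
#   COUNT   how many of the newest matching records to show (default 20)
#   TYPES   comma-separated names from %TYPE_NAME, or ALL
#           (default ERROR,WARNING,INFORMATION, the same set Query.pl shows)
#   SERVER  remote machine as \\NAME; empty means the local machine
# Reading the Security log needs the "Manage auditing and security log"
# user right (SeSecurityPrivilege), so run that case as an administrator.
my $log    = shift || 'System';
my $count  = shift || 20;
my $types  = shift || 'ERROR,WARNING,INFORMATION';
my $server = shift || '';

my %named = map { $_ => 1 } split /,/, uc $types;
my %want  = map { $_ => 1 }
            grep { $named{ALL} || $named{ $TYPE_NAME{$_} } } keys %TYPE_NAME;
die "No known event type in '$types'\n" unless %want;

my $h = Win32::EventLog->new($log, $server)
    or die "Cannot open the $log log on '", ($server || 'localhost'), "': $^E\n";

my ($total, $oldest);
$h->GetNumber($total) or die "GetNumber failed: $^E\n";
$h->GetOldest($oldest) or die "GetOldest failed: $^E\n";
print "$log log: $total records (oldest is #$oldest); newest first\n\n";

# BACKWARDS|SEQUENTIAL with a record offset of 0 walks from the newest record
# toward the oldest; Read returns false once the log is exhausted.
my $shown = 0;
while ($shown < $count) {
    my %ev;
    last unless $h->Read(EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, \%ev);
    next unless $want{ $ev{EventType} };
    print format_event(\%ev), "\n";
    $shown++;
}
# The log handle is closed when $h goes out of scope.

sub format_event {
    my $ev = shift;
    # The number Event Viewer shows is the low 16 bits of the stored EventID;
    # the high bits hold severity and facility flags from the message compiler.
    my $id   = $ev->{EventID} & 0xFFFF;
    my $type = $TYPE_NAME{ $ev->{EventType} } || "UNKNOWN($ev->{EventType})";
    my $when = scalar localtime $ev->{TimeGenerated};
    # Strings arrive as one NUL-separated buffer: the %1, %2, ... inserts.
    my @strings = split /\0/, ($ev->{Strings} || '');
    (my $msg = $ev->{Message} || '') =~ s/\s+$//;

    my $out = sprintf "%-13s %s  %s  id=%d  rec=%d\n",
        $type, $when, $ev->{Source}, $id, $ev->{RecordNumber};
    $out .= "    computer: $ev->{Computer}\n";
    $out .= "    user:     $ev->{User}\n" if defined $ev->{User} && length $ev->{User};
    for my $i (0 .. $#strings) {
        $out .= sprintf "    string %d: %s\n", $i + 1, $strings[$i];
    }
    $out .= "    message:  $msg\n" if length $msg;
    return $out;
}
```

Run it as perl QueryRecent.pl Security 50 AUDIT_FAILURE from an administrative account to see the most recent failed audits, or perl QueryRecent.pl System 20 ERROR,WARNING \\SERVER01 to check a remote server. Reading backwards and stopping after COUNT matches means the script touches only as many records as it needs, which matters on a busy server whose Security log can hold hundreds of thousands of entries.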

Comments
  • Sylvain Grenon
    Feb 13, 2004

    Nothing works with ActivePerl version 5.8.
