Logging: The Ultimate Guide

Your open-source resource for understanding, analyzing, and troubleshooting system logs

Curated by Loggly


Windows Logging Basics

Logs are records of events that happen in your computer, either by a person or by a running process. They help you track what happened and troubleshoot problems.

The most common location for logs in Windows is the Windows Event Log. It contains logs from the operating system and from several applications, such as SQL Server or Internet Information Server (IIS). The logs use a structured data format, which makes them easy to search and analyze. Additionally, some applications write log files in text format, for example the IIS access logs.

Windows Event Logs

Windows displays its event logs in the Windows Event Viewer. This application lets you view and navigate the Windows Event Log, search and filter on particular types of logs, export them for analysis, and more. We’ll start by showing you how to access it and what features are available.

Starting Windows Event Viewer

In Windows Server 2012, the Event Viewer is accessible from a number of places. Most people will open it from the Control Panel, but we also wanted to show other places it’s accessible from.

Open from Windows Control Panel

  1. From the Control Panel, select Administrative Tools.
  2. In the Administrative Tools window, double-click the Event Viewer icon.

Control Panel

Open from Server Manager

  1. From Server Manager, open the Tools menu.
  2. Select Event Viewer from the drop-down menu.

Server Manager

Open from Computer Manager

If you choose the Computer Management option from Server Manager’s Tools menu, Event Viewer is accessible from that applet too:

Computer Manager

Open from the Command Prompt

  1. Open a command prompt window.
  2. Type eventvwr and press Enter.

Using the Windows Event Viewer Interface

Event Viewer in Windows Server 2012 has an intuitive user interface. The main screen of the Event Viewer is divided into three parts: the navigation menu, the detail pane, and the action pane. You can also create summary and custom views. We’ll show each of these below.

Navigation Menu

This menu in the left pane is where you can choose what event log you want to view. By default, Windows Event Logs are divided into five parts:

  1. Application log – Applications hosted on the local machine write their messages here.
  2. System log – This log holds messages sent by the operating system itself.
  3. Setup log – This log holds messages captured during the OS installation. If the Windows machine has been set up as a domain controller, those messages are captured here as well.
  4. Security log – This log holds information related to login attempts (successful or failed), use of elevated privileges, and more.
  5. Forwarded events log – These events are “sent” by other computers when the local machine acts as a central subscriber to those machines.

The figure below shows the Event Viewer navigation pane.

Event viewer navigation pane

As you can see from the image, there are navigation items that can show you hardware-related events, PowerShell-related events, or events related to Internet Explorer. Based on what type of events you are interested in or what source of event is important to you, you can also create custom views in the navigation pane. We will see how to create a custom view later.

Detail Pane

In the top half of the detail pane, event entries are listed in chronological order with the latest events listed near the top. You can click on any column header to sort events by that field in ascending or descending order. For example, you may want to view events of critical status only or events from a particular source.

The following image shows an error event in the detail pane:

Event viewer detail pane

Clicking on any event entry on the top half of the pane will show the event’s detailed information in the bottom half. In the example image above, we can see the highlighted event’s source (in this case MS SQL Server) and the date it happened. The General tab in the bottom half of the pane shows more information. In this case we can see the database backup failed because of insufficient disk space.

Windows event properties

The Details tab on the detail pane shows more or less the same information. There’s a friendly view:

Windows event property details

And then there’s an XML view:

Windows event properties xml

In the text and XML output below, we can see another sample log event. In this case, it’s a critical event indicating the system had shut down unexpectedly. You can see the system fields in an easy-to-read format at the top, and the entire event as XML at the bottom.


Each of these events also includes a level which indicates its severity. There are several levels:

  • Information messages let you know the application performed a successful action. These are shown with icons with an “I” in a white circle.
  • Warning messages indicate an event occurred that might present a problem later. These are shown with a yellow triangular icon.
  • Error and Critical messages indicate that a significant problem occurred. These are shown with an exclamation mark inside a red circle.

Action Menu

The action menu items on the right pane include many of the options available from the main menu bar. This includes saving event entries to a file, opening a saved event file, exporting or filtering events, etc.

event viewer action pane

As you can see, there are a number of actions possible when a particular event log is active. For example, we can search for a particular event or group of events when clicking on the “Find…” menu option. The pop-up window shown below enables us to specify query criteria:

Windows event viewer filtering

Similarly, we can create a Windows scheduled task in response to an event. An example would be sending the system administrator an email about an FTP failure event.

We can do some housekeeping if the event logs become too large. The “Clear Log…” options enable us to truncate the currently visible log. To see if any of the logs are too big, we can choose the “Windows Logs” node from the navigation pane; the detail pane shows the number of records in each Windows log and the total size of the logs:

Windows event log size

Exporting Events

It’s possible to export all events or a selection of events from the current log to an event file. The event file will have an .evtx extension:

Windows event export

Where would you use such functionality? Suppose you want to send your system’s health status to a third-party vendor—you can provide them with an exported event file. Similarly, you may wish to archive your logs before deleting them, or you may want to send your saved logs to a centralized backup medium. Saving event logs to an event file comes in handy in these cases. Administrators of the remote machine can then click on the “Open Saved Log…” option from the action pane to open the saved log.

Custom Views

Event Viewer allows us to create custom views on events. This helps if a system administrator is interested in a certain type of event or events of a certain severity level.

To create a custom event view, follow these steps:

  1. Select the Custom Views node in the navigation pane.
  2. Click the “Create Custom View…” option in the action pane.
  3. In the dialog box that appears, specify the selection criteria for the events to include in the custom view, then click OK.
  4. In the final dialog box, select the tree node in which you want to create the custom view.

The figures below show how to create a custom view that traps all critical, error, and warning events from the SQL Server instance running on the local machine.
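The XML view shown earlier and the custom view described here can be reproduced outside the GUI. As an added example that is not part of the original guide, the following Python parses an event in the same XML layout that Event Viewer's XML view displays, maps its numeric Level to the severity names listed above, and applies the same criteria as the SQL Server custom view (one provider; Critical, Error and Warning only). The sample event, its ID, message and computer name are constructed, and MSSQLSERVER is assumed as the provider name.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Level values from the Windows event schema; 0 (LogAlways) displays as Information.
LEVEL_NAMES = {0: "Information", 1: "Critical", 2: "Error", 3: "Warning",
               4: "Information", 5: "Verbose"}

def parse_event(xml_text):
    """Return the System fields that a custom view filters on."""
    system = ET.fromstring(xml_text).find("e:System", EVENT_NS)
    level = int(system.findtext("e:Level", default="4", namespaces=EVENT_NS))
    return {
        "provider": system.find("e:Provider", EVENT_NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=EVENT_NS)),
        "level": level,
        "severity": LEVEL_NAMES.get(level, "Unknown"),
        "channel": system.findtext("e:Channel", namespaces=EVENT_NS),
        "time": system.find("e:TimeCreated", EVENT_NS).get("SystemTime"),
    }

def matches_custom_view(event, provider, max_level=3):
    """Same criteria as the SQL Server custom view: one provider, Level 1..3."""
    return event["provider"] == provider and 1 <= event["level"] <= max_level

# Constructed sample in the shape of Event Viewer's XML view (not a captured event).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSSQLSERVER" />
    <EventID Qualifiers="49152">3041</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-04-28T02:00:05.000000000Z" />
    <EventRecordID>1001</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SQLHOST.example.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>BACKUP failed to complete the command BACKUP DATABASE Sales.</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(ev["severity"], ev["provider"], ev["event_id"], matches_custom_view(ev, "MSSQLSERVER"))
```

The same filter can be pointed at events exported from Event Viewer, since the saved XML uses this schema.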

windows event custom view

Windows event custom view filter

When you click OK in the Save Filter to Custom View dialog box, the view is created in the location chosen:

save windows event custom view

Just as we can save logs to an event file, we can also export custom views. To export a custom view:

  1. Select the custom view in the navigation pane.
  2. Choose the “Export Custom View…” option from the action pane.
  3. Provide a name for the XML file that will hold the custom view.

The figure below shows this process:

Export custom view

The saved XML file can then be copied to another machine and imported into its own Event Viewer using the “Import Custom View…” action menu item.

Summary Views

If we select the top node of the navigation pane (Event Viewer (Local)), it gives us a good overview of the number of events in the Administrative category. The Administrative node traps critical, error, and warning events from all administrative logs:

Summary view

Looking at this particular case, we can see there were four errors trapped in the last hour, and the number of errors in the last week was 37.

Windows event error

Other Application Logs

Windows also has other types of logs with their own event viewing mechanisms. Here are three additional types:

Task Scheduler History Logs

Windows Task Scheduler enables us to run background tasks and applications on a schedule, much like the Linux cron subsystem. An example of a Task Scheduler job would be a nightly backup script that backs up local SQL Server databases. Each task has history events associated with it, and these events can be seen in the Task Scheduler’s detail window. The following image shows this:

Task scheduler logs

Failover Cluster Manager

The Windows Server Failover Clustering service enables two or more Windows servers to work as part of a “cluster”: a fault-tolerant configuration in which a physical hardware failure on one server is automatically detected by another server, which takes over its role. The service automatically re-routes all network traffic to the healthy instance, creating a highly available environment. In a clustering setup, applications connect to a common access point—a virtual IP or a cluster name—and Windows routes all traffic to the correct node. When a fault does happen, applications won’t know that one of the underlying servers has failed and will continue to work as before. Windows Server Failover Clustering is the foundation of modern SQL Server HA solutions such as AlwaysOn Availability Groups.

The Failover Cluster Manager is a built-in Windows application with its own event viewer. Using it, system administrators can troubleshoot when their cluster fails or stops functioning as expected. The following screenshot shows the Cluster Manager’s event viewer node in the navigation pane. Selecting this node shows cluster-related events:

Failover cluster manager events

DNS Manager

Windows Server comes with a special role for acting as a Domain Name Service (DNS) server. This role has to be explicitly installed and enabled. When a server is acting as a DNS server (typically the Active Directory Domain Server in small networks), an application called the DNS Manager is added to the Server Manager. As the following image shows, DNS Manager has its own list of events:

DNS manager events

Windows Component Service

Another built-in application is the Windows Component Services Manager, which lets us configure DCOM applications running on Windows. The Windows Event Viewer is accessible from the Component Services Manager as well:

Windows component service events

As we can see, Windows records its various events in one place, and in some cases in multiple places. Capturing those events and making sense of them is part of an administrator’s role. In this guide we will see how to use different methods to collect, centralize, and protect these logs.

IIS Access Logs

The IIS web server’s access logs contain information about which URIs were requested, a status code indicating whether the response was served successfully, and more. IIS writes these logs as files in the W3C Extended Log Format. This format is a type of comma-separated value (CSV).

The log files are written to this default location. Below is an example file, where W3SVC1 is the virtual host and u_ex150428 is a file name coded with the date 2015-04-28.

Here is an excerpt from the log file showing the column definition as a comment, followed by a request for /manager/html which returned a 404 status code because that path does not exist.
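Because the column definition travels with the file in the #Fields directive, a log reader should take its column names from there rather than hard-coding them. As an added example that is not part of the original guide, the following Python parses a constructed log in the W3C Extended Log Format layout described above and then counts the 404 responses each client address produced, which is a simple way to spot a host probing for paths that do not exist. The excerpt, addresses and user names are constructed for this example.

```python
from collections import Counter

# Constructed excerpt in the shape of an IIS W3C log (not a real server's file).
# IIS writes "-" for empty fields and replaces spaces inside a value with "+",
# so splitting a request line on whitespace yields exactly one value per column.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2015-04-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-04-28 08:15:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.3) - 200 0 0 12
2015-04-28 08:15:07 10.0.0.5 GET /manager/html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.3) - 404 0 2 3
2015-04-28 08:15:09 10.0.0.5 GET /old/report.pdf - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.3) - 404 0 2 2
2015-04-28 08:16:30 10.0.0.5 POST /api/login - 443 alice 192.0.2.10 Mozilla/5.0+(Windows+NT+6.3) https://10.0.0.5/ 200 0 0 45
"""

def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # a later directive may redefine columns
            continue  # #Software, #Version and #Date carry no request data
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("%d values for %d columns: %r" % (len(values), len(fields), line))
        yield dict(zip(fields, values))

def not_found_by_client(text):
    """Count 404 responses per client address (c-ip); a run of them from one host merits review."""
    counts = Counter()
    for req in parse_w3c_log(text):
        if req["sc-status"] == "404":
            counts[req["c-ip"]] += 1
    return counts

if __name__ == "__main__":
    for req in parse_w3c_log(SAMPLE_LOG):
        print(req["c-ip"], req["cs-method"], req["cs-uri-stem"], req["sc-status"])
    print(dict(not_found_by_client(SAMPLE_LOG)))
```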
