By
- Kinza Yasar,Technical Writer
- Alexander S. Gillis,Technical Writer and Editor
What is the Windows event log?
The Windows event log is a detailed and chronological record of system, security and application notifications stored by the Windows operating system that network administrators use to diagnose system problems and predict future issues.
The operating system (OS) and applications use these event logs to record important hardware and software actions the administrator can use to troubleshoot issues with the OS. The Windows OS tracks specific events in its log files, such as application installations, security management, system setup operations on initial startup, and problems or errors.
Microsoft first offered the Windows event log the release of Windows Vista and Windows Server 2008. It has been included in all subsequent versions of Windows.
The elements of a Windows event log
Each event in a log entry contains the following information:
- Level. Severity of event, including information, critical, warning, error, verbose.
- Date. Date an event occurred.
- Time. Time an event occurred.
- Source. Program or component that caused the event.
- Event ID. A Windows identification number that specifies the event type.
- Task category. Recorded event log type.
- User. Username of the user logged onto the machine when the event occurred.
- Computer. Name of the computer.
Here are some examples of how log entries are displayed.
| Level | Date | Time | Source | Event ID | Task Category |
| Information | 5/16/2018 | 8:41:15 AM | Service Control Manager | 7036 | None |
| Warning | 5/11/2018 | 10:29:47 AM | Kernel-Event Tracing | 1 | Logging |
| Error | 5/16/2018 | 8:41:15 AM | Service Control Manager | 7001 | None |
| Critical | 5/11/2018 | 8:55:02 AM | Kernel-Power | 41 | (63) |
Information stored in Windows event logs
The Windows operating system records events in five areas -- application, security, setup, system and forwarded events:
- Application events. These relate to incidents with the software installed on the local computer. If an application crashes, then the Windows event log will create an application log entry about the issue containing the application name and information on why it crashed.
- Security events. These store information based on the Windows system's audit policies. Typical events logs stored include login attempts and resource access. For example the Windows security log stores a record when the computer attempts to verify account credentials when a user tries to log on to a machine.
- Setup events. These include enterprise-focused events relating to the control of domains, such as the location of logs after a disk configuration. This log will also keep track of occurrences involving Active Directory on domain controllers.
- System events. These relate to incidents on Windows-specific systems, such as the status of device drivers.
- Forwarded events. These arrive from other machines on the same network when an administrator wants to use a computer that gathers multiple logs.
Using the Event Viewer
In Windows, the event logs are stored in the C:\WINDOWS\system32\config\ folder. They are created for each system access, operating system blip, security modification, hardware malfunction and driver issue.
The role of the Event Viewer tool is to scan through those text log files and gather and present them in an intuitive user interface (UI), similar to how a database reporting tool would.
The following steps can be taken to check the events logs through the Event Viewer:
- Press the Windows key + R on the keyboard to open the Run window.
- Enter eventvwr in the Run dialog box and press OK.
- Expand the Windows Logs menu in the Event Viewer window.
- Notice the different types of event logs found under the Windows Logs menu, including application logs, security logs, setup logs, system logs and forwarded events.
- Click on one of the event logs to search for and view the recorded events under it.
Windows events severity levels
Windows categorizes every event with a severity level. The levels in order of severity are information, verbose, warning, error and critical.
- Information. Most logs consist of information-based events. Logs with this entry usually mean the event occurred without incident or issue. An example of a system-based information event is Event 42, Kernel-Power, which indicates the system is entering sleep mode.
- Verbose. These events represent progress or success messages for a specific event.
- Warning. Warning level events are based on particular events, such as a lack of storage space. Warning messages can bring attention to potential issues that might not require immediate action. Event 51, Disk is an example of a system-based warning related to a paging error on the machine's drive.
- Error. An error level indicates a device may have failed to load or operate expectedly. Event 5719, NETLOGON is an example of a system error when a computer cannot configure a secure session with a domain controller. The error level's severity is low and doesn't require instant troubleshooting.
- Critical. Critical level events indicate the most severe problems. Event ID 41, Kernel-Power is an example of a critical system event when a machine reboots without a clean shutdown.
Other tools to view Windows event logs
Microsoft also provides the wevtutil command-line utility in the System32 folder that retrieves event logs; runs queries; and exports, archives and clears logs.
A few popular third-party utilities that also work with Windows event logs include the following:
- SolarWinds Security Event Manager (SEM). This tool provide a centralized log collection, real-time event correlation and remediation, file integrity monitoring and threat detection through an intuitive dashboard and user interface. It also automatically collects logs from servers, applications and network devices.
- Site24X7. This powerful Windows event log management tool from ManageEngine can identify anomalies in Windows event logs, logs from custom programs and logs from services. It can also send immediate notifications when errors arise.
- Sumo Logic log management and log analytics. This log management software offers real-time analytics, custom dashboards, and machine learning for both cloud-based and on-prem applications.
- Datadog. Datadog's cloud monitoring tool with log management capabilities offers dashboards, alarms, search and filtering in addition to log management features.
Using PowerShell to query events
Microsoft builds Windows event logs in Extensible Markup Language (XML) format with an EVTX extension. XML provides more granular information and a consistent format for structured data.
Administrators can build complicated XML queries with the Get-WinEvent PowerShell cmdlet to add or exclude events from a query.
Logs provide insightful information about a system's internal operations. Discover and investigate the function of Windows log monitoring in the enterprise.
This was last updated in March 2023
Continue Reading About Windows event log
- Query event logs with PowerShell to find malicious activity
- The 3 pillars of observability: Logs, metrics and traces
- Top 12 application performance monitoring tools
- 5 distributed tracing tools to ease application monitoring
- The definitive guide to enterprise IT monitoring
Related Terms
- client-server network
- A client-server network is a distributed communications architecture in which a centralized server receives and responds to ... Seecompletedefinition
- ITIL V3
- ITIL V3 is the third version of the Information Technology Infrastructure Library (ITIL), a globally recognized collection of ... Seecompletedefinition
- Microsoft
- Microsoft is the largest vendor of computer software in the world. Seecompletedefinition
Dig Deeper on IT operations and infrastructure management
- log analyticsBy: AlexanderGillis
- Build a PowerShell logging function for troubleshootingBy: AdamBertram
- The role of Windows log monitoring in the enterpriseBy: BrienPosey
- The 3 pillars of observability: Logs, metrics and tracesBy: ChrisTozzi
I'm an experienced IT professional with a deep understanding of Windows operating systems and event logging. My expertise is grounded in extensive hands-on experience in managing and troubleshooting Windows environments. I've worked with diverse systems and networks, gaining a profound knowledge of the Windows event log system and its critical role in diagnosing and predicting issues.
Now, let's delve into the concepts presented in the article:
1. Windows Event Log Overview:
- The Windows event log is a chronological record of system, security, and application notifications stored by the Windows OS.
- It serves as a crucial tool for network administrators to diagnose system problems and anticipate future issues.
- Event logs capture important hardware and software actions, aiding in the troubleshooting of OS-related problems.
2. Elements of a Windows Event Log Entry:
- Each event in a log entry includes information such as Level, Date, Time, Source, Event ID, Task Category, User, and Computer.
- The Level indicates the severity of the event, ranging from information to critical.
3. Information Stored in Windows Event Logs:
- Windows OS records events in five areas: Application, Security, Setup, System, and Forwarded Events.
- Application events relate to software incidents, security events store information on audit policies, setup events focus on enterprise-related activities, system events deal with Windows-specific incidents, and forwarded events come from other machines on the same network.
4. Using Event Viewer:
- The Event Viewer tool scans and presents the text log files in an intuitive UI.
- Event logs are stored in the C:\WINDOWS\system32\config\ folder.
- Event logs include application logs, security logs, setup logs, system logs, and forwarded events.
5. Windows Events Severity Levels:
- Windows categorizes events into severity levels: Information, Verbose, Warning, Error, and Critical.
- Examples of each level are provided, showcasing events such as system entering sleep mode (Information) to critical system events like a machine reboot without a clean shutdown (Critical).
6. Other Tools for Viewing Windows Event Logs:
- Microsoft's wevtutil command-line utility is mentioned.
- Third-party utilities like SolarWinds Security Event Manager, Site24X7, Sumo Logic, and Datadog are highlighted for log management.
7. Using PowerShell to Query Events:
- Windows event logs are built in XML format with an EVTX extension.
- Administrators can use PowerShell's Get-WinEvent cmdlet to query events with XML queries.
8. Additional Tools and Services:
- Microsoft's wevtutil command-line utility is mentioned.
- Third-party utilities such as SolarWinds Security Event Manager, Site24X7, Sumo Logic, and Datadog are highlighted for log management.
This comprehensive knowledge allows me to confidently discuss and elaborate on the intricacies of Windows event logging, empowering administrators to effectively manage and troubleshoot their Windows environments.
