Где посмотреть логи windows server

How to check Windows server logs (Windows Event Log Types. Microsoft Windows Server is an operating system that provides network administrators with a collection of enterprise level management features. Accordingly, some of these features include data storage, applications, security, network, and hardware management.

Similarly, Microsoft’s collection of desktop operating systems allow you to view event logs through a set of Administrative Tools. So, Windows Server offers similar features but in a more enterprise capacity. After all, event logging and tracing are important parts of running servers. Thus, this guide will explore how you can find Windows server logs and how to interpret the information from them.

Shall we start with How to check Windows server logs (Windows Event Log Types).

Understanding The Windows Event Log

If your servers are positioned in a fairly medium or large company, they may be collecting thousands of events hourly. Especially if you have not configured your Windows Server Event Logs. Basically, the event log is separated into channels. The four most important are:

• System: Features events related to system software and/or hardware. For instance, driver failures or installations.
• Application: Contains events logged by (mostly) Windows applications.
• Security: Contains events pertaining to the security of the Windows system. This may include failed login attempts.
• Setup: Features system related event logs for setups and updates. For instance, Windows updates.

Besides, Microsoft also has channels for its features such as BitLocker, AppLocker, and Windows Firewall. Additionally, the event log may also contain channels for third party software. As a result, Windows Server allows you to collect all your events from separate servers and combine them in a central location. Alternatively, you could feed event logs to a Security Information and Event Management (SIEM) solution that isn’t Microsoft based.

While there is a lot of information collected by the events log by default, it is the auditing feature in Windows that determines what information gets collected and logged.

How to Check Windows Server Logs

There are two main graphical ways you can access the Windows Server event log:

• Event Viewer Microsoft Management Console (MMC)
• Windows Admin Center (WAC)

• Open the Start Menu (WinKey).
• Search through the applications list for Server Manager or type it into the search field.
• Double click on the Server Manager item.

How to Launch The Event Viewer

Once again, the best way to check Windows Event Logs is through the Event Viewer. You can launch it from the Server Manager using the following steps:

• Click on the top Tools menu button.
• Search the list for Event Viewer.
• Double click on it to open it .

Using The Roles and Server Groups Section To Check Events

You may have noticed that the Events Viewer isn’t the only place you can view events from the Server Manager. As seen, the Server Manager also allows you to view roles and server specific events on the dashboard. You can view File and Storage, Local Server, and All Servers events by using the various widgets in the dashboard.

Clicking on one of the Events options in these widgets will launch a screen similar to this one:

This is called the Events Detail View. It gives you a list of filtration options including:

• Event Security Levels: Filter events according to their severity.
• Event Sources: Origin of an event (applications, services, etc).
• Servers: The machine the event occurred on.
• Time Period: The hours and/or minutes the event occurred in between.
• Event IDs: Each event has a unique ID. You can filter events using these IDs.

Again, we’ll stick to using the Event Viewer because it’s the most fully featured option.

Navigating Through the Event Viewer

One of the most unfortunate facts about Windows Server’s event management system is its lack of built in alerts or notifications. However, you can apply a script or run a program that is triggered when a particular event enters one of your custom views.

Nevertheless, you should be able to see the four channels we previously mentioned under the Windows Logs folder. You can use the above image as a reference. Ultimately, this is where you will check your Windows Servers Log.

You will notice that the above image features an additional channel called Forwarded Events. This channel is used by servers that have been set up as event collectors. It allows you to see events from other servers.

If you scan through the Event Viewer tree, you should notice a top folder labeled Applications and Services Log.  It contains event channels related to installed server software and hardware.

Event Log Levels

When checking Windows Server Logs through the Event Viewer, you’re bound to run into a plethora of event types. They include:

• Information: Logs information event. For instance, when a task is completed successfully or when the system informs the user of something.
• Warning: Used to log system and software warnings. They don’t demand immediate action. However, they may warn you of a future problem, like disk space running out.
• Error: Indicates a system, software, or hardware issue that requires immediate action. For instance, a driver failing to load upon start up.
• Success Audit (Security log): This signifies the success of an audited security event. For instance, a user successfully logging onto the server or client.
• Failure Audit (Security log): This signifies the success of an audited security event. For instance, a user failing to log onto a server or client.

It is time to explain How to Check Windows Server Logs (Windows Event Log Types). 

Event Log Types

Alternatively, you can create a custom view by:

1. Application Whitelisting

If you notice that some of your events have been randomly cleared, then your network/system has most likely been compromised by bad actors. Especially, these bad actors may be trying to hide malicious activity by purging events. At this  time it’s important to remember that event logs are not typically cleared during normal operations. As such, if you notice the following event logs, you should be worried:

A variety of users will log in to your server(s). You can use these event types and IDs to detect unauthorized account usage and remote desktop logins. Some users can use Windows Remote Desktop to configure systems that they should not be allowed to. Equally, users should not be logging into your server using Remote Desktop when there are other tools such as Power Share, Windows Admin Console (WAC), etc.

You (or your network administrator) should especially be paying attention to privileged Active Directory groups such as the domain and enterprise admin groups. Furthermore, you must make sure that your system isn’t adding or removing users from these groups without permission.

Account lockouts are important events that should be monitored. They can often signify brute force attempts by malicious actors. These bad actors may be trying to guess a user’s password. Nevertheless, the following are the events that fall under this category:

Evidently, you use Group Policy Objects (GPOs) to configure and enforce your organization’s security policy. Thus, if the group policies you’ve set aren’t enforced, then your system may be compromised. In most cases, it may be the result of a bad actor attempting to prevent your system from enforcing certain policies so they can enact their own.

However, it can also be something benign or innocent. For instance, the group policy client may be failing for some reason. Regardless, it’s always important to monitor your group policies as they may indicate something nefarious occurring on your network..  

5. Software and Service Installation

7. Windows Firewall

8. Application Crashes

Application crashes are fairly common. However, they may indicate a malicious attack where a bad actor is forcing processes and services to shut down. Therefore, you or your system administrator must check the event logs for instances of Blue Screen of Death (BSOD), Windows Error Reporting (WER), Application Crashes, and Hang events.

This post will show you where the .evtx log files can be found in Windows Server 2016, as well as how they can be viewed with Event Viewer.

Viewing Log Files

The easiest way to view the log files in Windows Server 2016 is through the Event Viewer, here we can see logs for different areas of the system.

Event viewer can be opened through the MMC, or through the Start menu by selecting All apps, Windows Administrative Tools, followed by Event Viewer.

Through Event Viewer we have the ability to search the logs for a particular string, export the logs to a file, and even schedule a task to take place each time a specific event occurs.

Log File Location

While this allows us to read the logs, you may be after the full path to where the actual .evtx files are stored. These log files can be found in the C:\Windows\System32\winevt\logs folder, as shown below.

These files can be double clicked and they will automatically open with Event Viewer, and these are the files that are read when browsing through Event Viewer

Note that specific applications may have their own custom log locations, in which case you will need to check the vendors documentation regarding log file location.

Summary

We have seen that important application, security and system events that have been logged are stored in the C:\Windows\System32\winevt\logs directory as .evtx files, which can be viewed through Event Viewer.