Setting up hardware and software

Viewing Windows 8 Events. Where is the Windows Event Log located?

Windows is a rather complex operating system and tracking all processes, including errors, is difficult for an inexperienced user.

For this purpose, the OS itself logs everything that happens and every action in the system. You can display and view this log using the Windows Event Viewer.

Displaying Windows Event Viewer

You can view information about the operation of the OS in two ways:

  • Using cmd (the command line);
  • Using the Control Panel.

To open the command line, you can use the keyboard shortcut Win+R or go through the well-known chain: Start - All Programs - Accessories - Command Prompt.

In the window that opens, enter the command eventvwr.msc

Or go through Start - Control Panel - System and Maintenance - Administrative Tools.

The main window of the utility will be displayed on the desktop. Select the item "".

Don't be alarmed if there are errors in the list. Even in a perfectly working system, similar messages can appear. In most cases, they are isolated and caused by minor application glitches.

Most likely, error descriptions will not mean anything to the average user. Viewing logs can help a system administrator or an “advanced” user understand system failures that occur.

How to use the viewer

What information can be learned from the log? If your computer systematically produces errors, randomly reboots, or displays a “blue screen of death,” then all events that led to the malfunction are logged by the system. When viewing this information you can find out at what time which service, driver, or hardware component caused a particular error. Based on this information, the necessary measures can be taken to fix the problem.

In addition to error information, the log can be used for other purposes. You can attach a specific task to any event occurring in the system. Then, if a similar situation arises in the future, the task you set will run automatically.

To do this, right-click any item in the list to open the context menu and select "Attach Task To This Event".

Clearing the event log

Removing all information from the log is also not difficult. To do this, in the left pane of the log window, select the tree item that needs to be cleared, right-click to open the context menu and choose “Clear Log”.

Hello everyone, the topic is how to view Windows logs. I think everyone knows what logs are, but if you happen to be a beginner: logs are records of system events occurring in an operating system, both Windows and Linux, which help track what happened, where and when, and who did it. Any system administrator must be able to read Windows logs.

A real-life example is the situation when a disk failed on one of the IBM servers and I collected the server logs for technical support so that they could diagnose the problem. The Event Viewer service is responsible for collecting and recording logs in Windows. Event Viewer is a convenient tool for obtaining system logs.

How to open Event Viewer

Opening the Event Viewer snap-in is very simple, and the method works in any version of Windows. Press the magic keys

Win+R and enter eventvwr.msc

A Windows Event Viewer window will open in which you need to expand the Windows Logs item. Let's go through each of the logs.

The Application log contains records related to programs on your computer. An entry is written when a program is launched; if it was launched with an error, this will also be reflected here.

The Security log is the audit log: it is needed to understand who did what and when, for example who logged in or logged out, or tried to gain access. All success and failure audits are written here.

The Setup log records what was installed and when, for example programs or updates.

The most important log is System. All the most necessary and important things are written here. For example, if you had a blue screen (BSOD), the messages recorded here will help you determine its cause.

There are also Windows logs for more specific services, such as DHCP or DNS. Event Viewer records everything :).

Suppose you have more than a million events in the Security log. You will probably immediately ask whether there is filtering, since viewing all of them is masochism. Event Viewer provides for this: Windows logs can be conveniently filtered, leaving only what is needed. On the right, in the Actions area, there is a Filter Current Log button.

You will be asked to specify the event level:

  • Critical
  • Error
  • Warning
  • Information
  • Verbose

It all depends on the search task: if you are looking for errors, there is no point in selecting the other message types. Next, to narrow the search further, you can specify the desired event source and event ID.

So, as you can see, parsing Windows logs is very simple: we search, we find, we solve. A quick clearing of Windows logs may also be useful:

Viewing Windows logs with PowerShell

It would be strange if PowerShell couldn’t do this. To display the logs, open PowerShell and enter the following command

Get-EventLog -Logname "System"

As a result, you will receive a list of System logs

The same can be done for other logs, for example Application

Get-EventLog -Logname "Application"

A short list of column names and the matching property names

  • Event code - EventID
  • Computer - MachineName
  • Event sequence number - Data, Index
  • Task category - Category
  • Category code - CategoryNumber
  • Level - EntryType
  • Event message - Message
  • Source - Source
  • Event generation date - ReplacementStrings, InstanceId, TimeGenerated
  • Event recording date - TimeWritten
  • User - UserName
  • Site - Site
  • Division - Container

For example, to display events from the “System” log in the command shell with only the columns “Level”, “Event Record Date”, “Source”, “Event Code”, “Category” and “Event Message”, run the command:

Get-EventLog -LogName 'System' | Format-Table EntryType, TimeWritten, Source, EventID, Category, Message

If you need more detailed output, replace Format-Table with Format-List

Get-EventLog -LogName 'System' | Format-List EntryType, TimeWritten, Source, EventID, Category, Message

As you can see, this format is more readable.

You can also filter the logs, for example to show the last 20 messages

Get-EventLog -LogName 'System' -Newest 20
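
The same filter that the "Filter Current Log" dialog builds (level, event source, event code, time range) can be scripted with Get-WinEvent, which is also available in PowerShell 7, where Get-EventLog is not. This is an added example, not code from the original article; the function name Get-FilteredEvent and its parameter names are illustrative, and the event ID and server name in the second call are the ones the article uses in its remote-viewing section.

```powershell
# Added example, not from the original article. Function and parameter names are illustrative.
function Get-FilteredEvent {
    [CmdletBinding()]
    param(
        [string]   $LogName = 'System',
        [ValidateSet('Critical', 'Error', 'Warning', 'Information', 'Verbose')]
        [string[]] $Level = @('Critical', 'Error'),
        [int[]]    $EventId,                          # "event code" in the filter dialog
        [string]   $Source,                           # "event source" in the filter dialog
        [datetime] $After = (Get-Date).AddDays(-1),   # only events newer than this
        [int]      $MaxEvents = 50,
        [string]   $ComputerName                      # optional remote computer
    )

    # Level names from the filter dialog -> numeric levels stored in the records.
    # Event Viewer's "Information" check box matches both level 4 and level 0.
    $levelMap = @{
        Critical = 1; Error = 2; Warning = 3; Information = @(0, 4); Verbose = 5
    }

    $filter = @{
        LogName   = $LogName
        Level     = @($Level | ForEach-Object { $levelMap[$_] })
        StartTime = $After
    }
    if ($EventId) { $filter.Id = $EventId }
    if ($Source)  { $filter.ProviderName = $Source }

    $params = @{ FilterHashtable = $filter; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    try {
        # The filter is evaluated by the event log service, so a log with
        # millions of records is not pulled into PowerShell first.
        Get-WinEvent @params |
            Select-Object TimeCreated, LevelDisplayName, ProviderName, Id, Message
    }
    catch {
        # Get-WinEvent reports an error when nothing matches; return nothing instead.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
}

# Critical events and errors in the System log for the last 24 hours:
Get-FilteredEvent | Format-Table -AutoSize -Wrap

# Event ID 19 over the last week, read from the remote server used in the article:
Get-FilteredEvent -Level Information -EventId 19 -After (Get-Date).AddDays(-7) -ComputerName 'SVT2019S01' |
    Format-List
```

Reading the Security log this way requires an elevated session, and the remote call depends on the same firewall access as the remote Event Viewer connection.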

Additional Products

You can also automate the collection of events using tools such as:

  • The Zabbix monitoring suite
  • Forwarding events to a collector server using built-in Windows tools
  • The Netwrix audit suite
  • SCOM, if you have it, which can aggregate logs from any Windows platform
  • Any DLP system

So whether you use Event Viewer or PowerShell to view Windows events is up to you.

Remote viewing of logs

  • First method

Not long ago, the Windows Server 2019 operating system introduced the Windows Admin Center remote administration component. It allows you to remotely manage a computer or server; I have already talked about it in more detail. Here I want to show that by installing it on your workstation, you can connect from a browser to other computers and easily view their event logs, thereby studying Windows logs. In my example the server will be SVT2019S01. We find it in the list of available machines and connect (let me remind you that this is how we did remote network setup in Windows).

Next, select the “Events” tab and choose the desired log; in my example, I want to see all the logs for the system. From my point of view, viewing everything here is much more convenient than in Event Viewer. The advantage is that you can do this from any phone or tablet. There is a convenient search form in the right corner.

If you need to filter the logs more precisely, you can use the filter button.

Here you can also select the event level, for example leaving only critical events and errors, and set the time range, event code and source.

Here is an example of filtering by event 19.

It is very convenient to export the entire log to the evtx format, which can then be easily opened in Event Viewer. So, Windows Admin Center is a powerful tool for viewing logs.

  • Second method

The second way to remotely view Windows logs is to use the Computer Management snap-in or the same “Event Viewer”. To view Windows logs on another computer or server, in the snap-in, right-click on the top item and select "" from the context menu.

We specify the name of the other computer; in my example it will be SVT2019S01

If everything is fine and nothing is blocked by the firewall or antivirus, you will be taken to the remote event view. If something is blocked, you will receive a message like "COM+ traffic is not flowing through".

I also want to note that there are entire log aggregation systems, such as Zabbix or SCOM, but that is a different level of task.

Event Viewer in Windows displays a history (log) of system messages and events generated by programs - errors, informational messages, and warnings. By the way, scammers can sometimes use event viewing to deceive users - even on a normally functioning computer, there will always be error messages in the log.

Launch Event Viewer

To start Windows Event Viewer, type this very phrase in the search box or go to “Control Panel” - “Administrative Tools” - “Event Viewer”

Actually, why am I even writing about this, since there is nothing interesting for the average user in Windows Event Viewer? Still, this function (or program, utility) of Windows can be useful if problems arise with the computer - when the Windows blue screen of death randomly appears, or a random reboot occurs - in the event viewer you can find the cause of these events. For example, an error in the system log can provide information about which hardware driver caused the failure for subsequent actions to correct the situation. Just look for an error that occurred while your computer rebooted, froze, or displayed a blue screen of death - the error will be marked as critical.

There are other uses for Event Viewer. For example, Windows records the time it takes for the operating system to fully boot. Or, if your computer hosts a server, you can enable shutdown and reboot event recording - every time someone shuts down the PC, they will be required to enter a reason for it, and you can later view all shutdowns and reboots and the entered reason for the event.

In addition, you can use Event Viewer in conjunction with Task Scheduler: right-click on any event and select “Attach Task To This Event”. Whenever this event occurs, Windows will run the corresponding task.

In the Windows family of operating systems, all major events that occur in the system are tracked and then written to the log. Errors, warnings and various plain notifications are recorded. Based on these records, an experienced user can correct the operation of the system and eliminate errors. Let's learn how to open the event log in Windows 7.

The event log is viewed through a system tool called "Event Viewer". Let's see how you can get there using different methods.

Method 1: "Control Panel"

One of the most common ways to launch the tool described in this article, although far from the easiest and most convenient, is through "Control Panel".


Method 2: Run Tool

It is much easier to launch the described tool using the "Run" tool.


The main disadvantage of this fast and convenient method is the need to memorize the command that opens the window.

Method 3: Start Menu Search Box

A very similar method of opening the tool we are studying uses the search field of the "Start" menu.


Method 4: "Command Line"

Opening the tool via "Command Prompt" is quite inconvenient, but such a method exists, and therefore it also deserves a mention. First we need to open the "Command Prompt" window.


Method 5: Directly start the eventvwr.exe file

You can also use such an “exotic” option as starting the file directly from "Explorer". However, this method can be useful in practice, for example, if the failures have reached such a scale that other options for launching the tool are simply not available. This happens extremely rarely, but it is quite possible.

First of all, you need to go to the location of the eventvwr.exe file. It is located in the system directory at this path:

C:\Windows\System32


Method 6: Entering the file path in the address bar

With the help of "Explorer" we can open the window we are interested in even faster. In this case, you don’t even have to look for eventvwr.exe in the "System32" directory. To do this, you just need to specify the path to this file in the "Explorer" address bar.


Method 7: Create a shortcut

If you don't want to remember different commands, or you find navigating through the sections of "Control Panel" too inconvenient, but at the same time you use the log often, you can create an icon on the "Desktop" or in another place convenient for you. After this, launching the "Event Viewer" tool will be as simple as possible, with no need to remember anything.


Problems opening the log

There are cases when problems arise with opening the log using the methods described above. Most often this happens because the service responsible for the operation of this tool is deactivated. When you try to run the "Event Viewer" tool, a message appears indicating that the Event Log service is unavailable. Then you need to activate it.

  1. First of all, you need to go to "Service Manager". This can be done from the "Control Panel" section called "Administrative Tools". How to get into it was described in detail under Method 1. Once in this section, look for the item "Services". Click on it.

    You can also open "Service Manager" using the "Run" tool. Open it by pressing Win+R. Enter in the input area:

    Click "OK".

  2. Regardless of whether you went through "Control Panel" or entered the command in the "Run" tool, "Service Manager" starts. Look for the "Windows Event Log" entry in the list. To make your search easier, you can sort all the objects in the list alphabetically by clicking on the "Name" column header. Once the desired row is found, look at the corresponding value in the "Status" column. If the service is enabled, it should say "Started". If it is empty, the service is deactivated. Also look at the value in the "Startup type" column. In normal condition it should say "Automatic". If the value there is "Disabled", the service is not activated when the system starts.
  3. To fix this, go to the service properties by double-clicking on the name with the left mouse button.
  4. A window opens. Click on the "Startup type" area.
  5. Select "Automatic" from the drop-down list.
  6. Click "Apply" and "OK".
  7. Returning to "Service Manager", select "Windows Event Log". In the left area of the window, click "Start".
  8. The service has started. Now the "Status" column will show "Started", and the "Startup type" column will show "Automatic". Now the log can be opened in any of the ways that we described above.
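
The check and repair from steps 1 to 8 can also be done from an elevated PowerShell session. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later (for Get-CimInstance), uses EventLog, the internal name of the "Windows Event Log" service, and the function name Repair-EventLogService is illustrative.

```powershell
# Added example, not from the original article. Run from an elevated session.
function Repair-EventLogService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Internal name of the service shown as "Windows Event Log".
        [string] $Name = 'EventLog'
    )

    # Step 2: read the current status and startup type.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' was not found on this computer." }
    Write-Verbose "Before: State=$($svc.State), StartMode=$($svc.StartMode)"

    # Steps 3-6: set the startup type to Automatic if it is anything else
    # (Win32_Service reports Automatic as 'Auto').
    if ($svc.StartMode -ne 'Auto') {
        if ($PSCmdlet.ShouldProcess($Name, 'Set startup type to Automatic')) {
            Set-Service -Name $Name -StartupType Automatic
        }
    }

    # Step 7: start the service if it is not running.
    if ($svc.State -ne 'Running') {
        if ($PSCmdlet.ShouldProcess($Name, 'Start service')) {
            Start-Service -Name $Name
        }
    }

    # Step 8: re-read the service so the caller sees the resulting state.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, DisplayName, State, StartMode
}

# Preview what would change without touching the service:
Repair-EventLogService -WhatIf -Verbose

# Apply the fix and show the final state:
Repair-EventLogService -Verbose
```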

There are quite a few ways to open the event log in Windows 7. Of course, the most convenient and popular methods are to go through "Toolbar", to use the "Run" tool, or to use the search field of the "Start" menu. For easy access to the described function, you can create an icon on the "Desktop". Sometimes there are problems opening the "Event Viewer" window. Then you need to check whether the corresponding service is activated.

The Windows Vista operating system carefully and tirelessly monitors everything that happens to it. Absolutely all actions, which are called “events,” are constantly recorded and sorted into various categories. The Event Viewer program (which, in case you were wondering, is an MMC tool) can be thought of as a journal kept by a scrupulous and meticulous old lady on a bench at the entrance. She records who enters and leaves the house, what conversations take place between residents, who divorced whom and who got into fights. In other words, she has a complete picture of how the house lives.

A similar spy function is performed by the Event Viewer program, which, unlike the old lady’s curiosity, is designed to diagnose and identify problems in the operation of the OS that the user had no idea about.

All events occurring in the system are recorded in special system logs. Event Viewer allows you to view the contents of these logs, archive them, and delete them. How exactly can you use this program? The main purpose is to identify problems that have arisen and the cause of their occurrence. If the device malfunctions, the hard drive is full, some program constantly freezes, or another unpleasant event occurs, information about what happened will be recorded in the corresponding system log. Next, just launch Event Viewer and get complete and clear information from the system log.

You can start Event Viewer in one of the following ways.

  • Select the command Start > Control Panel, click the System and Maintenance link, then the Administrative Tools link and finally the Event Viewer link.
  • The second method, for the impatient: enter the command eventvwr at the command line.

Recall that, in addition to clicking the Start button, you can open the command line window by pressing the key combination . Also remember that administrative access is required to use all the capabilities of the Event Viewer tool.

In any case, the window shown below will open.

  • View events from multiple system logs.
  • Create event filters as custom views.
  • The ability to create a task that runs automatically with a specific event.

Let's take a closer look at the window shown above. The window is divided into three panels. The left panel, Event Viewer, contains several folders with custom views, logs, and subscriptions. The central panel contains several submenus, such as And Recently Viewed Nodes. Finally, in the right panel, Actions, you can choose specific actions, such as creating a custom view or connecting to another computer.

Panel allows you to quickly identify all important events recorded over the past hour, day or week. Each event type can be expanded to reveal detailed information about the event. The panel gives a general picture of what is happening in the system, and to obtain specific information you should go to a specific event.

Since Event Viewer is used to view system logs, click on the folder icons And Applications and Services Logs in the left panel to expand the list of available logs. Let's look at them in more detail. In folder The following logs are presented.

  • Application. Events in this log are generated by applications, including installed programs that come with Windows Vista and operating system services. Exactly what events are recorded in this log depends on the specific program.
  • Security. This log lists user logon attempts (successful and unsuccessful), as well as actions related to shared resources, such as creating, modifying, or deleting files or folders.
  • Setup. Events in this log are created when programs are installed.
  • System. System events are generated by Windows itself and by installed components such as device drivers. The log is useful for identifying drivers that failed to load when Windows started.
  • Forwarded Events. This log contains events collected from other computers on the network.

In the Applications and Services Logs folder you can find entries for individual applications and services. While the other logs provide general entries, these logs provide information about the operation of specific programs. Notice the Microsoft subfolder, which in turn contains a Windows subfolder. In this folder you can find entries for a wide variety of Windows Vista components, presented in separate folders.
