Last Update: Sep 04, 2024 | Published: Mar 19, 2015
In this Ask the Admin, I’ll show you how to use filters to create custom views in Windows Server Event Viewer.
Monitoring the Event Log in Windows Server is an essential task for detecting malicious activity or unwanted changes to your systems, and one that often gets ignored. Since the improvements made to Windows Eventing in Windows Server 2008, specifically the addition of custom views in the Event Viewer management console, this often laborious chore has become easier.
The Event Logs contain lots of useful information, but certain events deserve to be isolated because they can indicate potential security breaches. Viewed this way, the information in the logs becomes more useful without the surrounding noise. That’s not to say that auditing of other events should necessarily be suppressed, but some information is more likely to flag a problem.
Let’s start by creating a custom view that shows us all User Account Management events from the local Security log. Log in to the server as an administrator or user that has permission to read the event logs, and follow the instructions below:
The custom view will now appear in the left pane of Event Viewer, and you can use it to monitor a subset of events from the Security log. Don’t forget that the view may be empty if there haven’t been any user account management events in the past 24 hours.
You can see in the figure below that there’s lots of other data by which events can be filtered, such as one or more Event IDs, the event level (critical, informational, etc.), and keywords.
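Behind every custom view, Event Viewer stores an XPath query in the same XML form you see on the view's XML tab (and can paste back in via "Edit query manually"). The following is an added example, not code from the original article: a PowerShell function that assembles that query from the same criteria the filter dialog offers (log, task category, Event IDs, keyword, time window) and runs it with Get-WinEvent, so the view's contents can be checked from a script. It assumes that task category 13824 is the Security log's User Account Management category, that keyword bit 4503599627370496 (2^52) is Audit Failure, and that a 24-hour window is written as 86400000 milliseconds; the Event IDs 4720, 4726 and 4740 are used as sample account-creation, deletion and lockout events.

```powershell
# Added example (not part of the original article): build the XPath query that a
# custom view stores, from the dialog's filter criteria, and run it with Get-WinEvent.
function New-EventViewerQuery {
    param(
        [string]$LogName = 'Security',
        [int[]]$EventId,             # one or more Event IDs (optional)
        [int]$Task,                  # task category, e.g. 13824 = User Account Management (assumption)
        [switch]$AuditFailureOnly,   # keyword filter: Audit Failure = bit 2^52 (assumption)
        [int]$Hours = 24             # time window; Event Viewer writes it in milliseconds
    )
    $conds = @("Provider[@Name='Microsoft-Windows-Security-Auditing']")
    if ($Task) { $conds += "Task = $Task" }
    if ($EventId) {
        $conds += '(' + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ')'
    }
    if ($AuditFailureOnly) { $conds += 'band(Keywords,4503599627370496)' }
    if ($Hours -gt 0) {
        # '&lt;=' is the XML-escaped form Event Viewer itself writes into the query
        $conds += "TimeCreated[timediff(@SystemTime) &lt;= $($Hours * 3600000)]"
    }
    $select = '*[System[' + ($conds -join ' and ') + ']]'
    @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$select</Select>
  </Query>
</QueryList>
"@
}

# The article's view: all User Account Management events from the past 24 hours.
$uamQuery = New-EventViewerQuery -Task 13824 -Hours 24
Write-Host $uamQuery

# A narrower view: only account creation, deletion and lockout events.
$changeQuery = New-EventViewerQuery -EventId 4720, 4726, 4740 -Hours 24

# Run either query exactly as Event Viewer would. Get-WinEvent raises a
# "No events were found" error on an empty result, which is the same situation
# as an empty custom view, so it is silenced here.
$events = Get-WinEvent -FilterXml ([xml]$uamQuery) -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No user account management events in the last 24 hours.'
} else {
    $events | Select-Object TimeCreated, Id, TaskDisplayName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

The query text printed by `Write-Host` is what you would paste into the XML tab of the Create Custom View dialog to get the same view in the console; the same function can be pointed at another log by changing `-LogName`.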
Changing a custom view is easy, but there’s one small quirk in the process that you should take note of:
Anytime you open Event Viewer, your custom views will appear with the saved filters from the previous session.
Custom Views can be saved as XML files, allowing you to import them into Event Viewer on other management servers or PCs. To export a custom view follow the instructions below:
To import a custom view, make sure the XML file saved in the previous steps is accessible:
The imported view will now appear in the selected folder under Custom Views.
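Because an exported custom view is just XML wrapped around the same query, it can also drive PowerShell on machines where you do not want to open the Event Viewer console at all. The block below is an added example, not code from the original article: it reads an exported view file, pulls out its `<QueryList>` element, and runs that query against several servers, reporting which ones have matching events. The file path and the server names DC01 and DC02 are constructed placeholders, and the only assumption about the exported file's layout is that it contains a `<QueryList>` element somewhere inside the wrapper, which is why the element is located with an XPath search rather than a fixed path.

```powershell
# Added example (not part of the original article): run an exported custom view's
# query on other servers without importing it into their Event Viewer consoles.
$viewFile = 'C:\Views\UserAccountManagement.xml'   # constructed path; use your export location
$servers  = 'DC01', 'DC02'                         # constructed server names

[xml]$view = Get-Content -Path $viewFile -Raw
# Assumption: the wrapper Event Viewer writes contains a <QueryList> node somewhere;
# searching with XPath avoids depending on the exact wrapper structure.
$queryList = $view.SelectSingleNode('//QueryList')
if (-not $queryList) { throw "No <QueryList> element found in $viewFile" }
[xml]$filter = $queryList.OuterXml

foreach ($server in $servers) {
    try {
        $events = Get-WinEvent -ComputerName $server -FilterXml $filter -MaxEvents 100 -ErrorAction Stop
        $events | Select-Object MachineName, TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
    catch {
        # An empty result is reported by Get-WinEvent as an error; treat it as "nothing to show"
        # and let any other failure (access denied, server unreachable) surface normally.
        if ($_.Exception.Message -like 'No events were found*') {
            Write-Host "$server : no events match the custom view"
        } else {
            throw
        }
    }
}
```

Reading the event log on a remote computer requires the Remote Event Log Management firewall rule to be allowed on the target and an account with read access to the Security log, the same requirement the article states for the local console.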