
In this Ask the Admin, I’ll show you how to use filters to create custom views in Windows Server Event Viewer.
Monitoring the Event Log in Windows Server is an essential task for detecting malicious activity or unwanted changes to your systems, but one that often gets ignored. Since the improvements made to Windows Eventing in Windows Server 2008, and specifically the addition of custom views to the Event Viewer management console, this often laborious chore has become easier.
The Event Logs contain a lot of useful information, but certain events are worth isolating because they can indicate a potential security breach. Filtering in this way makes the information in the logs more useful by removing the surrounding noise. That’s not to say that auditing of other events should necessarily be suppressed, but some information is more likely to flag a problem.
Let’s start by creating a custom view that shows all User Account Management events from the local Security log. Log in to the server as an administrator or as a user with permission to read the event logs, and follow the instructions below:
Define a filter for a custom view in Event Viewer (Image Credit: Russell Smith)
The custom view will now appear on the left of Event Viewer, and you can use it to monitor a subset of events from the Security log. Don’t forget that the view may be empty if there haven’t been any user account management events in the past 24 hours.
As the figure below shows, events can be filtered on a lot of other data too, such as one or more Event IDs, the event level (critical, informational and so on), and keywords.
Custom views in Event Viewer (Image: Russell Smith)
Changing a custom view is easy, but there’s one small quirk in the process that you should take note of:
Any time you open Event Viewer, your custom views will appear with the saved filters from the previous session.
Custom views can be saved as XML files, which lets you import them into Event Viewer on other management servers or PCs. To export a custom view, follow the instructions below:
To import a custom view, make sure the XML file saved in the previous steps is accessible:
Importing a custom view to Event Viewer (Image Credit: Russell Smith)
The imported view will now appear in the selected folder under Custom Views.
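The filter behind the User Account Management view above, and the exported XML that the import steps consume, as an added PowerShell example (not from the original article): it runs the same XPath query that Event Viewer builds for the Security log over the last 24 hours, then writes that filter out as an importable custom view file. It assumes Task=13824 is the task category Event Viewer assigns to the User Account Management audit subcategory, and the output path is an arbitrary choice.

```powershell
# Added example, not the article's own code. Assumption: Task=13824 is the task category
# of the "User Account Management" audit subcategory; confirm it against the Task field
# in the XML view of any 47xx Security event on your server.
$xpath = '*[System[(Task=13824) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'

# Query the local Security log. Reading it needs administrator rights or membership
# of the Event Log Readers group; Get-WinEvent errors when nothing matches, so the
# "empty view" case described in the article is handled explicitly.
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No user account management events in the last 24 hours (the view would be empty).'
} else {
    $events | Select-Object TimeCreated, Id, TaskDisplayName, Message | Format-Table -AutoSize -Wrap
}

# The same filter as a custom view file that Event Viewer can import (Action > Import
# Custom View...). Inside the XML the "<" in the XPath must be escaped as "&lt;".
$viewXml = @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams><UserQuery/></QueryParams>
    <QueryNode>
      <Name>User Account Management (24h)</Name>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">$($xpath -replace '<', '&lt;')</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@
# Output path is an assumption; any location reachable from Event Viewer will do.
$viewXml | Set-Content -Path "$env:USERPROFILE\Desktop\UserAccountManagement.xml" -Encoding UTF8
```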