Windows Vista's little surprises
By Mark Minasi
Have a look inside Windows security guru Mark Minasi's latest book, Administering Windows Vista Security: The Big Surprises, with this excerpt from Chapter 1, "Administering Vista Security: The Little Surprises."
It's always been possible to filter items in Event Viewer in a simple way by right-clicking in the Event Log, choosing New Log View, and then adjusting its filter properties. But Vista's Event Viewer takes it a bit further. To see how, take a look at the Event Viewer as it appears on startup in Figure 1.11.
FIGURE 1.10: An event log entry's details
FIGURE 1.11: The Event Viewer
Like the old Event Viewer, you get a pane down the left-hand side listing the logs that you can peruse. But instead of the standard Application, System and Security, Vista's Event Viewer fine-tunes your events into dozens of smaller "sub-logs." You can see in its right-hand pane a summary of entries and, you'll note, there are more levels of event than Information, Warning, Error, Audit Success, and Audit Failure; now there's also Critical. But look in the upper left-hand corner and you'll notice a folder called "Custom Views" and, inside that, a folder named "Administrative Events."
I didn't create that; it comes built into Vista. It collects all of the events from all logs that are Critical, Error, or Warning. In short, it's one-stop shopping for keeping an eye on what's broken. But what if we wanted the "auugh! log," a collection of just the Critical stuff? Simplicity itself. Just right-click the Custom Views folder and choose "Create custom view…" and you'll see a dialog like the one in Figure 1.12.
With this dialog, it's simple to see how Microsoft prebuilt the "Administrative Events" log. To create a "Criticals only" log, I'd change the dialog like so:
- Leave "Logged:" set to "Any time"; this means to show any events in the log, regardless of age. (Remember that by default Windows only keeps as many events as it has storage to hold.)
- Under "Event level:", check only "Critical."
- Next to "Event log:", choose the "By log" radio button, and click the drop-down box to the right of it. Check the boxes next to "Windows Logs" and "Applications and Services Logs" to choose all logs.
- Click OK. When you get the dialog warning that this might be a bit slow and asking whether you're sure, click "Yes." You'll see a dialog like Figure 1.13.
FIGURE 1.13: Name your new custom view
Here, I've filled in "Criticals Only" in the Name: field, and "Shows critical events for all administrative logs" in the Description: field. Click OK and you'll see the new view. And by the way, that's not a silly example. After running just a few days, my Vista system has generated tons of event log entries of varying levels of importance. But the "Criticals Only" log has just a dozen events in it, and they were all interesting. (My favorite was a message telling me that a particular program was "slowing down the Windows Shell," presumably meaning that shutting off this badly written program, whatever its name was, would make things faster. The program? Explorer.exe. Who says programmers lack senses of humor?)
Once you've created your ideal custom view, it's easy to back it up or spread it around. Just right-click it and export it. And guess what kind of file it creates? Yup, you got it: XML. (Perhaps they should have named Vista "Windows XML?" Then it would have sounded more like an upgrade from "XP.")
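The custom view built above is, under the hood, just an XPath filter on the event Level field, which is what the exported XML file carries in its QueryList element. As an added example (not code from the book), the PowerShell below builds that same "Criticals Only" query across every enabled log and runs it with Get-WinEvent, so you can reproduce the view from a script or from a scheduled task. The function name, its parameters, and the choice to skip empty or disabled logs are assumptions of this example, not anything the chapter specifies.

```powershell
# Added example (not from the book): the scripted counterpart of the
# "Criticals Only" custom view. Event levels in the Windows event schema are
# numbered 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
function Get-EventsByLevel {
    param(
        # Assumed parameter: which levels to keep. 1 alone reproduces the
        # "Criticals Only" view; 1,2,3 reproduces the built-in
        # "Administrative Events" view.
        [int[]] $Levels = @(1)
    )

    # Assumption of this example: only query logs that are enabled and
    # actually hold records, which keeps the scan over "all logs" manageable.
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
            Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 }

    # The XPath condition, e.g. "Level=1 or Level=2 or Level=3".
    $levelTest = ($Levels | ForEach-Object { "Level=$_" }) -join ' or '

    # One <Select> per log, exactly the shape an exported custom view uses.
    # Log names are XML-escaped in case one contains a reserved character.
    $selects = foreach ($log in $logs) {
        $name = [System.Security.SecurityElement]::Escape($log.LogName)
        "    <Select Path=`"$name`">*[System[($levelTest)]]</Select>"
    }

    $query = @"
<QueryList>
  <Query Id="0">
$($selects -join "`n")
  </Query>
</QueryList>
"@

    # -FilterXml accepts the same QueryList that Event Viewer generates.
    Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, ProviderName, LevelDisplayName, Message
}

# Usage: the "Criticals Only" view, newest first.
Get-EventsByLevel -Levels 1 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Usage: the "Administrative Events" equivalent (Critical, Error, Warning).
Get-EventsByLevel -Levels 1,2,3 | Group-Object LogName | Sort-Object Count -Descending
```

Because the script emits the same QueryList that the exported custom view contains, the view and the script stay interchangeable: you can paste the QueryList out of an exported .xml file into Get-WinEvent -FilterXml, or hand-edit the Select elements and import the result back into Event Viewer.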
Mark Minasi is a best-selling author, commentator and all-around alpha geek. Mark is best known for his books in the Mastering Windows series. What separates him from others is that he knows how to explain technical things to normal humans, and make them laugh while doing it. Mark's firm, MR&D, is based in Pungo, a town in Virginia's Tidewater area that is distinguished by having one -- and only one -- traffic light.
Copyright 2005 TechTarget